a300600b35
Also deal with missing CCE issues. Resolves: rhbz#1962564
From 215db1bbe08fdaf1139f563abf9515e8a15a6457 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 10 Jun 2021 19:36:47 +0200
Subject: [PATCH 1/4] Added RHEL9 profiles that are based on RHEL8 profiles.
Unsupported rules are commented out.
---
.../profiles/anssi_bp28_enhanced.profile | 16 +
.../rhel9/profiles/anssi_bp28_high.profile | 15 +
.../profiles/anssi_bp28_intermediary.profile | 15 +
.../rhel9/profiles/anssi_bp28_minimal.profile | 16 +
rhel9/profiles/cis.profile | 1088 +++++++++++++++++
rhel9/profiles/cjis.profile | 139 +++
rhel9/profiles/cui.profile | 32 +
rhel9/profiles/e8.profile | 149 +++
rhel9/profiles/hipaa.profile | 164 +++
rhel9/profiles/ism_o.profile | 134 ++
rhel9/profiles/ospp-mls.profile | 25 +
rhel9/profiles/ospp.profile | 444 +++++++
rhel9/profiles/pci-dss.profile | 134 +-
rhel9/profiles/rht-ccp.profile | 100 ++
rhel9/profiles/standard.profile | 67 +
rhel9/profiles/stig.profile | 1069 ++++++++++++++++
rhel9/profiles/stig_gui.profile | 36 +
17 files changed, 3640 insertions(+), 3 deletions(-)
create mode 100644 rhel9/profiles/anssi_bp28_enhanced.profile
create mode 100644 rhel9/profiles/anssi_bp28_high.profile
create mode 100644 rhel9/profiles/anssi_bp28_intermediary.profile
create mode 100644 rhel9/profiles/anssi_bp28_minimal.profile
create mode 100644 rhel9/profiles/cis.profile
create mode 100644 rhel9/profiles/cjis.profile
create mode 100644 rhel9/profiles/cui.profile
create mode 100644 rhel9/profiles/e8.profile
create mode 100644 rhel9/profiles/hipaa.profile
create mode 100644 rhel9/profiles/ism_o.profile
create mode 100644 rhel9/profiles/ospp-mls.profile
create mode 100644 rhel9/profiles/ospp.profile
create mode 100644 rhel9/profiles/rht-ccp.profile
create mode 100644 rhel9/profiles/standard.profile
create mode 100644 rhel9/profiles/stig.profile
create mode 100644 rhel9/profiles/stig_gui.profile
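diff --git a/rhel9/profiles/anssi_bp28_enhanced.profile b/rhel9/profiles/anssi_bp28_enhanced.profile
new file mode 100644
index 00000000000..bbc11353f3b
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (enhanced)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:enhanced
+ - '!selinux_state'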
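Review bot: The `- '!selinux_state'` exclusion at the end of `selections` carries no explanation, and of the four ANSSI levels added in this patch it is the only one with an exclusion; `anssi_bp28_high.profile` selects `anssi:all:high` with nothing removed. Someone auditing the enhanced profile cannot tell from this file whether dropping the SELinux state check is a deliberate mapping to the ANSSI levels or a temporary RHEL9 workaround like the commented-out rules the commit message mentions. I would put a comment directly above the entry, e.g. `# selinux_state excluded at the enhanced level: <reason, or tracking issue if temporary>`, with the reason filled in by the author. If it is a workaround, the tracking link keeps the gap from silently becoming permanent in a hardening baseline.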
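diff --git a/rhel9/profiles/anssi_bp28_high.profile b/rhel9/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000000..560460b55f7
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_high.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (high)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:high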
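diff --git a/rhel9/profiles/anssi_bp28_intermediary.profile b/rhel9/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000000..a5920316735
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (intermediary)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:intermediary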
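diff --git a/rhel9/profiles/anssi_bp28_minimal.profile b/rhel9/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000000..cef8394114d
--- /dev/null
+++ b/rhel9/profiles/anssi_bp28_minimal.profile
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'ANSSI-BP-028 (minimal)'
+
+description: |-
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+
+selections:
+ - anssi:all:minimal
+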
diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile
|
||
new file mode 100644
|
||
index 00000000000..8939011ad1f
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/cis.profile
|
||
@@ -0,0 +1,1088 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: 1.0.0
|
||
+ SMEs:
|
||
+ - vojtapolasek
|
||
+ - yuumasato
|
||
+
|
||
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
||
+
|
||
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
|
||
+
|
||
+description: |-
|
||
+ This profile defines a baseline that aligns to the Center for Internet Security®
|
||
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
|
||
+
|
||
+ This profile includes Center for Internet Security®
|
||
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
||
+
|
||
+selections:
|
||
+ # Necessary for dconf rules
|
||
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
|
||
+
|
||
+ ### Partitioning
|
||
+ - mount_option_home_nodev
|
||
+
|
||
+ ## 1.1 Filesystem Configuration
|
||
+
|
||
+ ### 1.1.1 Disable unused filesystems
|
||
+
|
||
+ #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
|
||
+ - kernel_module_cramfs_disabled
|
||
+
|
||
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
|
||
+
|
||
+
|
||
+ #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
|
||
+ - kernel_module_squashfs_disabled
|
||
+
|
||
+ #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
|
||
+ - kernel_module_udf_disabled
|
||
+
|
||
+ ### 1.1.2 Ensure /tmp is configured (Scored)
|
||
+ - partition_for_tmp
|
||
+
|
||
+ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
|
||
+ - mount_option_tmp_nodev
|
||
+
|
||
+ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
|
||
+ - mount_option_tmp_nosuid
|
||
+
|
||
+ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
|
||
+ - mount_option_tmp_noexec
|
||
+
|
||
+ ### 1.1.6 Ensure separate partition exists for /var (Scored)
|
||
+ - partition_for_var
|
||
+
|
||
+ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
|
||
+ - partition_for_var_tmp
|
||
+
|
||
+ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
|
||
+ - mount_option_var_tmp_nodev
|
||
+
|
||
+ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
|
||
+ - mount_option_var_tmp_nosuid
|
||
+
|
||
+ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
|
||
+ - mount_option_var_tmp_noexec
|
||
+
|
||
+ ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
|
||
+ - partition_for_var_log
|
||
+
|
||
+ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
|
||
+ - partition_for_var_log_audit
|
||
+
|
||
+ ### 1.1.13 Ensure separate partition exists for /home (Scored)
|
||
+ - partition_for_home
|
||
+
|
||
+ ### 1.1.14 Ensure nodev option set on /home partition (Scored)
|
||
+ - mount_option_home_nodev
|
||
+
|
||
+ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
|
||
+ - mount_option_dev_shm_nodev
|
||
+
|
||
+ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
|
||
+ - mount_option_dev_shm_nosuid
|
||
+
|
||
+ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
|
||
+ - mount_option_dev_shm_noexec
|
||
+
|
||
+ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
|
||
+ - mount_option_nodev_removable_partitions
|
||
+
|
||
+ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
|
||
+ - mount_option_nosuid_removable_partitions
|
||
+
|
||
+ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
|
||
+ - mount_option_noexec_removable_partitions
|
||
+
|
||
+ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
|
||
+ - dir_perms_world_writable_sticky_bits
|
||
+
|
||
+ ### 1.1.22 Disable Automounting (Scored)
|
||
+ - service_autofs_disabled
|
||
+
|
||
+ ### 1.1.23 Disable USB Storage (Scored)
|
||
+ - kernel_module_usb-storage_disabled
|
||
+
|
||
+ ## 1.2 Configure Software Updates
|
||
+
|
||
+ ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
|
||
+
|
||
+ ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
|
||
+ - service_rhnsd_disabled
|
||
+
|
||
+ ### 1.2.3 Ensure GPG keys are configured (Not Scored)
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+
|
||
+ ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+
|
||
+ ### 1.2.5 Ensure package manager repositories are configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
|
||
+
|
||
+ ## 1.3 Configure sudo
|
||
+
|
||
+ ### 1.3.1 Ensure sudo is installed (Scored)
|
||
+ - package_sudo_installed
|
||
+
|
||
+ ### 1.3.2 Ensure sudo commands use pty (Scored)
|
||
+ - sudo_add_use_pty
|
||
+
|
||
+ ### 1.3.3 Ensure sudo log file exists (Scored)
|
||
+ - sudo_custom_logfile
|
||
+
|
||
+ ## 1.4 Filesystem Integrity Checking
|
||
+
|
||
+ ### 1.4.1 Ensure AIDE is installed (Scored)
|
||
+ - package_aide_installed
|
||
+
|
||
+ ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
|
||
+ - aide_periodic_cron_checking
|
||
+
|
||
+ ## Secure Boot Settings
|
||
+
|
||
+ ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
|
||
+ #### chown root:root /boot/grub2/grub.cfg
|
||
+ - file_owner_grub2_cfg
|
||
+ - file_groupowner_grub2_cfg
|
||
+
|
||
+ #### chmod og-rwx /boot/grub2/grub.cfg
|
||
+ - file_permissions_grub2_cfg
|
||
+
|
||
+ #### chown root:root /boot/grub2/grubenv
|
||
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
|
||
+
|
||
+ #### chmod og-rwx /boot/grub2/grubenv
|
||
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
|
||
+
|
||
+ ### 1.5.2 Ensure bootloader password is set (Scored)
|
||
+ - grub2_password
|
||
+
|
||
+ ### 1.5.3 Ensure authentication required for single user mode (Scored)
|
||
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
|
||
+ - require_singleuser_auth
|
||
+
|
||
+ #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
|
||
+ - require_emergency_target_auth
|
||
+
|
||
+ ## 1.6 Additional Process Hardening
|
||
+
|
||
+ ### 1.6.1 Ensure core dumps are restricted (Scored)
|
||
+ #### * hard core 0
|
||
+ - disable_users_coredumps
|
||
+
|
||
+ #### fs.suid_dumpable = 0
|
||
+ - sysctl_fs_suid_dumpable
|
||
+
|
||
+ #### ProcessSizeMax=0
|
||
+# - coredump_disable_backtraces
|
||
+
|
||
+ #### Storage=none
|
||
+# - coredump_disable_storage
|
||
+
|
||
+ ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
|
||
+ - sysctl_kernel_randomize_va_space
|
||
+
|
||
+ ## 1.7 Mandatory Access Control
|
||
+
|
||
+ ### 1.7.1 Configure SELinux
|
||
+
|
||
+ #### 1.7.1.1 Ensure SELinux is installed (Scored)
|
||
+ - package_libselinux_installed
|
||
+
|
||
+ #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
|
||
+ - grub2_enable_selinux
|
||
+
|
||
+ #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - selinux_policytype
|
||
+
|
||
+ #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
|
||
+ - var_selinux_state=enforcing
|
||
+ - selinux_state
|
||
+
|
||
+ #### 1.7.1.5 Ensure no unconfied services exist (Scored)
|
||
+ - selinux_confinement_of_daemons
|
||
+
|
||
+ #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
|
||
+ - package_setroubleshoot_removed
|
||
+
|
||
+ #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
|
||
+ - package_mcstrans_removed
|
||
+
|
||
+ ## Warning Banners
|
||
+
|
||
+ ### 1.8.1 Command Line Warning Baners
|
||
+
|
||
+ #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
|
||
+ - banner_etc_motd
|
||
+
|
||
+ #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
|
||
+ - banner_etc_issue
|
||
+
|
||
+ #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
|
||
+
|
||
+ #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
|
||
+ # chmod u-x,go-wx /etc/motd
|
||
+ - file_permissions_etc_motd
|
||
+
|
||
+ #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
|
||
+ # chmod u-x,go-wx /etc/issue
|
||
+ - file_permissions_etc_issue
|
||
+
|
||
+ #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
|
||
+ # Previously addressed via 'rpm_verify_permissions' rule
|
||
+
|
||
+ ### 1.8.2 Ensure GDM login banner is configured (Scored)
|
||
+ #### banner-message-enable=true
|
||
+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
|
||
+
|
||
+ #### banner-message-text='<banner message>'
|
||
+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
|
||
+
|
||
+ ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
|
||
+ - security_patches_up_to_date
|
||
+
|
||
+ ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
|
||
+ - var_system_crypto_policy=future
|
||
+ - configure_crypto_policy
|
||
+
|
||
+ ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
|
||
+ # Previously addressed via 'configure_crypto_policy' rule
|
||
+
|
||
+ # Services
|
||
+
|
||
+ ## 2.1 inetd Services
|
||
+
|
||
+ ### 2.1.1 Ensure xinetd is not installed (Scored)
|
||
+ - package_xinetd_removed
|
||
+
|
||
+ ## 2.2 Special Purpose Services
|
||
+
|
||
+ ### 2.2.1 Time Synchronization
|
||
+
|
||
+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
|
||
+ - package_chrony_installed
|
||
+
|
||
+ #### 2.2.1.2 Ensure chrony is configured (Scored)
|
||
+ - service_chronyd_enabled
|
||
+ - chronyd_specify_remote_server
|
||
+ - chronyd_run_as_chrony_user
|
||
+
|
||
+ ### 2.2.2 Ensure X Window System is not installed (Scored)
|
||
+ - package_xorg-x11-server-common_removed
|
||
+ - xwindows_runlevel_target
|
||
+
|
||
+ ### 2.2.3 Ensure rsync service is not enabled (Scored)
|
||
+ - service_rsyncd_disabled
|
||
+
|
||
+ ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
|
||
+ - service_avahi-daemon_disabled
|
||
+
|
||
+ ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
|
||
+ - service_snmpd_disabled
|
||
+
|
||
+ ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
|
||
+ - package_squid_removed
|
||
+
|
||
+ ### 2.2.7 Ensure Samba is not enabled (Scored)
|
||
+ - service_smb_disabled
|
||
+
|
||
+ ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
|
||
+ - service_dovecot_disabled
|
||
+
|
||
+ ### 2.2.9 Ensure HTTP server is not enabled (Scored)
|
||
+ - service_httpd_disabled
|
||
+
|
||
+ ### 2.2.10 Ensure FTP Server is not enabled (Scored)
|
||
+ - service_vsftpd_disabled
|
||
+
|
||
+ ### 2.2.11 Ensure DNS Server is not enabled (Scored)
|
||
+ - service_named_disabled
|
||
+
|
||
+ ### 2.2.12 Ensure NFS is not enabled (Scored)
|
||
+ - service_nfs_disabled
|
||
+
|
||
+ ### 2.2.13 Ensure RPC is not enabled (Scored)
|
||
+ - service_rpcbind_disabled
|
||
+
|
||
+ ### 2.2.14 Ensure LDAP service is not enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
|
||
+
|
||
+ ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
|
||
+ - service_dhcpd_disabled
|
||
+
|
||
+ ### 2.2.16 Ensure CUPS is not enabled (Scored)
|
||
+ - service_cups_disabled
|
||
+
|
||
+ ### 2.2.17 Ensure NIS Server is not enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
|
||
+
|
||
+ ### 2.2.18 Ensure mail transfer agent is configured for
|
||
+ ### local-only mode (Scored)
|
||
+ - postfix_network_listening_disabled
|
||
+
|
||
+ ## 2.3 Service Clients
|
||
+
|
||
+ ### 2.3.1 Ensure NIS Client is not installed (Scored)
|
||
+ - package_ypbind_removed
|
||
+
|
||
+ ### 2.3.2 Ensure telnet client is not installed (Scored)
|
||
+ - package_telnet_removed
|
||
+
|
||
+ ### Ensure LDAP client is not installed
|
||
+ - package_openldap-clients_removed
|
||
+
|
||
+ # 3 Network Configuration
|
||
+
|
||
+ ## 3.1 Network Parameters (Host Only)
|
||
+
|
||
+ ### 3.1.1 Ensure IP forwarding is disabled (Scored)
|
||
+ #### net.ipv4.ip_forward = 0
|
||
+ - sysctl_net_ipv4_ip_forward
|
||
+
|
||
+ #### net.ipv6.conf.all.forwarding = 0
|
||
+ - sysctl_net_ipv6_conf_all_forwarding
|
||
+
|
||
+ ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
|
||
+ #### net.ipv4.conf.all.send_redirects = 0
|
||
+ - sysctl_net_ipv4_conf_all_send_redirects
|
||
+
|
||
+ #### net.ipv4.conf.default.send_redirects = 0
|
||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||
+
|
||
+ ## 3.2 Network Parameters (Host and Router)
|
||
+
|
||
+ ### 3.2.1 Ensure source routed packets are not accepted (Scored)
|
||
+ #### net.ipv4.conf.all.accept_source_route = 0
|
||
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
||
+
|
||
+ #### net.ipv4.conf.default.accept_source_route = 0
|
||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||
+
|
||
+ #### net.ipv6.conf.all.accept_source_route = 0
|
||
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
||
+
|
||
+ #### net.ipv6.conf.default.accept_source_route = 0
|
||
+ - sysctl_net_ipv6_conf_default_accept_source_route
|
||
+
|
||
+ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
|
||
+ #### net.ipv4.conf.all.accept_redirects = 0
|
||
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
||
+
|
||
+ #### net.ipv4.conf.default.accept_redirects
|
||
+ - sysctl_net_ipv4_conf_default_accept_redirects
|
||
+
|
||
+ #### net.ipv6.conf.all.accept_redirects = 0
|
||
+ - sysctl_net_ipv6_conf_all_accept_redirects
|
||
+
|
||
+ #### net.ipv6.conf.defaults.accept_redirects = 0
|
||
+ - sysctl_net_ipv6_conf_default_accept_redirects
|
||
+
|
||
+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
|
||
+ #### net.ipv4.conf.all.secure_redirects = 0
|
||
+ - sysctl_net_ipv4_conf_all_secure_redirects
|
||
+
|
||
+ #### net.ipv4.cof.default.secure_redirects = 0
|
||
+ - sysctl_net_ipv4_conf_default_secure_redirects
|
||
+
|
||
+ ### 3.2.4 Ensure suspicious packets are logged (Scored)
|
||
+ #### net.ipv4.conf.all.log_martians = 1
|
||
+ - sysctl_net_ipv4_conf_all_log_martians
|
||
+
|
||
+ #### net.ipv4.conf.default.log_martians = 1
|
||
+ - sysctl_net_ipv4_conf_default_log_martians
|
||
+
|
||
+ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
|
||
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||
+
|
||
+ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
|
||
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
||
+
|
||
+ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
|
||
+ #### net.ipv4.conf.all.rp_filter = 1
|
||
+ - sysctl_net_ipv4_conf_all_rp_filter
|
||
+
|
||
+ #### net.ipv4.conf.default.rp_filter = 1
|
||
+ - sysctl_net_ipv4_conf_default_rp_filter
|
||
+
|
||
+ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
|
||
+ - sysctl_net_ipv4_tcp_syncookies
|
||
+
|
||
+ ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
|
||
+ #### net.ipv6.conf.all.accept_ra = 0
|
||
+ - sysctl_net_ipv6_conf_all_accept_ra
|
||
+
|
||
+ #### net.ipv6.conf.default.accept_ra = 0
|
||
+ - sysctl_net_ipv6_conf_default_accept_ra
|
||
+
|
||
+ ## 3.3 Uncommon Network Protocols
|
||
+
|
||
+ ### 3.3.1 Ensure DCCP is disabled (Scored)
|
||
+ - kernel_module_dccp_disabled
|
||
+
|
||
+ ### Ensure SCTP is disabled (Scored)
|
||
+ - kernel_module_sctp_disabled
|
||
+
|
||
+ ### 3.3.3 Ensure RDS is disabled (Scored)
|
||
+ - kernel_module_rds_disabled
|
||
+
|
||
+ ### 3.3.4 Ensure TIPC is disabled (Scored)
|
||
+ - kernel_module_tipc_disabled
|
||
+
|
||
+ ## 3.4 Firewall Configuration
|
||
+
|
||
+ ### 3.4.1 Ensure Firewall software is installed
|
||
+
|
||
+ #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
|
||
+ ##### firewalld
|
||
+ - package_firewalld_installed
|
||
+
|
||
+ ##### nftables
|
||
+ #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
|
||
+
|
||
+ ##### iptables
|
||
+ #- package_iptables_installed
|
||
+
|
||
+ ### 3.4.2 Configure firewalld
|
||
+
|
||
+ #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
|
||
+ - service_firewalld_enabled
|
||
+
|
||
+ #### 3.4.2.2 Ensure iptables is not enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
|
||
+
|
||
+ #### 3.4.2.3 Ensure nftables is not enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
|
||
+
|
||
+ #### 3.4.2.4 Ensure default zone is set (Scored)
|
||
+ - set_firewalld_default_zone
|
||
+
|
||
+ #### 3.4.2.5 Ensure network interfaces are assigned to
|
||
+ #### appropriate zone (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
|
||
+
|
||
+ #### 3.4.2.6 Ensure unnecessary services and ports are not
|
||
+ #### accepted (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
|
||
+
|
||
+ ### 3.4.3 Configure nftables
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
|
||
+
|
||
+ #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
|
||
+
|
||
+ #### 3.4.3.2 Ensure a table exists (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
|
||
+
|
||
+ #### 3.4.3.3 Ensure base chains exist (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
|
||
+
|
||
+ #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
|
||
+
|
||
+ #### 3.4.3.5 Ensure outbound and established connections are
|
||
+ #### configured (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
|
||
+
|
||
+ #### 3.4.3.6 Ensure default deny firewall policy (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
|
||
+
|
||
+ #### 3.4.3.7 Ensure nftables service is enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
|
||
+
|
||
+ #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
|
||
+
|
||
+ ### 3.4.4 Configure iptables
|
||
+
|
||
+ #### 3.4.4.1 Configure IPv4 iptables
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
|
||
+
|
||
+ ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
|
||
+
|
||
+ ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
|
||
+
|
||
+ ##### 3.4.4.1.3 Ensure outbound and established connections are
|
||
+ ##### configured (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
|
||
+
|
||
+ ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
|
||
+
|
||
+ #### 3.4.4.2 Configure IPv6 ip6tables
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
|
||
+
|
||
+ ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
|
||
+
|
||
+ ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
|
||
+
|
||
+ ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
|
||
+ ##### configured (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
|
||
+
|
||
+ ## 3.5 Ensure wireless interfaces are disabled (Scored)
|
||
+ - wireless_disable_interfaces
|
||
+
|
||
+ ## 3.6 Disable IPv6 (Not Scored)
|
||
+ - kernel_module_ipv6_option_disabled
|
||
+
|
||
+ # Logging and Auditing
|
||
+
|
||
+ ## 4.1 Configure System Accounting (auditd)
|
||
+
|
||
+ ### 4.1.1 Ensure auditing is enabled
|
||
+
|
||
+ #### 4.1.1.1 Ensure auditd is installed (Scored)
|
||
+ - package_audit_installed
|
||
+
|
||
+ #### 4.1.1.2 Ensure auditd service is enabled (Scored)
|
||
+ - service_auditd_enabled
|
||
+
|
||
+ #### 4.1.1.3 Ensure auditing for processes that start prior to audit
|
||
+ #### is enabled (Scored)
|
||
+ - grub2_audit_argument
|
||
+
|
||
+ #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
|
||
+ - grub2_audit_backlog_limit_argument
|
||
+
|
||
+ ### 4.1.2 Configure Data Retention
|
||
+
|
||
+ #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
|
||
+ - auditd_data_retention_max_log_file
|
||
+
|
||
+ #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
|
||
+ - auditd_data_retention_max_log_file_action
|
||
+
|
||
+ #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
|
||
+ - var_auditd_space_left_action=email
|
||
+ - auditd_data_retention_space_left_action
|
||
+
|
||
+ ##### action_mail_acct = root
|
||
+ - var_auditd_action_mail_acct=root
|
||
+ - auditd_data_retention_action_mail_acct
|
||
+
|
||
+ ##### admin_space_left_action = halt
|
||
+ - var_auditd_admin_space_left_action=halt
|
||
+ - auditd_data_retention_admin_space_left_action
|
||
+
|
||
+ ### 4.1.3 Ensure changes to system administration scope
|
||
+ ### (sudoers) is collected (Scored)
|
||
+ - audit_rules_sysadmin_actions
|
||
+
|
||
+ ### 4.1.4 Ensure login and logout events are collected (Scored)
|
||
+ - audit_rules_login_events_faillock
|
||
+ - audit_rules_login_events_lastlog
|
||
+
|
||
+ ### 4.1.5 Ensure session initiation information is collected (Scored)
|
||
+ - audit_rules_session_events
|
||
+
|
||
+ ### 4.1.6 Ensure events that modify date and time information
|
||
+ ### are collected (Scored)
|
||
+ #### adjtimex
|
||
+ - audit_rules_time_adjtimex
|
||
+
|
||
+ #### settimeofday
|
||
+ - audit_rules_time_settimeofday
|
||
+
|
||
+ #### stime
|
||
+ - audit_rules_time_stime
|
||
+
|
||
+ #### clock_settime
|
||
+ - audit_rules_time_clock_settime
|
||
+
|
||
+ #### -w /etc/localtime -p wa
|
||
+ - audit_rules_time_watch_localtime
|
||
+
|
||
+ ### 4.1.7 Ensure events that modify the system's Mandatory
|
||
+ ### Access Control are collected (Scored)
|
||
+ #### -w /etc/selinux/ -p wa
|
||
+ - audit_rules_mac_modification
|
||
+
|
||
+ #### -w /usr/share/selinux/ -p wa
|
||
+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
|
||
+
|
||
+ ### 4.1.8 Ensure events that modify the system's network
|
||
+ ### enironment are collected (Scored)
|
||
+ - audit_rules_networkconfig_modification
|
||
+
|
||
+ ### 4.1.9 Ensure discretionary access control permission modification
|
||
+ ### events are collected (Scored)
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_fchmod
|
||
+ - audit_rules_dac_modification_fchmodat
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_dac_modification_fchown
|
||
+ - audit_rules_dac_modification_fchownat
|
||
+ - audit_rules_dac_modification_lchown
|
||
+ - audit_rules_dac_modification_setxattr
|
||
+ - audit_rules_dac_modification_lsetxattr
|
||
+ - audit_rules_dac_modification_fsetxattr
|
||
+ - audit_rules_dac_modification_removexattr
|
||
+ - audit_rules_dac_modification_lremovexattr
|
||
+ - audit_rules_dac_modification_fremovexattr
|
||
+
|
||
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
|
||
+ ### collected (Scored)
|
||
+ - audit_rules_unsuccessful_file_modification_creat
|
||
+ - audit_rules_unsuccessful_file_modification_open
|
||
+ - audit_rules_unsuccessful_file_modification_openat
|
||
+ - audit_rules_unsuccessful_file_modification_truncate
|
||
+ - audit_rules_unsuccessful_file_modification_ftruncate
|
||
+ # Opinionated selection
|
||
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||
+
|
||
+ ### 4.1.11 Ensure events that modify user/group information are
|
||
+ ### collected (Scored)
|
||
+ - audit_rules_usergroup_modification_passwd
|
||
+ - audit_rules_usergroup_modification_group
|
||
+ - audit_rules_usergroup_modification_gshadow
|
||
+ - audit_rules_usergroup_modification_shadow
|
||
+ - audit_rules_usergroup_modification_opasswd
|
||
+
|
||
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
|
||
+ - audit_rules_media_export
|
||
+
|
||
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
|
||
+ - audit_rules_privileged_commands
|
||
+
|
||
+ ### 4.1.14 Ensure file deletion events by users are collected
|
||
+ ### (Scored)
|
||
+ - audit_rules_file_deletion_events_unlink
|
||
+ - audit_rules_file_deletion_events_unlinkat
|
||
+ - audit_rules_file_deletion_events_rename
|
||
+ - audit_rules_file_deletion_events_renameat
|
||
+ # Opinionated selection
|
||
+ - audit_rules_file_deletion_events_rmdir
|
||
+
|
||
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
|
||
+ ### (Scored)
|
||
+ - audit_rules_kernel_module_loading
|
||
+
|
||
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
|
||
+ ### collected (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
|
||
+
|
||
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
|
||
+ - audit_rules_immutable
|
||
+
|
||
+ ## 4.2 Configure Logging
|
||
+
|
||
+ ### 4.2.1 Configure rsyslog
|
||
+
|
||
+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
|
||
+ - package_rsyslog_installed
|
||
+
|
||
+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
|
||
+ - service_rsyslog_enabled
|
||
+
|
||
+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
|
||
+ - rsyslog_files_permissions
|
||
+
|
||
+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
|
||
+
|
||
+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
|
||
+ #### log host (Scored)
|
||
+ - rsyslog_remote_loghost
|
||
+
|
||
+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
|
||
+ #### designated log hosts (Not Scored)
|
||
+ - rsyslog_nolisten
|
||
+
|
||
+ ### 4.2.2 Configure journald
|
||
+
|
||
+ #### 4.2.2.1 Ensure journald is configured to send logs to
|
||
+ #### rsyslog (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
|
||
+
|
||
+ #### 4.2.2.2 Ensure journald is configured to compress large
|
||
+ #### log files (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
|
||
+
|
||
+
|
||
+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
|
||
+ #### persistent disk (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
|
||
+
|
||
+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
|
||
+
|
||
+ ## 4.3 Ensure logrotate is configured (Not Scored)
|
||
+
|
||
+ # 5 Access, Authentication and Authorization
|
||
+
|
||
+ ## 5.1 Configure cron
|
||
+
|
||
+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
|
||
+ - service_crond_enabled
|
||
+
|
||
+
|
||
+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
|
||
+ # chown root:root /etc/crontab
|
||
+ - file_owner_crontab
|
||
+ - file_groupowner_crontab
|
||
+ # chmod og-rwx /etc/crontab
|
||
+ - file_permissions_crontab
|
||
+
|
||
+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
|
||
+ # chown root:root /etc/cron.hourly
|
||
+ - file_owner_cron_hourly
|
||
+ - file_groupowner_cron_hourly
|
||
+ # chmod og-rwx /etc/cron.hourly
|
||
+ - file_permissions_cron_hourly
|
||
+
|
||
+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
|
||
+ # chown root:root /etc/cron.daily
|
||
+ - file_owner_cron_daily
|
||
+ - file_groupowner_cron_daily
|
||
+ # chmod og-rwx /etc/cron.daily
|
||
+ - file_permissions_cron_daily
|
||
+
|
||
+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
|
||
+ # chown root:root /etc/cron.weekly
|
||
+ - file_owner_cron_weekly
|
||
+ - file_groupowner_cron_weekly
|
||
+ # chmod og-rwx /etc/cron.weekly
|
||
+ - file_permissions_cron_weekly
|
||
+
|
||
+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
|
||
+ # chown root:root /etc/cron.monthly
|
||
+ - file_owner_cron_monthly
|
||
+ - file_groupowner_cron_monthly
|
||
+ # chmod og-rwx /etc/cron.monthly
|
||
+ - file_permissions_cron_monthly
|
||
+
|
||
+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
|
||
+ # chown root:root /etc/cron.d
|
||
+ - file_owner_cron_d
|
||
+ - file_groupowner_cron_d
|
||
+ # chmod og-rwx /etc/cron.d
|
||
+ - file_permissions_cron_d
|
||
+
|
||
+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
|
||
+
|
||
+
|
||
+ ## 5.2 SSH Server Configuration
|
||
+
|
||
+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
|
||
+ # chown root:root /etc/ssh/sshd_config
|
||
+ - file_owner_sshd_config
|
||
+ - file_groupowner_sshd_config
|
||
+
|
||
+ # chmod og-rwx /etc/ssh/sshd_config
|
||
+ - file_permissions_sshd_config
|
||
+
|
||
+ ### 5.2.2 Ensure SSH access is limited (Scored)
|
||
+
|
||
+
|
||
+ ### 5.2.3 Ensure permissions on SSH private host key files are
|
||
+ ### configured (Scored)
|
||
+ # TO DO: The rule sets to 640, but benchmark wants 600
|
||
+ - file_permissions_sshd_private_key
|
||
+ # TO DO: check owner of private keys in /etc/ssh is root:root
|
||
+
|
||
+ ### 5.2.4 Ensure permissions on SSH public host key files are configured
|
||
+ ### (Scored)
|
||
+ - file_permissions_sshd_pub_key
|
||
+ # TO DO: check owner of pub keys in /etc/ssh is root:root
|
||
+
|
||
+ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
|
||
+ - sshd_set_loglevel_info
|
||
+
|
||
+ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
|
||
+ - sshd_disable_x11_forwarding
|
||
+
|
||
+ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
|
||
+ - sshd_max_auth_tries_value=4
|
||
+ - sshd_set_max_auth_tries
|
||
+
|
||
+ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
|
||
+ - sshd_disable_rhosts
|
||
+
|
||
+ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
|
||
+ - disable_host_auth
|
||
+
|
||
+ ### 5.2.10 Ensure SSH root login is disabled (Scored)
|
||
+ - sshd_disable_root_login
|
||
+
|
||
+ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
|
||
+ - sshd_disable_empty_passwords
|
||
+
|
||
+ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
|
||
+ - sshd_do_not_permit_user_env
|
||
+
|
||
+ ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
|
||
+ # ClientAliveInterval 300
|
||
+ - sshd_idle_timeout_value=5_minutes
|
||
+ - sshd_set_idle_timeout
|
||
+
|
||
+ # ClientAliveCountMax 0
|
||
+ - var_sshd_set_keepalive=0
|
||
+
|
||
+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
|
||
+ ### or less (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
|
||
+
|
||
+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
|
||
+ - sshd_enable_warning_banner
|
||
+
|
||
+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
|
||
+
|
||
+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
|
||
+ - sshd_disable_tcp_forwarding
|
||
+
|
||
+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
|
||
+
|
||
+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
|
||
+ - sshd_set_max_sessions
|
||
+ - var_sshd_max_sessions=4
|
||
+
|
||
+ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
|
||
+ - configure_ssh_crypto_policy
|
||
+
|
||
+ ## 5.3 Configure authselect
|
||
+
|
||
+
|
||
+ ### 5.3.1 Create custom authselectet profile (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
|
||
+
|
||
+ ### 5.3.2 Select authselect profile (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
|
||
+
|
||
+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
|
||
+
|
||
+ ## 5.4 Configure PAM
|
||
+
|
||
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
|
||
+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
|
||
+ - accounts_password_pam_retry
|
||
+ - var_password_pam_minlen=14
|
||
+ - accounts_password_pam_minlen
|
||
+ - var_password_pam_minclass=4
|
||
+ - accounts_password_pam_minclass
|
||
+
|
||
+ ### 5.4.2 Ensure lockout for failed password attempts is
|
||
+ ### configured (Scored)
|
||
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
||
+ - var_accounts_passwords_pam_faillock_deny=5
|
||
+ - accounts_passwords_pam_faillock_unlock_time
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+
|
||
+ ### 5.4.3 Ensure password reuse is limited (Scored)
|
||
+ - var_password_pam_unix_remember=5
|
||
+ - accounts_password_pam_unix_remember
|
||
+
|
||
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
|
||
+ - set_password_hashing_algorithm_systemauth
|
||
+
|
||
+ ## 5.5 User Accounts and Environment
|
||
+
|
||
+ ### 5.5.1 Set Shadow Password Suite Parameters
|
||
+
|
||
+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
|
||
+ - var_accounts_maximum_age_login_defs=365
|
||
+ - accounts_maximum_age_login_defs
|
||
+
|
||
+ #### 5.5.1.2 Ensure minimum days between password changes is 7
|
||
+ #### or more (Scored)
|
||
+ - var_accounts_minimum_age_login_defs=7
|
||
+ - accounts_minimum_age_login_defs
|
||
+
|
||
+ #### 5.5.1.3 Ensure password expiration warning days is
|
||
+ #### 7 or more (Scored)
|
||
+ - var_accounts_password_warn_age_login_defs=7
|
||
+ - accounts_password_warn_age_login_defs
|
||
+
|
||
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
|
||
+ # TODO: Rule doesn't check list of users
|
||
+ # https://github.com/ComplianceAsCode/content/issues/5536
|
||
+ - var_account_disable_post_pw_expiration=30
|
||
+ - account_disable_post_pw_expiration
|
||
+
|
||
+ #### 5.5.1.5 Ensure all users last password change date is
|
||
+ #### in the past (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
|
||
+
|
||
+ ### 5.5.2 Ensure system accounts are secured (Scored)
|
||
+ - no_shelllogin_for_systemaccounts
|
||
+
|
||
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
|
||
+ ### or less (Scored)
|
||
+ - var_accounts_tmout=15_min
|
||
+ - accounts_tmout
|
||
+
|
||
+ ### 5.5.4 Ensure default group for the root account is
|
||
+ ### GID 0 (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
|
||
+
|
||
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
|
||
+ - var_accounts_user_umask=027
|
||
+ - accounts_umask_etc_bashrc
|
||
+ - accounts_umask_etc_profile
|
||
+
|
||
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
|
||
+ - securetty_root_login_console_only
|
||
+ - no_direct_root_logins
|
||
+
|
||
+ ## 5.7 Ensure access to the su command is restricted (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
|
||
+
|
||
+ # System Maintenance
|
||
+
|
||
+ ## 6.1 System File Permissions
|
||
+
|
||
+ ### 6.1.1 Audit system file permissions (Not Scored)
|
||
+ - rpm_verify_permissions
|
||
+ - rpm_verify_ownership
|
||
+
|
||
+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
|
||
+ # chown root:root /etc/passwd
|
||
+ - file_owner_etc_passwd
|
||
+ - file_groupowner_etc_passwd
|
||
+
|
||
+ # chmod 644 /etc/passwd
|
||
+ - file_permissions_etc_passwd
|
||
+
|
||
+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
|
||
+ # chown root:root /etc/shadow
|
||
+ - file_owner_etc_shadow
|
||
+ - file_groupowner_etc_shadow
|
||
+
|
||
+ # chmod o-rwx,g-wx /etc/shadow
|
||
+ - file_permissions_etc_shadow
|
||
+
|
||
+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
|
||
+ # chown root:root /etc/group
|
||
+ - file_owner_etc_group
|
||
+ - file_groupowner_etc_group
|
||
+
|
||
+ # chmod 644 /etc/group
|
||
+ - file_permissions_etc_group
|
||
+
|
||
+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
|
||
+ # chown root:root /etc/gshadow
|
||
+ - file_owner_etc_gshadow
|
||
+ - file_groupowner_etc_gshadow
|
||
+
|
||
+ # chmod o-rwx,g-rw /etc/gshadow
|
||
+ - file_permissions_etc_gshadow
|
||
+
|
||
+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
|
||
+ # chown root:root /etc/passwd-
|
||
+ - file_owner_backup_etc_passwd
|
||
+ - file_groupowner_backup_etc_passwd
|
||
+
|
||
+ # chmod 644 /etc/passwd-
|
||
+ - file_permissions_backup_etc_passwd
|
||
+
|
||
+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
|
||
+ # chown root:root /etc/shadow-
|
||
+ - file_owner_backup_etc_shadow
|
||
+ - file_groupowner_backup_etc_shadow
|
||
+
|
||
+ # chmod 0000 /etc/shadow-
|
||
+ - file_permissions_backup_etc_shadow
|
||
+
|
||
+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
|
||
+ # chown root:root /etc/group-
|
||
+ - file_owner_backup_etc_group
|
||
+ - file_groupowner_backup_etc_group
|
||
+
|
||
+ # chmod 644 /etc/group-
|
||
+ - file_permissions_backup_etc_group
|
||
+
|
||
+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
|
||
+ # chown root:root /etc/gshadow-
|
||
+ - file_owner_backup_etc_gshadow
|
||
+ - file_groupowner_backup_etc_gshadow
|
||
+
|
||
+ # chmod 0000 /etc/gshadow-
|
||
+ - file_permissions_backup_etc_gshadow
|
||
+
|
||
+ ### 6.1.10 Ensure no world writable files exist (Scored)
|
||
+ - file_permissions_unauthorized_world_writable
|
||
+
|
||
+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
|
||
+ - no_files_unowned_by_user
|
||
+
|
||
+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
|
||
+ - file_permissions_ungroupowned
|
||
+
|
||
+ ### 6.1.13 Audit SUID executables (Not Scored)
|
||
+ - file_permissions_unauthorized_suid
|
||
+
|
||
+ ### 6.1.14 Audit SGID executables (Not Scored)
|
||
+ - file_permissions_unauthorized_sgid
|
||
+
|
||
+ ## 6.2 User and Group Settings
|
||
+
|
||
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
|
||
+ - no_legacy_plus_entries_etc_passwd
|
||
+
|
||
+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
|
||
+ - no_legacy_plus_entries_etc_shadow
|
||
+
|
||
+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
|
||
+ - no_legacy_plus_entries_etc_group
|
||
+
|
||
+ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
|
||
+ - accounts_no_uid_except_zero
|
||
+
|
||
+ ### 6.2.7 Ensure users' home directories permissions are 750
|
||
+ ### or more restrictive (Scored)
|
||
+ - file_permissions_home_dirs
|
||
+
|
||
+ ### 6.2.8 Ensure users own their home directories (Scored)
|
||
+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
|
||
+ - file_groupownership_home_directories
|
||
+
|
||
+ ### 6.2.9 Ensure users' dot files are not group or world
|
||
+ ### writable (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
|
||
+
|
||
+ ### 6.2.10 Ensure no users have .forward files (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
|
||
+
|
||
+ ### 6.2.11 Ensure no users have .netrc files (Scored)
|
||
+ - no_netrc_files
|
||
+
|
||
+ ### 6.2.12 Ensure users' .netrc Files are not group or
|
||
+ ### world accessible (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
|
||
+
|
||
+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
|
||
+ - no_rsh_trust_files
|
||
+
|
||
+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
|
||
+ ### /etc/group (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
|
||
+
|
||
+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
|
||
+
|
||
+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
|
||
+
|
||
+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
|
||
+ - account_unique_name
|
||
+
|
||
+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
|
||
+
|
||
+ ### 6.2.19 Ensure shadow group is empty (Scored)
|
||
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
|
||
+
|
||
+ ### 6.2.20 Ensure all users' home directories exist (Scored)
|
||
+ - accounts_user_interactive_home_directory_exists
|
||
diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
|
||
new file mode 100644
|
||
index 00000000000..1fc531952b6
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/cjis.profile
|
||
@@ -0,0 +1,139 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: 5.4
|
||
+ SMEs:
|
||
+ - carlosmmatos
|
||
+
|
||
+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
|
||
+
|
||
+title: 'Criminal Justice Information Services (CJIS) Security Policy'
|
||
+
|
||
+description: |-
|
||
+ This profile is derived from FBI's CJIS v5.4
|
||
+ Security Policy. A copy of this policy can be found at the CJIS Security
|
||
+ Policy Resource Center:
|
||
+
|
||
+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
|
||
+
|
||
+selections:
|
||
+ - service_auditd_enabled
|
||
+ - grub2_audit_argument
|
||
+ - auditd_data_retention_num_logs
|
||
+ - auditd_data_retention_max_log_file
|
||
+ - auditd_data_retention_max_log_file_action
|
||
+ - auditd_data_retention_space_left_action
|
||
+ - auditd_data_retention_admin_space_left_action
|
||
+ - auditd_data_retention_action_mail_acct
|
||
+ - auditd_audispd_syslog_plugin_activated
|
||
+ - audit_rules_time_adjtimex
|
||
+ - audit_rules_time_settimeofday
|
||
+ - audit_rules_time_stime
|
||
+ - audit_rules_time_clock_settime
|
||
+ - audit_rules_time_watch_localtime
|
||
+ - audit_rules_usergroup_modification
|
||
+ - audit_rules_networkconfig_modification
|
||
+ - file_permissions_var_log_audit
|
||
+ - file_ownership_var_log_audit
|
||
+ - audit_rules_mac_modification
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_dac_modification_fchmod
|
||
+ - audit_rules_dac_modification_fchmodat
|
||
+ - audit_rules_dac_modification_fchown
|
||
+ - audit_rules_dac_modification_fchownat
|
||
+ - audit_rules_dac_modification_fremovexattr
|
||
+ - audit_rules_dac_modification_fsetxattr
|
||
+ - audit_rules_dac_modification_lchown
|
||
+ - audit_rules_dac_modification_lremovexattr
|
||
+ - audit_rules_dac_modification_lsetxattr
|
||
+ - audit_rules_dac_modification_removexattr
|
||
+ - audit_rules_dac_modification_setxattr
|
||
+ - audit_rules_login_events
|
||
+ - audit_rules_session_events
|
||
+ - audit_rules_unsuccessful_file_modification
|
||
+ - audit_rules_privileged_commands
|
||
+ - audit_rules_media_export
|
||
+ - audit_rules_file_deletion_events
|
||
+ - audit_rules_sysadmin_actions
|
||
+ - audit_rules_kernel_module_loading
|
||
+ - audit_rules_immutable
|
||
+ - account_unique_name
|
||
+ - gid_passwd_group_same
|
||
+ - accounts_password_all_shadowed
|
||
+ - no_empty_passwords
|
||
+ - display_login_attempts
|
||
+ - var_accounts_password_minlen_login_defs=12
|
||
+ - var_accounts_maximum_age_login_defs=90
|
||
+ - var_password_pam_unix_remember=10
|
||
+ - var_account_disable_post_pw_expiration=0
|
||
+ - var_password_pam_minlen=12
|
||
+ - var_accounts_minimum_age_login_defs=1
|
||
+ - var_password_pam_difok=6
|
||
+ - var_accounts_max_concurrent_login_sessions=3
|
||
+ - account_disable_post_pw_expiration
|
||
+ - accounts_password_pam_minlen
|
||
+ - accounts_minimum_age_login_defs
|
||
+ - accounts_password_pam_difok
|
||
+ - accounts_max_concurrent_login_sessions
|
||
+ - set_password_hashing_algorithm_systemauth
|
||
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
|
||
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
|
||
+ - file_owner_etc_shadow
|
||
+ - file_groupowner_etc_shadow
|
||
+ - file_permissions_etc_shadow
|
||
+ - file_owner_etc_group
|
||
+ - file_groupowner_etc_group
|
||
+ - file_permissions_etc_group
|
||
+ - file_owner_etc_passwd
|
||
+ - file_groupowner_etc_passwd
|
||
+ - file_permissions_etc_passwd
|
||
+ - file_owner_grub2_cfg
|
||
+ - file_groupowner_grub2_cfg
|
||
+ - var_password_pam_retry=5
|
||
+ - var_accounts_passwords_pam_faillock_deny=5
|
||
+ - var_accounts_passwords_pam_faillock_unlock_time=600
|
||
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
|
||
+ - sshd_allow_only_protocol2
|
||
+ - sshd_set_idle_timeout
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - disable_host_auth
|
||
+ - sshd_disable_root_login
|
||
+ - sshd_disable_empty_passwords
|
||
+ - sshd_enable_warning_banner
|
||
+ - sshd_do_not_permit_user_env
|
||
+ - var_system_crypto_policy=fips
|
||
+ - configure_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+ - kernel_module_dccp_disabled
|
||
+ - kernel_module_sctp_disabled
|
||
+ - service_firewalld_enabled
|
||
+ - set_firewalld_default_zone
|
||
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
|
||
+ - sshd_idle_timeout_value=30_minutes
|
||
+ - inactivity_timeout_value=30_minutes
|
||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||
+ - sysctl_net_ipv4_tcp_syncookies
|
||
+ - sysctl_net_ipv4_conf_all_send_redirects
|
||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
||
+ - sysctl_net_ipv4_conf_default_accept_redirects
|
||
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||
+ - var_password_pam_ocredit=1
|
||
+ - var_password_pam_dcredit=1
|
||
+ - var_password_pam_ucredit=1
|
||
+ - var_password_pam_lcredit=1
|
||
+ - package_aide_installed
|
||
+ - aide_build_database
|
||
+ - aide_periodic_cron_checking
|
||
+ - rpm_verify_permissions
|
||
+ - rpm_verify_hashes
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+ - security_patches_up_to_date
|
||
+ - kernel_module_bluetooth_disabled
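Review bot: Several `var_…=` lines in this selection list set a value, but no rule that would consume it is selected in the hunk, so the control is probably never checked or remediated. This affects `var_accounts_passwords_pam_faillock_deny=5` and `var_accounts_passwords_pam_faillock_unlock_time=600` (no lockout rule), plus `var_password_pam_retry=5`, `var_password_pam_unix_remember=10`, `var_accounts_maximum_age_login_defs=90`, `var_accounts_password_minlen_login_defs=12` and the four `var_password_pam_*credit=1` values. The cis profile in this same patch pairs such variables with their rules, e.g. `- accounts_passwords_pam_faillock_deny` and `- accounts_passwords_pam_faillock_unlock_time`. I would add the matching rule lines here, or a commented-out `# not supported in RHEL9 ATM` entry where the rule is unavailable, so the gap stays visible. `var_sshd_set_keepalive=0` has the same shape here and in hipaa.profile, where no SSH timeout rule is selected at all.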
|
||
diff --git a/rhel9/profiles/cui.profile b/rhel9/profiles/cui.profile
|
||
new file mode 100644
|
||
index 00000000000..bf6d9511c17
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/cui.profile
|
||
@@ -0,0 +1,32 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: TBD
|
||
+ SMEs:
|
||
+ - carlosmmatos
|
||
+
|
||
+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
|
||
+
|
||
+description: |-
|
||
+ From NIST 800-171, Section 2.2:
|
||
+ Security requirements for protecting the confidentiality of CUI in nonfederal
|
||
+ information systems and organizations have a well-defined structure that
|
||
+ consists of:
|
||
+
|
||
+ (i) a basic security requirements section;
|
||
+ (ii) a derived security requirements section.
|
||
+
|
||
+ The basic security requirements are obtained from FIPS Publication 200, which
|
||
+ provides the high-level and fundamental security requirements for federal
|
||
+ information and information systems. The derived security requirements, which
|
||
+ supplement the basic security requirements, are taken from the security controls
|
||
+ in NIST Special Publication 800-53.
|
||
+
|
||
+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
|
||
+ Publication 800-53 controls identified for securing Controlled Unclassified
|
||
+ Information (CUI)."
|
||
+
|
||
+extends: ospp
|
||
+
|
||
+selections:
|
||
+ - inactivity_timeout_value=10_minutes
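Review bot: The description still reads `This profile configures Red Hat Enterprise Linux 8 to the NIST Special` although this file is the RHEL 9 profile, and its last line ends with a stray double quote (`Information (CUI)."`). Profile descriptions are presumably carried into generated guides and scan reports, so a wrong product name there can mislead whoever reads the result. I would change the first line to `This profile configures Red Hat Enterprise Linux 9 to the NIST Special` and drop the trailing quote. The same "Red Hat Enterprise Linux 8" wording is in the descriptions of e8.profile, hipaa.profile and ism_o.profile in this patch.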
|
||
diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
|
||
new file mode 100644
|
||
index 00000000000..30eb9c594ac
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/e8.profile
|
||
@@ -0,0 +1,149 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ SMEs:
|
||
+ - shaneboulden
|
||
+
|
||
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
|
||
+
|
||
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
|
||
+
|
||
+description: |-
|
||
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
|
||
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
|
||
+
|
||
+ A copy of the Essential Eight in Linux Environments guide can be found at the
|
||
+ ACSC website:
|
||
+
|
||
+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
|
||
+
|
||
+selections:
|
||
+
|
||
+ ### Remove obsolete packages
|
||
+ - package_talk_removed
|
||
+ - package_talk-server_removed
|
||
+ - package_xinetd_removed
|
||
+ - service_xinetd_disabled
|
||
+ - package_ypbind_removed
|
||
+ - package_telnet_removed
|
||
+ - service_telnet_disabled
|
||
+ - package_telnet-server_removed
|
||
+ - package_rsh_removed
|
||
+ - package_rsh-server_removed
|
||
+ - service_zebra_disabled
|
||
+ - package_quagga_removed
|
||
+ - service_avahi-daemon_disabled
|
||
+ - package_squid_removed
|
||
+ - service_squid_disabled
|
||
+
|
||
+ ### Software update
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+ - ensure_gpgcheck_local_packages
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - security_patches_up_to_date
|
||
+ - dnf-automatic_security_updates_only
|
||
+
|
||
+ ### System security settings
|
||
+ - sysctl_kernel_randomize_va_space
|
||
+ - sysctl_kernel_exec_shield
|
||
+ - sysctl_kernel_kptr_restrict
|
||
+ - sysctl_kernel_dmesg_restrict
|
||
+ - sysctl_kernel_kexec_load_disabled
|
||
+ - sysctl_kernel_yama_ptrace_scope
|
||
+ - sysctl_kernel_unprivileged_bpf_disabled
|
||
+ - sysctl_net_core_bpf_jit_harden
|
||
+
|
||
+ ### SELinux
|
||
+ - var_selinux_state=enforcing
|
||
+ - selinux_state
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - selinux_policytype
|
||
+
|
||
+ ### Filesystem integrity
|
||
+ - rpm_verify_hashes
|
||
+ - rpm_verify_permissions
|
||
+ - rpm_verify_ownership
|
||
+ - file_permissions_unauthorized_sgid
|
||
+ - file_permissions_unauthorized_suid
|
||
+ - file_permissions_unauthorized_world_writable
|
||
+ - dir_perms_world_writable_sticky_bits
|
||
+ - file_permissions_library_dirs
|
||
+ - file_ownership_binary_dirs
|
||
+ - file_permissions_binary_dirs
|
||
+ - file_ownership_library_dirs
|
||
+
|
||
+ ### Passwords
|
||
+ - no_empty_passwords
|
||
+
|
||
+ ### Partitioning
|
||
+ - mount_option_dev_shm_nodev
|
||
+ - mount_option_dev_shm_nosuid
|
||
+ - mount_option_dev_shm_noexec
|
||
+
|
||
+ ### Network
|
||
+ - package_firewalld_installed
|
||
+ - service_firewalld_enabled
|
||
+ - network_sniffer_disabled
|
||
+
|
||
+ ### Admin privileges
|
||
+ - accounts_no_uid_except_zero
|
||
+ - sudo_remove_nopasswd
|
||
+ - sudo_remove_no_authenticate
|
||
+ - sudo_require_authentication
|
||
+
|
||
+ ### Audit
|
||
+ - package_rsyslog_installed
|
||
+ - service_rsyslog_enabled
|
||
+ - service_auditd_enabled
|
||
+ - var_auditd_flush=incremental_async
|
||
+ - auditd_data_retention_flush
|
||
+ - auditd_local_events
|
||
+ - auditd_write_logs
|
||
+ - auditd_log_format
|
||
+ - auditd_freq
|
||
+ - auditd_name_format
|
||
+ - audit_rules_login_events_tallylog
|
||
+ - audit_rules_login_events_faillock
|
||
+ - audit_rules_login_events_lastlog
|
||
+ - audit_rules_login_events
|
||
+ - audit_rules_time_adjtimex
|
||
+ - audit_rules_time_clock_settime
|
||
+ - audit_rules_time_watch_localtime
|
||
+ - audit_rules_time_settimeofday
|
||
+ - audit_rules_time_stime
|
||
+ - audit_rules_execution_restorecon
|
||
+ - audit_rules_execution_chcon
|
||
+ - audit_rules_execution_semanage
|
||
+ - audit_rules_execution_setsebool
|
||
+ - audit_rules_execution_setfiles
|
||
+ - audit_rules_execution_seunshare
|
||
+ - audit_rules_sysadmin_actions
|
||
+ - audit_rules_networkconfig_modification
|
||
+ - audit_rules_usergroup_modification
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_kernel_module_loading
|
||
+
|
||
+ ### Secure access
|
||
+ - sshd_disable_root_login
|
||
+ - sshd_disable_gssapi_auth
|
||
+ - sshd_print_last_log
|
||
+ - sshd_do_not_permit_user_env
|
||
+ - sshd_disable_rhosts
|
||
+ - sshd_set_loglevel_info
|
||
+ - sshd_disable_empty_passwords
|
||
+ - sshd_disable_user_known_hosts
|
||
+ - sshd_enable_strictmodes
|
||
+
|
||
+ # See also: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
|
||
+ - var_system_crypto_policy=default_nosha1
|
||
+ - configure_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+
|
||
+ ### Application whitelisting
|
||
+ - package_fapolicyd_installed
|
||
+ - service_fapolicyd_enabled
|
||
+
|
||
+ ### Backup
|
||
+ - package_rear_installed
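Review bot: `sysctl_kernel_exec_shield` under "System security settings" was carried over unchanged, and as far as I know the `kernel.exec-shield` sysctl does not exist on current RHEL kernels. It is worth confirming that the rule evaluates to something meaningful on RHEL 9 rather than passing trivially or reporting not-applicable. If it does not, it should follow the convention used elsewhere in this patch: `# - sysctl_kernel_exec_shield # not supported in RHEL9 ATM`. The same rule is also selected in hipaa.profile.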
|
||
diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
|
||
new file mode 100644
|
||
index 00000000000..7919649d4d5
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/hipaa.profile
|
||
@@ -0,0 +1,164 @@
|
||
+documentation_complete: True
|
||
+
|
||
+metadata:
|
||
+ SMEs:
|
||
+ - jjaswanson4
|
||
+ - carlosmmatos
|
||
+
|
||
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
|
||
+
|
||
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
|
||
+
|
||
+description: |-
|
||
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
|
||
+ electronic personal health information that is created, received, used, or
|
||
+ maintained by a covered entity. The Security Rule requires appropriate
|
||
+ administrative, physical and technical safeguards to ensure the
|
||
+ confidentiality, integrity, and security of electronic protected health
|
||
+ information.
|
||
+
|
||
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
|
||
+ Rule identified for securing of electronic protected health information.
|
||
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
|
||
+
|
||
+selections:
|
||
+ - grub2_password
|
||
+# - grub2_uefi_password # not supported in RHEL9 ATM
|
||
+ - file_groupowner_grub2_cfg
|
||
+ - file_permissions_grub2_cfg
|
||
+ - file_owner_grub2_cfg
|
||
+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
|
||
+ - no_direct_root_logins
|
||
+ - no_empty_passwords
|
||
+ - require_singleuser_auth
|
||
+ - restrict_serial_port_logins
|
||
+ - securetty_root_login_console_only
|
||
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
|
||
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
|
||
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
|
||
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_remote_access_credential_prompt # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_remote_access_encryption # not supported in RHEL9 ATM
|
||
+ - sshd_disable_empty_passwords
|
||
+ - sshd_disable_root_login
|
||
+# - libreswan_approved_tunnels # not supported in RHEL9 ATM
|
||
+ - no_rsh_trust_files
|
||
+ - package_rsh-server_removed
|
||
+ - package_talk_removed
|
||
+ - package_talk-server_removed
|
||
+ - package_telnet_removed
|
||
+ - package_telnet-server_removed
|
||
+ - package_xinetd_removed
|
||
+ - service_crond_enabled
|
||
+# - service_rexec_disabled # not supported in RHEL9 ATM
|
||
+# - service_rlogin_disabled # not supported in RHEL9 ATM
|
||
+ - service_telnet_disabled
|
||
+ - service_xinetd_disabled
|
||
+ - service_zebra_disabled
|
||
+# - use_kerberos_security_all_exports # not supported in RHEL9 ATM
|
||
+ - disable_host_auth
|
||
+ - sshd_allow_only_protocol2
|
||
+ - sshd_disable_compression
|
||
+ - sshd_disable_gssapi_auth
|
||
+ - sshd_disable_kerb_auth
|
||
+ - sshd_do_not_permit_user_env
|
||
+ - sshd_enable_strictmodes
|
||
+ - sshd_enable_warning_banner
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - encrypt_partitions
|
||
+ - var_system_crypto_policy=fips
|
||
+ - configure_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - var_selinux_state=enforcing
|
||
+ - grub2_enable_selinux
|
||
+ - sebool_selinuxuser_execheap
|
||
+ - sebool_selinuxuser_execmod
|
||
+ - sebool_selinuxuser_execstack
|
||
+ - selinux_confinement_of_daemons
|
||
+ - selinux_policytype
|
||
+ - selinux_state
|
||
+ - service_kdump_disabled
|
||
+ - sysctl_fs_suid_dumpable
|
||
+ - sysctl_kernel_dmesg_restrict
|
||
+ - sysctl_kernel_exec_shield
|
||
+ - sysctl_kernel_randomize_va_space
|
||
+ - rpm_verify_hashes
|
||
+ - rpm_verify_permissions
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+ - ensure_gpgcheck_local_packages
|
||
+ - grub2_audit_argument
|
||
+ - service_auditd_enabled
|
||
+ - audit_rules_privileged_commands_sudo
|
||
+ - audit_rules_privileged_commands_su
|
||
+ - audit_rules_immutable
|
||
+ - kernel_module_usb-storage_disabled
|
||
+ - service_autofs_disabled
|
||
+ - auditd_audispd_syslog_plugin_activated
|
||
+ - rsyslog_remote_loghost
|
||
+ - auditd_data_retention_flush
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_dac_modification_fchmodat
|
||
+ - audit_rules_dac_modification_fchmod
|
||
+ - audit_rules_dac_modification_fchownat
|
||
+ - audit_rules_dac_modification_fchown
|
||
+ - audit_rules_dac_modification_fremovexattr
|
||
+ - audit_rules_dac_modification_fsetxattr
|
||
+ - audit_rules_dac_modification_lchown
|
||
+ - audit_rules_dac_modification_lremovexattr
|
||
+ - audit_rules_dac_modification_lsetxattr
|
||
+ - audit_rules_dac_modification_removexattr
|
||
+ - audit_rules_dac_modification_setxattr
|
||
+ - audit_rules_execution_chcon
|
||
+ - audit_rules_execution_restorecon
|
||
+ - audit_rules_execution_semanage
|
||
+ - audit_rules_execution_setsebool
|
||
+ - audit_rules_file_deletion_events_renameat
|
||
+ - audit_rules_file_deletion_events_rename
|
||
+ - audit_rules_file_deletion_events_rmdir
|
||
+ - audit_rules_file_deletion_events_unlinkat
|
||
+ - audit_rules_file_deletion_events_unlink
|
||
+ - audit_rules_kernel_module_loading_delete
|
||
+ - audit_rules_kernel_module_loading_init
|
||
+ - audit_rules_login_events_faillock
|
||
+ - audit_rules_login_events_lastlog
|
||
+ - audit_rules_login_events_tallylog
|
||
+ - audit_rules_mac_modification
|
||
+ - audit_rules_media_export
|
||
+ - audit_rules_networkconfig_modification
|
||
+ - audit_rules_privileged_commands_chage
|
||
+ - audit_rules_privileged_commands_chsh
|
||
+ - audit_rules_privileged_commands_crontab
|
||
+ - audit_rules_privileged_commands_gpasswd
|
||
+ - audit_rules_privileged_commands_newgrp
|
||
+ - audit_rules_privileged_commands_pam_timestamp_check
|
||
+ - audit_rules_privileged_commands_passwd
|
||
+ - audit_rules_privileged_commands_postdrop
|
||
+ - audit_rules_privileged_commands_postqueue
|
||
+ - audit_rules_privileged_commands_ssh_keysign
|
||
+ - audit_rules_privileged_commands_sudoedit
|
||
+ - audit_rules_privileged_commands_umount
|
||
+ - audit_rules_privileged_commands_unix_chkpwd
|
||
+ - audit_rules_privileged_commands_userhelper
|
||
+ - audit_rules_session_events
|
||
+ - audit_rules_sysadmin_actions
|
||
+ - audit_rules_system_shutdown
|
||
+ - audit_rules_time_adjtimex
|
||
+ - audit_rules_time_clock_settime
|
||
+ - audit_rules_time_settimeofday
|
||
+ - audit_rules_time_stime
|
||
+ - audit_rules_time_watch_localtime
|
||
+ - audit_rules_unsuccessful_file_modification_creat
|
||
+ - audit_rules_unsuccessful_file_modification_ftruncate
|
||
+ - audit_rules_unsuccessful_file_modification_openat
|
||
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||
+ - audit_rules_unsuccessful_file_modification_open
|
||
+ - audit_rules_unsuccessful_file_modification_truncate
|
||
+ - audit_rules_usergroup_modification_group
|
||
+ - audit_rules_usergroup_modification_gshadow
|
||
+ - audit_rules_usergroup_modification_opasswd
|
||
+ - audit_rules_usergroup_modification_passwd
|
||
+ - audit_rules_usergroup_modification_shadow
|
||
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
|
||
new file mode 100644
|
||
index 00000000000..592be03783f
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/ism_o.profile
|
||
@@ -0,0 +1,134 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ SMEs:
|
||
+ - shaneboulden
|
||
+ - wcushen
|
||
+ - ahamilto156
|
||
+
|
||
+reference: https://www.cyber.gov.au/ism
|
||
+
|
||
+title: 'Australian Cyber Security Centre (ACSC) ISM Official'
|
||
+
|
||
+description: |-
|
||
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
|
||
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
|
||
+ with the applicability marking of OFFICIAL.
|
||
+
|
||
+ The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
|
||
+ Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
|
||
+ specific to an organisation's security posture and risk profile.
|
||
+
|
||
+ A copy of the ISM can be found at the ACSC website:
|
||
+
|
||
+ https://www.cyber.gov.au/ism
|
||
+
|
||
+extends: e8
|
||
+
|
||
+selections:
|
||
+
|
||
+ ## Operating system configuration
|
||
+ ## Identifiers 1491
|
||
+ - no_shelllogin_for_systemaccounts
|
||
+
|
||
+ ## Local administrator accounts
|
||
+ ## Identifiers 1382 / 1410
|
||
+ - accounts_password_all_shadowed
|
||
+ - package_sudo_installed
|
||
+
|
||
+ ## Content filtering & Anti virus
|
||
+ ## Identifiers 0576 / 1341 / 1034 / 1417 / 1288
|
||
+ - package_aide_installed
|
||
+
|
||
+ ## Software firewall
|
||
+ ## Identifiers 1416
|
||
+# - configure_firewalld_ports # not supported in RHEL9 ATM
|
||
+ ## Removing due to build error
|
||
+ ## - configure_firewalld_rate_limiting
|
||
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
|
||
+ - set_firewalld_default_zone
|
||
+
|
||
+ ## Endpoint device control software
|
||
+ ## Identifiers 1418
|
||
+ - package_usbguard_installed
|
||
+ - service_usbguard_enabled
|
||
+
|
||
+ ## Authentication hardening
|
||
+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
|
||
+ ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
|
||
+ - sshd_max_auth_tries_value=5
|
||
+ - disable_host_auth
|
||
+ - require_emergency_target_auth
|
||
+ - require_singleuser_auth
|
||
+ - sshd_disable_kerb_auth
|
||
+ - sshd_set_max_auth_tries
|
||
+
|
||
+ ## Password authentication & Protecting credentials
|
||
+ ## Identifiers 0421 / 0431 / 0418 / 1402
|
||
+ - var_password_pam_minlen=14
|
||
+ - var_accounts_password_warn_age_login_defs=7
|
||
+ - var_accounts_minimum_age_login_defs=1
|
||
+ - var_accounts_maximum_age_login_defs=60
|
||
+ - accounts_password_warn_age_login_defs
|
||
+ - accounts_maximum_age_login_defs
|
||
+ - accounts_minimum_age_login_defs
|
||
+ - accounts_passwords_pam_faillock_interval
|
||
+ - accounts_passwords_pam_faillock_unlock_time
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+ - accounts_passwords_pam_faillock_deny_root
|
||
+ - accounts_password_pam_minlen
|
||
+
|
||
+ ## Centralised logging facility
|
||
+ ## Identifiers 1405 / 0988
|
||
+ - rsyslog_cron_logging
|
||
+ - rsyslog_files_groupownership
|
||
+ - rsyslog_files_ownership
|
||
+ - rsyslog_files_permissions
|
||
+ - rsyslog_nolisten
|
||
+ - rsyslog_remote_loghost
|
||
+ - rsyslog_remote_tls
|
||
+ - rsyslog_remote_tls_cacert
|
||
+ - package_chrony_installed
|
||
+ - service_chronyd_enabled
|
||
+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
|
||
+ - chronyd_specify_remote_server
|
||
+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
|
||
+
|
||
+ ## Events to be logged
|
||
+ ## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
|
||
+ - display_login_attempts
|
||
+ - sebool_auditadm_exec_content
|
||
+ - audit_rules_privileged_commands
|
||
+ - audit_rules_session_events
|
||
+ - audit_rules_unsuccessful_file_modification
|
||
+ - audit_access_failed
|
||
+ - audit_access_success
|
||
+
|
||
+ ## Web application & Database servers
|
||
+ ## Identifiers 1552 / 1277
|
||
+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
|
||
+
|
||
+ ## Network design and configuration
|
||
+ ## Identifiers 1055 / 1311
|
||
+# - network_nmcli_permissions # not supported in RHEL9 ATM
|
||
+ - service_snmpd_disabled
|
||
+# - snmpd_use_newer_protocol # not supported in RHEL9 ATM
|
||
+
|
||
+ ## Wireless networks
|
||
+ ## Identifiers 1315
|
||
+ - wireless_disable_interfaces
|
||
+
|
||
+ ## ASD Approved Cryptographic Algorithms
|
||
+ ## Identifiers 0471 / 0472 / 0473 / 0474 / 0475 / 0476 / 0477 /
|
||
+ ## 0479 / 0480 / 0481 / 0489 / 0497 / 0994 / 0998 / 1001 / 1139 /
|
||
+ ## 1372 / 1373 / 1374 / 1375
|
||
+# - enable_fips_mode # not supported in RHEL9 ATM
|
||
+ - var_system_crypto_policy=fips
|
||
+ - configure_crypto_policy
|
||
+
|
||
+ ## Secure Shell access
|
||
+ ## Identifiers 0484 / 1506 / 1449 / 0487
|
||
+ - sshd_allow_only_protocol2
|
||
+ - sshd_enable_warning_banner
|
||
+ - sshd_disable_x11_forwarding
|
||
+ - file_permissions_sshd_private_key
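Review bot: The description on the new side still says "Red Hat Enterprise Linux 8" although the file is created under rhel9/profiles, so scan reports generated from this profile will name the wrong product; the line should read `This profile contains configuration checks for Red Hat Enterprise Linux 9`. The same leftover is visible in the pci-dss.profile title (where this commit replaces a correct "9" with "8"), in the rht-ccp.profile description, and in the standard.profile title and description. Separately, the "Web application & Database servers" group (Identifiers 1552 / 1277) has no active rule once `openssl_use_strong_entropy` is commented out, while `documentation_complete: true` is kept. A one-line comment such as `## no RHEL9 rule covers these identifiers yet` would make that gap explicit to anyone auditing against this profile.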
|
||
diff --git a/rhel9/profiles/ospp-mls.profile b/rhel9/profiles/ospp-mls.profile
|
||
new file mode 100644
|
||
index 00000000000..d1d1b8aff73
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/ospp-mls.profile
|
||
@@ -0,0 +1,25 @@
|
||
+documentation_complete: false
|
||
+
|
||
+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
|
||
+
|
||
+description: |-
|
||
+ Placeholder to put MLS specific rules
|
||
+
|
||
+extends: ospp
|
||
+
|
||
+selections:
|
||
+
|
||
+ ################################################
|
||
+ ## MUST INSTALL PACKAGES IN MLS MODE
|
||
+ #cups
|
||
+ #foomatic
|
||
+ #ghostscript
|
||
+ #ghostscript-fonts
|
||
+ #checkpolicy
|
||
+ #mcstrans
|
||
+ #policycoreutils-newrole
|
||
+ #selinux-policy-devel
|
||
+ ##xinetd
|
||
+ #iproute
|
||
+ #iputils
|
||
+ #netlabel_tools
|
||
diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
|
||
new file mode 100644
|
||
index 00000000000..c4a43dc5eb6
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/ospp.profile
|
||
@@ -0,0 +1,444 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: 4.2.1
|
||
+ SMEs:
|
||
+ - comps
|
||
+ - carlosmmatos
|
||
+ - stevegrubb
|
||
+
|
||
+reference: https://www.niap-ccevs.org/Profile/PP.cfm
|
||
+
|
||
+title: 'Protection Profile for General Purpose Operating Systems'
|
||
+
|
||
+description: |-
|
||
+ This profile reflects mandatory configuration controls identified in the
|
||
+ NIAP Configuration Annex to the Protection Profile for General Purpose
|
||
+ Operating Systems (Protection Profile Version 4.2.1).
|
||
+
|
||
+ This configuration profile is consistent with CNSSI-1253, which requires
|
||
+ U.S. National Security Systems to adhere to certain configuration
|
||
+ parameters. Accordingly, this configuration profile is suitable for
|
||
+ use in U.S. National Security Systems.
|
||
+
|
||
+selections:
|
||
+
|
||
+ #######################################################
|
||
+ ### GENERAL REQUIREMENTS
|
||
+ ### Things needed to meet OSPP functional requirements.
|
||
+ #######################################################
|
||
+
|
||
+ ### Partitioning
|
||
+ - mount_option_home_nodev
|
||
+ - mount_option_home_nosuid
|
||
+ - mount_option_tmp_nodev
|
||
+ - mount_option_tmp_noexec
|
||
+ - mount_option_tmp_nosuid
|
||
+ - partition_for_var_tmp
|
||
+ - mount_option_var_tmp_nodev
|
||
+ - mount_option_var_tmp_noexec
|
||
+ - mount_option_var_tmp_nosuid
|
||
+ - mount_option_dev_shm_nodev
|
||
+ - mount_option_dev_shm_noexec
|
||
+ - mount_option_dev_shm_nosuid
|
||
+ - mount_option_nodev_nonroot_local_partitions
|
||
+ - mount_option_boot_nodev
|
||
+ - mount_option_boot_nosuid
|
||
+ - partition_for_home
|
||
+ - partition_for_var
|
||
+ - mount_option_var_nodev
|
||
+ - partition_for_var_log
|
||
+ - mount_option_var_log_nodev
|
||
+ - mount_option_var_log_nosuid
|
||
+ - mount_option_var_log_noexec
|
||
+ - partition_for_var_log_audit
|
||
+ - mount_option_var_log_audit_nodev
|
||
+ - mount_option_var_log_audit_nosuid
|
||
+ - mount_option_var_log_audit_noexec
|
||
+
|
||
+ ### Services
|
||
+ # sshd
|
||
+ - sshd_disable_root_login
|
||
+ - sshd_enable_strictmodes
|
||
+ - disable_host_auth
|
||
+ - sshd_disable_empty_passwords
|
||
+ - sshd_disable_kerb_auth
|
||
+ - sshd_disable_gssapi_auth
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - sshd_enable_warning_banner
|
||
+ - sshd_rekey_limit
|
||
+ - var_rekey_limit_size=1G
|
||
+ - var_rekey_limit_time=1hour
|
||
+# - sshd_use_strong_rng # not supported in RHEL9 ATM
|
||
+# - openssl_use_strong_entropy # not supported in RHEL9 ATM
|
||
+
|
||
+ # Time Server
|
||
+# - chronyd_client_only # not supported in RHEL9 ATM
|
||
+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
|
||
+
|
||
+ ### Network Settings
|
||
+ - sysctl_net_ipv6_conf_all_accept_ra
|
||
+ - sysctl_net_ipv6_conf_default_accept_ra
|
||
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
||
+ - sysctl_net_ipv4_conf_default_accept_redirects
|
||
+ - sysctl_net_ipv6_conf_all_accept_redirects
|
||
+ - sysctl_net_ipv6_conf_default_accept_redirects
|
||
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
||
+ - sysctl_net_ipv6_conf_default_accept_source_route
|
||
+ - sysctl_net_ipv4_conf_all_secure_redirects
|
||
+ - sysctl_net_ipv4_conf_default_secure_redirects
|
||
+ - sysctl_net_ipv4_conf_all_send_redirects
|
||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||
+ - sysctl_net_ipv4_conf_all_log_martians
|
||
+ - sysctl_net_ipv4_conf_default_log_martians
|
||
+ - sysctl_net_ipv4_conf_all_rp_filter
|
||
+ - sysctl_net_ipv4_conf_default_rp_filter
|
||
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
||
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||
+ - sysctl_net_ipv4_ip_forward
|
||
+ - sysctl_net_ipv4_tcp_syncookies
|
||
+
|
||
+ ### systemd
|
||
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
|
||
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
|
||
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
|
||
+
|
||
+ ### umask
|
||
+ - var_accounts_user_umask=027
|
||
+ - accounts_umask_etc_profile
|
||
+ - accounts_umask_etc_bashrc
|
||
+# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
|
||
+
|
||
+ ### Software update
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - ensure_gpgcheck_local_packages
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+
|
||
+ ### Passwords
|
||
+ - var_password_pam_difok=4
|
||
+ - accounts_password_pam_difok
|
||
+ - var_password_pam_maxrepeat=3
|
||
+ - accounts_password_pam_maxrepeat
|
||
+ - var_password_pam_maxclassrepeat=4
|
||
+ - accounts_password_pam_maxclassrepeat
|
||
+
|
||
+ ### Kernel Config
|
||
+ ## Boot prompt
|
||
+ - grub2_audit_argument
|
||
+ - grub2_audit_backlog_limit_argument
|
||
+ - grub2_slub_debug_argument
|
||
+ - grub2_page_poison_argument
|
||
+ - grub2_vsyscall_argument
|
||
+ - grub2_vsyscall_argument.role=unscored
|
||
+ - grub2_vsyscall_argument.severity=info
|
||
+ - grub2_pti_argument
|
||
+ - grub2_kernel_trust_cpu_rng
|
||
+
|
||
+ ## Security Settings
|
||
+ - sysctl_kernel_kptr_restrict
|
||
+ - sysctl_kernel_dmesg_restrict
|
||
+ - sysctl_kernel_kexec_load_disabled
|
||
+ - sysctl_kernel_yama_ptrace_scope
|
||
+ - sysctl_kernel_perf_event_paranoid
|
||
+ - sysctl_user_max_user_namespaces
|
||
+ - sysctl_user_max_user_namespaces.role=unscored
|
||
+ - sysctl_user_max_user_namespaces.severity=info
|
||
+ - sysctl_kernel_unprivileged_bpf_disabled
|
||
+ - sysctl_net_core_bpf_jit_harden
|
||
+ - service_kdump_disabled
|
||
+
|
||
+ ## File System Settings
|
||
+ - sysctl_fs_protected_hardlinks
|
||
+ - sysctl_fs_protected_symlinks
|
||
+
|
||
+ ### Audit
|
||
+ - service_auditd_enabled
|
||
+ - var_auditd_flush=incremental_async
|
||
+ - auditd_data_retention_flush
|
||
+ - auditd_local_events
|
||
+ - auditd_write_logs
|
||
+ - auditd_log_format
|
||
+ - auditd_freq
|
||
+ - auditd_name_format
|
||
+
|
||
+ ### Module Blacklist
|
||
+ - kernel_module_cramfs_disabled
|
||
+ - kernel_module_bluetooth_disabled
|
||
+ - kernel_module_sctp_disabled
|
||
+ - kernel_module_firewire-core_disabled
|
||
+ - kernel_module_atm_disabled
|
||
+ - kernel_module_can_disabled
|
||
+ - kernel_module_tipc_disabled
|
||
+
|
||
+ ### rpcbind
|
||
+
|
||
+ ### Install Required Packages
|
||
+ - package_aide_installed
|
||
+ - package_dnf-automatic_installed
|
||
+ - package_subscription-manager_installed
|
||
+# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
|
||
+ - package_firewalld_installed
|
||
+ - package_openscap-scanner_installed
|
||
+ - package_policycoreutils_installed
|
||
+ - package_sudo_installed
|
||
+ - package_usbguard_installed
|
||
+ - package_scap-security-guide_installed
|
||
+ - package_audit_installed
|
||
+ - package_crypto-policies_installed
|
||
+ - package_openssh-server_installed
|
||
+ - package_openssh-clients_installed
|
||
+ - package_policycoreutils-python-utils_installed
|
||
+ - package_rsyslog_installed
|
||
+ - package_rsyslog-gnutls_installed
|
||
+ - package_audispd-plugins_installed
|
||
+ - package_chrony_installed
|
||
+ - package_gnutls-utils_installed
|
||
+
|
||
+ ### Remove Prohibited Packages
|
||
+ - package_sendmail_removed
|
||
+ - package_iprutils_removed
|
||
+ - package_gssproxy_removed
|
||
+ - package_nfs-utils_removed
|
||
+ - package_krb5-workstation_removed
|
||
+ - package_abrt-addon-kerneloops_removed
|
||
+ - package_abrt-addon-python_removed
|
||
+ - package_abrt-addon-ccpp_removed
|
||
+ - package_abrt-plugin-rhtsupport_removed
|
||
+ - package_abrt-plugin-logger_removed
|
||
+ - package_abrt-plugin-sosreport_removed
|
||
+ - package_abrt-cli_removed
|
||
+ - package_abrt_removed
|
||
+
|
||
+ ### Login
|
||
+ - disable_users_coredumps
|
||
+ - sysctl_kernel_core_pattern
|
||
+# - coredump_disable_storage
|
||
+# - coredump_disable_backtraces
|
||
+ - service_systemd-coredump_disabled
|
||
+ - var_accounts_max_concurrent_login_sessions=10
|
||
+ - accounts_max_concurrent_login_sessions
|
||
+ - securetty_root_login_console_only
|
||
+ - var_password_pam_unix_remember=5
|
||
+ - accounts_password_pam_unix_remember
|
||
+# - use_pam_wheel_for_su # not supported in RHEL9 ATM
|
||
+
|
||
+ ### SELinux Configuration
|
||
+ - var_selinux_state=enforcing
|
||
+ - selinux_state
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - selinux_policytype
|
||
+
|
||
+ ### Application Whitelisting (RHEL 9)
|
||
+ - package_fapolicyd_installed
|
||
+ - service_fapolicyd_enabled
|
||
+
|
||
+ ### Configure USBGuard
|
||
+ - service_usbguard_enabled
|
||
+ - configure_usbguard_auditbackend
|
||
+ - usbguard_allow_hid_and_hub
|
||
+
|
||
+
|
||
+ ### Enable / Configure FIPS
|
||
+# - enable_fips_mode # not supported in RHEL9 ATM
|
||
+ - var_system_crypto_policy=fips_ospp
|
||
+ - configure_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+ - configure_bind_crypto_policy
|
||
+ - configure_openssl_crypto_policy
|
||
+ - configure_libreswan_crypto_policy
|
||
+ - configure_kerberos_crypto_policy
|
||
+# - enable_dracut_fips_module # not supported in RHEL9 ATM
|
||
+
|
||
+ #######################################################
|
||
+ ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE
|
||
+ ### FOR GENERAL PURPOSE OPERATING SYSTEMS
|
||
+ ### ANNEX RELEASE 1
|
||
+ ### FOR PROTECTION PROFILE VERSIONS 4.2
|
||
+ ###
|
||
+ ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/
|
||
+ #######################################################
|
||
+
|
||
+ ## Configure Minimum Password Length to 12 Characters
|
||
+ ## IA-5 (1)(a) / FMT_MOF_EXT.1
|
||
+ - var_accounts_password_minlen_login_defs=12
|
||
+ - accounts_password_minlen_login_defs
|
||
+ - var_password_pam_minlen=12
|
||
+ - accounts_password_pam_minlen
|
||
+
|
||
+ ## Require at Least 1 Special Character in Password
|
||
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
|
||
+ - var_password_pam_ocredit=1
|
||
+ - accounts_password_pam_ocredit
|
||
+
|
||
+ ## Require at Least 1 Numeric Character in Password
|
||
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
|
||
+ - var_password_pam_dcredit=1
|
||
+ - accounts_password_pam_dcredit
|
||
+
|
||
+ ## Require at Least 1 Uppercase Character in Password
|
||
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
|
||
+ - var_password_pam_ucredit=1
|
||
+ - accounts_password_pam_ucredit
|
||
+
|
||
+ ## Require at Least 1 Lowercase Character in Password
|
||
+ ## IA-5(1)(a) / FMT_MOF_EXT.1
|
||
+ - var_password_pam_lcredit=1
|
||
+ - accounts_password_pam_lcredit
|
||
+
|
||
+ ## Enable Screen Lock
|
||
+ ## FMT_MOF_EXT.1
|
||
+ - package_tmux_installed
|
||
+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
|
||
+# - no_tmux_in_shells # not supported in RHEL9 ATM
|
||
+# - configure_tmux_lock_command # not supported in RHEL9 ATM
|
||
+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
|
||
+
|
||
+ ## Set Screen Lock Timeout Period to 30 Minutes or Less
|
||
+ ## AC-11(a) / FMT_MOF_EXT.1
|
||
+ ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
|
||
+ - sshd_idle_timeout_value=14_minutes
|
||
+ - sshd_set_idle_timeout
|
||
+
|
||
+ ## Disable Unauthenticated Login (such as Guest Accounts)
|
||
+ ## FIA_UAU.1
|
||
+ - require_singleuser_auth
|
||
+# - grub2_disable_interactive_boot # not supported in RHEL9 ATM
|
||
+# - grub2_uefi_password # not supported in RHEL9 ATM
|
||
+ - no_empty_passwords
|
||
+
|
||
+ ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes
|
||
+ ## AC-7 / FIA_AFL.1
|
||
+ - var_accounts_passwords_pam_faillock_deny=3
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
||
+ - accounts_passwords_pam_faillock_interval
|
||
+ - var_accounts_passwords_pam_faillock_unlock_time=never
|
||
+ - accounts_passwords_pam_faillock_unlock_time
|
||
+
|
||
+ ## Enable Host-Based Firewall
|
||
+ ## SC-7(12) / FMT_MOF_EXT.1
|
||
+ - service_firewalld_enabled
|
||
+
|
||
+ ## Configure Name/Addres of Remote Management Server
|
||
+ ## From Which to Receive Config Settings
|
||
+ ## CM-3(3) / FMT_MOF_EXT.1
|
||
+
|
||
+ ## Configure the System to Offload Audit Records to a Log
|
||
+ ## Server
|
||
+ ## AU-4(1) / FAU_GEN.1.1.c
|
||
+ # temporarily dropped
|
||
+
|
||
+ ## Set Logon Warning Banner
|
||
+ ## AC-8(a) / FMT_MOF_EXT.1
|
||
+
|
||
+ ## Audit All Logons (Success/Failure) and Logoffs (Success)
|
||
+ ## CNSSI 1253 Value or DoD-Specific Values:
|
||
+ ## (1) Logons (Success/Failure)
|
||
+ ## (2) Logoffs (Success)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+
|
||
+ ## Audit File and Object Events (Unsuccessful)
|
||
+ ## CNSSI 1253 Value or DoD-specific Values:
|
||
+ ## (1) Create (Success/Failure)
|
||
+ ## (2) Access (Success/Failure)
|
||
+ ## (3) Delete (Sucess/Failure)
|
||
+ ## (4) Modify (Success/Failure)
|
||
+ ## (5) Permission Modification (Sucess/Failure)
|
||
+ ## (6) Ownership Modification (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ ##
|
||
+ ##
|
||
+ ## (1) Create (Success/Failure)
|
||
+ ## (open with O_CREAT)
|
||
+ ## (2) Access (Success/Failure)
|
||
+ ## (3) Delete (Success/Failure)
|
||
+ ## (4) Modify (Success/Failure)
|
||
+ ## (5) Permission Modification (Success/Failure)
|
||
+ ## (6) Ownership Modification (Success/Failure)
|
||
+
|
||
+ ## Audit User and Group Management Events (Success/Failure)
|
||
+ ## CNSSI 1253 Value or DoD-specific Values:
|
||
+ ## (1) User add, delete, modify, disable, enable (Success/Failure)
|
||
+ ## (2) Group/Role add, delete, modify (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ ##
|
||
+ ## Generic User and Group Management Events (Success/Failure)
|
||
+ ## Selection of setuid programs that relate to
|
||
+ ## user accounts.
|
||
+ ##
|
||
+ ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
|
||
+ ##
|
||
+ ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
|
||
+ ##
|
||
+ ## Audit Privilege or Role Escalation Events (Success/Failure)
|
||
+ ## CNSSI 1253 Value or DoD-specific Values:
|
||
+ ## - Privilege/Role escalation (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ ## Audit All Audit and Log Data Accesses (Success/Failure)
|
||
+ ## CNSSI 1253 Value or DoD-specific Values:
|
||
+ ## - Audit and log data access (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ ## Audit Cryptographic Verification of Software (Success/Failure)
|
||
+ ## CNSSI 1253 Value or DoD-specific Values:
|
||
+ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
|
||
+ ## etc) initialization (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
|
||
+ ## AU-2(a) / FAU_GEN.1.1.c
|
||
+ - audit_basic_configuration
|
||
+ - audit_immutable_login_uids
|
||
+ - audit_create_failed
|
||
+ - audit_create_success
|
||
+ - audit_modify_failed
|
||
+ - audit_modify_success
|
||
+ - audit_access_failed
|
||
+ - audit_access_success
|
||
+ - audit_delete_failed
|
||
+ - audit_delete_success
|
||
+ - audit_perm_change_failed
|
||
+ - audit_perm_change_success
|
||
+ - audit_owner_change_failed
|
||
+ - audit_owner_change_success
|
||
+ - audit_ospp_general
|
||
+ - audit_module_load
|
||
+
|
||
+ ## Enable Automatic Software Updates
|
||
+ ## SI-2 / FMT_MOF_EXT.1
|
||
+ # Configure dnf-automatic to Install Only Security Updates
|
||
+ - dnf-automatic_security_updates_only
|
||
+
|
||
+ # Configure dnf-automatic to Install Available Updates Automatically
|
||
+ - dnf-automatic_apply_updates
|
||
+
|
||
+ # Enable dnf-automatic Timer
|
||
+ - timer_dnf-automatic_enabled
|
||
+
|
||
+ # Configure TLS for remote logging
|
||
+ - rsyslog_remote_tls
|
||
+ - rsyslog_remote_tls_cacert
|
||
+
|
||
+ # Prevent Kerberos use by system daemons
|
||
+ - kerberos_disable_no_keytab
|
||
+
|
||
+ # set ssh client rekey limit
|
||
+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
|
||
+ - var_ssh_client_rekey_limit_size=1G
|
||
+ - var_ssh_client_rekey_limit_time=1hour
|
||
+
|
||
+# configure ssh client to use strong entropy
|
||
+# - ssh_client_use_strong_rng_sh # not supported in RHEL9 ATM
|
||
+# - ssh_client_use_strong_rng_csh # not supported in RHEL9 ATM
|
||
+
|
||
+ # zIPl specific rules
|
||
+ - zipl_bls_entries_only
|
||
+ - zipl_bootmap_is_up_to_date
|
||
+ - zipl_audit_argument
|
||
+ - zipl_audit_backlog_limit_argument
|
||
+ - zipl_slub_debug_argument
|
||
+ - zipl_page_poison_argument
|
||
+ - zipl_vsyscall_argument
|
||
+ - zipl_vsyscall_argument.role=unscored
|
||
+ - zipl_vsyscall_argument.severity=info
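Review bot: Under "Enable Screen Lock" only `package_tmux_installed` stays active, because the four rules that start tmux and set its lock command and timeout are commented out, so nothing in this profile locks an idle session. The comment a few lines below still says the sshd timeout is deliberately set one minute before the tmux lock timeout, which no longer describes anything the profile enforces. Likewise `var_ssh_client_rekey_limit_size=1G` and `var_ssh_client_rekey_limit_time=1hour` are kept while `ssh_client_rekey_limit` is disabled, so the variables are set with no rule reading them (assuming no other selected rule uses them). I would add `## NOTE: session lock (FMT_MOF_EXT.1) is not enforced on RHEL9 until the tmux rules are ported` above `package_tmux_installed`, and comment out the two orphaned variables along with their rule.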
|
||
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
|
||
index 3ad218b5a0d..966b2d5e1d8 100644
|
||
--- a/rhel9/profiles/pci-dss.profile
|
||
+++ b/rhel9/profiles/pci-dss.profile
|
||
@@ -6,14 +6,142 @@ metadata:
|
||
|
||
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
|
||
|
||
-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
|
||
+title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
|
||
|
||
description: |-
|
||
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
|
||
|
||
selections:
|
||
- # selections are empty because almost no rules are applicable for RHEL9
|
||
- - package_rsyslog_installed
|
||
+ - var_password_pam_unix_remember=4
|
||
+ - var_account_disable_post_pw_expiration=90
|
||
+ - var_accounts_passwords_pam_faillock_deny=6
|
||
+ - var_accounts_passwords_pam_faillock_unlock_time=1800
|
||
+ - sshd_idle_timeout_value=15_minutes
|
||
+ - var_password_pam_minlen=7
|
||
+ - var_password_pam_minclass=2
|
||
+ - var_accounts_maximum_age_login_defs=90
|
||
+ - var_auditd_num_logs=5
|
||
+ - service_auditd_enabled
|
||
+ - grub2_audit_argument
|
||
+ - auditd_data_retention_num_logs
|
||
+ - auditd_data_retention_max_log_file
|
||
+ - auditd_data_retention_max_log_file_action
|
||
+ - auditd_data_retention_space_left_action
|
||
+ - auditd_data_retention_admin_space_left_action
|
||
+ - auditd_data_retention_action_mail_acct
|
||
+ - package_audispd-plugins_installed
|
||
+ - auditd_audispd_syslog_plugin_activated
|
||
+ - audit_rules_time_adjtimex
|
||
+ - audit_rules_time_settimeofday
|
||
+ - audit_rules_time_stime
|
||
+ - audit_rules_time_clock_settime
|
||
+ - audit_rules_time_watch_localtime
|
||
+ - audit_rules_usergroup_modification_group
|
||
+ - audit_rules_usergroup_modification_gshadow
|
||
+ - audit_rules_usergroup_modification_opasswd
|
||
+ - audit_rules_usergroup_modification_passwd
|
||
+ - audit_rules_usergroup_modification_shadow
|
||
+ - audit_rules_networkconfig_modification
|
||
+ - file_permissions_var_log_audit
|
||
+ - file_ownership_var_log_audit
|
||
+ - audit_rules_mac_modification
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_dac_modification_fchmod
|
||
+ - audit_rules_dac_modification_fchmodat
|
||
+ - audit_rules_dac_modification_fchown
|
||
+ - audit_rules_dac_modification_fchownat
|
||
+ - audit_rules_dac_modification_fremovexattr
|
||
+ - audit_rules_dac_modification_fsetxattr
|
||
+ - audit_rules_dac_modification_lchown
|
||
+ - audit_rules_dac_modification_lremovexattr
|
||
+ - audit_rules_dac_modification_lsetxattr
|
||
+ - audit_rules_dac_modification_removexattr
|
||
+ - audit_rules_dac_modification_setxattr
|
||
+ - audit_rules_login_events
|
||
+ - audit_rules_session_events
|
||
+ - audit_rules_unsuccessful_file_modification_creat
|
||
+ - audit_rules_unsuccessful_file_modification_ftruncate
|
||
+ - audit_rules_unsuccessful_file_modification_open
|
||
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||
+ - audit_rules_unsuccessful_file_modification_openat
|
||
+ - audit_rules_unsuccessful_file_modification_truncate
|
||
+ - audit_rules_privileged_commands
|
||
+ - audit_rules_media_export
|
||
+ - audit_rules_file_deletion_events_rename
|
||
+ - audit_rules_file_deletion_events_renameat
|
||
+ - audit_rules_file_deletion_events_rmdir
|
||
+ - audit_rules_file_deletion_events_unlink
|
||
+ - audit_rules_file_deletion_events_unlinkat
|
||
+ - audit_rules_sysadmin_actions
|
||
+ - audit_rules_kernel_module_loading_delete
|
||
+ - audit_rules_kernel_module_loading_finit
|
||
+ - audit_rules_kernel_module_loading_init
|
||
+ - audit_rules_immutable
|
||
+ - var_multiple_time_servers=rhel
|
||
+# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
|
||
+# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
|
||
+# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
|
||
+ - rpm_verify_permissions
|
||
+ - rpm_verify_hashes
|
||
+# - install_hids # not supported in RHEL9 ATM
|
||
- rsyslog_files_permissions
|
||
- rsyslog_files_ownership
|
||
- rsyslog_files_groupownership
|
||
+ - ensure_logrotate_activated
|
||
+ - package_aide_installed
|
||
+ - aide_build_database
|
||
+ - aide_periodic_cron_checking
|
||
+ - account_unique_name
|
||
+ - gid_passwd_group_same
|
||
+ - accounts_password_all_shadowed
|
||
+ - no_empty_passwords
|
||
+ - display_login_attempts
|
||
+ - account_disable_post_pw_expiration
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+ - accounts_passwords_pam_faillock_unlock_time
|
||
+# - dconf_db_up_to_date # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_idle_activation_enabled # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_screensaver_mode_blank # not supported in RHEL9 ATM
|
||
+ - sshd_set_idle_timeout
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - accounts_password_pam_minlen
|
||
+ - accounts_password_pam_dcredit
|
||
+ - accounts_password_pam_ucredit
|
||
+ - accounts_password_pam_lcredit
|
||
+ - accounts_password_pam_unix_remember
|
||
+ - accounts_maximum_age_login_defs
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+ - security_patches_up_to_date
|
||
+ - package_opensc_installed
|
||
+ - var_smartcard_drivers=cac
|
||
+# - configure_opensc_card_drivers # not supported in RHEL9 ATM
|
||
+# - force_opensc_card_drivers # not supported in RHEL9 ATM
|
||
+# - package_pcsc-lite_installed # not supported in RHEL9 ATM
|
||
+# - service_pcscd_enabled # not supported in RHEL9 ATM
|
||
+# - sssd_enable_smartcards # not supported in RHEL9 ATM
|
||
+ - set_password_hashing_algorithm_systemauth
|
||
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
|
||
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
|
||
+ - file_owner_etc_shadow
|
||
+ - file_groupowner_etc_shadow
|
||
+ - file_permissions_etc_shadow
|
||
+ - file_owner_etc_group
|
||
+ - file_groupowner_etc_group
|
||
+ - file_permissions_etc_group
|
||
+ - file_owner_etc_passwd
|
||
+ - file_groupowner_etc_passwd
|
||
+ - file_permissions_etc_passwd
|
||
+ - file_owner_grub2_cfg
|
||
+ - file_groupowner_grub2_cfg
|
||
+ - package_libreswan_installed
|
||
+ - configure_crypto_policy
|
||
+ - configure_bind_crypto_policy
|
||
+ - configure_openssl_crypto_policy
|
||
+ - configure_libreswan_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+ - configure_kerberos_crypto_policy
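Review bot: `package_rsyslog_installed` is removed from the selections and does not reappear anywhere in the new list, while the three `rsyslog_files_*` rules stay and `auditd_audispd_syslog_plugin_activated` is added. Unless the build pulls the package rule in some other way, the profile no longer checks that a system logger is present, and the file-permission checks and the audit-to-syslog forwarding both presuppose one. I would keep `- package_rsyslog_installed` directly ahead of `- rsyslog_files_permissions`.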
|
||
diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
|
||
new file mode 100644
|
||
index 00000000000..3b734c2b2c5
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/rht-ccp.profile
|
||
@@ -0,0 +1,100 @@
|
||
+documentation_complete: true
|
||
+
|
||
+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||
+
|
||
+description: |-
|
||
+ This profile contains the minimum security relevant
|
||
+ configuration settings recommended by Red Hat, Inc for
|
||
+ Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
|
||
+ Cloud Providers.
|
||
+
|
||
+selections:
|
||
+ - var_selinux_state=enforcing
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - file_owner_logfiles_value=root
|
||
+ - file_groupowner_logfiles_value=root
|
||
+ - sshd_idle_timeout_value=5_minutes
|
||
+ - var_accounts_password_minlen_login_defs=6
|
||
+ - var_accounts_minimum_age_login_defs=7
|
||
+ - var_accounts_passwords_pam_faillock_deny=5
|
||
+ - var_accounts_password_warn_age_login_defs=7
|
||
+ - var_password_pam_retry=3
|
||
+ - var_password_pam_dcredit=1
|
||
+ - var_password_pam_ucredit=2
|
||
+ - var_password_pam_ocredit=2
|
||
+ - var_password_pam_lcredit=2
|
||
+ - var_password_pam_difok=3
|
||
+ - var_password_pam_unix_remember=5
|
||
+ - var_accounts_user_umask=077
|
||
+ - login_banner_text=usgcb_default
|
||
+ - partition_for_tmp
|
||
+ - partition_for_var
|
||
+ - partition_for_var_log
|
||
+ - partition_for_var_log_audit
|
||
+ - selinux_state
|
||
+ - selinux_policytype
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - security_patches_up_to_date
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - ensure_gpgcheck_never_disabled
|
||
+ - package_aide_installed
|
||
+ - accounts_password_pam_unix_remember
|
||
+ - no_shelllogin_for_systemaccounts
|
||
+ - no_empty_passwords
|
||
+ - accounts_password_all_shadowed
|
||
+ - accounts_no_uid_except_zero
|
||
+ - accounts_password_minlen_login_defs
|
||
+ - accounts_minimum_age_login_defs
|
||
+ - accounts_password_warn_age_login_defs
|
||
+ - accounts_password_pam_retry
|
||
+ - accounts_password_pam_dcredit
|
||
+ - accounts_password_pam_ucredit
|
||
+ - accounts_password_pam_ocredit
|
||
+ - accounts_password_pam_lcredit
|
||
+ - accounts_password_pam_difok
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+ - set_password_hashing_algorithm_systemauth
|
||
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
|
||
+# - set_password_hashing_algorithm_libuserconf # not supported in RHEL9 ATM
|
||
+ - require_singleuser_auth
|
||
+ - file_owner_etc_shadow
|
||
+ - file_groupowner_etc_shadow
|
||
+ - file_permissions_etc_shadow
|
||
+ - file_owner_etc_gshadow
|
||
+ - file_groupowner_etc_gshadow
|
||
+ - file_permissions_etc_gshadow
|
||
+ - file_owner_etc_passwd
|
||
+ - file_groupowner_etc_passwd
|
||
+ - file_permissions_etc_passwd
|
||
+ - file_owner_etc_group
|
||
+ - file_groupowner_etc_group
|
||
+ - file_permissions_etc_group
|
||
+ - file_permissions_library_dirs
|
||
+ - file_ownership_library_dirs
|
||
+ - file_permissions_binary_dirs
|
||
+ - file_ownership_binary_dirs
|
||
+ - file_permissions_var_log_audit
|
||
+ - file_owner_grub2_cfg
|
||
+ - file_groupowner_grub2_cfg
|
||
+ - file_permissions_grub2_cfg
|
||
+ - grub2_password
|
||
+ - kernel_module_dccp_disabled
|
||
+ - kernel_module_sctp_disabled
|
||
+ - service_firewalld_enabled
|
||
+ - set_firewalld_default_zone
|
||
+# - firewalld_sshd_port_enabled # not supported in RHEL9 ATM
|
||
+ - service_abrtd_disabled
|
||
+ - service_telnet_disabled
|
||
+ - package_telnet-server_removed
|
||
+ - package_telnet_removed
|
||
+ - sshd_allow_only_protocol2
|
||
+ - sshd_set_idle_timeout
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - disable_host_auth
|
||
+ - sshd_disable_root_login
|
||
+ - sshd_disable_empty_passwords
|
||
+ - sshd_enable_warning_banner
|
||
+ - sshd_do_not_permit_user_env
|
||
+ - var_system_crypto_policy=fips
|
||
+ - configure_crypto_policy
|
||
+ - configure_ssh_crypto_policy
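Review bot: The minimum password length is set only through `var_accounts_password_minlen_login_defs=6` and `accounts_password_minlen_login_defs`; no `accounts_password_pam_minlen` rule is selected, although the other pwquality rules (retry, dcredit, ucredit, ocredit, lcredit, difok) are. As far as I know the login.defs value is not consulted when a password is changed through PAM, so the length requirement may not be enforced on a default install, and six characters is short for a cloud-provider baseline in any case. I would add `- accounts_password_pam_minlen` together with a `var_password_pam_minlen=` line carrying the length the RH CCP baseline calls for.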
|
||
diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
|
||
new file mode 100644
|
||
index 00000000000..a63ae2cf328
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/standard.profile
|
||
@@ -0,0 +1,67 @@
|
||
+documentation_complete: true
|
||
+
|
||
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||
+
|
||
+description: |-
|
||
+ This profile contains rules to ensure standard security baseline
|
||
+ of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
|
||
+ all of these checks should pass.
|
||
+
|
||
+selections:
|
||
+ - ensure_redhat_gpgkey_installed
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+ - rpm_verify_permissions
|
||
+ - rpm_verify_hashes
|
||
+ - security_patches_up_to_date
|
||
+ - no_empty_passwords
|
||
+ - file_permissions_unauthorized_sgid
|
||
+ - file_permissions_unauthorized_suid
|
||
+ - file_permissions_unauthorized_world_writable
|
||
+ - accounts_root_path_dirs_no_write
|
||
+ - dir_perms_world_writable_sticky_bits
|
||
+ - mount_option_dev_shm_nodev
|
||
+ - mount_option_dev_shm_nosuid
|
||
+ - partition_for_var_log
|
||
+ - partition_for_var_log_audit
|
||
+ - package_rsyslog_installed
|
||
+ - service_rsyslog_enabled
|
||
+ - audit_rules_time_adjtimex
|
||
+ - audit_rules_time_settimeofday
|
||
+ - audit_rules_time_stime
|
||
+ - audit_rules_time_clock_settime
|
||
+ - audit_rules_time_watch_localtime
|
||
+ - audit_rules_usergroup_modification
|
||
+ - audit_rules_networkconfig_modification
|
||
+ - audit_rules_mac_modification
|
||
+ - audit_rules_dac_modification_chmod
|
||
+ - audit_rules_dac_modification_chown
|
||
+ - audit_rules_dac_modification_fchmod
|
||
+ - audit_rules_dac_modification_fchmodat
|
||
+ - audit_rules_dac_modification_fchown
|
||
+ - audit_rules_dac_modification_fchownat
|
||
+ - audit_rules_dac_modification_fremovexattr
|
||
+ - audit_rules_dac_modification_fsetxattr
|
||
+ - audit_rules_dac_modification_lchown
|
||
+ - audit_rules_dac_modification_lremovexattr
|
||
+ - audit_rules_dac_modification_lsetxattr
|
||
+ - audit_rules_dac_modification_removexattr
|
||
+ - audit_rules_dac_modification_setxattr
|
||
+ - audit_rules_unsuccessful_file_modification
|
||
+ - audit_rules_privileged_commands
|
||
+ - audit_rules_media_export
|
||
+ - audit_rules_file_deletion_events
|
||
+ - audit_rules_sysadmin_actions
|
||
+ - audit_rules_kernel_module_loading
|
||
+ - service_abrtd_disabled
|
||
+ - service_atd_disabled
|
||
+ - service_autofs_disabled
|
||
+ - service_ntpdate_disabled
|
||
+ - service_oddjobd_disabled
|
||
+ - service_qpidd_disabled
|
||
+ - service_rdisc_disabled
|
||
+ - configure_crypto_policy
|
||
+ - configure_bind_crypto_policy
|
||
+ - configure_openssl_crypto_policy
|
||
+ - configure_libreswan_crypto_policy
|
||
+ - configure_ssh_crypto_policy
|
||
+ - configure_kerberos_crypto_policy
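Review bot: `configure_crypto_policy` and the five per-component `configure_*_crypto_policy` rules at the end of `selections` are chosen without any `var_system_crypto_policy=...` entry. The policy this profile actually checks for is therefore whatever the variable's default is, and that default is not visible in this patch. The preceding profile in this patch and `stig.profile` both pin it explicitly with `- var_system_crypto_policy=fips`, so the omission here reads as accidental. If the default is intended, say so next to the rules, e.g. `# var_system_crypto_policy is intentionally left at its default`, so that a later change to the default does not silently change what this baseline enforces.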
|
||
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
|
||
new file mode 100644
|
||
index 00000000000..50548f7e8eb
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/stig.profile
|
||
@@ -0,0 +1,1069 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: V1R2
|
||
+ SMEs:
|
||
+ - carlosmmatos
|
||
+
|
||
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||
+
|
||
+title: 'DISA STIG for Red Hat Enterprise Linux 8'
|
||
+
|
||
+description: |-
|
||
+ This profile contains configuration checks that align to the
|
||
+ DISA STIG for Red Hat Enterprise Linux 8 V1R2.
|
||
+
|
||
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
+ configuration baseline as applicable to the operating system tier of
|
||
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
|
||
+
|
||
+ - Red Hat Enterprise Linux Server
|
||
+ - Red Hat Enterprise Linux Workstation and Desktop
|
||
+ - Red Hat Enterprise Linux for HPC
|
||
+ - Red Hat Storage
|
||
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
|
||
+
|
||
+selections:
|
||
+ ### Variables
|
||
+ - var_rekey_limit_size=1G
|
||
+ - var_rekey_limit_time=1hour
|
||
+ - var_accounts_user_umask=077
|
||
+ - var_password_pam_difok=8
|
||
+ - var_password_pam_maxrepeat=3
|
||
+ - var_sshd_disable_compression=no
|
||
+ - var_password_hashing_algorithm=SHA512
|
||
+ - var_password_pam_maxclassrepeat=4
|
||
+ - var_password_pam_minclass=4
|
||
+ - var_accounts_minimum_age_login_defs=1
|
||
+ - var_accounts_max_concurrent_login_sessions=10
|
||
+ - var_password_pam_unix_remember=5
|
||
+ - var_selinux_state=enforcing
|
||
+ - var_selinux_policy_name=targeted
|
||
+ - var_accounts_password_minlen_login_defs=15
|
||
+ - var_password_pam_unix_rounds=5000
|
||
+ - var_password_pam_minlen=15
|
||
+ - var_password_pam_ocredit=1
|
||
+ - var_password_pam_dcredit=1
|
||
+ - var_password_pam_ucredit=1
|
||
+ - var_password_pam_lcredit=1
|
||
+ - var_password_pam_retry=3
|
||
+ - var_password_pam_minlen=15
|
||
+ - var_sshd_set_keepalive=0
|
||
+ - sshd_idle_timeout_value=10_minutes
|
||
+ - var_accounts_passwords_pam_faillock_deny=3
|
||
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
||
+ - var_accounts_passwords_pam_faillock_unlock_time=never
|
||
+ - var_ssh_client_rekey_limit_size=1G
|
||
+ - var_ssh_client_rekey_limit_time=1hour
|
||
+ - var_accounts_fail_delay=4
|
||
+ - var_account_disable_post_pw_expiration=35
|
||
+ - var_auditd_action_mail_acct=root
|
||
+ - var_time_service_set_maxpoll=18_hours
|
||
+ - var_accounts_maximum_age_login_defs=60
|
||
+ - var_auditd_space_left=250MB
|
||
+ - var_auditd_space_left_action=email
|
||
+ - var_auditd_disk_error_action=halt
|
||
+ - var_auditd_max_log_file_action=syslog
|
||
+ - var_auditd_disk_full_action=halt
|
||
+
|
||
+ ### Enable / Configure FIPS
|
||
+# - enable_fips_mode # not supported in RHEL9 ATM
|
||
+ - var_system_crypto_policy=fips
|
||
+ - configure_crypto_policy
|
||
+ - configure_bind_crypto_policy
|
||
+ - configure_libreswan_crypto_policy
|
||
+ - configure_kerberos_crypto_policy
|
||
+# - enable_dracut_fips_module # not supported in RHEL9 ATM
|
||
+
|
||
+ ### Rules:
|
||
+ # RHEL-08-010070
|
||
+ - installed_OS_is_vendor_supported
|
||
+
|
||
+ # RHEL-08-010010
|
||
+ - security_patches_up_to_date
|
||
+
|
||
+ # RHEL-08-010020
|
||
+ - sysctl_crypto_fips_enabled
|
||
+
|
||
+ # RHEL-08-010030
|
||
+ - encrypt_partitions
|
||
+
|
||
+ # RHEL-08-010040
|
||
+ - sshd_enable_warning_banner
|
||
+
|
||
+ # RHEL-08-010050
|
||
+# - dconf_gnome_banner_enabled # not supported in RHEL9 ATM
|
||
+# - dconf_gnome_login_banner_text # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010060
|
||
+ - banner_etc_issue
|
||
+
|
||
+ # RHEL-08-010070
|
||
+
|
||
+ # RHEL-08-010090
|
||
+
|
||
+ # RHEL-08-010100
|
||
+
|
||
+ # RHEL-08-010110
|
||
+# - set_password_hashing_algorithm_logindefs # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010120
|
||
+
|
||
+ # RHEL-08-010130
|
||
+ - accounts_password_pam_unix_rounds_system_auth
|
||
+ - accounts_password_pam_unix_rounds_password_auth
|
||
+
|
||
+ # RHEL-08-010140
|
||
+# - grub2_uefi_password # not supported in RHEL9 ATM
|
||
+# - grub2_uefi_admin_username # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010150
|
||
+ - grub2_password
|
||
+# - grub2_admin_username # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010151
|
||
+ - require_singleuser_auth
|
||
+ - require_emergency_target_auth
|
||
+
|
||
+ # RHEL-08-010152
|
||
+ # To be released in V1R3
|
||
+ # - require_emergency_target_auth
|
||
+
|
||
+ # RHEL-08-010160
|
||
+ - set_password_hashing_algorithm_systemauth
|
||
+
|
||
+ # RHEL-08-010161
|
||
+ - kerberos_disable_no_keytab
|
||
+
|
||
+ # RHEL-08-010162
|
||
+ - package_krb5-workstation_removed
|
||
+
|
||
+ # RHEL-08-010170
|
||
+ - selinux_state
|
||
+
|
||
+ # RHEL-08-010171
|
||
+ - package_policycoreutils_installed
|
||
+
|
||
+ # RHEL-08-010180
|
||
+
|
||
+ # RHEL-08-010190
|
||
+ - dir_perms_world_writable_sticky_bits
|
||
+
|
||
+ # RHEL-08-010200
|
||
+ - sshd_set_idle_timeout
|
||
+
|
||
+ # RHEL-08-010210
|
||
+ - file_permissions_var_log_messages
|
||
+
|
||
+ # RHEL-08-010220
|
||
+ - file_owner_var_log_messages
|
||
+
|
||
+ # RHEL-08-010230
|
||
+ - file_groupowner_var_log_messages
|
||
+
|
||
+ # RHEL-08-010240
|
||
+ - file_permissions_var_log
|
||
+
|
||
+ # RHEL-08-010250
|
||
+ - file_owner_var_log
|
||
+
|
||
+ # RHEL-08-010260
|
||
+ - file_groupowner_var_log
|
||
+
|
||
+ # RHEL-08-010290 && RHEL-08-010291
|
||
+ ### NOTE: This will get split out in future STIG releases, as well as we will break
|
||
+ ### these rules up to be more flexible in meeting the requirements.
|
||
+ - configure_ssh_crypto_policy
|
||
+
|
||
+ # RHEL-08-010292
|
||
+# - sshd_use_strong_rng # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010293
|
||
+ - configure_openssl_crypto_policy
|
||
+
|
||
+ # RHEL-08-010294
|
||
+ - configure_openssl_tls_crypto_policy
|
||
+
|
||
+ # RHEL-08-010295
|
||
+# - configure_gnutls_tls_crypto_policy # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010300
|
||
+ - file_permissions_binary_dirs
|
||
+
|
||
+ # RHEL-08-010310
|
||
+ - file_ownership_binary_dirs
|
||
+
|
||
+ # RHEL-08-010320
|
||
+
|
||
+ # RHEL-08-010330
|
||
+ - file_permissions_library_dirs
|
||
+
|
||
+ # RHEL-08-010340
|
||
+ - file_ownership_library_dirs
|
||
+
|
||
+ # RHEL-08-010350
|
||
+
|
||
+ # RHEL-08-010360
|
||
+ - package_aide_installed
|
||
+ - aide_scan_notification
|
||
+
|
||
+ # RHEL-08-010370
|
||
+ - ensure_gpgcheck_globally_activated
|
||
+
|
||
+ # RHEL-08-010371
|
||
+ - ensure_gpgcheck_local_packages
|
||
+
|
||
+ # RHEL-08-010372
|
||
+ - sysctl_kernel_kexec_load_disabled
|
||
+
|
||
+ # RHEL-08-010373
|
||
+ - sysctl_fs_protected_symlinks
|
||
+
|
||
+ # RHEL-08-010374
|
||
+ - sysctl_fs_protected_hardlinks
|
||
+
|
||
+ # RHEL-08-010375
|
||
+ - sysctl_kernel_dmesg_restrict
|
||
+
|
||
+ # RHEL-08-010376
|
||
+ - sysctl_kernel_perf_event_paranoid
|
||
+
|
||
+ # RHEL-08-010380
|
||
+ - sudo_remove_nopasswd
|
||
+
|
||
+ # RHEL-08-010381
|
||
+ - sudo_remove_no_authenticate
|
||
+
|
||
+ # RHEL-08-010382
|
||
+ - sudo_restrict_privilege_elevation_to_authorized
|
||
+
|
||
+ # RHEL-08-010383
|
||
+ - sudoers_validate_passwd
|
||
+
|
||
+ # RHEL-08-010390
|
||
+ - install_smartcard_packages
|
||
+
|
||
+ # RHEL-08-010400
|
||
+
|
||
+ # RHEL-08-010410
|
||
+ - package_opensc_installed
|
||
+
|
||
+ # RHEL-08-010420
|
||
+
|
||
+ # RHEL-08-010421
|
||
+ - grub2_page_poison_argument
|
||
+
|
||
+ # RHEL-08-010422
|
||
+ - grub2_vsyscall_argument
|
||
+
|
||
+ # RHEL-08-010423
|
||
+ - grub2_slub_debug_argument
|
||
+
|
||
+ # RHEL-08-010430
|
||
+ - sysctl_kernel_randomize_va_space
|
||
+
|
||
+ # RHEL-08-010440
|
||
+ - clean_components_post_updating
|
||
+
|
||
+ # RHEL-08-010450
|
||
+ - selinux_policytype
|
||
+
|
||
+ # RHEL-08-010460
|
||
+# - no_host_based_files # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010470
|
||
+# - no_user_host_based_files # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010471
|
||
+ - service_rngd_enabled
|
||
+ - package_rng-tools_installed
|
||
+
|
||
+ # RHEL-08-010480
|
||
+ - file_permissions_sshd_pub_key
|
||
+
|
||
+ # RHEL-08-010490
|
||
+ - file_permissions_sshd_private_key
|
||
+
|
||
+ # RHEL-08-010500
|
||
+ - sshd_enable_strictmodes
|
||
+
|
||
+ # RHEL-08-010510
|
||
+ - sshd_disable_compression
|
||
+
|
||
+ # RHEL-08-010520
|
||
+ - sshd_disable_user_known_hosts
|
||
+
|
||
+ # RHEL-08-010521
|
||
+ - sshd_disable_kerb_auth
|
||
+ - sshd_disable_gssapi_auth
|
||
+
|
||
+ # RHEL-08-010540
|
||
+ - partition_for_var
|
||
+
|
||
+ # RHEL-08-010541
|
||
+ - partition_for_var_log
|
||
+
|
||
+ # RHEL-08-010542
|
||
+ - partition_for_var_log_audit
|
||
+
|
||
+ # RHEL-08-010543
|
||
+ - partition_for_tmp
|
||
+
|
||
+ # RHEL-08-010544
|
||
+ ### NOTE: Will probably show up in V1R3 - Q3 of 21'
|
||
+ - partition_for_var_tmp
|
||
+
|
||
+ # RHEL-08-010550
|
||
+ - sshd_disable_root_login
|
||
+
|
||
+ # RHEL-08-010560
|
||
+ - service_auditd_enabled
|
||
+
|
||
+ # RHEL-08-010561
|
||
+ - service_rsyslog_enabled
|
||
+
|
||
+ # RHEL-08-010570
|
||
+ - mount_option_home_nosuid
|
||
+
|
||
+ # RHEL-08-010571
|
||
+ - mount_option_boot_nosuid
|
||
+
|
||
+ # RHEL-08-010580
|
||
+ - mount_option_nodev_nonroot_local_partitions
|
||
+
|
||
+ # RHEL-08-010590
|
||
+
|
||
+ # RHEL-08-010600
|
||
+ - mount_option_nodev_removable_partitions
|
||
+
|
||
+ # RHEL-08-010610
|
||
+ - mount_option_noexec_removable_partitions
|
||
+
|
||
+ # RHEL-08-010620
|
||
+ - mount_option_nosuid_removable_partitions
|
||
+
|
||
+ # RHEL-08-010630
|
||
+ - mount_option_noexec_remote_filesystems
|
||
+
|
||
+ # RHEL-08-010640
|
||
+ - mount_option_nodev_remote_filesystems
|
||
+
|
||
+ # RHEL-08-010650
|
||
+ - mount_option_nosuid_remote_filesystems
|
||
+
|
||
+ # RHEL-08-010660
|
||
+# - accounts_user_dot_no_world_writable_programs # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010670
|
||
+ - service_kdump_disabled
|
||
+
|
||
+ # RHEL-08-010671
|
||
+ - sysctl_kernel_core_pattern
|
||
+
|
||
+ # RHEL-08-010672
|
||
+ - service_systemd-coredump_disabled
|
||
+
|
||
+ # RHEL-08-010673
|
||
+ - disable_users_coredumps
|
||
+
|
||
+ # RHEL-08-010674
|
||
+# - coredump_disable_storage
|
||
+
|
||
+ # RHEL-08-010675
|
||
+# - coredump_disable_backtraces
|
||
+
|
||
+ # RHEL-08-010680
|
||
+# - network_configure_name_resolution # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010690
|
||
+# - accounts_user_home_paths_only # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010700
|
||
+ - dir_perms_world_writable_root_owned
|
||
+
|
||
+ # RHEL-08-010710
|
||
+
|
||
+ # RHEL-08-010720
|
||
+# - accounts_user_interactive_home_directory_defined # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010730
|
||
+ - file_permissions_home_directories
|
||
+
|
||
+ # RHEL-08-010740
|
||
+ - file_groupownership_home_directories
|
||
+
|
||
+ # RHEL-08-010750
|
||
+ - accounts_user_interactive_home_directory_exists
|
||
+
|
||
+ # RHEL-08-010760
|
||
+# - accounts_have_homedir_login_defs # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010770
|
||
+ - file_permission_user_init_files
|
||
+
|
||
+ # RHEL-08-010780
|
||
+ - no_files_unowned_by_user
|
||
+
|
||
+ # RHEL-08-010790
|
||
+ - file_permissions_ungroupowned
|
||
+
|
||
+ # RHEL-08-010800
|
||
+ - partition_for_home
|
||
+
|
||
+ # RHEL-08-010820
|
||
+# - gnome_gdm_disable_automatic_login # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-010830
|
||
+ - sshd_do_not_permit_user_env
|
||
+
|
||
+ # RHEL-08-020000
|
||
+# - account_temp_expire_date # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020010
|
||
+ - accounts_passwords_pam_faillock_deny
|
||
+
|
||
+ # RHEL-08-020011
|
||
+
|
||
+ # RHEL-08-020012
|
||
+ - accounts_passwords_pam_faillock_interval
|
||
+
|
||
+ # RHEL-08-020013
|
||
+
|
||
+ # RHEL-08-020014
|
||
+ - accounts_passwords_pam_faillock_unlock_time
|
||
+
|
||
+ # RHEL-08-020015
|
||
+
|
||
+ # RHEL-08-020016
|
||
+
|
||
+ # RHEL-08-020017
|
||
+
|
||
+ # RHEL-08-020018
|
||
+
|
||
+ # RHEL-08-020019
|
||
+
|
||
+ # RHEL-08-020020
|
||
+
|
||
+ # RHEL-08-020021
|
||
+
|
||
+ # RHEL-08-020022
|
||
+ - accounts_passwords_pam_faillock_deny_root
|
||
+
|
||
+ # RHEL-08-020023
|
||
+
|
||
+ # RHEL-08-020024
|
||
+ - accounts_max_concurrent_login_sessions
|
||
+
|
||
+ # RHEL-08-020030
|
||
+# - dconf_gnome_screensaver_lock_enabled # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020040
|
||
+ - package_tmux_installed
|
||
+# - configure_tmux_lock_command # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020041
|
||
+# - configure_bashrc_exec_tmux # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020042
|
||
+# - no_tmux_in_shells # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020050
|
||
+# - dconf_gnome_lock_screen_on_smartcard_removal # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020060
|
||
+# - dconf_gnome_screensaver_idle_delay # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020070
|
||
+# - configure_tmux_lock_after_time # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020080
|
||
+
|
||
+ # RHEL-08-020090
|
||
+
|
||
+ # RHEL-08-020100
|
||
+ - accounts_password_pam_retry
|
||
+
|
||
+ # RHEL-08-020110
|
||
+ - accounts_password_pam_ucredit
|
||
+
|
||
+ # RHEL-08-020120
|
||
+ - accounts_password_pam_lcredit
|
||
+
|
||
+ # RHEL-08-020130
|
||
+ - accounts_password_pam_dcredit
|
||
+
|
||
+ # RHEL-08-020140
|
||
+ - accounts_password_pam_maxclassrepeat
|
||
+
|
||
+ # RHEL-08-020150
|
||
+ - accounts_password_pam_maxrepeat
|
||
+
|
||
+ # RHEL-08-020160
|
||
+ - accounts_password_pam_minclass
|
||
+
|
||
+ # RHEL-08-020170
|
||
+ - accounts_password_pam_difok
|
||
+
|
||
+ # RHEL-08-020180
|
||
+# - accounts_password_set_min_life_existing # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020190
|
||
+ - accounts_minimum_age_login_defs
|
||
+
|
||
+ # RHEL-08-020200
|
||
+ - accounts_maximum_age_login_defs
|
||
+
|
||
+ # RHEL-08-020210
|
||
+# - accounts_password_set_max_life_existing # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020220
|
||
+ - accounts_password_pam_unix_remember
|
||
+
|
||
+ # RHEL-08-020230
|
||
+ - accounts_password_pam_minlen
|
||
+
|
||
+ # RHEL-08-020231
|
||
+ - accounts_password_minlen_login_defs
|
||
+
|
||
+ # RHEL-08-020240
|
||
+
|
||
+ # RHEL-08-020250
|
||
+# - sssd_enable_smartcards # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020260
|
||
+ - account_disable_post_pw_expiration
|
||
+
|
||
+ # RHEL-08-020270
|
||
+
|
||
+ # RHEL-08-020280
|
||
+ - accounts_password_pam_ocredit
|
||
+
|
||
+ # RHEL-08-020290
|
||
+# - sssd_offline_cred_expiration # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020300
|
||
+
|
||
+ # RHEL-08-020310
|
||
+ - accounts_logon_fail_delay
|
||
+
|
||
+ # RHEL-08-020320
|
||
+ # - accounts_authorized_local_users
|
||
+
|
||
+ # RHEL-08-020330
|
||
+ - no_empty_passwords
|
||
+ - sshd_disable_empty_passwords
|
||
+
|
||
+ # RHEL-08-020340
|
||
+ - display_login_attempts
|
||
+
|
||
+ # RHEL-08-020350
|
||
+ - sshd_print_last_log
|
||
+
|
||
+ # RHEL-08-020351
|
||
+ - accounts_umask_etc_login_defs
|
||
+
|
||
+ # RHEL-08-020352
|
||
+# - accounts_umask_interactive_users # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-020353
|
||
+ - accounts_umask_etc_bashrc
|
||
+
|
||
+ # RHEL-08-030000
|
||
+# - audit_rules_suid_privilege_function # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-030010
|
||
+ - rsyslog_cron_logging
|
||
+
|
||
+ # RHEL-08-030020
|
||
+ - auditd_data_retention_action_mail_acct
|
||
+
|
||
+ # RHEL-08-030030
|
||
+ - postfix_client_configure_mail_alias
|
||
+
|
||
+ # RHEL-08-030040
|
||
+ - auditd_data_disk_error_action
|
||
+
|
||
+ # RHEL-08-030050
|
||
+ - auditd_data_retention_max_log_file_action
|
||
+
|
||
+ # RHEL-08-030060
|
||
+ - auditd_data_disk_full_action
|
||
+
|
||
+ # RHEL-08-030061
|
||
+ - auditd_local_events
|
||
+
|
||
+ # RHEL-08-030062
|
||
+ - auditd_name_format
|
||
+
|
||
+ # RHEL-08-030063
|
||
+ - auditd_log_format
|
||
+
|
||
+ # RHEL-08-030070
|
||
+ - file_permissions_var_log_audit
|
||
+
|
||
+ # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110
|
||
+ ### NOTE: These might get broken up, but currently the following
|
||
+ ### rule accounts for these STIG ID's
|
||
+ - file_ownership_var_log_audit
|
||
+
|
||
+ # RHEL-08-030120
|
||
+ - directory_permissions_var_log_audit
|
||
+
|
||
+ # *** NOTE *** #
|
||
+ # Audit rules are currently under review as to how best to approach
|
||
+ # them. We are working with DISA and our internal audit experts to
|
||
+ # provide a final solution soon.
|
||
+ # ************ #
|
||
+
|
||
+ # RHEL-08-030121
|
||
+ # - audit_rules_immutable
|
||
+
|
||
+ # RHEL-08-030122
|
||
+ # - audit_immutable_login_uids
|
||
+
|
||
+ # RHEL-08-030130
|
||
+ # - audit_rules_usergroup_modification_shadow
|
||
+
|
||
+ # RHEL-08-030140
|
||
+ # - audit_rules_usergroup_modification_opasswd
|
||
+
|
||
+ # RHEL-08-030150
|
||
+ # - audit_rules_usergroup_modification_passwd
|
||
+
|
||
+ # RHEL-08-030160
|
||
+ # - audit_rules_usergroup_modification_gshadow
|
||
+
|
||
+ # RHEL-08-030170
|
||
+ # - audit_rules_usergroup_modification_group
|
||
+
|
||
+ # RHEL-08-030171, RHEL-08-030172
|
||
+ # - audit_rules_sysadmin_actions
|
||
+
|
||
+ # RHEL-08-030180
|
||
+ - package_audit_installed
|
||
+ - service_auditd_enabled
|
||
+
|
||
+ # RHEL-08-030190
|
||
+ # - audit_rules_privileged_commands_sudo
|
||
+
|
||
+ # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, RHEL-08-030230, RHEL-08-030240
|
||
+ # - audit_perm_change_failed
|
||
+ # - audit_perm_change_success
|
||
+
|
||
+ # RHEL-08-030250
|
||
+ # - audit_rules_privileged_commands_chage
|
||
+
|
||
+ # RHEL-08-030260
|
||
+ # - audit_rules_execution_chcon
|
||
+
|
||
+ # RHEL-08-030270
|
||
+ # - audit_perm_change_failed
|
||
+ # - audit_perm_change_success
|
||
+
|
||
+ # RHEL-08-030280
|
||
+
|
||
+ # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030302
|
||
+ # - audit_rules_media_export
|
||
+
|
||
+ # RHEL-08-030310
|
||
+
|
||
+ # RHEL-08-030311
|
||
+ # - audit_rules_privileged_commands_postdrop
|
||
+
|
||
+ # RHEL-08-030312
|
||
+ # - audit_rules_privileged_commands_postqueue
|
||
+
|
||
+ # RHEL-08-030313
|
||
+ # - audit_rules_execution_semanage
|
||
+
|
||
+ # RHEL-08-030314
|
||
+ # - audit_rules_execution_setfiles
|
||
+
|
||
+ # RHEL-08-030315
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030316
|
||
+ # - audit_rules_execution_setsebool
|
||
+
|
||
+ # RHEL-08-030317
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030320
|
||
+ # - audit_rules_privileged_commands_ssh_keysign
|
||
+
|
||
+ # RHEL-08-030330
|
||
+
|
||
+ # RHEL-08-030340
|
||
+ # - audit_rules_privileged_commands_pam_timestamp_check
|
||
+
|
||
+ # RHEL-08-030350
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030360
|
||
+ # - audit_module_load
|
||
+
|
||
+ # RHEL-08-030361, RHEL-08-030362
|
||
+ # - audit_delete_failed
|
||
+ # - audit_delete_success
|
||
+
|
||
+ # RHEL-08-030363
|
||
+
|
||
+ # RHEL-08-030364, RHEL-08-030365
|
||
+ # - audit_delete_failed
|
||
+ # - audit_delete_success
|
||
+
|
||
+ # RHEL-08-030370
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030380, RHEL-08-030390
|
||
+ # - audit_module_load
|
||
+
|
||
+ # RHEL-08-030400
|
||
+ # - audit_ospp_general
|
||
+
|
||
+ # RHEL-08-030410
|
||
+ # - audit_rules_privileged_commands_chsh
|
||
+
|
||
+ # RHEL-08-030420
|
||
+ # - audit_modify_failed
|
||
+ # - audit_modify_success
|
||
+
|
||
+ # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450
|
||
+ # - audit_create_failed
|
||
+ # - audit_create_success
|
||
+ # - audit_modify_failed
|
||
+ # - audit_modify_success
|
||
+ # - audit_access_failed
|
||
+ # - audit_access_success
|
||
+
|
||
+ # RHEL-08-030460
|
||
+ # - audit_modify_failed
|
||
+ # - audit_modify_success
|
||
+
|
||
+ # RHEL-08-030470
|
||
+ # - audit_create_failed
|
||
+ # - audit_create_success
|
||
+
|
||
+ # RHEL-08-030480
|
||
+ # - audit_owner_change_failed
|
||
+ # - audit_owner_change_success
|
||
+
|
||
+ # RHEL-08-030490
|
||
+ # - audit_perm_change_failed
|
||
+ # - audit_perm_change_success
|
||
+
|
||
+ # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520
|
||
+ # - audit_owner_change_failed
|
||
+ # - audit_owner_change_success
|
||
+
|
||
+ # RHEL-08-030530, RHEL-08-030540
|
||
+ # - audit_perm_change_failed
|
||
+ # - audit_perm_change_success
|
||
+
|
||
+ # RHEL-08-030550
|
||
+ # - audit_rules_privileged_commands_sudo
|
||
+
|
||
+ # RHEL-08-030560
|
||
+
|
||
+ # RHEL-08-030570
|
||
+
|
||
+ # RHEL-08-030580
|
||
+
|
||
+ # RHEL-08-030590
|
||
+ # - audit_rules_login_events_faillock
|
||
+
|
||
+ # RHEL-08-030600
|
||
+ # - audit_rules_login_events_lastlog
|
||
+
|
||
+ # RHEL-08-030601
|
||
+ - grub2_audit_argument
|
||
+
|
||
+ # RHEL-08-030602
|
||
+ - grub2_audit_backlog_limit_argument
|
||
+
|
||
+ # RHEL-08-030603
|
||
+ - configure_usbguard_auditbackend
|
||
+
|
||
+ # RHEL-08-030610
|
||
+
|
||
+ # RHEL-08-030620
|
||
+
|
||
+ # RHEL-08-030630
|
||
+
|
||
+ # RHEL-08-030640
|
||
+
|
||
+ # RHEL-08-030650
|
||
+
|
||
+ # RHEL-08-030660
|
||
+
|
||
+ # RHEL-08-030670
|
||
+ - package_rsyslog_installed
|
||
+
|
||
+ # RHEL-08-030680
|
||
+ - package_rsyslog-gnutls_installed
|
||
+
|
||
+ # RHEL-08-030690
|
||
+ - rsyslog_remote_loghost
|
||
+
|
||
+ # RHEL-08-030700
|
||
+
|
||
+ # RHEL-08-030710
|
||
+
|
||
+ # RHEL-08-030720
|
||
+
|
||
+ # RHEL-08-030730
|
||
+ # this rule expects configuration in MB instead percentage as how STIG demands
|
||
+ # - auditd_data_retention_space_left
|
||
+ - auditd_data_retention_space_left_action
|
||
+
|
||
+ # RHEL-08-030740
|
||
+ # remediation fails because default configuration file contains pool instead of server keyword
|
||
+# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-030741
|
||
+# - chronyd_client_only # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-030742
|
||
+# - chronyd_no_chronyc_network # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040000
|
||
+ - package_telnet-server_removed
|
||
+
|
||
+ # RHEL-08-040001
|
||
+ - package_abrt_removed
|
||
+ - package_abrt-addon-ccpp_removed
|
||
+ - package_abrt-addon-kerneloops_removed
|
||
+ - package_abrt-addon-python_removed
|
||
+ - package_abrt-cli_removed
|
||
+ - package_abrt-plugin-logger_removed
|
||
+ - package_abrt-plugin-rhtsupport_removed
|
||
+ - package_abrt-plugin-sosreport_removed
|
||
+
|
||
+ # RHEL-08-040002
|
||
+ - package_sendmail_removed
|
||
+
|
||
+ # RHEL-08-040003
|
||
+ ### NOTE: Will be removed in V1R2, merged into RHEL-08-040370
|
||
+
|
||
+ # RHEL-08-040004
|
||
+ - grub2_pti_argument
|
||
+
|
||
+ # RHEL-08-040010
|
||
+ - package_rsh-server_removed
|
||
+
|
||
+ # RHEL-08-040020
|
||
+
|
||
+ # RHEL-08-040021
|
||
+ - kernel_module_atm_disabled
|
||
+
|
||
+ # RHEL-08-040022
|
||
+ - kernel_module_can_disabled
|
||
+
|
||
+ # RHEL-08-040023
|
||
+ - kernel_module_sctp_disabled
|
||
+
|
||
+ # RHEL-08-040024
|
||
+ - kernel_module_tipc_disabled
|
||
+
|
||
+ # RHEL-08-040025
|
||
+ - kernel_module_cramfs_disabled
|
||
+
|
||
+ # RHEL-08-040026
|
||
+ - kernel_module_firewire-core_disabled
|
||
+
|
||
+ # RHEL-08-040030
|
||
+# - configure_firewalld_ports # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040060
|
||
+ ### NOTE: Will be removed in V1R2
|
||
+
|
||
+ # RHEL-08-040070
|
||
+ - service_autofs_disabled
|
||
+
|
||
+ # RHEL-08-040080
|
||
+ - kernel_module_usb-storage_disabled
|
||
+
|
||
+ # RHEL-08-040090
|
||
+
|
||
+ # RHEL-08-040100
|
||
+ - service_firewalld_enabled
|
||
+ - package_firewalld_installed
|
||
+
|
||
+ # RHEL-08-040110
|
||
+ - wireless_disable_interfaces
|
||
+
|
||
+ # RHEL-08-040111
|
||
+ - kernel_module_bluetooth_disabled
|
||
+
|
||
+ # RHEL-08-040120
|
||
+ - mount_option_dev_shm_nodev
|
||
+
|
||
+ # RHEL-08-040121
|
||
+ - mount_option_dev_shm_nosuid
|
||
+
|
||
+ # RHEL-08-040122
|
||
+ - mount_option_dev_shm_noexec
|
||
+
|
||
+ # RHEL-08-040123
|
||
+ - mount_option_tmp_nodev
|
||
+
|
||
+ # RHEL-08-040124
|
||
+ - mount_option_tmp_nosuid
|
||
+
|
||
+ # RHEL-08-040125
|
||
+ - mount_option_tmp_noexec
|
||
+
|
||
+ # RHEL-08-040126
|
||
+ - mount_option_var_log_nodev
|
||
+
|
||
+ # RHEL-08-040127
|
||
+ - mount_option_var_log_nosuid
|
||
+
|
||
+ # RHEL-08-040128
|
||
+ - mount_option_var_log_noexec
|
||
+
|
||
+ # RHEL-08-040129
|
||
+ - mount_option_var_log_audit_nodev
|
||
+
|
||
+ # RHEL-08-040130
|
||
+ - mount_option_var_log_audit_nosuid
|
||
+
|
||
+ # RHEL-08-040131
|
||
+ - mount_option_var_log_audit_noexec
|
||
+
|
||
+ # RHEL-08-040132
|
||
+ - mount_option_var_tmp_nodev
|
||
+
|
||
+ # RHEL-08-040133
|
||
+ - mount_option_var_tmp_nosuid
|
||
+
|
||
+ # RHEL-08-040134
|
||
+ - mount_option_var_tmp_noexec
|
||
+
|
||
+ # RHEL-08-040135
|
||
+ - package_fapolicyd_installed
|
||
+ - service_fapolicyd_enabled
|
||
+
|
||
+ # RHEL-08-040140
|
||
+ - package_usbguard_installed
|
||
+ - service_usbguard_enabled
|
||
+
|
||
+ # RHEL-08-040150
|
||
+
|
||
+ # RHEL-08-040160
|
||
+ - package_openssh-server_installed
|
||
+ - service_sshd_enabled
|
||
+
|
||
+ # RHEL-08-040161
|
||
+ - sshd_rekey_limit
|
||
+
|
||
+ # RHEL-08-040162
|
||
+# - ssh_client_rekey_limit # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040170
|
||
+# - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040171
|
||
+# - dconf_gnome_disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040172
|
||
+# - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040180
|
||
+# - service_debug-shell_disabled # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040190
|
||
+ - package_tftp-server_removed
|
||
+
|
||
+ # RHEL-08-040200
|
||
+ - accounts_no_uid_except_zero
|
||
+
|
||
+ # RHEL-08-040210
|
||
+ - sysctl_net_ipv4_conf_default_accept_redirects
|
||
+ - sysctl_net_ipv6_conf_default_accept_redirects
|
||
+
|
||
+ # RHEL-08-040220
|
||
+ - sysctl_net_ipv4_conf_all_send_redirects
|
||
+
|
||
+ # RHEL-08-040230
|
||
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||
+
|
||
+ # RHEL-08-040240
|
||
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
||
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
||
+
|
||
+ # RHEL-08-040250
|
||
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
||
+ - sysctl_net_ipv6_conf_default_accept_source_route
|
||
+
|
||
+ # RHEL-08-040260
|
||
+ - sysctl_net_ipv4_ip_forward
|
||
+
|
||
+ # RHEL-08-040261
|
||
+ - sysctl_net_ipv6_conf_all_accept_ra
|
||
+
|
||
+ # RHEL-08-040262
|
||
+ - sysctl_net_ipv6_conf_default_accept_ra
|
||
+
|
||
+ # RHEL-08-040270
|
||
+ - sysctl_net_ipv4_conf_default_send_redirects
|
||
+
|
||
+ # RHEL-08-040280
|
||
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
||
+ - sysctl_net_ipv6_conf_all_accept_redirects
|
||
+
|
||
+ # RHEL-08-040281
|
||
+ - sysctl_kernel_unprivileged_bpf_disabled
|
||
+
|
||
+ # RHEL-08-040282
|
||
+ - sysctl_kernel_yama_ptrace_scope
|
||
+
|
||
+ # RHEL-08-040283
|
||
+ - sysctl_kernel_kptr_restrict
|
||
+
|
||
+ # RHEL-08-040284
|
||
+ - sysctl_user_max_user_namespaces
|
||
+
|
||
+ # RHEL-08-040285
|
||
+ - sysctl_net_ipv4_conf_all_rp_filter
|
||
+
|
||
+ # RHEL-08-040290
|
||
+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
|
||
+ # there needs to be a new platform check to identify when postfix is installed or not
|
||
+ # - postfix_prevent_unrestricted_relay
|
||
+
|
||
+ # RHEL-08-040300
|
||
+ - aide_verify_ext_attributes
|
||
+
|
||
+ # RHEL-08-040310
|
||
+ - aide_verify_acls
|
||
+
|
||
+ # RHEL-08-040320
|
||
+ - xwindows_remove_packages
|
||
+
|
||
+ # RHEL-08-040330
|
||
+ - network_sniffer_disabled
|
||
+
|
||
+ # RHEL-08-040340
|
||
+ - sshd_disable_x11_forwarding
|
||
+
|
||
+ # RHEL-08-040341
|
||
+# - sshd_x11_use_localhost # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040350
|
||
+# - tftpd_uses_secure_mode # not supported in RHEL9 ATM
|
||
+
|
||
+ # RHEL-08-040360
|
||
+ - package_vsftpd_removed
|
||
+
|
||
+ # RHEL-08-040370
|
||
+ - package_gssproxy_removed
|
||
+
|
||
+ # RHEL-08-040380
|
||
+ - package_iprutils_removed
|
||
+
|
||
+ # RHEL-08-040390
|
||
+ - package_tuned_removed
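Review bot: `sysctl_crypto_fips_enabled` (under `# RHEL-08-010020`) stays selected while `enable_fips_mode` and `enable_dracut_fips_module` are both commented out in the "Enable / Configure FIPS" group. Judging by the rule names, the profile still checks for kernel FIPS mode but no longer selects the rules that would enable it. If so, a remediated host gets `var_system_crypto_policy=fips` but presumably keeps failing that check, and an operator reading the profile may assume FIPS mode is enforced when only the crypto policy is. Either disable the check with the same `# not supported in RHEL9 ATM` marker or document the gap above it, e.g. `# NOTE: enable_fips_mode is disabled above; FIPS mode must be enabled out of band for this check to pass`. Separately, `var_auditd_space_left`, `var_time_service_set_maxpoll` and `var_ssh_client_rekey_limit_size`/`_time` are still set although the rules that appear to consume them (`auditd_data_retention_space_left`, `chronyd_or_ntpd_set_maxpoll`, `ssh_client_rekey_limit`) are commented out further down.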
|
||
diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
|
||
new file mode 100644
|
||
index 00000000000..ff9a2833df8
|
||
--- /dev/null
|
||
+++ b/rhel9/profiles/stig_gui.profile
|
||
@@ -0,0 +1,36 @@
|
||
+documentation_complete: true
|
||
+
|
||
+metadata:
|
||
+ version: V1R2
|
||
+ SMEs:
|
||
+ - carlosmmatos
|
||
+
|
||
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||
+
|
||
+title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
|
||
+
|
||
+description: |-
|
||
+ This profile contains configuration checks that align to the
|
||
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
|
||
+
|
||
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
+ configuration baseline as applicable to the operating system tier of
|
||
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
|
||
+
|
||
+ - Red Hat Enterprise Linux Server
|
||
+ - Red Hat Enterprise Linux Workstation and Desktop
|
||
+ - Red Hat Enterprise Linux for HPC
|
||
+ - Red Hat Storage
|
||
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
|
||
+
|
||
+ Warning: The installation and use of a Graphical User Interface (GUI)
|
||
+ increases your attack vector and decreases your overall security posture. If
|
||
+ your Information Systems Security Officer (ISSO) lacks a documented operational
|
||
+ requirement for a graphical user interface, please consider using the
|
||
+ standard DISA STIG for Red Hat Enterprise Linux 8 profile.
|
||
+
|
||
+extends: stig
|
||
+
|
||
+selections:
|
||
+ # RHEL-08-040320
|
||
+ - '!xwindows_remove_packages'
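Review bot: The `selections:` block at the end of this new file unselects the inherited `xwindows_remove_packages` rule with only the STIG ID `# RHEL-08-040320` above it, so a reader must know the `!` prefix convention to see that the profile deliberately keeps the X Windows packages installed. A short why-comment would make this deviation from the parent `stig` profile auditable, for example `# GUI variant: keep X Windows packages installed (overrides the selection inherited from stig)`. Whether the parent selects other rules that assume a headless system cannot be judged from this hunk alone.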
|
||
|
||
From 5c5a4500a92ebd32078cf05b2b3eb24a9f58f285 Mon Sep 17 00:00:00 2001
|
||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||
Date: Thu, 10 Jun 2021 19:48:13 +0200
|
||
Subject: [PATCH 2/4] Added note that the profile is a RHEL9 draft.
|
||
|
||
---
|
||
rhel9/profiles/cis.profile | 10 +++-------
|
||
rhel9/profiles/cjis.profile | 2 +-
|
||
rhel9/profiles/e8.profile | 4 ++--
|
||
rhel9/profiles/hipaa.profile | 4 ++--
|
||
rhel9/profiles/ism_o.profile | 4 ++--
|
||
rhel9/profiles/ospp.profile | 2 +-
|
||
rhel9/profiles/pci-dss.profile | 2 +-
|
||
rhel9/profiles/rht-ccp.profile | 4 ++--
|
||
rhel9/profiles/standard.profile | 2 +-
|
||
rhel9/profiles/stig.profile | 7 +++----
|
||
rhel9/profiles/stig_gui.profile | 13 ++++++-------
|
||
11 files changed, 24 insertions(+), 30 deletions(-)
|
||
|
||
diff --git a/rhel9/profiles/cis.profile b/rhel9/profiles/cis.profile
|
||
index 8939011ad1f..7cc538f82ce 100644
|
||
--- a/rhel9/profiles/cis.profile
|
||
+++ b/rhel9/profiles/cis.profile
|
||
@@ -1,21 +1,17 @@
|
||
documentation_complete: true
|
||
|
||
metadata:
|
||
- version: 1.0.0
|
||
+ version: 0.0.0
|
||
SMEs:
|
||
- vojtapolasek
|
||
- yuumasato
|
||
|
||
reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
||
|
||
-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
|
||
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark'
|
||
|
||
description: |-
|
||
- This profile defines a baseline that aligns to the Center for Internet Security®
|
||
- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
|
||
-
|
||
- This profile includes Center for Internet Security®
|
||
- Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
||
+ This is a draft CIS profile based on the RHEL8 CIS
|
||
|
||
selections:
|
||
# Necessary for dconf rules
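Review bot: The new description line `This is a draft CIS profile based on the RHEL8 CIS` stops mid-phrase, and together with `version: 0.0.0` it drops the only statement of which benchmark release the selections were derived from (the removed text named v1.0.0). Someone reading a scan report can then no longer tell which baseline a pass or fail refers to. I would finish the sentence and keep the provenance, for example `This is a draft CIS profile for RHEL 9 based on the RHEL8 CIS Benchmark v1.0.0 profile.` The draft marker also varies across this commit (`[DRAFT]` here and in e8, stig and stig_gui, `[RHEL9 DRAFT]` in cjis, hipaa, ism_o, ospp, pci-dss and rht-ccp); one spelling would make the drafts easier to filter.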
|
||
diff --git a/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
|
||
index 1fc531952b6..3c9c385cd48 100644
|
||
--- a/rhel9/profiles/cjis.profile
|
||
+++ b/rhel9/profiles/cjis.profile
|
||
@@ -7,7 +7,7 @@ metadata:
|
||
|
||
reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
|
||
|
||
-title: 'Criminal Justice Information Services (CJIS) Security Policy'
|
||
+title: '[RHEL9 DRAFT] Criminal Justice Information Services (CJIS) Security Policy'
|
||
|
||
description: |-
|
||
This profile is derived from FBI's CJIS v5.4
|
||
diff --git a/rhel9/profiles/e8.profile b/rhel9/profiles/e8.profile
|
||
index 30eb9c594ac..6d87a778eee 100644
|
||
--- a/rhel9/profiles/e8.profile
|
||
+++ b/rhel9/profiles/e8.profile
|
||
@@ -6,10 +6,10 @@ metadata:
|
||
|
||
reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
|
||
|
||
-title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
|
||
+title: '[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight'
|
||
|
||
description: |-
|
||
- This profile contains configuration checks for Red Hat Enterprise Linux 8
|
||
+ This profile contains configuration checks for Red Hat Enterprise Linux 9
|
||
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
|
||
|
||
A copy of the Essential Eight in Linux Environments guide can be found at the
|
||
diff --git a/rhel9/profiles/hipaa.profile b/rhel9/profiles/hipaa.profile
|
||
index 7919649d4d5..1bd7cc10459 100644
|
||
--- a/rhel9/profiles/hipaa.profile
|
||
+++ b/rhel9/profiles/hipaa.profile
|
||
@@ -7,7 +7,7 @@ metadata:
|
||
|
||
reference: https://www.hhs.gov/hipaa/for-professionals/index.html
|
||
|
||
-title: 'Health Insurance Portability and Accountability Act (HIPAA)'
|
||
+title: '[RHEL9 DRAFT] Health Insurance Portability and Accountability Act (HIPAA)'
|
||
|
||
description: |-
|
||
The HIPAA Security Rule establishes U.S. national standards to protect individuals’
|
||
@@ -17,7 +17,7 @@ description: |-
|
||
confidentiality, integrity, and security of electronic protected health
|
||
information.
|
||
|
||
- This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
|
||
+ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security
|
||
Rule identified for securing of electronic protected health information.
|
||
Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
|
||
|
||
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
|
||
index 592be03783f..3a884f8371d 100644
|
||
--- a/rhel9/profiles/ism_o.profile
|
||
+++ b/rhel9/profiles/ism_o.profile
|
||
@@ -8,10 +8,10 @@ metadata:
|
||
|
||
reference: https://www.cyber.gov.au/ism
|
||
|
||
-title: 'Australian Cyber Security Centre (ACSC) ISM Official'
|
||
+title: '[RHEL9 DRAFT] Australian Cyber Security Centre (ACSC) ISM Official'
|
||
|
||
description: |-
|
||
- This profile contains configuration checks for Red Hat Enterprise Linux 8
|
||
+ This profile contains configuration checks for Red Hat Enterprise Linux 9
|
||
that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
|
||
with the applicability marking of OFFICIAL.
|
||
|
||
diff --git a/rhel9/profiles/ospp.profile b/rhel9/profiles/ospp.profile
|
||
index c4a43dc5eb6..84d23fe8ff5 100644
|
||
--- a/rhel9/profiles/ospp.profile
|
||
+++ b/rhel9/profiles/ospp.profile
|
||
@@ -9,7 +9,7 @@ metadata:
|
||
|
||
reference: https://www.niap-ccevs.org/Profile/PP.cfm
|
||
|
||
-title: 'Protection Profile for General Purpose Operating Systems'
|
||
+title: '[RHEL9 DRAFT] Protection Profile for General Purpose Operating Systems'
|
||
|
||
description: |-
|
||
This profile reflects mandatory configuration controls identified in the
|
||
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
|
||
index 966b2d5e1d8..6b00be5f76a 100644
|
||
--- a/rhel9/profiles/pci-dss.profile
|
||
+++ b/rhel9/profiles/pci-dss.profile
|
||
@@ -6,7 +6,7 @@ metadata:
|
||
|
||
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
|
||
|
||
-title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'
|
||
+title: '[RHEL9 DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9'
|
||
|
||
description: |-
|
||
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
|
||
diff --git a/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
|
||
index 3b734c2b2c5..34244db3f3d 100644
|
||
--- a/rhel9/profiles/rht-ccp.profile
|
||
+++ b/rhel9/profiles/rht-ccp.profile
|
||
@@ -1,11 +1,11 @@
|
||
documentation_complete: true
|
||
|
||
-title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||
+title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||
|
||
description: |-
|
||
This profile contains the minimum security relevant
|
||
configuration settings recommended by Red Hat, Inc for
|
||
- Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
|
||
+ Red Hat Enterprise Linux 9 instances deployed by Red Hat Certified
|
||
Cloud Providers.
|
||
|
||
selections:
|
||
diff --git a/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
|
||
index a63ae2cf328..921e30749d6 100644
|
||
--- a/rhel9/profiles/standard.profile
|
||
+++ b/rhel9/profiles/standard.profile
|
||
@@ -1,6 +1,6 @@
|
||
documentation_complete: true
|
||
|
||
-title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 9'
|
||
|
||
description: |-
|
||
This profile contains rules to ensure standard security baseline
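Review bot: The `+title:` line gets the RHEL 9 name but no draft marker, while every other profile touched by this commit is labelled `[DRAFT]` or `[RHEL9 DRAFT]` and the subject says the commit adds that note. If the standard profile is as unreviewed for RHEL 9 as the others, any tool that lists profiles by title would present it as a finished baseline. Suggested line: `title: '[RHEL9 DRAFT] Standard System Security Profile for Red Hat Enterprise Linux 9'`. If leaving it unmarked is intended, a sentence in the commit message should say so.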
|
||
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
|
||
index 50548f7e8eb..1baafe6f751 100644
|
||
--- a/rhel9/profiles/stig.profile
|
||
+++ b/rhel9/profiles/stig.profile
|
||
@@ -1,17 +1,16 @@
|
||
documentation_complete: true
|
||
|
||
metadata:
|
||
- version: V1R2
|
||
+ version: NA
|
||
SMEs:
|
||
- carlosmmatos
|
||
|
||
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||
|
||
-title: 'DISA STIG for Red Hat Enterprise Linux 8'
|
||
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 9'
|
||
|
||
description: |-
|
||
- This profile contains configuration checks that align to the
|
||
- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
|
||
+ This profile contains configuration checks that are based on the RHEL8 STIG
|
||
|
||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
configuration baseline as applicable to the operating system tier of
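Review bot: The unchanged context line `In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this` stays in the description of a profile now titled `[DRAFT] DISA STIG for Red Hat Enterprise Linux 9` with `version: NA`. The text therefore still asserts DISA recognition for a baseline that the new first line describes only as based on the RHEL8 STIG. The first stig_gui.profile hunk in this commit has the same problem in a stronger form: it rewrites that sentence to name Red Hat Enterprise Linux 9 while the line after it still reads `based on Red Hat Enterprise Linux 8, such as:`. Compliance reports carry this description, so if no published RHEL 9 STIG backs these files (as `version: NA` suggests), I would replace the paragraph with a plain statement such as `This draft is derived from the RHEL8 STIG and has not been aligned with a DISA-published STIG for Red Hat Enterprise Linux 9.` The description continues past the end of this hunk, so the rest of the paragraph needs the same check.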
|
||
diff --git a/rhel9/profiles/stig_gui.profile b/rhel9/profiles/stig_gui.profile
|
||
index ff9a2833df8..da26c9f1b89 100644
|
||
--- a/rhel9/profiles/stig_gui.profile
|
||
+++ b/rhel9/profiles/stig_gui.profile
|
||
@@ -1,19 +1,18 @@
|
||
documentation_complete: true
|
||
|
||
metadata:
|
||
- version: V1R2
|
||
+ version: NA
|
||
SMEs:
|
||
- carlosmmatos
|
||
|
||
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
||
|
||
-title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
|
||
+title: '[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9'
|
||
|
||
description: |-
|
||
- This profile contains configuration checks that align to the
|
||
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
|
||
+ This profile contains configuration checks that are based on the RHEL8 STIG
|
||
|
||
- In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
|
||
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
|
||
configuration baseline as applicable to the operating system tier of
|
||
Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
|
||
|
||
@@ -21,13 +20,13 @@ description: |-
|
||
- Red Hat Enterprise Linux Workstation and Desktop
|
||
- Red Hat Enterprise Linux for HPC
|
||
- Red Hat Storage
|
||
- - Red Hat Containers with a Red Hat Enterprise Linux 8 image
|
||
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image
|
||
|
||
Warning: The installation and use of a Graphical User Interface (GUI)
|
||
increases your attack vector and decreases your overall security posture. If
|
||
your Information Systems Security Officer (ISSO) lacks a documented operational
|
||
requirement for a graphical user interface, please consider using the
|
||
- standard DISA STIG for Red Hat Enterprise Linux 8 profile.
|
||
+ standard DISA STIG for Red Hat Enterprise Linux 9 profile.
|
||
|
||
extends: stig
|
||
|
||
|
||
From f27a9195b81f017f25f95eec50ec19114b0ea406 Mon Sep 17 00:00:00 2001
|
||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||
Date: Wed, 16 Jun 2021 12:04:53 +0200
|
||
Subject: [PATCH 3/4] Added RHEL9 CCEs.
|
||
|
||
Some of the available CCEs were actually taken, so the number of removed CCEs is greater
|
||
than the number of rules that got a CCE.
|
||
Sometimes PRs introduce CCE inconsistencies: https://github.com/ComplianceAsCode/content/pull/6579
|
||
---
|
||
.../service_avahi-daemon_disabled/rule.yml | 1 +
|
||
.../base/package_abrt_removed/rule.yml | 1 +
|
||
.../base/service_abrtd_disabled/rule.yml | 1 +
|
||
.../base/service_kdump_disabled/rule.yml | 1 +
|
||
.../base/service_ntpdate_disabled/rule.yml | 1 +
|
||
.../base/service_oddjobd_disabled/rule.yml | 1 +
|
||
.../base/service_qpidd_disabled/rule.yml | 1 +
|
||
.../base/service_rdisc_disabled/rule.yml | 1 +
|
||
.../base/service_rhnsd_disabled/rule.yml | 1 +
|
||
.../file_groupowner_cron_d/rule.yml | 1 +
|
||
.../file_groupowner_cron_daily/rule.yml | 1 +
|
||
.../file_groupowner_cron_hourly/rule.yml | 1 +
|
||
.../file_groupowner_cron_monthly/rule.yml | 1 +
|
||
.../file_groupowner_cron_weekly/rule.yml | 1 +
|
||
.../file_groupowner_crontab/rule.yml | 1 +
|
||
.../cron_and_at/file_owner_cron_d/rule.yml | 1 +
|
||
.../file_owner_cron_daily/rule.yml | 1 +
|
||
.../file_owner_cron_hourly/rule.yml | 1 +
|
||
.../file_owner_cron_monthly/rule.yml | 1 +
|
||
.../file_owner_cron_weekly/rule.yml | 1 +
|
||
.../cron_and_at/file_owner_crontab/rule.yml | 1 +
|
||
.../file_permissions_cron_d/rule.yml | 1 +
|
||
.../file_permissions_cron_daily/rule.yml | 1 +
|
||
.../file_permissions_cron_hourly/rule.yml | 1 +
|
||
.../file_permissions_cron_monthly/rule.yml | 1 +
|
||
.../file_permissions_cron_weekly/rule.yml | 1 +
|
||
.../file_permissions_crontab/rule.yml | 1 +
|
||
.../cron_and_at/service_atd_disabled/rule.yml | 1 +
|
||
.../service_crond_enabled/rule.yml | 1 +
|
||
.../package_dhcp_removed/rule.yml | 1 +
|
||
.../service_dhcpd_disabled/rule.yml | 1 +
|
||
.../service_named_disabled/rule.yml | 1 +
|
||
.../package_fapolicyd_installed/rule.yml | 1 +
|
||
.../service_fapolicyd_enabled/rule.yml | 1 +
|
||
.../package_vsftpd_removed/rule.yml | 1 +
|
||
.../service_vsftpd_disabled/rule.yml | 1 +
|
||
.../service_httpd_disabled/rule.yml | 1 +
|
||
.../service_dovecot_disabled/rule.yml | 1 +
|
||
.../kerberos_disable_no_keytab/rule.yml | 1 +
|
||
.../package_openldap-clients_removed/rule.yml | 1 +
|
||
.../mail/package_sendmail_removed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../service_rpcbind_disabled/rule.yml | 1 +
|
||
.../service_nfs_disabled/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_nfs-utils_removed/rule.yml | 1 +
|
||
.../ntp/chronyd_run_as_chrony_user/rule.yml | 1 +
|
||
.../chronyd_specify_remote_server/rule.yml | 1 +
|
||
.../ntp/package_chrony_installed/rule.yml | 1 +
|
||
.../ntp/service_chronyd_enabled/rule.yml | 1 +
|
||
.../package_xinetd_removed/rule.yml | 1 +
|
||
.../service_xinetd_disabled/rule.yml | 1 +
|
||
.../nis/package_ypbind_removed/rule.yml | 1 +
|
||
.../nis/package_ypserv_removed/rule.yml | 1 +
|
||
.../r_services/no_rsh_trust_files/rule.yml | 1 +
|
||
.../package_rsh-server_removed/rule.yml | 1 +
|
||
.../r_services/package_rsh_removed/rule.yml | 1 +
|
||
.../obsolete/service_rsyncd_disabled/rule.yml | 1 +
|
||
.../talk/package_talk-server_removed/rule.yml | 1 +
|
||
.../talk/package_talk_removed/rule.yml | 1 +
|
||
.../package_telnet-server_removed/rule.yml | 1 +
|
||
.../telnet/package_telnet_removed/rule.yml | 1 +
|
||
.../telnet/service_telnet_disabled/rule.yml | 1 +
|
||
.../tftp/package_tftp-server_removed/rule.yml | 1 +
|
||
.../printing/service_cups_disabled/rule.yml | 1 +
|
||
.../package_squid_removed/rule.yml | 1 +
|
||
.../service_squid_disabled/rule.yml | 1 +
|
||
.../rng/service_rngd_enabled/rule.yml | 1 +
|
||
.../package_quagga_removed/rule.yml | 1 +
|
||
.../service_zebra_disabled/rule.yml | 1 +
|
||
.../service_smb_disabled/rule.yml | 1 +
|
||
.../service_snmpd_disabled/rule.yml | 1 +
|
||
.../ssh/file_groupowner_sshd_config/rule.yml | 1 +
|
||
.../ssh/file_owner_sshd_config/rule.yml | 1 +
|
||
.../ssh/file_permissions_sshd_config/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_permissions_sshd_pub_key/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_openssh-server_installed/rule.yml | 1 +
|
||
.../ssh/service_sshd_enabled/rule.yml | 1 +
|
||
.../ssh/ssh_server/disable_host_auth/rule.yml | 1 +
|
||
.../sshd_allow_only_protocol2/rule.yml | 1 +
|
||
.../sshd_disable_compression/rule.yml | 1 +
|
||
.../sshd_disable_empty_passwords/rule.yml | 1 +
|
||
.../sshd_disable_gssapi_auth/rule.yml | 1 +
|
||
.../sshd_disable_kerb_auth/rule.yml | 1 +
|
||
.../ssh_server/sshd_disable_rhosts/rule.yml | 1 +
|
||
.../sshd_disable_root_login/rule.yml | 1 +
|
||
.../sshd_disable_tcp_forwarding/rule.yml | 1 +
|
||
.../sshd_disable_user_known_hosts/rule.yml | 1 +
|
||
.../sshd_disable_x11_forwarding/rule.yml | 1 +
|
||
.../sshd_do_not_permit_user_env/rule.yml | 1 +
|
||
.../sshd_enable_strictmodes/rule.yml | 1 +
|
||
.../sshd_enable_warning_banner/rule.yml | 1 +
|
||
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
|
||
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 +
|
||
.../ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
|
||
.../ssh_server/sshd_set_keepalive/rule.yml | 1 +
|
||
.../sshd_set_loglevel_info/rule.yml | 1 +
|
||
.../sshd_set_max_auth_tries/rule.yml | 1 +
|
||
.../ssh_server/sshd_set_max_sessions/rule.yml | 1 +
|
||
.../configure_usbguard_auditbackend/rule.yml | 1 +
|
||
.../package_usbguard_installed/rule.yml | 1 +
|
||
.../service_usbguard_enabled/rule.yml | 1 +
|
||
.../usbguard_allow_hid_and_hub/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../xwindows_remove_packages/rule.yml | 1 +
|
||
.../xwindows_runlevel_target/rule.yml | 1 +
|
||
.../banner_etc_issue/rule.yml | 1 +
|
||
.../accounts-banners/banner_etc_motd/rule.yml | 1 +
|
||
.../file_permissions_etc_issue/rule.yml | 1 +
|
||
.../file_permissions_etc_motd/rule.yml | 1 +
|
||
.../display_login_attempts/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts_password_pam_dcredit/rule.yml | 1 +
|
||
.../accounts_password_pam_difok/rule.yml | 1 +
|
||
.../accounts_password_pam_lcredit/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts_password_pam_maxrepeat/rule.yml | 1 +
|
||
.../accounts_password_pam_minclass/rule.yml | 1 +
|
||
.../accounts_password_pam_minlen/rule.yml | 1 +
|
||
.../accounts_password_pam_ocredit/rule.yml | 1 +
|
||
.../accounts_password_pam_retry/rule.yml | 1 +
|
||
.../accounts_password_pam_ucredit/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../require_emergency_target_auth/rule.yml | 1 +
|
||
.../require_singleuser_auth/rule.yml | 1 +
|
||
.../package_tmux_installed/rule.yml | 1 +
|
||
.../install_smartcard_packages/rule.yml | 1 +
|
||
.../package_opensc_installed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../account_unique_name/rule.yml | 1 +
|
||
.../accounts_maximum_age_login_defs/rule.yml | 1 +
|
||
.../accounts_minimum_age_login_defs/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts_password_all_shadowed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../gid_passwd_group_same/rule.yml | 1 +
|
||
.../no_empty_passwords/rule.yml | 1 +
|
||
.../no_legacy_plus_entries_etc_group/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../password_storage/no_netrc_files/rule.yml | 1 +
|
||
.../accounts_no_uid_except_zero/rule.yml | 1 +
|
||
.../no_direct_root_logins/rule.yml | 1 +
|
||
.../no_shelllogin_for_systemaccounts/rule.yml | 1 +
|
||
.../restrict_serial_port_logins/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts_logon_fail_delay/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts_polyinstantiated_tmp/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../accounts-session/accounts_tmout/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_permission_user_init_files/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_permissions_home_dirs/rule.yml | 1 +
|
||
.../accounts_root_path_dirs_no_write/rule.yml | 1 +
|
||
.../accounts_umask_etc_bashrc/rule.yml | 1 +
|
||
.../accounts_umask_etc_login_defs/rule.yml | 1 +
|
||
.../accounts_umask_etc_profile/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_execution_chcon/rule.yml | 1 +
|
||
.../audit_rules_execution_restorecon/rule.yml | 1 +
|
||
.../audit_rules_execution_semanage/rule.yml | 1 +
|
||
.../audit_rules_execution_setfiles/rule.yml | 1 +
|
||
.../audit_rules_execution_setsebool/rule.yml | 1 +
|
||
.../audit_rules_execution_seunshare/rule.yml | 1 +
|
||
.../audit_rules_file_deletion_events/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_login_events/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_login_events_lastlog/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_privileged_commands/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_immutable/rule.yml | 1 +
|
||
.../audit_rules_mac_modification/rule.yml | 1 +
|
||
.../audit_rules_media_export/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_session_events/rule.yml | 1 +
|
||
.../audit_rules_sysadmin_actions/rule.yml | 1 +
|
||
.../audit_rules_system_shutdown/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../audit_rules_time_adjtimex/rule.yml | 1 +
|
||
.../audit_rules_time_clock_settime/rule.yml | 1 +
|
||
.../audit_rules_time_settimeofday/rule.yml | 1 +
|
||
.../audit_rules_time_stime/rule.yml | 1 +
|
||
.../audit_rules_time_watch_localtime/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_ownership_var_log_audit/rule.yml | 1 +
|
||
.../file_permissions_var_log_audit/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../auditd_data_disk_error_action/rule.yml | 1 +
|
||
.../auditd_data_disk_full_action/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../auditd_data_retention_flush/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../auditd_data_retention_num_logs/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../auditd_freq/rule.yml | 1 +
|
||
.../auditd_local_events/rule.yml | 1 +
|
||
.../auditd_log_format/rule.yml | 1 +
|
||
.../auditd_name_format/rule.yml | 1 +
|
||
.../auditd_write_logs/rule.yml | 1 +
|
||
.../auditing/grub2_audit_argument/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../auditing/package_audit_installed/rule.yml | 1 +
|
||
.../policy_rules/audit_access_failed/rule.yml | 1 +
|
||
.../audit_access_success/rule.yml | 1 +
|
||
.../audit_basic_configuration/rule.yml | 1 +
|
||
.../policy_rules/audit_create_failed/rule.yml | 1 +
|
||
.../audit_create_success/rule.yml | 1 +
|
||
.../policy_rules/audit_delete_failed/rule.yml | 1 +
|
||
.../audit_delete_success/rule.yml | 1 +
|
||
.../audit_immutable_login_uids/rule.yml | 1 +
|
||
.../policy_rules/audit_modify_failed/rule.yml | 1 +
|
||
.../audit_modify_success/rule.yml | 1 +
|
||
.../policy_rules/audit_module_load/rule.yml | 1 +
|
||
.../policy_rules/audit_ospp_general/rule.yml | 1 +
|
||
.../audit_owner_change_failed/rule.yml | 1 +
|
||
.../audit_owner_change_success/rule.yml | 1 +
|
||
.../audit_perm_change_failed/rule.yml | 1 +
|
||
.../audit_perm_change_success/rule.yml | 1 +
|
||
.../auditing/service_auditd_enabled/rule.yml | 1 +
|
||
.../grub2_enable_iommu_force/rule.yml | 1 +
|
||
.../grub2_kernel_trust_cpu_rng/rule.yml | 1 +
|
||
.../grub2_pti_argument/rule.yml | 1 +
|
||
.../grub2_vsyscall_argument/rule.yml | 1 +
|
||
.../file_groupowner_grub2_cfg/rule.yml | 1 +
|
||
.../non-uefi/file_owner_grub2_cfg/rule.yml | 1 +
|
||
.../file_permissions_grub2_cfg/rule.yml | 1 +
|
||
.../non-uefi/grub2_password/rule.yml | 1 +
|
||
.../zipl_audit_argument/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../zipl_bls_entries_only/rule.yml | 1 +
|
||
.../zipl_bootmap_is_up_to_date/rule.yml | 1 +
|
||
.../zipl_page_poison_argument/rule.yml | 1 +
|
||
.../zipl_slub_debug_argument/rule.yml | 1 +
|
||
.../zipl_vsyscall_argument/rule.yml | 1 +
|
||
.../rsyslog_cron_logging/rule.yml | 1 +
|
||
.../ensure_logrotate_activated/rule.yml | 1 +
|
||
.../package_rsyslog-gnutls_installed/rule.yml | 1 +
|
||
.../rsyslog_nolisten/rule.yml | 1 +
|
||
.../rsyslog_remote_loghost/rule.yml | 1 +
|
||
.../rsyslog_remote_tls/rule.yml | 1 +
|
||
.../rsyslog_remote_tls_cacert/rule.yml | 1 +
|
||
.../logging/service_rsyslog_enabled/rule.yml | 1 +
|
||
.../package_firewalld_installed/rule.yml | 1 +
|
||
.../service_firewalld_enabled/rule.yml | 1 +
|
||
.../set_firewalld_default_zone/rule.yml | 1 +
|
||
.../package_libreswan_installed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_net_ipv4_tcp_rfc1337/rule.yml | 1 +
|
||
.../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 +
|
||
.../kernel_module_atm_disabled/rule.yml | 1 +
|
||
.../kernel_module_can_disabled/rule.yml | 1 +
|
||
.../kernel_module_dccp_disabled/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../kernel_module_rds_disabled/rule.yml | 1 +
|
||
.../kernel_module_sctp_disabled/rule.yml | 1 +
|
||
.../kernel_module_tipc_disabled/rule.yml | 1 +
|
||
.../kernel_module_bluetooth_disabled/rule.yml | 1 +
|
||
.../wireless_disable_interfaces/rule.yml | 1 +
|
||
.../network/network_sniffer_disabled/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_permissions_ungroupowned/rule.yml | 1 +
|
||
.../files/no_files_unowned_by_user/rule.yml | 1 +
|
||
.../file_groupowner_backup_etc_group/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_groupowner_etc_group/rule.yml | 1 +
|
||
.../file_groupowner_etc_gshadow/rule.yml | 1 +
|
||
.../file_groupowner_etc_passwd/rule.yml | 1 +
|
||
.../file_groupowner_etc_shadow/rule.yml | 1 +
|
||
.../file_owner_backup_etc_group/rule.yml | 1 +
|
||
.../file_owner_backup_etc_gshadow/rule.yml | 1 +
|
||
.../file_owner_backup_etc_passwd/rule.yml | 1 +
|
||
.../file_owner_backup_etc_shadow/rule.yml | 1 +
|
||
.../file_owner_etc_group/rule.yml | 1 +
|
||
.../file_owner_etc_gshadow/rule.yml | 1 +
|
||
.../file_owner_etc_passwd/rule.yml | 1 +
|
||
.../file_owner_etc_shadow/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_permissions_etc_group/rule.yml | 1 +
|
||
.../file_permissions_etc_gshadow/rule.yml | 1 +
|
||
.../file_permissions_etc_passwd/rule.yml | 1 +
|
||
.../file_permissions_etc_shadow/rule.yml | 1 +
|
||
.../file_groupowner_var_log/rule.yml | 1 +
|
||
.../file_groupowner_var_log_messages/rule.yml | 1 +
|
||
.../file_owner_var_log/rule.yml | 1 +
|
||
.../file_owner_var_log_messages/rule.yml | 1 +
|
||
.../file_permissions_var_log/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../file_ownership_binary_dirs/rule.yml | 1 +
|
||
.../file_ownership_library_dirs/rule.yml | 1 +
|
||
.../file_permissions_binary_dirs/rule.yml | 1 +
|
||
.../file_permissions_library_dirs/rule.yml | 1 +
|
||
.../sysctl_fs_protected_hardlinks/rule.yml | 1 +
|
||
.../sysctl_fs_protected_symlinks/rule.yml | 1 +
|
||
.../kernel_module_cramfs_disabled/rule.yml | 1 +
|
||
.../kernel_module_squashfs_disabled/rule.yml | 1 +
|
||
.../kernel_module_udf_disabled/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../mounting/service_autofs_disabled/rule.yml | 1 +
|
||
.../mount_option_boot_nodev/rule.yml | 1 +
|
||
.../mount_option_boot_noexec/rule.yml | 1 +
|
||
.../mount_option_boot_nosuid/rule.yml | 1 +
|
||
.../mount_option_dev_shm_nodev/rule.yml | 1 +
|
||
.../mount_option_dev_shm_noexec/rule.yml | 1 +
|
||
.../mount_option_dev_shm_nosuid/rule.yml | 1 +
|
||
.../mount_option_home_nodev/rule.yml | 1 +
|
||
.../mount_option_home_noexec/rule.yml | 1 +
|
||
.../mount_option_home_nosuid/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../mount_option_opt_nosuid/rule.yml | 1 +
|
||
.../mount_option_srv_nosuid/rule.yml | 1 +
|
||
.../mount_option_tmp_nodev/rule.yml | 1 +
|
||
.../mount_option_tmp_noexec/rule.yml | 1 +
|
||
.../mount_option_tmp_nosuid/rule.yml | 1 +
|
||
.../mount_option_var_log_audit_nodev/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../mount_option_var_log_nodev/rule.yml | 1 +
|
||
.../mount_option_var_log_noexec/rule.yml | 1 +
|
||
.../mount_option_var_log_nosuid/rule.yml | 1 +
|
||
.../mount_option_var_nodev/rule.yml | 1 +
|
||
.../mount_option_var_noexec/rule.yml | 1 +
|
||
.../mount_option_var_nosuid/rule.yml | 1 +
|
||
.../mount_option_var_tmp_nodev/rule.yml | 1 +
|
||
.../mount_option_var_tmp_noexec/rule.yml | 1 +
|
||
.../mount_option_var_tmp_nosuid/rule.yml | 1 +
|
||
.../disable_users_coredumps/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_fs_suid_dumpable/rule.yml | 1 +
|
||
.../sysctl_kernel_exec_shield/rule.yml | 1 +
|
||
.../sysctl_kernel_kptr_restrict/rule.yml | 1 +
|
||
.../sysctl_kernel_randomize_va_space/rule.yml | 1 +
|
||
.../grub2_page_poison_argument/rule.yml | 1 +
|
||
.../grub2_slub_debug_argument/rule.yml | 1 +
|
||
.../sysctl_kernel_core_pattern/rule.yml | 1 +
|
||
.../sysctl_kernel_dmesg_restrict/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_kernel_modules_disabled/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_kernel_pid_max/rule.yml | 1 +
|
||
.../restrictions/sysctl_kernel_sysrq/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
|
||
.../sysctl_net_core_bpf_jit_harden/rule.yml | 1 +
|
||
.../sysctl_user_max_user_namespaces/rule.yml | 1 +
|
||
.../sysctl_vm_mmap_min_addr/rule.yml | 1 +
|
||
.../selinux/grub2_enable_selinux/rule.yml | 1 +
|
||
.../package_libselinux_installed/rule.yml | 1 +
|
||
.../selinux/package_mcstrans_removed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_setroubleshoot_removed/rule.yml | 1 +
|
||
.../sebool_auditadm_exec_content/rule.yml | 1 +
|
||
.../sebool_deny_execmem/rule.yml | 1 +
|
||
.../sebool_polyinstantiation_enabled/rule.yml | 1 +
|
||
.../sebool_secure_mode_insmod/rule.yml | 1 +
|
||
.../sebool_selinuxuser_execheap/rule.yml | 1 +
|
||
.../sebool_selinuxuser_execmod/rule.yml | 1 +
|
||
.../sebool_selinuxuser_execstack/rule.yml | 1 +
|
||
.../sebool_ssh_sysadm_login/rule.yml | 1 +
|
||
.../selinux_confinement_of_daemons/rule.yml | 1 +
|
||
.../selinux/selinux_policytype/rule.yml | 1 +
|
||
.../system/selinux/selinux_state/rule.yml | 1 +
|
||
.../encrypt_partitions/rule.yml | 1 +
|
||
.../partition_for_home/rule.yml | 1 +
|
||
.../partition_for_srv/rule.yml | 1 +
|
||
.../partition_for_tmp/rule.yml | 1 +
|
||
.../partition_for_var/rule.yml | 1 +
|
||
.../partition_for_var_log/rule.yml | 1 +
|
||
.../partition_for_var_log_audit/rule.yml | 1 +
|
||
.../partition_for_var_tmp/rule.yml | 1 +
|
||
.../gnome/package_gdm_removed/rule.yml | 1 +
|
||
.../installed_OS_is_vendor_supported/rule.yml | 1 +
|
||
.../configure_bind_crypto_policy/rule.yml | 1 +
|
||
.../crypto/configure_crypto_policy/rule.yml | 1 +
|
||
.../configure_kerberos_crypto_policy/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../configure_openssl_crypto_policy/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../configure_ssh_crypto_policy/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
|
||
.../aide/aide_build_database/rule.yml | 1 +
|
||
.../aide/aide_periodic_cron_checking/rule.yml | 1 +
|
||
.../aide/aide_scan_notification/rule.yml | 1 +
|
||
.../aide/aide_verify_acls/rule.yml | 1 +
|
||
.../aide/aide_verify_ext_attributes/rule.yml | 1 +
|
||
.../aide/package_aide_installed/rule.yml | 1 +
|
||
.../rpm_verify_hashes/rule.yml | 1 +
|
||
.../rpm_verify_ownership/rule.yml | 1 +
|
||
.../rpm_verify_permissions/rule.yml | 1 +
|
||
.../system/software/prefer_64bit_os/rule.yml | 1 +
|
||
.../sudo/package_sudo_installed/rule.yml | 1 +
|
||
.../software/sudo/sudo_add_noexec/rule.yml | 1 +
|
||
.../sudo/sudo_add_requiretty/rule.yml | 1 +
|
||
.../software/sudo/sudo_add_use_pty/rule.yml | 1 +
|
||
.../sudo/sudo_custom_logfile/rule.yml | 1 +
|
||
.../sudo/sudo_remove_no_authenticate/rule.yml | 1 +
|
||
.../sudo/sudo_remove_nopasswd/rule.yml | 1 +
|
||
.../sudo/sudo_require_authentication/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../software/sudo/sudo_vdsm_nopasswd/rule.yml | 1 +
|
||
.../sudoers_explicit_command_args/rule.yml | 5 +-
|
||
.../sudo/sudoers_no_command_negation/rule.yml | 5 +-
|
||
.../sudo/sudoers_no_root_target/rule.yml | 5 +-
|
||
.../sudo/sudoers_validate_passwd/rule.yml | 1 +
|
||
.../package_abrt-addon-ccpp_removed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_abrt-cli_removed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_gnutls-utils_installed/rule.yml | 1 +
|
||
.../package_gssproxy_removed/rule.yml | 1 +
|
||
.../package_iprutils_removed/rule.yml | 1 +
|
||
.../package_krb5-workstation_removed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_rear_installed/rule.yml | 1 +
|
||
.../package_rng-tools_installed/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../package_tuned_removed/rule.yml | 1 +
|
||
.../clean_components_post_updating/rule.yml | 1 +
|
||
.../dnf-automatic_apply_updates/rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../rule.yml | 1 +
|
||
.../ensure_gpgcheck_local_packages/rule.yml | 1 +
|
||
.../ensure_gpgcheck_never_disabled/rule.yml | 1 +
|
||
.../package_dnf-automatic_installed/rule.yml | 1 +
|
||
.../timer_dnf-automatic_enabled/rule.yml | 1 +
|
||
549 files changed, 554 insertions(+), 577 deletions(-)
|
||
|
||
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
||
index 86fabb43744..8ad5ad300aa 100644
|
||
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80338-7
|
||
cce@rhel8: CCE-82188-4
|
||
+ cce@rhel9: CCE-90824-4
|
||
|
||
references:
|
||
cis@rhel7: 2.2.3
|
||
diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
|
||
index 53b633c1f32..d1f2c060751 100644
|
||
--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
|
||
+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81040-8
|
||
cce@rhel8: CCE-80948-3
|
||
+ cce@rhel9: CCE-84228-6
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
|
||
index cacd7eeb3a7..73b3fad1446 100644
|
||
--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82027-4
|
||
cce@rhel8: CCE-80870-9
|
||
+ cce@rhel9: CCE-84234-4
|
||
|
||
references:
|
||
nist: CM-7(a),CM-6(a)
|
||
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||
index 1bb014b5993..5129bcd31e7 100644
|
||
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80258-7
|
||
cce@rhel8: CCE-80878-2
|
||
+ cce@rhel9: CCE-84232-8
|
||
cce@sle12: CCE-83105-7
|
||
cce@sle15: CCE-85638-5
|
||
|
||
diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
|
||
index 8dfbcf5faab..7c1ae86f5fe 100644
|
||
--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80262-9
|
||
cce@rhel8: CCE-80879-0
|
||
+ cce@rhel9: CCE-84236-9
|
||
|
||
references:
|
||
disa: CCI-000382
|
||
diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
|
||
index 64aa1c45f9e..dbe4b22a809 100644
|
||
--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80263-7
|
||
cce@rhel8: CCE-80880-8
|
||
+ cce@rhel9: CCE-84229-4
|
||
|
||
references:
|
||
disa: CCI-000381
|
||
diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
|
||
index badee1af18e..be12fd102a1 100644
|
||
--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80266-0
|
||
cce@rhel8: CCE-80882-4
|
||
+ cce@rhel9: CCE-84231-0
|
||
|
||
references:
|
||
disa: CCI-000382
|
||
diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
|
||
index 772f8c37e68..3cae11fd233 100644
|
||
--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80268-6
|
||
cce@rhel8: CCE-80883-2
|
||
+ cce@rhel9: CCE-84237-7
|
||
|
||
references:
|
||
disa: CCI-000382
|
||
diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
|
||
index ba3b04d8811..35290e39084 100644
|
||
--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80269-4
|
||
cce@rhel8: CCE-82405-2
|
||
+ cce@rhel9: CCE-84235-1
|
||
|
||
references:
|
||
cis@rhel7: 1.2.5
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
||
index bcf17d8d1ba..63741db4654 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82265-0
|
||
cce@rhel8: CCE-82268-4
|
||
+ cce@rhel9: CCE-84177-5
|
||
|
||
references:
|
||
cis@rhel7: 5.1.7
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
||
index 3731bcff80a..2bbef88897c 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82232-0
|
||
cce@rhel8: CCE-82234-6
|
||
+ cce@rhel9: CCE-84170-0
|
||
|
||
references:
|
||
cis@rhel7: 5.1.4
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
||
index f6be1d8e385..c1d873c80b4 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82226-2
|
||
cce@rhel8: CCE-82227-0
|
||
+ cce@rhel9: CCE-84186-6
|
||
|
||
references:
|
||
cis@rhel7: 5.1.3
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
||
index 823bf13d3a8..5f98988f1d3 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82255-1
|
||
cce@rhel8: CCE-82256-9
|
||
+ cce@rhel9: CCE-84189-0
|
||
|
||
references:
|
||
cis@rhel7: 5.1.6
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
||
index edeef8ff378..e6876272e08 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82242-9
|
||
cce@rhel8: CCE-82244-5
|
||
+ cce@rhel9: CCE-84174-2
|
||
|
||
references:
|
||
cis@rhel7: 5.1.5
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
||
index 8c4027198e3..6556e3f8d23 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82222-1
|
||
cce@rhel8: CCE-82223-9
|
||
+ cce@rhel9: CCE-84171-8
|
||
|
||
references:
|
||
cis@rhel7: 5.1.2
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
||
index 29df5f3a977..2e95b3569da 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82270-0
|
||
cce@rhel8: CCE-82272-6
|
||
+ cce@rhel9: CCE-84169-2
|
||
|
||
references:
|
||
cis@rhel7: 5.1.7
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
||
index f7e7811c8b1..41b87b5c458 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82236-1
|
||
cce@rhel8: CCE-82237-9
|
||
+ cce@rhel9: CCE-84188-2
|
||
|
||
references:
|
||
cis@rhel7: 5.1.4
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
||
index 04041e13dfe..97ecab21d35 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82208-0
|
||
cce@rhel8: CCE-82209-8
|
||
+ cce@rhel9: CCE-84168-4
|
||
|
||
references:
|
||
cis@rhel7: 5.1.3
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
||
index 46757a03195..b607f980e6e 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82259-3
|
||
cce@rhel8: CCE-82260-1
|
||
+ cce@rhel9: CCE-84179-1
|
||
|
||
references:
|
||
cis@rhel7: 5.1.6
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
||
index 48f897e4339..3c0d65d9349 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82246-0
|
||
cce@rhel8: CCE-82247-8
|
||
+ cce@rhel9: CCE-84190-8
|
||
|
||
references:
|
||
cis@rhel7: 5.1.5
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
||
index 738d9820b7f..ff0493c9d22 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82217-1
|
||
cce@rhel8: CCE-82224-7
|
||
+ cce@rhel9: CCE-84167-6
|
||
|
||
references:
|
||
cis@rhel7: 5.1.2
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
||
index f47ae580724..d3af795efcb 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82276-7
|
||
cce@rhel8: CCE-82277-5
|
||
+ cce@rhel9: CCE-84183-3
|
||
|
||
references:
|
||
cis@rhel7: 5.1.7
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
||
index ce7a7447a68..40eb753b45c 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82239-5
|
||
cce@rhel8: CCE-82240-3
|
||
+ cce@rhel9: CCE-84175-9
|
||
|
||
references:
|
||
cis@rhel7: 5.1.4
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
||
index dc9c7274f6e..cb0d959fecf 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82229-6
|
||
cce@rhel8: CCE-82230-4
|
||
+ cce@rhel9: CCE-84173-4
|
||
|
||
references:
|
||
cis@rhel7: 5.1.3
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
||
index 0ce221933e3..1bb7486b3be 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82262-7
|
||
cce@rhel8: CCE-82263-5
|
||
+ cce@rhel9: CCE-84181-7
|
||
|
||
references:
|
||
cis@rhel7: 5.1.6
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
||
index 0bcf7c9dfa3..ea5020367e9 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82250-2
|
||
cce@rhel8: CCE-82253-6
|
||
+ cce@rhel9: CCE-84187-4
|
||
|
||
references:
|
||
cis@rhel7: 5.1.5
|
||
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
||
index 4a743ab10d5..62b3623b10c 100644
|
||
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82205-6
|
||
cce@rhel8: CCE-82206-4
|
||
+ cce@rhel9: CCE-84176-7
|
||
|
||
references:
|
||
cis@rhel7: 5.1.2
|
||
diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
|
||
index 12bde00f86c..bd3f5894e1d 100644
|
||
--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80345-2
|
||
cce@rhel8: CCE-80871-7
|
||
+ cce@rhel9: CCE-84164-3
|
||
|
||
references:
|
||
disa: CCI-000381
|
||
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
||
index d2c99d0d3f9..5e6aa3f246d 100644
|
||
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27323-5
|
||
cce@rhel8: CCE-80875-8
|
||
+ cce@rhel9: CCE-84163-5
|
||
|
||
references:
|
||
cis@rhel7: 5.1.1
|
||
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
|
||
index 5f6ef7037d1..e1f2ee67c0c 100644
|
||
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
|
||
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80331-2
|
||
cce@rhel8: CCE-83385-5
|
||
+ cce@rhel9: CCE-84240-1
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
|
||
index ef7cb53457e..d5a35841bb7 100644
|
||
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80330-4
|
||
cce@rhel8: CCE-82864-0
|
||
+ cce@rhel9: CCE-84241-9
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
|
||
index ee4527a8953..9416c1a47c3 100644
|
||
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80325-4
|
||
cce@rhel8: CCE-82409-4
|
||
+ cce@rhel9: CCE-84194-0
|
||
|
||
references:
|
||
cis@rhel7: 2.2.8
|
||
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
|
||
index abaa84ceb0f..def5fd0b715 100644
|
||
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
|
||
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82191-8
|
||
+ cce@rhel9: CCE-84224-5
|
||
cce@rhcos4: CCE-82533-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
|
||
index a8b98ce3630..69be5807c1d 100644
|
||
--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82249-4
|
||
+ cce@rhel9: CCE-84227-8
|
||
cce@rhcos4: CCE-82534-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
||
index b41afade347..30f5483a471 100644
|
||
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
||
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-80245-4
|
||
cce@rhel8: CCE-82414-4
|
||
+ cce@rhel9: CCE-84159-3
|
||
cce@sle15: CCE-85700-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
|
||
index e6424e0162a..f43dabbda35 100644
|
||
--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80244-7
|
||
cce@rhel8: CCE-82413-6
|
||
+ cce@rhel9: CCE-84160-1
|
||
|
||
references:
|
||
cis@rhel7: 2.2.9
|
||
diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
|
||
index 10808731308..880cb190c41 100644
|
||
--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80300-7
|
||
cce@rhel8: CCE-82761-8
|
||
+ cce@rhel9: CCE-84213-8
|
||
|
||
references:
|
||
cis@rhel7: 2.2.10
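Review bot: The rule that gains `cce@rhel9: CCE-84213-8` here is still rated `severity: unknown` (shown in the hunk header), so RHEL 9 scan findings for it cannot be ranked against other results. The same applies to the service_dovecot_disabled and service_nfs_disabled hunks further down. Before a RHEL 9 profile selects these rules, I would replace `severity: unknown` with a rated value; the other service_*_disabled rules touched by this patch use `low` or `medium`. The severity line sits above the hunk, so whether the unknown rating is deliberate cannot be confirmed from here.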
|
||
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
|
||
index 54235dbfe6a..d460c18646d 100644
|
||
--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80294-2
|
||
cce@rhel8: CCE-82760-0
|
||
+ cce@rhel9: CCE-84242-7
|
||
|
||
references:
|
||
cis@rhel7: 2.2.11
|
||
diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
|
||
index 3e0de0e531f..992e397de54 100644
|
||
--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
|
||
+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82175-1
|
||
+ cce@rhel9: CCE-84221-1
|
||
|
||
references:
|
||
ospp: FTP_ITC_EXT.1
|
||
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
|
||
index 36be8d99194..6d0409fd273 100644
|
||
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
|
||
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82884-8
|
||
cce@rhel8: CCE-82885-5
|
||
+ cce@rhel9: CCE-90831-9
|
||
|
||
references:
|
||
cis@rhel7: 2.3.5
|
||
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
|
||
index 3c851cfb227..a56d93cdae5 100644
|
||
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
|
||
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80288-4
|
||
cce@rhel8: CCE-81039-0
|
||
+ cce@rhel9: CCE-90830-1
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
|
||
index 28d5b41a750..3d390b35e8f 100644
|
||
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
|
||
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82380-7
|
||
cce@rhel8: CCE-82381-5
|
||
+ cce@rhel9: CCE-90826-9
|
||
cce@sle12: CCE-83031-5
|
||
cce@sle15: CCE-85605-4
|
||
|
||
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
||
index 4a9a36ab8c3..e0e3a53d9e5 100644
|
||
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80289-2
|
||
cce@rhel8: CCE-82174-4
|
||
+ cce@rhel9: CCE-90825-1
|
||
|
||
references:
|
||
cis@rhel7: 2.2.16
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
|
||
index 13723c22bab..a44f0c1c492 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80230-6
|
||
cce@rhel8: CCE-82858-2
|
||
+ cce@rhel9: CCE-84245-0
|
||
|
||
references:
|
||
cis@rhel7: 2.2.18
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
|
||
index 5ecd328720e..ef2717e3116 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80237-1
|
||
cce@rhel8: CCE-82762-6
|
||
+ cce@rhel9: CCE-90850-9
|
||
|
||
references:
|
||
cis@rhel7: 2.2.7
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
|
||
index 82eac90b88b..6b2313ecc21 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80239-7
|
||
cce@rhel8: CCE-84052-0
|
||
+ cce@rhel9: CCE-90838-4
|
||
|
||
references:
|
||
nist: CM-6(a),MP-2
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
||
index 4c65f182a9f..9bd6d8ddfdc 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
||
@@ -19,6 +19,7 @@ identifiers:
|
||
cce@sle12: CCE-83103-2
|
||
cce@sle15: CCE-85636-9
|
||
cce@rhel8: CCE-84050-4
|
||
+ cce@rhel9: CCE-84246-8
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-021021
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
||
index 134be291155..036bc8f69b3 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
||
@@ -17,6 +17,7 @@ identifiers:
|
||
cce@sle12: CCE-83102-4
|
||
cce@sle15: CCE-85635-1
|
||
cce@rhel8: CCE-84053-8
|
||
+ cce@rhel9: CCE-84247-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-021020
|
||
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
|
||
index d8527598136..33f4764f795 100644
|
||
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
|
||
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82933-3
|
||
cce@rhel8: CCE-82932-5
|
||
+ cce@rhel9: CCE-84243-5
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
||
index 0947a2faaa8..47cb3d67b7e 100644
|
||
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
||
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
||
@@ -30,6 +30,7 @@ references:
|
||
identifiers:
|
||
cce@rhel7: CCE-82878-0
|
||
cce@rhel8: CCE-82879-8
|
||
+ cce@rhel9: CCE-84108-0
|
||
|
||
ocil_clause: 'chronyd is not running under chrony user account'
|
||
|
||
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
||
index 3583feaf04f..c36fcad3b77 100644
|
||
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
||
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
||
@@ -24,6 +24,7 @@ platform: chrony
|
||
identifiers:
|
||
cce@rhel7: CCE-83418-4
|
||
cce@rhel8: CCE-82873-1
|
||
+ cce@rhel9: CCE-84218-7
|
||
|
||
references:
|
||
cis@rhel7: 2.2.1.2
|
||
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
||
index 0c7a01f4a15..7b8edaf8b65 100644
|
||
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
||
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
||
@@ -20,6 +20,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-83419-2
|
||
cce@rhel8: CCE-82874-9
|
||
+ cce@rhel9: CCE-84215-3
|
||
|
||
references:
|
||
cis@rhel7: 2.2.1.1
|
||
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
||
index c582b2d6121..dad54bcbfa4 100644
|
||
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
||
@@ -23,6 +23,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-83420-0
|
||
cce@rhel8: CCE-82875-6
|
||
+ cce@rhel9: CCE-84217-9
|
||
|
||
references:
|
||
cis@rhel7: 2.2.1.3
|
||
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||
index f582f8b481d..ec4a0de2f61 100644
|
||
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-27354-0
|
||
cce@rhel8: CCE-80850-1
|
||
+ cce@rhel9: CCE-84155-1
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
|
||
index 2c6448da572..3a4e6d4ac78 100644
|
||
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27443-1
|
||
cce@rhel8: CCE-80888-1
|
||
+ cce@rhel9: CCE-84156-9
|
||
|
||
references:
|
||
cis@rhel7: 2.1.7
|
||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||
index e836dc6fb10..87f57cda697 100644
|
||
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-27396-1
|
||
cce@rhel8: CCE-82181-9
|
||
+ cce@rhel9: CCE-84151-0
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||
index e45f5ad0135..55ad750f02d 100644
|
||
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27399-5
|
||
cce@rhel8: CCE-82432-6
|
||
+ cce@rhel9: CCE-84152-8
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
|
||
index 02e2983feee..d4880e23956 100644
|
||
--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27406-8
|
||
cce@rhel8: CCE-80842-8
|
||
+ cce@rhel9: CCE-84145-2
|
||
|
||
references:
|
||
cis@rhel7: 6.2.14
|
||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||
index 33c36cde67d..ed8c4a6c090 100644
|
||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27342-5
|
||
cce@rhel8: CCE-82184-3
|
||
+ cce@rhel9: CCE-84143-7
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||
index 5b27c0ced97..0997a778984 100644
|
||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-27274-0
|
||
cce@rhel8: CCE-82183-5
|
||
+ cce@rhel9: CCE-84142-9
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
|
||
index 597be531e87..addfd018351 100644
|
||
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
|
||
@@ -18,6 +18,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-83334-3
|
||
cce@rhel8: CCE-83335-0
|
||
+ cce@rhel9: CCE-84140-3
|
||
|
||
references:
|
||
cis@rhel7: 2.2.19
|
||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||
index e46e4f55d00..e0667d8811f 100644
|
||
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27210-4
|
||
cce@rhel8: CCE-82180-1
|
||
+ cce@rhel9: CCE-84158-5
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||
index 24743fc2d66..0e3c53e4b09 100644
|
||
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27432-4
|
||
cce@rhel8: CCE-80848-5
|
||
+ cce@rhel9: CCE-84157-7
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||
index a26491259da..01c967baae8 100644
|
||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27165-0
|
||
cce@rhel8: CCE-82182-7
|
||
+ cce@rhel9: CCE-84149-4
|
||
cce@sle12: CCE-83084-4
|
||
cce@sle15: CCE-83273-3
|
||
|
||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||
index afef4887348..b953c71f65c 100644
|
||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-27305-2
|
||
cce@rhel8: CCE-80849-3
|
||
+ cce@rhel9: CCE-84146-0
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
|
||
index b6446c2a78b..f4e0378f9e5 100644
|
||
--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
|
||
@@ -41,6 +41,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27401-9
|
||
cce@rhel8: CCE-80887-3
|
||
+ cce@rhel9: CCE-84150-2
|
||
|
||
references:
|
||
cis@rhel7: 2.2.19
|
||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||
index ca25bb21244..abcff3d8982 100644
|
||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-80213-2
|
||
cce@rhel8: CCE-82436-7
|
||
+ cce@rhel9: CCE-84154-4
|
||
|
||
references:
|
||
anssi: BP28(R1)
|
||
diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
||
index 71ef701ec8f..1cedfddfd2c 100644
|
||
--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80282-7
|
||
cce@rhel8: CCE-82861-6
|
||
+ cce@rhel9: CCE-90795-6
|
||
|
||
references:
|
||
cis@rhel7: 2.2.4
|
||
diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
|
||
index f9495eef39c..5567e024ba1 100644
|
||
--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
|
||
+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80286-8
|
||
cce@rhel8: CCE-82189-2
|
||
+ cce@rhel9: CCE-84238-5
|
||
|
||
{{{ complete_ocil_entry_package(package="squid") }}}
|
||
|
||
diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
|
||
index 1a538ab1e05..f12fa6f203d 100644
|
||
--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80285-0
|
||
cce@rhel8: CCE-82190-0
|
||
+ cce@rhel9: CCE-84239-3
|
||
|
||
references:
|
||
cis@rhel7: 2.2.13
|
||
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||
index 4f1e4d85197..46387098d2d 100644
|
||
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82831-9
|
||
+ cce@rhel9: CCE-84223-7
|
||
cce@rhcos4: CCE-82535-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
|
||
index 9688f30b22f..b1dbf5b93af 100644
|
||
--- a/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
|
||
+++ b/linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-27594-1
|
||
cce@rhel8: CCE-82187-6
|
||
+ cce@rhel9: CCE-84191-6
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
|
||
index 8d173cf74f4..595e8da103b 100644
|
||
--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27191-6
|
||
cce@rhel8: CCE-80889-9
|
||
+ cce@rhel9: CCE-84192-4
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
|
||
index 1dba9883089..acd5c19efaf 100644
|
||
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80277-7
|
||
cce@rhel8: CCE-82759-2
|
||
+ cce@rhel9: CCE-84201-3
|
||
|
||
references:
|
||
cis@rhel7: 2.2.12
|
||
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
|
||
index df46bd44b95..25f676360c2 100644
|
||
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
|
||
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80274-4
|
||
cce@rhel8: CCE-82758-4
|
||
+ cce@rhel9: CCE-90832-7
|
||
|
||
references:
|
||
vmmsrg: SRG-OS-000480-VMM-002000
|
||
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
|
||
index 08224309561..15a190d5e49 100644
|
||
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82902-8
|
||
cce@rhel8: CCE-82901-0
|
||
+ cce@rhel9: CCE-90817-8
|
||
|
||
references:
|
||
cis@rhel7: 5.2.1
|
||
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
|
||
index f69a5a177c0..ee707dc646f 100644
|
||
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82899-6
|
||
cce@rhel8: CCE-82898-8
|
||
+ cce@rhel9: CCE-90821-0
|
||
|
||
references:
|
||
cis@rhel7: 5.2.1
|
||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
|
||
index ff719e2ca20..5250f1c72fb 100644
|
||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82895-4
|
||
cce@rhel8: CCE-82894-7
|
||
+ cce@rhel9: CCE-90818-6
|
||
|
||
references:
|
||
cis@rhel7: 5.2.1
|
||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||
index 57f3fcf792b..f6aee9aba0c 100644
|
||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27485-2
|
||
cce@rhel8: CCE-82424-3
|
||
+ cce@rhel9: CCE-90820-2
|
||
cce@sle12: CCE-83058-8
|
||
cce@sle15: CCE-85644-3
|
||
|
||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||
index 553560b83f6..30a8002bf1a 100644
|
||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27311-0
|
||
cce@rhel8: CCE-82428-4
|
||
+ cce@rhel9: CCE-90819-4
|
||
cce@sle12: CCE-83057-0
|
||
cce@sle15: CCE-85643-5
|
||
|
||
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||
index 5f585c1a502..67bf4e7e022 100644
|
||
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82722-0
|
||
+ cce@rhel9: CCE-90836-8
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||
index 2d12bf7a8cc..46794f04946 100644
|
||
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80215-7
|
||
cce@rhel8: CCE-83303-8
|
||
+ cce@rhel9: CCE-90823-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-040300
|
||
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||
index a7aaa4f3f9c..8ecbc74b778 100644
|
||
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80216-5
|
||
cce@rhel8: CCE-82426-8
|
||
+ cce@rhel9: CCE-90822-8
|
||
cce@sle12: CCE-83201-4
|
||
cce@sle15: CCE-83297-2
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
|
||
index af004f81acf..888e9aa2aab 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27413-4
|
||
cce@rhel8: CCE-80786-7
|
||
+ cce@rhel9: CCE-90816-0
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010470
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
|
||
index fc9d1b9b3f3..4094e612579 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27320-1
|
||
cce@rhel8: CCE-80894-9
|
||
+ cce@rhel9: CCE-90812-9
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-040390
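Review bot: The added `cce@rhel9: CCE-90812-9` gives a RHEL 9 identifier to a rule that, judging by its name, checks the sshd `Protocol 2` setting. OpenSSH removed server-side SSH protocol 1 support in 7.4, so on the OpenSSH version RHEL 9 ships that keyword should no longer change behaviour. A high-severity result keyed to an inert option gives either noise or false assurance in scan reports. I would drop this line and keep the rule out of the RHEL 9 profiles, or, if the identifier is wanted for profile parity, say so next to it with `# rhel9: sshd is protocol-2 only; identifier kept for profile parity`. The rule's prodtype and check text are outside this hunk, so whether RHEL 9 is meant to be in scope has to be confirmed there.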
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||
index 54f40e75063..2e56c574a6c 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80224-9
|
||
cce@rhel8: CCE-80895-6
|
||
+ cce@rhel9: CCE-90801-2
|
||
cce@sle12: CCE-83062-0
|
||
cce@sle15: CCE-85647-6
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
|
||
index 9e1cf6aae75..a8a1497d84d 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27471-2
|
||
cce@rhel8: CCE-80896-4
|
||
+ cce@rhel9: CCE-90799-8
|
||
cce@sle12: CCE-83014-1
|
||
cce@sle15: CCE-85667-4
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
|
||
index c15ef0c36a2..282b850f24c 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80220-7
|
||
cce@rhel8: CCE-80897-2
|
||
+ cce@rhel9: CCE-90808-7
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-040430
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
|
||
index 206a7c1399d..76708e44e1e 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80221-5
|
||
cce@rhel8: CCE-80898-0
|
||
+ cce@rhel9: CCE-90802-0
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-040440
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
|
||
index d9bbe22ec98..2d8670ee211 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27377-1
|
||
cce@rhel8: CCE-80899-8
|
||
+ cce@rhel9: CCE-90797-2
|
||
cce@rhcos4: CCE-82665-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
||
index 5b36e99912a..3d987f0281d 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27445-6
|
||
cce@rhel8: CCE-80901-2
|
||
+ cce@rhel9: CCE-90800-4
|
||
cce@sle12: CCE-83035-6
|
||
cce@sle15: CCE-85557-7
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
|
||
index 9a0a7b6dfa5..b9282f8c0dc 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83301-2
|
||
+ cce@rhel9: CCE-90806-1
|
||
|
||
references:
|
||
cis@rhel8: 5.2.17
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
|
||
index cd63b670a25..2580b3cdfe4 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80372-6
|
||
cce@rhel8: CCE-80902-0
|
||
+ cce@rhel9: CCE-90796-4
|
||
cce@sle12: CCE-83056-2
|
||
cce@sle15: CCE-85642-7
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||
index b93aa2e6430..7da4e89cd6b 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83359-0
|
||
cce@rhel8: CCE-83360-8
|
||
+ cce@rhel9: CCE-90798-0
|
||
cce@sle15: CCE-85707-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
|
||
index 006a8496cef..cd08a39312b 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27363-1
|
||
cce@rhel8: CCE-80903-8
|
||
+ cce@rhel9: CCE-90803-8
|
||
cce@sle12: CCE-83015-8
|
||
cce@sle15: CCE-85666-6
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||
index 757ffe95f0e..6edd3480966 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80222-3
|
||
cce@rhel8: CCE-80904-6
|
||
+ cce@rhel9: CCE-90809-5
|
||
cce@sle12: CCE-83060-4
|
||
cce@sle15: CCE-85645-0
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||
index c2c045ceb48..b8c7e45edf0 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27314-4
|
||
cce@rhel8: CCE-80905-3
|
||
+ cce@rhel9: CCE-90807-9
|
||
cce@sle12: CCE-83066-1
|
||
cce@sle15: CCE-83263-4
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||
index 886a03cdadd..d4a520437bb 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80225-6
|
||
cce@rhel8: CCE-82281-7
|
||
+ cce@rhel9: CCE-90804-6
|
||
cce@sle12: CCE-83083-6
|
||
cce@sle15: CCE-85563-5
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
index 84eb61830ff..a4f65562d73 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82177-7
|
||
+ cce@rhel9: CCE-90815-2
|
||
|
||
references:
|
||
ospp: FCS_SSHS_EXT.1
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||
index 7444e9680d1..7b49ebbbefb 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27433-2
|
||
cce@rhel8: CCE-80906-1
|
||
+ cce@rhel9: CCE-90811-1
|
||
cce@rhcos4: CCE-82549-7
|
||
cce@sle12: CCE-83027-3
|
||
cce@sle15: CCE-83281-6
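Review bot: Enabling this rule for RHEL 9 with `cce@rhel9: CCE-90811-1` needs a check of how it pairs with sshd_set_keepalive, the next file in this patch (`cce@rhel9: CCE-90805-3`). Since OpenSSH 8.2, `ClientAliveCountMax 0` disables connection termination instead of dropping the session after the first missed probe. If the RHEL 9 profiles carry over a keepalive value of 0 from RHEL 8, the idle-timeout check would pass while idle sessions are never closed. The rule text and the variable default are outside these hunks, so this needs confirming there. If it holds, the RHEL 9 description should state that the effective timeout is `ClientAliveInterval` multiplied by a `ClientAliveCountMax` of at least 1.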
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||
index 3995cd8c4ad..5b08b3b93fb 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27082-7
|
||
cce@rhel8: CCE-80907-9
|
||
+ cce@rhel9: CCE-90805-3
|
||
cce@rhcos4: CCE-82464-9
|
||
cce@sle12: CCE-83034-9
|
||
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
|
||
index 2f170a1a3c8..f6c57ccd113 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80645-5
|
||
cce@rhel8: CCE-82282-5
|
||
+ cce@rhel9: CCE-90813-7
|
||
|
||
references:
|
||
cis@debian10: 9.3.2
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
|
||
index c7aa0e8899e..806953fd3c8 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82354-2
|
||
cce@rhel8: CCE-83500-9
|
||
+ cce@rhel9: CCE-90810-3
|
||
|
||
references:
|
||
cis@debian9: 9.3.5
|
||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
|
||
index 2782b71905a..a283a97f99a 100644
|
||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
|
||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83357-4
|
||
+ cce@rhel9: CCE-84103-1
|
||
|
||
references:
|
||
cis@rhel8: 5.2.19
|
||
diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
|
||
index 7202c3b73e7..88c5f0a0684 100644
|
||
--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
|
||
+++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82168-6
|
||
+ cce@rhel9: CCE-84206-2
|
||
cce@rhcos4: CCE-82538-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
|
||
index e7d3514efb0..dfc9d60d51c 100644
|
||
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
|
||
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
|
||
@@ -41,6 +41,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82960-6
|
||
cce@rhel8: CCE-82959-8
|
||
+ cce@rhel9: CCE-84203-9
|
||
cce@rhcos4: CCE-82524-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
|
||
index a111d010844..28136f33936 100644
|
||
--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
|
||
+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
|
||
@@ -18,6 +18,7 @@ platform: machine
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82853-3
|
||
+ cce@rhel9: CCE-84205-4
|
||
cce@rhcos4: CCE-82537-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
|
||
index 49fbfceb390..2f54b61c9b0 100644
|
||
--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
|
||
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82368-2
|
||
+ cce@rhel9: CCE-84210-4
|
||
cce@rhcos4: CCE-82539-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
||
index b1f1c590828..9c3e5853578 100644
|
||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27218-7
|
||
cce@rhel8: CCE-82757-6
|
||
+ cce@rhel9: CCE-84104-9
|
||
|
||
references:
|
||
cis@rhel7: 2.2.2
|
||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||
index 10d5efe93f4..d4ae55e76e3 100644
|
||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83410-1
|
||
cce@rhel8: CCE-83411-9
|
||
+ cce@rhel9: CCE-84106-4
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||
index e64ddd91807..4a33f52bb91 100644
|
||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27285-6
|
||
cce@rhel8: CCE-83380-6
|
||
+ cce@rhel9: CCE-84105-6
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||
index 8dde113ea69..42313d7861f 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
||
@@ -84,6 +84,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27303-7
|
||
cce@rhel8: CCE-80763-6
|
||
+ cce@rhel9: CCE-83557-9
|
||
cce@rhcos4: CCE-82555-4
|
||
cce@sle12: CCE-83054-7
|
||
cce@sle15: CCE-83262-6
|
||
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
|
||
index fcc47279783..bb74c68d893 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
|
||
@@ -51,6 +51,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83394-7
|
||
cce@rhel8: CCE-83496-0
|
||
+ cce@rhel9: CCE-83559-5
|
||
|
||
references:
|
||
cis@rhel7: 1.7.1.
|
||
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
|
||
index b30f8cde0f1..8bca4673c92 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83347-5
|
||
cce@rhel8: CCE-83348-3
|
||
+ cce@rhel9: CCE-83551-2
|
||
|
||
references:
|
||
cis@rhel7: 1.7.5
|
||
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
|
||
index 460cc2f5d95..bd29403c607 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83337-6
|
||
cce@rhel8: CCE-83338-4
|
||
+ cce@rhel9: CCE-83554-6
|
||
|
||
references:
|
||
cis@rhel7: 1.7.4
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
|
||
index 1662306b3a9..fc4f0e4b87d 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-27275-7
|
||
cce@rhel8: CCE-80788-3
|
||
+ cce@rhel9: CCE-83560-3
|
||
cce@sle12: CCE-83149-5
|
||
cce@sle15: CCE-85560-1
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||
index cb90c7ce004..98c5f2922be 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82030-8
|
||
cce@rhel8: CCE-80666-1
|
||
+ cce@rhel9: CCE-83584-3
|
||
cce@sle15: CCE-85678-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||
index 37434a1f593..cee6c05fd97 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27350-8
|
||
cce@rhel8: CCE-80667-9
|
||
+ cce@rhel9: CCE-83587-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010320
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
|
||
index da61edfad1f..a03264066f1 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80353-6
|
||
cce@rhel8: CCE-80668-7
|
||
+ cce@rhel9: CCE-83589-2
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010330
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
|
||
index 7dd0b99acf3..87026e13fb3 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27297-1
|
||
cce@rhel8: CCE-80669-5
|
||
+ cce@rhel9: CCE-83583-5
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010320
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
|
||
index 08902f5a931..2eb38a4ba6f 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-26884-7
|
||
cce@rhel8: CCE-80670-3
|
||
+ cce@rhel9: CCE-83588-4
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010320
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
|
||
index c575ed1c153..b76cf3ad00c 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27214-6
|
||
cce@rhel8: CCE-80653-9
|
||
+ cce@rhel9: CCE-83566-0
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010140
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
|
||
index 44f24e8cfb0..f0408f872b8 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
|
||
@@ -32,6 +32,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82020-9
|
||
cce@rhel8: CCE-80654-7
|
||
+ cce@rhel9: CCE-83564-5
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010160
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
|
||
index 20361952d6b..245e97485a3 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27345-8
|
||
cce@rhel8: CCE-80655-4
|
||
+ cce@rhel9: CCE-83570-2
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010130
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||
index a1eaf377d24..c2a456fabd4 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27512-3
|
||
cce@rhel8: CCE-81034-1
|
||
+ cce@rhel9: CCE-83575-1
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010190
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
|
||
index b4fc71af15b..2ee715f20ce 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82055-5
|
||
cce@rhel8: CCE-82066-2
|
||
+ cce@rhel9: CCE-83567-8
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010180
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
|
||
index 1738c4a07c0..509ba7d0f3b 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
|
||
@@ -39,6 +39,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82045-6
|
||
cce@rhel8: CCE-82046-4
|
||
+ cce@rhel9: CCE-83563-7
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010170
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
|
||
index 529799224b3..b395ce336e2 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27293-0
|
||
cce@rhel8: CCE-80656-2
|
||
+ cce@rhel9: CCE-83579-3
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010280
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
|
||
index 2f42a13c24b..3f64ac5fff7 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27360-7
|
||
cce@rhel8: CCE-80663-8
|
||
+ cce@rhel9: CCE-83565-2
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010150
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||
index f1f65e3b03d..c1ef5e5f64d 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27160-1
|
||
cce@rhel8: CCE-80664-6
|
||
+ cce@rhel9: CCE-83569-4
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010119
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
|
||
index a55c1b17003..33c60084985 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27200-5
|
||
cce@rhel8: CCE-80665-3
|
||
+ cce@rhel9: CCE-83568-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010120
|
||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||
index b0ecbd2bf1e..282c6182af8 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||
@@ -46,6 +46,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82043-1
|
||
cce@rhel8: CCE-80893-1
|
||
+ cce@rhel9: CCE-83581-9
|
||
cce@sle12: CCE-83184-2
|
||
cce@sle15: CCE-85565-0
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
||
index bc8c0a224b1..91515fcda12 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82185-0
|
||
cce@rhel8: CCE-82186-8
|
||
+ cce@rhel9: CCE-83592-6
|
||
|
||
references:
|
||
stigid@rhel7: RHEL-07-010481
|
||
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||
index 3dee04454c3..49e084358b2 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27287-2
|
||
cce@rhel8: CCE-80855-0
|
||
+ cce@rhel9: CCE-83594-2
|
||
cce@rhcos4: CCE-82550-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
|
||
index b6f9df180ea..70f73ee2865 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82963-0
|
||
cce@rhel8: CCE-80644-8
|
||
+ cce@rhel9: CCE-83599-1
|
||
|
||
references:
|
||
cui: 3.1.10
|
||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||
index 652e9287759..be1ca56f2da 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||
@@ -38,6 +38,7 @@ identifiers:
|
||
cce@sle12: CCE-83177-6
|
||
cce@sle15: CCE-83292-3
|
||
cce@rhel8: CCE-84029-8
|
||
+ cce@rhel9: CCE-83596-7
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-041001
|
||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||
index 5f8caa69b5e..dfcf1709d0d 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80568-9
|
||
cce@rhel8: CCE-80846-9
|
||
+ cce@rhel9: CCE-83595-9
|
||
|
||
references:
|
||
disa: CCI-001954,CCI-001953
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
|
||
index 0c538123879..71c05cec2a7 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27355-7
|
||
cce@rhel8: CCE-80954-1
|
||
+ cce@rhel9: CCE-83627-0
|
||
cce@rhcos4: CCE-82695-8
|
||
cce@sle12: CCE-83051-3
|
||
cce@sle15: CCE-85558-5
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
|
||
index 6ef67acd5a1..4ef020cccff 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80208-2
|
||
cce@rhel8: CCE-80674-5
|
||
+ cce@rhel9: CCE-83628-8
|
||
|
||
references:
|
||
cjis: 5.5.2
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||
index 15486e55f95..e89543ee542 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27051-2
|
||
cce@rhel8: CCE-80647-1
|
||
+ cce@rhel9: CCE-83606-4
|
||
cce@sle12: CCE-83050-5
|
||
cce@sle15: CCE-85570-0
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
|
||
index 31cf2d2124c..3bb7d560c33 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82036-5
|
||
cce@rhel8: CCE-80648-9
|
||
+ cce@rhel9: CCE-83610-6
|
||
cce@sle12: CCE-83049-7
|
||
cce@sle15: CCE-85720-1
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
|
||
index 4f316230045..6fc5842a7cb 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82049-8
|
||
cce@rhel8: CCE-80652-1
|
||
+ cce@rhel9: CCE-83608-0
|
||
|
||
references:
|
||
cjis: 5.6.2.1
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
|
||
index 3b51e91d080..3cee41c8ab3 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82016-7
|
||
cce@rhel8: CCE-80671-1
|
||
+ cce@rhel9: CCE-83609-8
|
||
|
||
references:
|
||
cui: 3.5.8
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
|
||
index 0563b15fc4e..a018101e9fa 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27352-4
|
||
cce@rhel8: CCE-80651-3
|
||
+ cce@rhel9: CCE-83618-9
|
||
|
||
references:
|
||
cjis: 5.5.2
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
|
||
index 71c7f51f1fd..e0219783963 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83402-8
|
||
cce@rhel8: CCE-83403-6
|
||
+ cce@rhel9: CCE-83615-5
|
||
|
||
references:
|
||
anssi: BP28(R32)
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
|
||
index e4912d51154..36181c5b094 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83384-8
|
||
cce@rhel8: CCE-83386-3
|
||
+ cce@rhel9: CCE-83621-3
|
||
|
||
references:
|
||
anssi: BP28(R32)
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
|
||
index 4f48f364505..97a37c42f91 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-27503-2
|
||
cce@rhel8: CCE-80822-0
|
||
+ cce@rhel9: CCE-83613-0
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-020300
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
|
||
index 4f0c5894d10..eb36cc54ff4 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27286-4
|
||
cce@rhel8: CCE-80841-0
|
||
+ cce@rhel9: CCE-83611-4
|
||
cce@rhcos4: CCE-82553-9
|
||
cce@sle12: CCE-83039-8
|
||
cce@sle15: CCE-85576-7
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
|
||
index f9799183e0c..126f2ba5645 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83388-9
|
||
cce@rhel8: CCE-83389-7
|
||
+ cce@rhel9: CCE-83616-3
|
||
|
||
references:
|
||
cis@rhel7: 6.2.4
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
|
||
index 1703c8b7ff4..12e9a1253e1 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82889-7
|
||
cce@rhel8: CCE-82890-5
|
||
+ cce@rhel9: CCE-83620-5
|
||
|
||
references:
|
||
cis@rhel7: 6.2.2
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
|
||
index 94ba6160154..102c4def630 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83390-5
|
||
cce@rhel8: CCE-84290-6
|
||
+ cce@rhel9: CCE-83612-2
|
||
|
||
references:
|
||
cis@rhel7: 6.2.3
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||
index 9e9ac4a3d87..1781d30ce87 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80211-6
|
||
cce@rhel8: CCE-83444-0
|
||
+ cce@rhel9: CCE-83617-1
|
||
cce@rhcos4: CCE-82667-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
|
||
index 0174370d54c..4357fd62803 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-82054-8
|
||
cce@rhel8: CCE-80649-7
|
||
+ cce@rhel9: CCE-83624-7
|
||
cce@rhcos4: CCE-82699-0
|
||
cce@sle12: CCE-83020-8
|
||
cce@sle15: CCE-85664-1
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
|
||
index cf261e7dbc4..ee402c27798 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27294-8
|
||
cce@rhel8: CCE-80840-2
|
||
+ cce@rhel9: CCE-83625-4
|
||
cce@rhcos4: CCE-82698-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
|
||
index 65e41ca5c18..b82172844fd 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82015-9
|
||
cce@rhel8: CCE-80843-6
|
||
+ cce@rhel9: CCE-83623-9
|
||
cce@rhcos4: CCE-82697-4
|
||
cce@sle15: CCE-85672-4
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
|
||
index 1755f68c28e..0828e1c14e4 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27268-2
|
||
cce@rhel8: CCE-80856-8
|
||
+ cce@rhel9: CCE-83622-1
|
||
|
||
references:
|
||
cui: '3.1.1,3.1.5'
|
||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
|
||
index e53917e4f22..3d04c7ec7ec 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27318-5
|
||
cce@rhel8: CCE-80864-2
|
||
+ cce@rhel9: CCE-83626-2
|
||
|
||
references:
|
||
cui: '3.1.1,3.1.5'
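Review bot: The added `cce@rhel9: CCE-83626-2` makes this rule reportable on RHEL 9, but nothing in the hunk shows the check still means anything there. Judging by the rule name it inspects `/etc/securetty`, which is only honoured when `pam_securetty` is in the PAM stack, and RHEL 8 and later neither enable that module nor ship the file by default. A scan could then report a result that says nothing about whether root can actually log in on a given terminal. I would confirm applicability before assigning the identifier, or record the dependency beside it, for example `# rhel9: only effective when pam_securetty is enabled in the PAM stack`. The `no_direct_root_logins` and `restrict_serial_port_logins` hunks above presumably rely on the same file and deserve the same check; the rule bodies lie outside the hunks, so this is inferred from the paths.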
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
||
index d1da3b69637..c5696d27985 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
||
@@ -17,6 +17,7 @@ identifiers:
|
||
cce@rhel7: CCE-80352-8
|
||
cce@sle12: CCE-83028-1
|
||
cce@rhel8: CCE-84037-1
|
||
+ cce@rhel9: CCE-83635-3
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010430
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||
index 50ae13a1df7..dfc5836d665 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82041-5
|
||
cce@rhel8: CCE-80955-8
|
||
+ cce@rhel9: CCE-83641-1
|
||
cce@sle12: CCE-83065-3
|
||
cce@sle15: CCE-85555-1
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
|
||
index abe3c4e82a8..74e0ee3261e 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-83731-0
|
||
cce@rhel8: CCE-83732-8
|
||
+ cce@rhel9: CCE-90827-7
|
||
|
||
references:
|
||
anssi: BP28(R39)
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
|
||
index 5ded3a505f8..312a2ab6987 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-83777-3
|
||
cce@rhel8: CCE-83778-1
|
||
+ cce@rhel9: CCE-83642-9
|
||
|
||
references:
|
||
anssi: BP28(R39)
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||
index 5130296ad98..4c890a9ed9f 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27557-8
|
||
cce@rhel8: CCE-80673-7
|
||
+ cce@rhel9: CCE-83633-8
|
||
cce@sle12: CCE-83011-7
|
||
cce@sle15: CCE-83269-1
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||
index ac541680fa7..bd075ed358c 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80529-1
|
||
cce@rhel8: CCE-83424-2
|
||
+ cce@rhel9: CCE-83639-5
|
||
cce@sle12: CCE-83074-5
|
||
cce@sle15: CCE-85628-6
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||
index 237e7e86c12..bfd92f73cfe 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80532-5
|
||
cce@rhel8: CCE-83434-1
|
||
+ cce@rhel9: CCE-83629-6
|
||
cce@sle12: CCE-83096-8
|
||
cce@sle15: CCE-85711-0
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
||
index 044118cbdcd..722603ca78c 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
||
@@ -21,6 +21,7 @@ identifiers:
|
||
cce@sle12: CCE-83097-6
|
||
cce@sle15: CCE-85630-2
|
||
cce@rhel8: CCE-84043-9
|
||
+ cce@rhel9: CCE-83637-9
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-020710
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
||
index e070fdb6669..6f2e53f38da 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
||
@@ -21,6 +21,7 @@ identifiers:
|
||
cce@sle12: CCE-83076-0
|
||
cce@sle15: CCE-85629-4
|
||
cce@rhel8: CCE-84038-9
|
||
+ cce@rhel9: CCE-83634-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-020630
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
|
||
index f3b68707cb0..95e67220245 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80201-7
|
||
cce@rhel8: CCE-84274-0
|
||
+ cce@rhel9: CCE-83638-7
|
||
|
||
references:
|
||
disa: CCI-000225
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
||
index 73ebb701cc8..1f09ce4d10e 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80200-9
|
||
cce@rhel8: CCE-80672-9
|
||
+ cce@rhel9: CCE-83643-7
|
||
|
||
references:
|
||
disa: CCI-000366
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||
index d9afad723ef..3ddbc2272db 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80202-5
|
||
cce@rhel8: CCE-81036-6
|
||
+ cce@rhel9: CCE-83644-5
|
||
cce@rhcos4: CCE-84260-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
||
index 99c7f274bd5..e4f7690f9c7 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80205-8
|
||
cce@rhel8: CCE-82888-9
|
||
+ cce@rhel9: CCE-83647-8
|
||
cce@sle12: CCE-83052-1
|
||
cce@sle15: CCE-85659-1
|
||
|
||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
|
||
index 2ccc8b93149..e2531c67eb5 100644
|
||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
|
||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80204-1
|
||
cce@rhel8: CCE-81035-8
|
||
+ cce@rhel9: CCE-90828-5
|
||
cce@rhcos4: CCE-84262-5
|
||
|
||
references:
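Review bot: This rule gains a RHEL 9 identifier while its severity, visible in the hunk header, is still `severity: unknown`. The sibling umask rules in this patch, `accounts_umask_etc_bashrc` and `accounts_umask_etc_login_defs`, are both `medium`. An unrated rule is hard to prioritise in scan results and can drop out of severity-filtered reports. Since the file is being touched anyway, I would set `severity: medium` to match the siblings, or add a comment saying why it is left unrated. The severity line itself sits above the hunk's context.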
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
||
index 7f4367ca2e8..826c83f6026 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27339-1
|
||
cce@rhel8: CCE-80685-1
|
||
+ cce@rhel9: CCE-83830-0
|
||
cce@rhcos4: CCE-82556-2
|
||
cce@sle12: CCE-83106-5
|
||
cce@sle15: CCE-85693-0
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
|
||
index a5f3f15bf35..05a2bb66ee9 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27364-9
|
||
cce@rhel8: CCE-80686-9
|
||
+ cce@rhel9: CCE-83812-8
|
||
cce@rhcos4: CCE-82557-0
|
||
cce@sle12: CCE-83137-0
|
||
cce@sle15: CCE-85690-6
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||
index 48f1016a4c7..11c083e8cc1 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27393-8
|
||
cce@rhel8: CCE-80687-7
|
||
+ cce@rhel9: CCE-83832-6
|
||
cce@rhcos4: CCE-82558-8
|
||
cce@sle12: CCE-83133-9
|
||
cce@sle15: CCE-85694-8
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||
index b1da8c2e2d9..43a95de5a29 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27388-8
|
||
cce@rhel8: CCE-80688-5
|
||
+ cce@rhel9: CCE-83822-7
|
||
cce@rhcos4: CCE-82559-6
|
||
cce@sle12: CCE-83132-1
|
||
cce@sle15: CCE-85695-5
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||
index 4688f94c29e..5499a793840 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||
@@ -32,6 +32,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27356-5
|
||
cce@rhel8: CCE-80689-3
|
||
+ cce@rhel9: CCE-83829-2
|
||
cce@rhcos4: CCE-82560-4
|
||
cce@sle12: CCE-83136-2
|
||
cce@sle15: CCE-85721-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||
index 94bf93b456e..6ac0c29bb8b 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27387-0
|
||
cce@rhel8: CCE-80690-1
|
||
+ cce@rhel9: CCE-83831-8
|
||
cce@rhcos4: CCE-82561-2
|
||
cce@sle12: CCE-83134-7
|
||
cce@sle15: CCE-85692-2
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||
index 6c6490cec14..2c57c277664 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||
@@ -34,6 +34,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27353-2
|
||
cce@rhel8: CCE-80691-9
|
||
+ cce@rhel9: CCE-83821-9
|
||
cce@rhcos4: CCE-82562-0
|
||
cce@sle12: CCE-83138-8
|
||
cce@sle15: CCE-85686-4
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||
index f8d076876e0..bbb177ebd9a 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27389-6
|
||
cce@rhel8: CCE-80692-7
|
||
+ cce@rhel9: CCE-83817-7
|
||
cce@rhcos4: CCE-82563-8
|
||
cce@sle12: CCE-83141-2
|
||
cce@sle15: CCE-85688-0
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||
index 746f5b38f70..2682b06a4ba 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27083-5
|
||
cce@rhel8: CCE-80693-5
|
||
+ cce@rhel9: CCE-83833-4
|
||
cce@rhcos4: CCE-82564-6
|
||
cce@sle12: CCE-83135-4
|
||
cce@sle15: CCE-85691-4
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
|
||
index cada76ea71f..c5b7f0a4b1a 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
|
||
@@ -34,6 +34,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27410-0
|
||
cce@rhel8: CCE-80694-3
|
||
+ cce@rhel9: CCE-83814-4
|
||
cce@rhcos4: CCE-82565-3
|
||
cce@sle12: CCE-83139-6
|
||
cce@sle15: CCE-85685-6
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||
index 7b8a48e4295..ccc2520da57 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27280-7
|
||
cce@rhel8: CCE-80695-0
|
||
+ cce@rhel9: CCE-83808-6
|
||
cce@rhcos4: CCE-82566-1
|
||
cce@sle15: CCE-85689-8
|
||
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||
index 839857dfbbe..89895b2802c 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27367-2
|
||
cce@rhel8: CCE-80696-8
|
||
+ cce@rhel9: CCE-83807-8
|
||
cce@rhcos4: CCE-82567-9
|
||
cce@sle12: CCE-83140-4
|
||
cce@sle15: CCE-85684-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||
index 413b11ebcc3..83511fa4bcf 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27213-8
|
||
cce@rhel8: CCE-80697-6
|
||
+ cce@rhel9: CCE-83811-0
|
||
cce@rhcos4: CCE-82568-7
|
||
cce@sle12: CCE-83142-0
|
||
cce@sle15: CCE-85687-2
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
|
||
index 0972a0a04ef..f94d9209106 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
|
||
@@ -41,6 +41,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80393-2
|
||
cce@rhel8: CCE-80698-4
|
||
+ cce@rhel9: CCE-83748-4
|
||
cce@rhcos4: CCE-82569-5
|
||
cce@sle12: CCE-83215-4
|
||
cce@sle15: CCE-85716-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
|
||
index 4b199b8bca6..8c8a39007cb 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80394-0
|
||
cce@rhel8: CCE-80699-2
|
||
+ cce@rhel9: CCE-83749-2
|
||
cce@rhcos4: CCE-82570-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
|
||
index 673bdaf3e2a..6280105ce22 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80391-6
|
||
cce@rhel8: CCE-80700-8
|
||
+ cce@rhel9: CCE-83750-0
|
||
cce@rhcos4: CCE-82571-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
|
||
index 0440dc51191..dfbfce4df9a 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80660-4
|
||
cce@rhel8: CCE-82280-9
|
||
+ cce@rhel9: CCE-83736-9
|
||
cce@rhcos4: CCE-82572-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
|
||
index 894b1e83fcd..773c1829179 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80392-4
|
||
cce@rhel8: CCE-80701-6
|
||
+ cce@rhel9: CCE-83751-8
|
||
cce@rhcos4: CCE-82573-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
|
||
index 80dc8e2825a..f616cc6940e 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82362-5
|
||
cce@rhel8: CCE-80933-5
|
||
+ cce@rhel9: CCE-83746-8
|
||
cce@rhcos4: CCE-82574-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
|
||
index ae2fc418856..453f4ab4354 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27206-2
|
||
cce@rhel8: CCE-80702-4
|
||
+ cce@rhel9: CCE-83752-6
|
||
|
||
references:
|
||
cis@rhel7: 4.1.14
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
|
||
index 237403a21c8..1c2149fae72 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80995-4
|
||
cce@rhel8: CCE-80703-2
|
||
+ cce@rhel9: CCE-83754-2
|
||
cce@rhcos4: CCE-82575-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||
index f8ee193dbfa..5dfc167e34d 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80413-8
|
||
cce@rhel8: CCE-80704-0
|
||
+ cce@rhel9: CCE-83756-7
|
||
cce@rhcos4: CCE-82576-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||
index 7061949cbe2..49f5c093061 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80412-0
|
||
cce@rhel8: CCE-80705-7
|
||
+ cce@rhel9: CCE-83758-3
|
||
cce@rhcos4: CCE-82577-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||
index 5b4677af2bc..80f1483e895 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80996-2
|
||
cce@rhel8: CCE-80706-5
|
||
+ cce@rhel9: CCE-83757-5
|
||
cce@rhcos4: CCE-82578-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||
index f0eb0092d79..b6a1a10f75f 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80662-0
|
||
cce@rhel8: CCE-80707-3
|
||
+ cce@rhel9: CCE-83755-9
|
||
cce@rhcos4: CCE-82579-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
|
||
index 2a8763f30b4..7454775a900 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
|
||
@@ -35,6 +35,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27347-4
|
||
cce@rhel8: CCE-80750-3
|
||
+ cce@rhel9: CCE-83793-0
|
||
|
||
references:
|
||
cjis: 5.4.1.1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||
index 648095bb69f..27423e6deaf 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||
@@ -35,6 +35,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80385-8
|
||
cce@rhel8: CCE-80751-1
|
||
+ cce@rhel9: CCE-83786-4
|
||
cce@rhcos4: CCE-82621-4
|
||
cce@sle12: CCE-83092-7
|
||
cce@sle15: CCE-85681-5
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||
index 5f4e10fc1ac..3391cd44a3d 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80390-8
|
||
cce@rhel8: CCE-80752-9
|
||
+ cce@rhel9: CCE-83800-3
|
||
cce@rhcos4: CCE-82629-7
|
||
cce@sle12: CCE-83091-9
|
||
cce@sle15: CCE-85696-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||
index 5761374a4f8..7c9441884d3 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80386-6
|
||
cce@rhel8: CCE-80753-7
|
||
+ cce@rhel9: CCE-83801-1
|
||
cce@rhcos4: CCE-82633-9
|
||
cce@sle12: CCE-83131-3
|
||
cce@sle15: CCE-85680-7
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||
index 7cf89f50dde..4b4c259cd63 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||
@@ -35,6 +35,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80388-2
|
||
cce@rhel8: CCE-80755-2
|
||
+ cce@rhel9: CCE-83796-3
|
||
cce@rhcos4: CCE-82640-4
|
||
cce@sle12: CCE-83094-3
|
||
cce@sle15: CCE-85683-1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||
index a4b9c22956c..7b44a725d6f 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80387-4
|
||
cce@rhel8: CCE-80754-5
|
||
+ cce@rhel9: CCE-83794-8
|
||
cce@rhcos4: CCE-82634-7
|
||
cce@sle12: CCE-83093-5
|
||
cce@sle15: CCE-85682-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
||
index f0ac52a2ab9..899c453b947 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80389-0
|
||
cce@rhel8: CCE-80756-0
|
||
+ cce@rhel9: CCE-83792-2
|
||
cce@rhcos4: CCE-82651-1
|
||
cce@sle12: CCE-83085-1
|
||
cce@sle15: CCE-85608-8
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
|
||
index 446766d0e50..35cb29e095f 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27129-6
|
||
cce@rhel8: CCE-80709-9
|
||
+ cce@rhel9: CCE-83804-5
|
||
|
||
references:
|
||
cis@rhel7: 4.1.17
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
|
||
index d8ce90bf575..c96fbb705c8 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80415-3
|
||
cce@rhel8: CCE-80711-5
|
||
+ cce@rhel9: CCE-83802-9
|
||
cce@rhcos4: CCE-82580-2
|
||
cce@sle12: CCE-83128-9
|
||
cce@sle15: CCE-85748-2
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||
index cf4dea7a588..43b487f06b3 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80547-3
|
||
cce@rhel8: CCE-80712-3
|
||
+ cce@rhel9: CCE-83803-7
|
||
cce@rhcos4: CCE-82581-0
|
||
cce@sle12: CCE-83129-7
|
||
cce@sle15: CCE-85749-0
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
|
||
index b84eb7c5593..150ae82de02 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80414-6
|
||
cce@rhel8: CCE-80713-1
|
||
+ cce@rhel9: CCE-90835-0
|
||
cce@rhcos4: CCE-82582-8
|
||
cce@sle12: CCE-83130-5
|
||
cce@sle15: CCE-85750-8
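Review bot: The `cce@rhel9: CCE-90835-0` value added in this hunk falls outside the CCE-837xx–838xx block used by every other rhel9 identifier added in the neighbouring audit rule files, for example `CCE-83802-9` and `CCE-83803-7` on the sibling `_delete` and `_finit` rules. It may be a deliberate allocation from a different pool, but please confirm against the project's CCE allocation records that it is assigned to this rule and not used anywhere else. Scan results and compliance reports map findings for the `init_module` audit rule through this identifier, so a wrong or duplicated value would misattribute them. No change is needed if the allocation checks out.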
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
|
||
index bb7d9672a55..e54d1c98fa3 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
|
||
@@ -31,6 +31,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27204-7
|
||
cce@rhel8: CCE-80717-2
|
||
+ cce@rhel9: CCE-83784-9
|
||
|
||
references:
|
||
cjis: 5.4.1.1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
||
index e59377bf222..a196008d371 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80383-3
|
||
cce@rhel8: CCE-80718-0
|
||
+ cce@rhel9: CCE-83783-1
|
||
cce@rhcos4: CCE-82583-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
||
index 9c2bd1eac7e..b83e36f9844 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80384-1
|
||
cce@rhel8: CCE-80719-8
|
||
+ cce@rhel9: CCE-83785-6
|
||
cce@rhcos4: CCE-82584-4
|
||
cce@sle12: CCE-83108-1
|
||
cce@sle15: CCE-85598-1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
||
index 50cbffd31a3..0f5c73acfd9 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80994-7
|
||
cce@rhel8: CCE-80720-6
|
||
+ cce@rhel9: CCE-83782-3
|
||
cce@rhcos4: CCE-82585-1
|
||
cce@sle12: CCE-83107-3
|
||
cce@sle15: CCE-85597-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
|
||
index cf997bbcf4a..32731527a24 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
|
||
@@ -39,6 +39,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27437-3
|
||
cce@rhel8: CCE-80724-8
|
||
+ cce@rhel9: CCE-83759-1
|
||
cce@rhcos4: CCE-82589-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
||
index dcfbe5de239..92fc399b45c 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80398-1
|
||
cce@rhel8: CCE-80725-5
|
||
+ cce@rhel9: CCE-83765-8
|
||
cce@rhcos4: CCE-82591-9
|
||
cce@sle12: CCE-83110-7
|
||
cce@sle15: CCE-85587-4
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
|
||
index 43d151984d8..bf559c8fad2 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80404-7
|
||
cce@rhel8: CCE-80726-3
|
||
+ cce@rhel9: CCE-83763-3
|
||
cce@rhcos4: CCE-82592-7
|
||
cce@sle12: CCE-83163-6
|
||
cce@sle15: CCE-85586-6
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
|
||
index cdbcd540e15..483c8fb4e84 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80410-4
|
||
cce@rhel8: CCE-80727-1
|
||
+ cce@rhel9: CCE-83761-7
|
||
cce@rhcos4: CCE-82593-5
|
||
cce@sle12: CCE-83126-3
|
||
cce@sle15: CCE-85588-2
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
|
||
index 64ebb4b3274..ec514df8a96 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80397-3
|
||
cce@rhel8: CCE-80728-9
|
||
+ cce@rhel9: CCE-83773-2
|
||
cce@rhcos4: CCE-82594-3
|
||
cce@sle12: CCE-83161-0
|
||
cce@sle15: CCE-85584-1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
|
||
index a7b1ab0a6f3..f6b09b92430 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80403-9
|
||
cce@rhel8: CCE-80729-7
|
||
+ cce@rhel9: CCE-83766-6
|
||
cce@rhcos4: CCE-82597-6
|
||
cce@sle12: CCE-83162-8
|
||
cce@sle15: CCE-85585-8
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
|
||
index c113d75ffb8..cf5804a4eb0 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
|
||
@@ -41,6 +41,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80411-2
|
||
cce@rhel8: CCE-80730-5
|
||
+ cce@rhel9: CCE-83767-4
|
||
cce@rhcos4: CCE-82599-2
|
||
cce@sle12: CCE-83127-1
|
||
cce@sle15: CCE-85601-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
|
||
index df3e1b83dce..6c76998b4e5 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80395-7
|
||
cce@rhel8: CCE-80731-3
|
||
+ cce@rhel9: CCE-83781-5
|
||
cce@rhcos4: CCE-82600-8
|
||
cce@sle12: CCE-83160-2
|
||
cce@sle15: CCE-85583-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
|
||
index 6316f31e664..843c42e8c00 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80406-2
|
||
cce@rhel8: CCE-80732-1
|
||
+ cce@rhel9: CCE-83769-0
|
||
cce@rhcos4: CCE-82601-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
|
||
index 528018fe8a9..6ab088d9adb 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80407-0
|
||
cce@rhel8: CCE-80733-9
|
||
+ cce@rhel9: CCE-83770-8
|
||
cce@rhcos4: CCE-82602-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
|
||
index d32a3c45662..1fdfcda2c17 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80408-8
|
||
cce@rhel8: CCE-80735-4
|
||
+ cce@rhel9: CCE-83776-5
|
||
cce@rhcos4: CCE-82604-0
|
||
cce@sle12: CCE-83159-4
|
||
cce@sle15: CCE-85582-5
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
|
||
index bcb50c6b080..592d53e37ff 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80400-5
|
||
cce@rhel8: CCE-80736-2
|
||
+ cce@rhel9: CCE-83771-6
|
||
cce@rhcos4: CCE-82605-7
|
||
cce@sle12: CCE-83143-8
|
||
cce@sle15: CCE-85602-1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
|
||
index 83775fefe5f..759bbbfdda0 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80401-3
|
||
cce@rhel8: CCE-80737-0
|
||
+ cce@rhel9: CCE-83780-7
|
||
cce@rhcos4: CCE-82606-5
|
||
cce@sle12: CCE-83144-6
|
||
cce@sle15: CCE-85603-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
|
||
index 6f8ed9f3163..45f851653cd 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80402-1
|
||
cce@rhel8: CCE-80738-8
|
||
+ cce@rhel9: CCE-83764-1
|
||
cce@rhcos4: CCE-82607-3
|
||
cce@sle15: CCE-85717-7
|
||
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
|
||
index abf9d895013..db04572f95a 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80405-4
|
||
cce@rhel8: CCE-80739-6
|
||
+ cce@rhel9: CCE-83762-5
|
||
cce@rhcos4: CCE-82608-1
|
||
cce@sle12: CCE-83158-6
|
||
cce@sle15: CCE-85734-2
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
||
index f1b9dd19237..b3a13b54621 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80396-5
|
||
cce@rhel8: CCE-80740-4
|
||
+ cce@rhel9: CCE-83768-2
|
||
cce@rhcos4: CCE-82609-9
|
||
cce@sle12: CCE-83109-9
|
||
cce@sle15: CCE-85727-6
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
|
||
index 8d92480f717..e32b43bb00d 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80399-9
|
||
cce@rhel8: CCE-80741-2
|
||
+ cce@rhel9: CCE-83760-9
|
||
cce@rhcos4: CCE-82610-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
|
||
index f42bcf1a18c..e37327bf154 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27097-5
|
||
cce@rhel8: CCE-80708-1
|
||
+ cce@rhel9: CCE-83716-1
|
||
cce@rhcos4: CCE-82668-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
|
||
index 3567507042f..bce6d2534dd 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27168-4
|
||
cce@rhel8: CCE-80721-4
|
||
+ cce@rhel9: CCE-83721-1
|
||
cce@rhcos4: CCE-82586-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
|
||
index 883b19d998e..ec97d311975 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27447-2
|
||
cce@rhel8: CCE-80722-2
|
||
+ cce@rhel9: CCE-83735-1
|
||
cce@rhcos4: CCE-82587-7
|
||
cce@sle12: CCE-83217-0
|
||
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
|
||
index 134cc80a7d4..7f354a63867 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27076-9
|
||
cce@rhel8: CCE-80723-0
|
||
+ cce@rhel9: CCE-83706-2
|
||
cce@rhcos4: CCE-82588-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
|
||
index ddaa1f504b1..a0a232d14b0 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27301-1
|
||
cce@rhel8: CCE-80742-0
|
||
+ cce@rhel9: CCE-83713-8
|
||
cce@rhcos4: CCE-82612-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
|
||
index b1d13fba2b8..4e095e9fcce 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27461-3
|
||
cce@rhel8: CCE-80743-8
|
||
+ cce@rhel9: CCE-83729-4
|
||
cce@rhcos4: CCE-82613-1
|
||
cce@sle15: CCE-85679-9
|
||
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
|
||
index 18ee888a8e6..240b0dcff30 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80997-0
|
||
cce@rhel8: CCE-80744-6
|
||
+ cce@rhel9: CCE-83709-6
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-030010
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
|
||
index a09d23f6dff..f0580448f18 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
|
||
@@ -34,6 +34,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27192-4
|
||
cce@rhel8: CCE-80757-8
|
||
+ cce@rhel9: CCE-83715-3
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-030710
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
||
index f4f5820b617..1fab77b25f3 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80433-6
|
||
cce@rhel8: CCE-80758-6
|
||
+ cce@rhel9: CCE-83722-9
|
||
cce@rhcos4: CCE-82654-5
|
||
cce@sle12: CCE-83121-4
|
||
cce@sle15: CCE-85578-3
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
||
index 3f48685b35b..889d3bf1c79 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80432-8
|
||
cce@rhel8: CCE-80759-4
|
||
+ cce@rhel9: CCE-83723-7
|
||
cce@rhcos4: CCE-82655-2
|
||
cce@sle12: CCE-83095-0
|
||
cce@sle15: CCE-85580-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
||
index 5e3eba4b3f5..d4cc22ee1a1 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80430-2
|
||
cce@rhel8: CCE-80760-2
|
||
+ cce@rhel9: CCE-83712-0
|
||
cce@rhcos4: CCE-82656-0
|
||
cce@sle12: CCE-83123-0
|
||
cce@sle15: CCE-85728-4
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
||
index 0c545fd0c66..6930d0d20be 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80435-1
|
||
cce@rhel8: CCE-80761-0
|
||
+ cce@rhel9: CCE-83714-6
|
||
cce@rhcos4: CCE-82657-8
|
||
cce@sle12: CCE-83120-6
|
||
cce@sle15: CCE-85577-5
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
||
index d4763ca4709..32b597820c4 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80431-0
|
||
cce@rhel8: CCE-80762-8
|
||
+ cce@rhel9: CCE-83725-2
|
||
cce@rhcos4: CCE-82658-6
|
||
cce@sle12: CCE-83122-2
|
||
cce@sle15: CCE-85579-1
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
|
||
index 3e369f14489..290913884b6 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27290-6
|
||
cce@rhel8: CCE-80745-3
|
||
+ cce@rhel9: CCE-83840-9
|
||
cce@rhcos4: CCE-82614-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
|
||
index f8ef91a5182..e2bd099a151 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27219-5
|
||
cce@rhel8: CCE-80746-1
|
||
+ cce@rhel9: CCE-83837-5
|
||
cce@rhcos4: CCE-82615-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
|
||
index f457fba8061..8a0488d8e3d 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27216-1
|
||
cce@rhel8: CCE-80747-9
|
||
+ cce@rhel9: CCE-83836-7
|
||
cce@rhcos4: CCE-82616-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
|
||
index b8b6fbe6db2..65de17e8dee 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27299-7
|
||
cce@rhel8: CCE-80748-7
|
||
+ cce@rhel9: CCE-83835-9
|
||
cce@rhcos4: CCE-82617-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
|
||
index 37d51535902..063725a1aee 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27310-2
|
||
cce@rhel8: CCE-80749-5
|
||
+ cce@rhel9: CCE-83839-1
|
||
cce@rhcos4: CCE-82618-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
|
||
index 2c869dfb128..c13c8fb13c2 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhcos4: CCE-82692-5
|
||
cce@rhel8: CCE-84048-8
|
||
+ cce@rhel9: CCE-83734-4
|
||
|
||
references:
|
||
nist: CM-6(a),AC-6(1),AU-9
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
|
||
index e495992ecb6..3d2ae4eb21c 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80125-8
|
||
cce@rhel8: CCE-80808-9
|
||
+ cce@rhel9: CCE-83726-0
|
||
cce@rhcos4: CCE-82691-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
|
||
index f9ce395716c..d1f109a7312 100644
|
||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27205-4
|
||
cce@rhel8: CCE-80819-6
|
||
+ cce@rhel9: CCE-83720-3
|
||
cce@rhcos4: CCE-82690-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
|
||
index c42c90a8254..ed31e661e58 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27341-7
|
||
cce@rhel8: CCE-80677-8
|
||
+ cce@rhel9: CCE-83695-7
|
||
|
||
references:
|
||
cjis: 5.4.1.1
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
|
||
index f1102676c58..57e98a96963 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
|
||
@@ -25,6 +25,7 @@ identifiers:
|
||
cce@rhel7: CCE-80646-3
|
||
cce@rhcos4: CCE-82679-2
|
||
cce@rhel8: CCE-84046-2
|
||
+ cce@rhel9: CCE-83690-8
|
||
|
||
references:
|
||
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
|
||
index fd3aff398c6..77a56c9928d 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
|
||
@@ -29,6 +29,7 @@ identifiers:
|
||
cce@sle12: CCE-83032-3
|
||
cce@sle15: CCE-85606-2
|
||
cce@rhel8: CCE-84045-4
|
||
+ cce@rhel9: CCE-83684-1
|
||
|
||
references:
|
||
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
|
||
index 114363370cd..f7e1eed913a 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27394-6
|
||
cce@rhel8: CCE-80678-6
|
||
+ cce@rhel9: CCE-83698-1
|
||
cce@rhcos4: CCE-82675-0
|
||
cce@sle12: CCE-83030-7
|
||
cce@sle15: CCE-85604-7
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
|
||
index c6ce1adb653..98822fb7a92 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27370-6
|
||
cce@rhel8: CCE-80679-4
|
||
+ cce@rhel9: CCE-83700-5
|
||
cce@rhcos4: CCE-82677-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
|
||
index 6d100796619..7087dd536e1 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27331-8
|
||
cce@rhel8: CCE-80680-2
|
||
+ cce@rhel9: CCE-83685-8
|
||
cce@rhcos4: CCE-82508-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
|
||
index d825f887f04..18a83773926 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27319-3
|
||
cce@rhel8: CCE-80681-0
|
||
+ cce@rhel9: CCE-83683-3
|
||
cce@rhcos4: CCE-82694-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
|
||
index ef32b8dda40..ac486f9fdee 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27231-0
|
||
cce@rhel8: CCE-80682-8
|
||
+ cce@rhel9: CCE-83701-3
|
||
cce@rhcos4: CCE-82680-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
|
||
index dbaa3c76e18..8618a85c6d7 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27348-2
|
||
cce@rhel8: CCE-80683-6
|
||
+ cce@rhel9: CCE-83688-2
|
||
cce@rhcos4: CCE-82693-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
|
||
index 0700e4881d2..6babd3b3a01 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
|
||
@@ -31,6 +31,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27375-5
|
||
cce@rhel8: CCE-80684-4
|
||
+ cce@rhel9: CCE-83703-9
|
||
cce@rhcos4: CCE-82678-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
|
||
index 3f6cc973db0..56f618c99ae 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_freq/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82358-3
|
||
cce@rhel8: CCE-82258-5
|
||
+ cce@rhel9: CCE-83704-7
|
||
cce@rhcos4: CCE-82512-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||
index ad5a39d3c90..5df38381c28 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82355-9
|
||
cce@rhel8: CCE-82233-8
|
||
+ cce@rhel9: CCE-83682-5
|
||
cce@rhcos4: CCE-82509-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||
index 407e33433cd..1f3280507e3 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82357-5
|
||
cce@rhel8: CCE-82201-5
|
||
+ cce@rhel9: CCE-83696-5
|
||
cce@rhcos4: CCE-82511-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||
index a778d5faf28..3557e8b79f8 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82359-1
|
||
cce@rhel8: CCE-82897-0
|
||
+ cce@rhel9: CCE-83686-6
|
||
cce@rhcos4: CCE-82513-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||
index 0becb1671ce..24207420764 100644
|
||
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82356-7
|
||
cce@rhel8: CCE-82366-6
|
||
+ cce@rhel9: CCE-83705-4
|
||
cce@rhcos4: CCE-82510-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
index 9f8823ad464..6408818fb8a 100644
|
||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27212-0
|
||
cce@rhel8: CCE-80825-3
|
||
+ cce@rhel9: CCE-83651-0
|
||
|
||
references:
|
||
cis@rhel7: 4.1.3
|
||
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
index aab1e2f8cff..3a93dc412b4 100644
|
||
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82156-1
|
||
cce@rhel8: CCE-80943-4
|
||
+ cce@rhel9: CCE-83652-8
|
||
|
||
references:
|
||
srg: SRG-OS-000254-GPOS-00095,SRG-OS-000341-GPOS-00132
|
||
diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||
index 6d96d340a33..85ba222d616 100644
|
||
--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82954-9
|
||
cce@rhel8: CCE-82953-1
|
||
+ cce@rhel9: CCE-83648-6
|
||
|
||
references:
|
||
srg: SRG-OS-000342-GPOS-00133
|
||
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||
index ac1da528ee6..3cbc735f963 100644
|
||
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
|
||
@@ -11,6 +11,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81042-4
|
||
cce@rhel8: CCE-81043-2
|
||
+ cce@rhel9: CCE-83649-4
|
||
cce@rhcos4: CCE-82669-3
|
||
cce@sle12: CCE-83023-2
|
||
cce@sle15: CCE-85612-0
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||
index a0d856b023b..1d415ae973b 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||
@@ -31,6 +31,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82833-5
|
||
+ cce@rhel9: CCE-83672-6
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||
index 6f79a5cf04a..dc2ff4236fa 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82834-3
|
||
+ cce@rhel9: CCE-83653-6
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||
index bd5d6455351..84f064eb799 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||
@@ -44,6 +44,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82827-7
|
||
+ cce@rhel9: CCE-83670-0
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||
index b2f731d11ba..6af306aa0aa 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||
@@ -44,6 +44,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82374-0
|
||
+ cce@rhel9: CCE-83669-2
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||
index a03a7f3b715..cfb737d4452 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82829-3
|
||
+ cce@rhel9: CCE-83668-4
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||
index d4bd88e6cfc..4436051f808 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82835-0
|
||
+ cce@rhel9: CCE-83667-6
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||
index 6c05a736e39..2bf582dd53f 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||
@@ -35,6 +35,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82836-8
|
||
+ cce@rhel9: CCE-83680-9
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||
index 34e9fc134e0..18514ecff5a 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||
@@ -32,6 +32,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82828-5
|
||
+ cce@rhel9: CCE-83673-4
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||
index 2d0f7cf9da3..81493843494 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||
@@ -44,6 +44,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82830-1
|
||
+ cce@rhel9: CCE-83671-8
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||
index 28045878a69..45fa2df7aa7 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||
@@ -39,6 +39,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82832-7
|
||
+ cce@rhel9: CCE-83681-7
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||
index d764e384ea2..261cd4ef445 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82838-4
|
||
+ cce@rhel9: CCE-90814-5
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
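Review bot: The added `cce@rhel9: CCE-90814-5` comes from a different number block than every other rhel9 identifier visible in this part of the patch, which are all CCE-83xxx. The same applies to `cce@rhel9: CCE-90829-3` in the service_auditd_enabled/rule.yml hunk further down. Both values carry a valid check digit, so this looks like a separate allocation rather than a typo. It is still worth confirming against the project's CCE allocation list that neither ID is already assigned to another rule, because scanners and compliance reports key findings on this identifier and a collision would silently mis-map audit results. No change to the line is needed if the allocation checks out.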
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||
index 0a41ece25fc..aef687ae110 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||
@@ -116,6 +116,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82373-2
|
||
+ cce@rhel9: CCE-83655-1
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||
index a95c0146b11..47c31aeee19 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||
@@ -37,6 +37,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82384-9
|
||
+ cce@rhel9: CCE-83675-9
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||
index 4133eb193f2..5a6792c5f1b 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82385-6
|
||
+ cce@rhel9: CCE-83658-5
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||
index 47f248a2b36..f83c888b928 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82837-6
|
||
+ cce@rhel9: CCE-83676-7
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||
index 5017b17849b..8bd5d90049a 100644
|
||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||
@@ -35,6 +35,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82383-1
|
||
+ cce@rhel9: CCE-83678-3
|
||
|
||
references:
|
||
ospp: FAU_GEN.1.1.c
|
||
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||
index 19421f40ade..112bda557df 100644
|
||
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
|
||
@@ -26,6 +26,7 @@ requires:
|
||
identifiers:
|
||
cce@rhel7: CCE-27407-6
|
||
cce@rhel8: CCE-80872-5
|
||
+ cce@rhel9: CCE-90829-3
|
||
cce@rhcos4: CCE-82463-1
|
||
cce@sle12: CCE-83024-0
|
||
cce@sle15: CCE-85581-7
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
index c1f77e21c36..0a0d76aeb23 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-82351-8
|
||
cce@rhel8: CCE-83920-9
|
||
+ cce@rhel9: CCE-83844-1
|
||
|
||
references:
|
||
anssi: BP28(R11)
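Review bot: The hunk header shows this rule still carries `severity: unknown`, while the added `cce@rhel9: CCE-83844-1` extends it to RHEL 9 content. A finding without a severity is hard to triage in scan reports, so this is a good moment to assign one on the rule's `severity:` line, which sits just above the hunk. The same applies to the other rules in this patch whose hunk headers show `severity: unknown`: the sysctl_net_ipv6_conf_all_* and sysctl_net_ipv6_conf_default_* rules for accept_ra_defrtr, accept_ra_pinfo, accept_ra_rtr_pref, autoconf, max_addresses and router_solicitations, and sysctl_net_ipv4_conf_all_log_martians. The sibling accept_ra and accept_redirects rules are already `severity: medium`, which hints at a value, but the right level should be confirmed against the referenced benchmark.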
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
index 03f56b8031d..308ae9cb735 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83314-5
|
||
+ cce@rhel9: CCE-83841-7
|
||
|
||
references:
|
||
ospp: FCS_RBG_EXT.1.1
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
index f186b1ae6e7..7a8d228ddc3 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: high
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82194-2
|
||
+ cce@rhel9: CCE-83843-3
|
||
|
||
references:
|
||
srg: SRG-OS-000433-GPOS-00193,SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
index 0b5873c56a2..f82c1648315 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82159-5
|
||
cce@rhel8: CCE-80946-7
|
||
+ cce@rhel9: CCE-83842-5
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
|
||
index 38f33d1812a..28132401b0e 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82023-3
|
||
cce@rhel8: CCE-80800-6
|
||
+ cce@rhel9: CCE-83848-2
|
||
|
||
references:
|
||
cis@rhel7: 1.4.2
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||
index 80c53fdd4b0..70ebc483f25 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82026-6
|
||
cce@rhel8: CCE-80805-5
|
||
+ cce@rhel9: CCE-83845-8
|
||
|
||
references:
|
||
cis@rhel7: 1.4.2
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
|
||
index 6564de998e2..d3ee73725d8 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82039-9
|
||
cce@rhel8: CCE-80814-7
|
||
+ cce@rhel9: CCE-83846-6
|
||
|
||
references:
|
||
cis@rhel7: 1.4.2
|
||
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
||
index 795230dcbec..89b29fc27d4 100644
|
||
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
||
@@ -43,6 +43,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27309-4
|
||
cce@rhel8: CCE-80828-7
|
||
+ cce@rhel9: CCE-83849-0
|
||
cce@sle12: CCE-83044-8
|
||
cce@sle15: CCE-83274-1
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||
index 987a42d31ec..d342163b6c0 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83321-0
|
||
+ cce@rhel9: CCE-84096-7
|
||
|
||
ocil_clause: 'auditing is not enabled at boot time'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||
index cfb8c08f31d..c37fbcb9ba1 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83341-8
|
||
+ cce@rhel9: CCE-84099-1
|
||
|
||
ocil_clause: 'audit backlog limit is not configured'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||
index b8b025f74f4..56b634d4b19 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83485-3
|
||
+ cce@rhel9: CCE-84092-6
|
||
|
||
ocil_clause: 'a non BLS boot entry is configured'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||
index c8133e19ab4..6c7e3396553 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83486-1
|
||
+ cce@rhel9: CCE-84098-3
|
||
|
||
ocil_clause: 'the bootmap is outdated'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||
index c626f6188cd..0cd61ae2f53 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83351-7
|
||
+ cce@rhel9: CCE-84101-5
|
||
|
||
ocil_clause: 'page allocator poisoning is not enabled'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||
index d266165cddc..df0f6c3ee98 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83371-5
|
||
+ cce@rhel9: CCE-84094-2
|
||
|
||
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
||
|
||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||
index 387f7f13850..52b192ffc52 100644
|
||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83381-4
|
||
+ cce@rhel9: CCE-84100-7
|
||
|
||
ocil_clause: 'vsyscalls are enabled'
|
||
|
||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
||
index 7d78a6963c2..569c0371ec3 100644
|
||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80380-9
|
||
cce@rhel8: CCE-80859-2
|
||
+ cce@rhel9: CCE-83994-4
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-021100
|
||
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
|
||
index c2e28da36f8..b734c694779 100644
|
||
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
|
||
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80195-1
|
||
cce@rhel8: CCE-80794-1
|
||
+ cce@rhel9: CCE-83993-6
|
||
cce@rhcos4: CCE-82689-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
|
||
index afa2afd6671..62982ff8a94 100644
|
||
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
|
||
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82859-0
|
||
+ cce@rhel9: CCE-83987-8
|
||
|
||
references:
|
||
ospp: FTP_ITC_EXT.1.1
|
||
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
|
||
index e5c90880a27..8ded536b23e 100644
|
||
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
|
||
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80192-8
|
||
cce@rhel8: CCE-84275-7
|
||
+ cce@rhel9: CCE-83995-1
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-031010
|
||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||
index bf8e746aac9..1bb9f3625e7 100644
|
||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||
@@ -38,6 +38,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27343-3
|
||
cce@rhel8: CCE-80863-4
|
||
+ cce@rhel9: CCE-83990-2
|
||
cce@sle12: CCE-83180-0
|
||
cce@sle15: CCE-85552-8
|
||
|
||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||
index 2f908980994..6bfe1524ce5 100644
|
||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82457-3
|
||
+ cce@rhel9: CCE-83991-0
|
||
|
||
references:
|
||
nist: AU-9(3),CM-6(a)
|
||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||
index 801684102fe..2398c0317a7 100644
|
||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82458-1
|
||
+ cce@rhel9: CCE-83992-8
|
||
|
||
references:
|
||
ospp: FCS_TLSC_EXT.1,FTP_ITC_EXT.1.1
|
||
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
|
||
index 8b88773f0ff..7298262fe52 100644
|
||
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80188-6
|
||
cce@rhel8: CCE-80886-5
|
||
+ cce@rhel9: CCE-83989-4
|
||
|
||
references:
|
||
anssi: BP28(R5),NT28(R46)
|
||
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
|
||
index fc79c5f06e8..b9ce05776a1 100644
|
||
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82999-4
|
||
cce@rhel8: CCE-82998-6
|
||
+ cce@rhel9: CCE-84021-5
|
||
cce@rhcos4: CCE-82521-6
|
||
cce@sle15: CCE-85698-9
|
||
|
||
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
||
index b4afabb15fd..7003d666198 100644
|
||
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80998-8
|
||
cce@rhel8: CCE-80877-4
|
||
+ cce@rhel9: CCE-90833-5
|
||
cce@rhcos4: CCE-82554-7
|
||
cce@sle15: CCE-85751-6
|
||
|
||
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
||
index 636e30e3e1f..51848fc19f4 100644
|
||
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27349-0
|
||
cce@rhel8: CCE-80890-7
|
||
+ cce@rhel9: CCE-84023-1
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-040810
|
||
diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
|
||
index 20e5f729460..e8e06e5b2b4 100644
|
||
--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80170-4
|
||
cce@rhel8: CCE-80845-1
|
||
+ cce@rhel9: CCE-84068-6
|
||
cce@rhcos4: CCE-82525-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
|
||
index 43fd69a2003..5d0fc56b27a 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80180-3
|
||
cce@rhel8: CCE-81006-9
|
||
+ cce@rhel9: CCE-84120-5
|
||
cce@rhcos4: CCE-82467-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
|
||
index ba9182b87a0..979201fc23a 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84271-6
|
||
cce@rhel8: CCE-84272-4
|
||
+ cce@rhel9: CCE-84115-5
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
|
||
index a7a0c007b0b..d430df13480 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84279-9
|
||
cce@rhel8: CCE-84280-7
|
||
+ cce@rhel9: CCE-84122-1
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
|
||
index 909e8cfcfbd..8c009414d35 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84287-2
|
||
cce@rhel8: CCE-84288-0
|
||
+ cce@rhel9: CCE-84111-4
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
||
index 8d92c0fec29..66826772a68 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80182-9
|
||
cce@rhel8: CCE-81009-3
|
||
+ cce@rhel9: CCE-84125-4
|
||
cce@rhcos4: CCE-82471-4
|
||
cce@sle15: CCE-85708-6
|
||
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||
index bf9263a67a8..a77d1f4a21e 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80179-5
|
||
cce@rhel8: CCE-81013-5
|
||
+ cce@rhel9: CCE-84131-2
|
||
cce@rhcos4: CCE-82480-5
|
||
cce@sle12: CCE-83078-6
|
||
cce@sle15: CCE-85649-2
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
|
||
index 7f4cf1b36cc..d0b011dd892 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84265-8
|
||
cce@rhel8: CCE-84266-6
|
||
+ cce@rhel9: CCE-84126-2
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
||
index 0f4330678ac..447e9533a56 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80356-9
|
||
cce@rhel8: CCE-82863-2
|
||
+ cce@rhel9: CCE-84114-8
|
||
cce@sle15: CCE-85713-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
|
||
index 1478ffb0438..038d4b2efbf 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84258-3
|
||
cce@rhel8: CCE-84259-1
|
||
+ cce@rhel9: CCE-84112-2
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
|
||
index 70081798a18..697718eef25 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84281-5
|
||
cce@rhel8: CCE-84109-8
|
||
+ cce@rhel9: CCE-84128-8
|
||
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
|
||
index 0bbf39499bf..3736a8c934d 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80181-1
|
||
cce@rhel8: CCE-81007-7
|
||
+ cce@rhel9: CCE-84124-7
|
||
cce@rhcos4: CCE-82468-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
|
||
index ebd596f9688..2da8c426314 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84267-4
|
||
cce@rhel8: CCE-84268-2
|
||
+ cce@rhel9: CCE-84116-3
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
|
||
index 18882c3a826..2865601da80 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84273-2
|
||
cce@rhel8: CCE-84051-2
|
||
+ cce@rhel9: CCE-84118-9
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
|
||
index b0b27f379f5..6de9820b44a 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84289-8
|
||
cce@rhel8: CCE-84291-4
|
||
+ cce@rhel9: CCE-84121-3
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
|
||
index 49d92c2a763..8f55e1ecf4a 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80183-7
|
||
cce@rhel8: CCE-81010-1
|
||
+ cce@rhel9: CCE-84113-0
|
||
cce@rhcos4: CCE-82477-1
|
||
cce@sle15: CCE-85722-7
|
||
cce@sle12: CCE-83223-8
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
||
index 3f81bf20f53..a5c911aec64 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80355-1
|
||
cce@rhel8: CCE-81015-0
|
||
+ cce@rhel9: CCE-84130-4
|
||
cce@rhcos4: CCE-82481-3
|
||
cce@sle15: CCE-85653-4
|
||
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
|
||
index 37545b05822..95a023ef48e 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84263-3
|
||
cce@rhel8: CCE-84264-1
|
||
+ cce@rhel9: CCE-84133-8
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
|
||
index 5c764c307c6..d7795727431 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84256-7
|
||
cce@rhel8: CCE-84257-5
|
||
+ cce@rhel9: CCE-84117-1
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
|
||
index 36b3016ccf4..d4eeebf721e 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-84283-1
|
||
cce@rhel8: CCE-83477-0
|
||
+ cce@rhel9: CCE-84026-4
|
||
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
|
||
index 0de8259e975..d7aa582a33b 100644
|
||
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82871-5
|
||
cce@rhel8: CCE-82872-3
|
||
+ cce@rhel9: CCE-84024-9
|
||
|
||
references:
|
||
cis@rhel7: 3.3.3
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
||
index e044f2f85b0..0f835e52c11 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80158-9
|
||
cce@rhel8: CCE-80917-8
|
||
+ cce@rhel9: CCE-84011-6
|
||
cce@rhcos4: CCE-82469-8
|
||
cce@sle12: CCE-83090-1
|
||
cce@sle15: CCE-85651-8
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||
index c973a5cd4f5..6e734167503 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27434-0
|
||
cce@rhel8: CCE-81011-9
|
||
+ cce@rhel9: CCE-84001-7
|
||
cce@rhcos4: CCE-82478-9
|
||
cce@sle12: CCE-83064-6
|
||
cce@sle15: CCE-85648-4
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
||
index 43fefc50c5a..48d815feaa2 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80160-5
|
||
cce@rhel8: CCE-81018-4
|
||
+ cce@rhel9: CCE-84000-9
|
||
cce@rhcos4: CCE-82486-2
|
||
|
||
references:
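Review bot: The `@@` header of this hunk shows the rule is still rated `severity: unknown`, so adding `cce@rhel9: CCE-84000-9` gives a RHEL 9 identifier to a rule whose findings scan reports and triage tooling cannot rank. The hunks for sysctl_net_ipv4_conf_default_log_martians and sysctl_net_ipv4_icmp_ignore_bogus_error_responses further down show the same `severity: unknown` context. The neighbouring sysctl rules in this directory are rated `severity: medium`; if that level fits these three rules as well, changing the line to `severity: medium` in the same patch would close the gap. The severity line itself sits above the hunk, so this is inferred from the hunk header only, and the right level is for the rule owner to confirm.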
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||
index 7f1dcbee78d..dabb3606d6d 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80167-0
|
||
cce@rhel8: CCE-81021-8
|
||
+ cce@rhel9: CCE-84008-2
|
||
cce@rhcos4: CCE-82488-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
||
index 161b76aa880..cd1865f86fb 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80159-7
|
||
cce@rhel8: CCE-81016-8
|
||
+ cce@rhel9: CCE-84016-5
|
||
cce@rhcos4: CCE-82482-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
||
index 8cb3b0a64c1..c1f6770933b 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80163-9
|
||
cce@rhel8: CCE-80919-4
|
||
+ cce@rhel9: CCE-84003-3
|
||
cce@rhcos4: CCE-82470-6
|
||
cce@sle12: CCE-83081-0
|
||
cce@sle15: CCE-85652-6
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||
index 6170a83afb1..783c42ee4c2 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80162-1
|
||
cce@rhel8: CCE-80920-2
|
||
+ cce@rhel9: CCE-84007-4
|
||
cce@rhcos4: CCE-82479-7
|
||
cce@sle12: CCE-83079-4
|
||
cce@sle15: CCE-85650-0
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
||
index 5a7bb934bdf..7ed2e2f1423 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80161-3
|
||
cce@rhel8: CCE-81020-0
|
||
+ cce@rhel9: CCE-84014-0
|
||
cce@rhcos4: CCE-82487-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
|
||
index 8e0687c50a4..32498d5de5a 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80168-8
|
||
cce@rhel8: CCE-81022-6
|
||
+ cce@rhel9: CCE-84009-0
|
||
cce@rhcos4: CCE-82489-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
||
index 8b6378eaf6e..18da604b29d 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80164-7
|
||
cce@rhel8: CCE-81017-6
|
||
+ cce@rhel9: CCE-84019-9
|
||
cce@rhcos4: CCE-82483-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
||
index 11eddda99ed..bd6ee152a31 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80165-4
|
||
cce@rhel8: CCE-80922-8
|
||
+ cce@rhel9: CCE-84004-1
|
||
cce@rhcos4: CCE-82491-2
|
||
cce@sle12: CCE-83080-2
|
||
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||
index ab3e5e8b6e7..70eeb8341b6 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-80166-2
|
||
cce@rhel8: CCE-81023-4
|
||
+ cce@rhel9: CCE-84015-7
|
||
cce@rhcos4: CCE-82490-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
|
||
index c4f398fc3da..84bb91629f2 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-84276-5
|
||
cce@rhel8: CCE-84277-3
|
||
+ cce@rhel9: CCE-90834-3
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
|
||
index f9ff179e2cc..b70279f6cbd 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-84269-0
|
||
cce@rhel8: CCE-84270-8
|
||
+ cce@rhel9: CCE-84012-4
|
||
|
||
references:
|
||
anssi: BP28(R22)
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
||
index 2643f7b34af..4f9ded02621 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27495-1
|
||
cce@rhel8: CCE-80923-6
|
||
+ cce@rhel9: CCE-84006-6
|
||
cce@rhcos4: CCE-82492-0
|
||
cce@sle12: CCE-83179-2
|
||
cce@sle15: CCE-83283-2
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
||
index 5bb3a291d88..4a941677e84 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80156-3
|
||
cce@rhel8: CCE-80918-6
|
||
+ cce@rhel9: CCE-83997-7
|
||
cce@rhcos4: CCE-82484-7
|
||
cce@sle12: CCE-83089-3
|
||
cce@sle15: CCE-85655-9
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||
index c2fca54905b..40dd979e981 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80999-6
|
||
cce@rhel8: CCE-80921-0
|
||
+ cce@rhel9: CCE-83999-3
|
||
cce@rhcos4: CCE-82485-4
|
||
cce@sle12: CCE-83086-9
|
||
cce@sle15: CCE-85654-2
|
||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||
index 4b70eed91d5..0885d759506 100644
|
||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80157-1
|
||
cce@rhel8: CCE-81024-2
|
||
+ cce@rhel9: CCE-83998-5
|
||
cce@sle12: CCE-83088-5
|
||
cce@sle15: CCE-85709-4
|
||
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
|
||
index b35b94c0649..cf538b45c8a 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82162-9
|
||
cce@rhel8: CCE-82028-2
|
||
+ cce@rhel9: CCE-84137-9
|
||
cce@rhcos4: CCE-82518-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
|
||
index 97c10b91f40..5401bf0a552 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82164-5
|
||
cce@rhel8: CCE-82059-7
|
||
+ cce@rhel9: CCE-84134-6
|
||
cce@rhcos4: CCE-82519-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||
index 110a84efcae..f0842cded24 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82024-1
|
||
cce@rhel8: CCE-80833-7
|
||
+ cce@rhel9: CCE-84136-1
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-020101
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
|
||
index 43ba8378d43..845d4d8f67a 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82160-3
|
||
cce@rhel8: CCE-82005-0
|
||
+ cce@rhel9: CCE-84060-3
|
||
cce@rhcos4: CCE-82517-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
|
||
index 85a8a7e02e0..beb0c7ffcc4 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82869-9
|
||
cce@rhel8: CCE-82870-7
|
||
+ cce@rhel9: CCE-84064-5
|
||
|
||
references:
|
||
cis@rhel7: 3.5.3
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
||
index aa074954939..53393d561a4 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82044-9
|
||
cce@rhel8: CCE-80834-5
|
||
+ cce@rhel9: CCE-84139-5
|
||
cce@rhcos4: CCE-82516-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
|
||
index 1b44eeaa816..6f212aae42d 100644
|
||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83395-4
|
||
cce@rhel8: CCE-82297-3
|
||
+ cce@rhel9: CCE-84065-2
|
||
cce@rhcos4: CCE-82520-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
|
||
index 55fa265f7b3..bd79f613f9e 100644
|
||
--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27327-6
|
||
cce@rhel8: CCE-80832-9
|
||
+ cce@rhel9: CCE-84067-8
|
||
cce@rhcos4: CCE-82515-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
|
||
index aaa17c752cf..6826f72b38d 100644
|
||
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
|
||
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27358-1
|
||
cce@rhel8: CCE-83501-7
|
||
+ cce@rhel9: CCE-84066-0
|
||
cce@rhcos4: CCE-82660-2
|
||
cce@sle12: CCE-83148-7
|
||
cce@sle15: CCE-83286-5
|
||
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
|
||
index 9b1e0b4f69d..3048f0bc8d7 100644
|
||
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
|
||
@@ -29,6 +29,7 @@ platform: machine # The oscap interface probe doesn't support offline mode
|
||
identifiers:
|
||
cce@rhel7: CCE-80174-6
|
||
cce@rhel8: CCE-82283-3
|
||
+ cce@rhel9: CCE-83996-9
|
||
cce@sle12: CCE-83147-9
|
||
cce@sle15: CCE-85656-7
|
||
|
||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||
index 0a4232cae38..8fccb555dc3 100644
|
||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83374-9
|
||
cce@rhel8: CCE-83375-6
|
||
+ cce@rhel9: CCE-83903-5
|
||
|
||
references:
|
||
anssi: BP28(R40)
|
||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||
index 4a72ddda83e..2babda397c8 100644
|
||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80130-8
|
||
cce@rhel8: CCE-80783-4
|
||
+ cce@rhel9: CCE-83895-3
|
||
cce@rhcos4: CCE-82753-5
|
||
cce@sle12: CCE-83047-1
|
||
cce@sle15: CCE-83282-4
|
||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||
index 12b1ed7483c..aa821dccf22 100644
|
||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80132-4
|
||
cce@rhel8: CCE-80816-2
|
||
+ cce@rhel9: CCE-83901-9
|
||
|
||
references:
|
||
anssi: BP28(R37),BP28(R38)
|
||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||
index 079679d5b17..5eccb8ec703 100644
|
||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80133-2
|
||
cce@rhel8: CCE-80817-0
|
||
+ cce@rhel9: CCE-83897-9
|
||
|
||
references:
|
||
anssi: BP28(R37),BP28(R38)
|
||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
|
||
index 37614b561ec..cdab3363005 100644
|
||
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80131-6
|
||
cce@rhel8: CCE-80818-8
|
||
+ cce@rhel9: CCE-83902-7
|
||
|
||
references:
|
||
cis@rhel7: 6.1.10
|
||
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
||
index 9af992d2e71..6ffe95805c8 100644
|
||
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80135-7
|
||
cce@rhel8: CCE-83497-8
|
||
+ cce@rhel9: CCE-83906-8
|
||
cce@sle12: CCE-83073-7
|
||
cce@sle15: CCE-85658-3
|
||
|
||
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||
index 1169d757fd0..087e23ac547 100644
|
||
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80134-0
|
||
cce@rhel8: CCE-83499-4
|
||
+ cce@rhel9: CCE-83896-1
|
||
cce@sle12: CCE-83072-9
|
||
cce@sle15: CCE-85657-5
|
||
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
|
||
index 8752366d140..a5140984c51 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83474-7
|
||
cce@rhel8: CCE-83475-4
|
||
+ cce@rhel9: CCE-83928-2
|
||
|
||
references:
|
||
cis@rhel7: 6.1.8
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
||
index 4b0f213e2d2..c66413c54a9 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83534-8
|
||
cce@rhel8: CCE-83535-5
|
||
+ cce@rhel9: CCE-83951-4
|
||
|
||
references:
|
||
cis@rhel7: 6.1.9
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
|
||
index 67a8a2b2f7b..9bdf77e0f43 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83323-6
|
||
cce@rhel8: CCE-83324-4
|
||
+ cce@rhel9: CCE-83933-2
|
||
|
||
references:
|
||
cis@rhel7: 6.1.6
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
||
index 6f5e7c6db4a..4a33f96814c 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83414-3
|
||
cce@rhel8: CCE-83415-0
|
||
+ cce@rhel9: CCE-83938-1
|
||
|
||
references:
|
||
cis@rhel7: 6.1.7
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
|
||
index a30e43191dc..0d93a0096dd 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82037-3
|
||
cce@rhel8: CCE-80796-6
|
||
+ cce@rhel9: CCE-83945-6
|
||
|
||
references:
|
||
cis@rhel7: 6.1.4
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
||
index 081652006fd..162f01db012 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82025-8
|
||
cce@rhel8: CCE-80797-4
|
||
+ cce@rhel9: CCE-83948-0
|
||
|
||
references:
|
||
cis@rhel7: 6.1.5
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
|
||
index ffe20494729..9a4c5d30561 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-26639-5
|
||
cce@rhel8: CCE-80798-2
|
||
+ cce@rhel9: CCE-83950-6
|
||
|
||
references:
|
||
cis@rhel7: 6.1.2
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
||
index a68a86445ba..4f185f7f2a4 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82051-4
|
||
cce@rhel8: CCE-80799-0
|
||
+ cce@rhel9: CCE-83930-8
|
||
|
||
references:
|
||
cis@rhel7: 6.1.3
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
||
index 34cc7261d2b..3a301d0304b 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83472-1
|
||
cce@rhel8: CCE-83473-9
|
||
+ cce@rhel9: CCE-83944-9
|
||
|
||
references:
|
||
cis@rhel7: 6.1.8
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
||
index c7434655b50..55a07f601da 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83532-2
|
||
cce@rhel8: CCE-83533-0
|
||
+ cce@rhel9: CCE-83929-0
|
||
|
||
references:
|
||
cis@rhel7: 6.1.9
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
||
index e4e7e7b493e..79e4ab1fe62 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83325-1
|
||
cce@rhel8: CCE-83326-9
|
||
+ cce@rhel9: CCE-83947-2
|
||
|
||
references:
|
||
cis@rhel7: 6.1.6
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
||
index 11b341fcbb4..389f830f055 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83412-7
|
||
cce@rhel8: CCE-83413-5
|
||
+ cce@rhel9: CCE-83949-8
|
||
|
||
references:
|
||
cis@rhel7: 6.1.7
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
|
||
index cded33d30ce..d19e55104e0 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82031-6
|
||
cce@rhel8: CCE-80801-4
|
||
+ cce@rhel9: CCE-83925-8
|
||
|
||
references:
|
||
cis@rhel7: 6.1.4
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
|
||
index 52fa58671f4..2419015f113 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82195-9
|
||
cce@rhel8: CCE-80802-2
|
||
+ cce@rhel9: CCE-83924-1
|
||
|
||
references:
|
||
cis@rhel7: 6.1.5
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
|
||
index dd04e90f501..e71300f22d1 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82052-2
|
||
cce@rhel8: CCE-80803-0
|
||
+ cce@rhel9: CCE-83943-1
|
||
|
||
references:
|
||
cis@rhel7: 6.1.2
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
|
||
index fbdb621807b..6eb53bc53d4 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82022-5
|
||
cce@rhel8: CCE-80804-8
|
||
+ cce@rhel9: CCE-83926-6
|
||
|
||
references:
|
||
cis@rhel7: 6.1.3
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
||
index 5e69037060a..7e79f387e13 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83482-0
|
||
cce@rhel8: CCE-83483-8
|
||
+ cce@rhel9: CCE-83939-9
|
||
|
||
references:
|
||
cis@rhel7: 6.1.8
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
||
index 3d6857d811b..7c3994e5115 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83572-8
|
||
cce@rhel8: CCE-83573-6
|
||
+ cce@rhel9: CCE-83942-3
|
||
|
||
references:
|
||
cis@rhel7: 6.1.9
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
||
index 43f6675bf3f..1f87b073988 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83331-9
|
||
cce@rhel8: CCE-83332-7
|
||
+ cce@rhel9: CCE-83940-7
|
||
|
||
references:
|
||
cis@rhel7: 6.1.6
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
||
index 7c9b99651bc..d36289cda20 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83416-8
|
||
cce@rhel8: CCE-83417-6
|
||
+ cce@rhel9: CCE-83935-7
|
||
|
||
references:
|
||
cis@rhel7: 6.1.7
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
|
||
index ef8cf0cca28..1a7c3b8854c 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82032-4
|
||
cce@rhel8: CCE-80810-5
|
||
+ cce@rhel9: CCE-83934-0
|
||
|
||
references:
|
||
cis@rhel7: 6.1.4
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
||
index 58c08ac643f..3b3fe738e04 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82192-6
|
||
cce@rhel8: CCE-80811-3
|
||
+ cce@rhel9: CCE-83921-7
|
||
|
||
references:
|
||
anssi: BP28(R36)
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
|
||
index 0a7f729c6cd..9faf0f5313a 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82029-0
|
||
cce@rhel8: CCE-80812-1
|
||
+ cce@rhel9: CCE-83931-6
|
||
|
||
references:
|
||
cis@rhel7: 6.1.2
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
||
index be331eca4a4..700f0a73a5d 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82042-3
|
||
cce@rhel8: CCE-80813-9
|
||
+ cce@rhel9: CCE-83941-5
|
||
|
||
references:
|
||
anssi: BP28(R36)
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||
index 84b58bd8cf3..a9e9d909350 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83659-3
|
||
+ cce@rhel9: CCE-83912-6
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
|
||
index 40811212654..d73e8fe2470 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml
|
||
@@ -12,6 +12,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83660-1
|
||
+ cce@rhel9: CCE-83916-7
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
|
||
index b151758b1b0..a897085ca0a 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83661-9
|
||
+ cce@rhel9: CCE-83914-2
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
|
||
index 084e13a1de0..f7e16949999 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_messages/rule.yml
|
||
@@ -12,6 +12,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83662-7
|
||
+ cce@rhel9: CCE-83915-9
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
|
||
index db131144de9..12a62347de7 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83663-5
|
||
+ cce@rhel9: CCE-83917-5
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
|
||
index 0a8d5d1dde0..19ab1f8ff76 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml
|
||
@@ -13,6 +13,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-83665-0
|
||
+ cce@rhel9: CCE-83913-4
|
||
|
||
references:
|
||
srg: SRG-OS-000206-GPOS-00084
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
|
||
index 20bd962b3aa..f02d6f4ed7b 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82048-0
|
||
cce@rhel8: CCE-80806-3
|
||
+ cce@rhel9: CCE-83908-4
|
||
cce@sle15: CCE-85730-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||
index ca6fd90c280..df6f29fc2ac 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82021-7
|
||
cce@rhel8: CCE-80807-1
|
||
+ cce@rhel9: CCE-83907-6
|
||
cce@sle15: CCE-85756-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
|
||
index ad69c4f88ec..ea0117bba7e 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82040-7
|
||
cce@rhel8: CCE-80809-7
|
||
+ cce@rhel9: CCE-83911-8
|
||
cce@sle15: CCE-85729-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||
index 0dce477d5f3..6480caed07c 100644
|
||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||
@@ -28,6 +28,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82033-2
|
||
cce@rhel8: CCE-80815-4
|
||
+ cce@rhel9: CCE-83909-2
|
||
cce@sle15: CCE-85670-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
|
||
index 867e0833c64..3a5f2c2a89b 100644
|
||
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81026-7
|
||
cce@rhel8: CCE-81027-5
|
||
+ cce@rhel9: CCE-84110-6
|
||
cce@rhcos4: CCE-82506-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
|
||
index e12a68c95ba..53cb920e90d 100644
|
||
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81029-1
|
||
cce@rhel8: CCE-81030-9
|
||
+ cce@rhel9: CCE-83900-1
|
||
cce@rhcos4: CCE-82507-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
|
||
index 10116e8a543..89603b2e9a7 100644
|
||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
|
||
@@ -24,6 +24,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-80137-3
|
||
cce@rhel8: CCE-81031-7
|
||
+ cce@rhel9: CCE-83853-2
|
||
cce@rhcos4: CCE-82514-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
|
||
index 6b31c36af5e..ef606bfadd8 100644
|
||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml
|
||
@@ -24,6 +24,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-80142-3
|
||
cce@rhel8: CCE-83498-6
|
||
+ cce@rhel9: CCE-83855-7
|
||
cce@rhcos4: CCE-82717-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
|
||
index 11c9f7533a2..51f377830ef 100644
|
||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml
|
||
@@ -25,6 +25,7 @@ platform: machine
|
||
identifiers:
|
||
cce@rhel7: CCE-80143-1
|
||
cce@rhel8: CCE-82729-5
|
||
+ cce@rhel9: CCE-83852-4
|
||
cce@rhcos4: CCE-82718-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||
index 3e3f97d6621..11f1a43f292 100644
|
||
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27277-3
|
||
cce@rhel8: CCE-80835-2
|
||
+ cce@rhel9: CCE-83851-6
|
||
cce@rhcos4: CCE-82719-6
|
||
cce@sle12: CCE-83069-5
|
||
cce@sle15: CCE-83294-9
|
||
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
|
||
index bd08b4b93b1..5553f49c884 100644
|
||
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27498-5
|
||
cce@rhel8: CCE-80873-3
|
||
+ cce@rhel9: CCE-83850-8
|
||
cce@rhcos4: CCE-82663-6
|
||
cce@sle12: CCE-83070-3
|
||
cce@sle15: CCE-83278-2
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
|
||
index e59ede9c721..ceef17d9ee8 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82135-5
|
||
cce@rhel8: CCE-82941-6
|
||
+ cce@rhel9: CCE-83884-7
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
|
||
index b0e499d4f3a..e6f8d284138 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83315-2
|
||
cce@rhel8: CCE-83316-0
|
||
+ cce@rhel9: CCE-83892-0
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
|
||
index 54902dbdac5..85de23060a0 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82138-9
|
||
cce@rhel8: CCE-81033-3
|
||
+ cce@rhel9: CCE-83877-1
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
||
index 3173c5b3db7..d38bfa5c41c 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80152-2
|
||
cce@rhel8: CCE-80837-8
|
||
+ cce@rhel9: CCE-83881-3
|
||
cce@rhcos4: CCE-82867-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
||
index 845de5fb01d..7d4e76eaca0 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80153-0
|
||
cce@rhel8: CCE-80838-6
|
||
+ cce@rhel9: CCE-83857-3
|
||
cce@rhcos4: CCE-82868-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
||
index 22b2a497522..82ab2971fc3 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80154-8
|
||
cce@rhel8: CCE-80839-4
|
||
+ cce@rhel9: CCE-83891-2
|
||
cce@rhcos4: CCE-82741-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
|
||
index bd4b69f8ec2..84e19796371 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: unknown
|
||
identifiers:
|
||
cce@rhel7: CCE-81047-3
|
||
cce@rhel8: CCE-81048-1
|
||
+ cce@rhel9: CCE-83871-4
|
||
cce@rhcos4: CCE-82740-2
|
||
|
||
references:
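Review bot: The `@@` header of this hunk shows that `mount_option_home_nodev` still carries `severity: unknown`, so the rule is extended to RHEL 9 with the new `cce@rhel9` line without ever being classified. The sibling `/home` rules in this patch (`mount_option_home_noexec`, `mount_option_home_nosuid`) are `severity: medium`, and the other `nodev` rules visible here are `low` or `medium`. Tooling that sorts or filters scan findings by severity will presumably leave this one unranked. Consider setting an explicit value in the same change, for example `severity: medium`, after confirming it against the benchmark the RHEL 9 profiles are derived from. The `severity:` line itself sits above the hunk, so the edit falls outside the lines shown.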
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
|
||
index c07bd670135..04f12549f1c 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83327-7
|
||
cce@rhel8: CCE-83328-5
|
||
+ cce@rhel9: CCE-83875-5
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
||
index e6fd9ed7240..de14fa41aa8 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81153-9
|
||
cce@rhel8: CCE-81050-7
|
||
+ cce@rhel9: CCE-83894-6
|
||
cce@sle12: CCE-83100-8
|
||
cce@sle15: CCE-85633-6
|
||
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
|
||
index 5f658b2a592..1725c8daf4c 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80145-6
|
||
cce@rhel8: CCE-82069-6
|
||
+ cce@rhel9: CCE-83873-0
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
|
||
index 34fadec6e9b..4d830212c30 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80146-4
|
||
cce@rhel8: CCE-82742-8
|
||
+ cce@rhel9: CCE-83856-5
|
||
cce@rhcos4: CCE-82865-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
|
||
index ab8cec9f91d..4e36f9ef1f5 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80147-2
|
||
cce@rhel8: CCE-82746-9
|
||
+ cce@rhel9: CCE-83883-9
|
||
cce@rhcos4: CCE-82747-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
|
||
index 054fd19e13e..c0c2c12c634 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80148-0
|
||
cce@rhel8: CCE-82744-4
|
||
+ cce@rhel9: CCE-83874-8
|
||
cce@rhcos4: CCE-82745-1
|
||
cce@sle12: CCE-83101-6
|
||
cce@sle15: CCE-85634-4
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
|
||
index a68d065c2f9..b67d96ba8da 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83317-8
|
||
cce@rhel8: CCE-83319-4
|
||
+ cce@rhel9: CCE-83880-5
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
|
||
index 469f15db079..022dee6db9a 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83320-2
|
||
cce@rhel8: CCE-83322-8
|
||
+ cce@rhel9: CCE-83862-3
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||
index 938f7a58215..6cf42d368a7 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80149-8
|
||
cce@rhel8: CCE-82623-0
|
||
+ cce@rhel9: CCE-83869-8
|
||
|
||
references:
|
||
cis@rhel7: 1.1.4
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||
index 1344518bc2f..055adca538a 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80150-6
|
||
cce@rhel8: CCE-82139-7
|
||
+ cce@rhel9: CCE-83885-4
|
||
|
||
references:
|
||
cis@rhel7: 1.1.3
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||
index 827eeb0381b..16e919a0586 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80151-4
|
||
cce@rhel8: CCE-82140-5
|
||
+ cce@rhel9: CCE-83872-2
|
||
|
||
references:
|
||
cis@rhel7: 1.1.5
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
|
||
index 252de20f49e..de0ed866913 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82079-5
|
||
cce@rhel8: CCE-82080-3
|
||
+ cce@rhel9: CCE-83882-1
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
|
||
index 06b1ee7eddc..8f862132b56 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82146-2
|
||
cce@rhel8: CCE-82975-4
|
||
+ cce@rhel9: CCE-83878-9
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
|
||
index 1443e2a64f4..a991a15ae5e 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82148-8
|
||
cce@rhel8: CCE-82921-8
|
||
+ cce@rhel9: CCE-83893-8
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||
index 97670681e06..920351725ad 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82076-1
|
||
cce@rhel8: CCE-82077-9
|
||
+ cce@rhel9: CCE-83886-2
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
|
||
index 6548012de35..2be49486a16 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82142-1
|
||
cce@rhel8: CCE-82008-4
|
||
+ cce@rhel9: CCE-83887-0
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
|
||
index 34fe89affd0..4c4c2711f37 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82144-7
|
||
cce@rhel8: CCE-82065-4
|
||
+ cce@rhel9: CCE-83870-6
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
|
||
index 92a8dd83813..8a8413b49e6 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82064-7
|
||
cce@rhel8: CCE-82062-1
|
||
+ cce@rhel9: CCE-83868-0
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
|
||
index 1cb6cbab055..7119419eb6b 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83329-3
|
||
cce@rhel8: CCE-83330-1
|
||
+ cce@rhel9: CCE-83865-6
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
|
||
index f15cc75ae19..ca3e15f3878 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
|
||
@@ -16,6 +16,7 @@ rationale: |-
|
||
identifiers:
|
||
cce@rhel7: CCE-83378-0
|
||
cce@rhel8: CCE-83383-0
|
||
+ cce@rhel9: CCE-83867-2
|
||
|
||
references:
|
||
anssi: BP28(R12)
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||
index 03443bd43fd..c78149e13aa 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81052-3
|
||
cce@rhel8: CCE-82068-8
|
||
+ cce@rhel9: CCE-83864-9
|
||
cce@rhcos4: CCE-82735-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||
index 4adc6791d88..87a5f0e2f5d 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82150-4
|
||
cce@rhel8: CCE-82151-2
|
||
+ cce@rhel9: CCE-83866-4
|
||
cce@rhcos4: CCE-82866-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||
index a22d658a6b2..7df03f1bf13 100644
|
||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82153-8
|
||
cce@rhel8: CCE-82154-6
|
||
+ cce@rhel9: CCE-83863-1
|
||
cce@rhcos4: CCE-82736-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
|
||
index dd32d225db8..3047f5790ab 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80169-6
|
||
cce@rhel8: CCE-81038-2
|
||
+ cce@rhel9: CCE-83980-3
|
||
cce@rhcos4: CCE-82526-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||
index baa8a448026..290d91abacf 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||
@@ -20,6 +20,7 @@ platform: machine
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82881-4
|
||
+ cce@rhel9: CCE-83974-6
|
||
cce@rhcos4: CCE-82530-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
|
||
index b9521a9a648..9734bd75112 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-26900-1
|
||
cce@rhel8: CCE-80912-9
|
||
+ cce@rhel9: CCE-83981-1
|
||
|
||
references:
|
||
cis@rhel7: 1.5.1
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
|
||
index 9e018613784..7ddbcbfc0a3 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
|
||
@@ -27,6 +27,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
|
||
identifiers:
|
||
cce@rhel7: CCE-27211-2
|
||
cce@rhel8: CCE-80914-5
|
||
+ cce@rhel9: CCE-83970-4
|
||
|
||
references:
|
||
cis@rhel7: 1.5.2
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||
index c678f8f086c..9474fed6098 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80659-6
|
||
cce@rhel8: CCE-80915-2
|
||
+ cce@rhel9: CCE-83972-0
|
||
cce@rhcos4: CCE-82498-7
|
||
cce@sle12: CCE-83125-5
|
||
cce@sle15: CCE-83299-8
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
|
||
index aa46075cdce..c96a8018909 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27127-0
|
||
cce@rhel8: CCE-80916-0
|
||
+ cce@rhel9: CCE-83971-2
|
||
cce@sle12: CCE-83146-1
|
||
cce@sle15: CCE-83300-4
|
||
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
index 9b18bee588f..77e58a78250 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82158-7
|
||
cce@rhel8: CCE-80944-2
|
||
+ cce@rhel9: CCE-83985-2
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
index f6059044f14..36241872a02 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82157-9
|
||
cce@rhel8: CCE-80945-9
|
||
+ cce@rhel9: CCE-83986-0
|
||
|
||
references:
|
||
srg: SRG-OS-000433-GPOS-00192,SRG-OS-000134-GPOS-00068
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||
index fb3cd558c0b..dd1f67bad8c 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82215-5
|
||
+ cce@rhel9: CCE-83961-3
|
||
cce@rhcos4: CCE-82527-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
|
||
index c7ba7b2821b..e7eb3f5caf3 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27050-4
|
||
cce@rhel8: CCE-80913-7
|
||
+ cce@rhel9: CCE-83952-2
|
||
cce@rhcos4: CCE-82499-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
|
||
index 97fab077088..6433967ce7f 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81056-4
|
||
cce@rhel8: CCE-80952-5
|
||
+ cce@rhel9: CCE-83954-8
|
||
cce@rhcos4: CCE-82500-0
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||
index 2bb534d8382..1722b9370da 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83392-1
|
||
cce@rhel8: CCE-83397-0
|
||
+ cce@rhel9: CCE-83967-0
|
||
|
||
references:
|
||
anssi: BP28(R24)
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
|
||
index 147e1f0a96a..52456967c53 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83369-9
|
||
cce@rhel8: CCE-83373-1
|
||
+ cce@rhel9: CCE-83969-6
|
||
|
||
references:
|
||
anssi: BP28(R23)
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
|
||
index 1cb4a86a14c..f78db1b0dbd 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83367-3
|
||
cce@rhel8: CCE-83368-1
|
||
+ cce@rhel9: CCE-83962-1
|
||
|
||
references:
|
||
anssi: BP28(R23)
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
|
||
index 696994b0f27..c756902afd2 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81053-1
|
||
cce@rhel8: CCE-81054-9
|
||
+ cce@rhel9: CCE-83959-7
|
||
cce@rhcos4: CCE-82502-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
|
||
index 672df86e693..4299f35b9df 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83365-7
|
||
cce@rhel8: CCE-83366-5
|
||
+ cce@rhel9: CCE-83960-5
|
||
|
||
references:
|
||
anssi: BP28(R23)
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
|
||
index 88e9e4e6285..f17eeb7a8fe 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83353-3
|
||
cce@rhel8: CCE-83355-8
|
||
+ cce@rhel9: CCE-83968-8
|
||
|
||
references:
|
||
anssi: BP28(R23)
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
|
||
index 31fde102de8..9a90716debc 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82203-1
|
||
cce@rhel8: CCE-82974-7
|
||
+ cce@rhel9: CCE-83957-1
|
||
cce@rhcos4: CCE-82504-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
|
||
index 7cd437ec14a..b686a606f86 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-81058-0
|
||
cce@rhel8: CCE-80953-3
|
||
+ cce@rhel9: CCE-83965-4
|
||
cce@rhcos4: CCE-82501-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
|
||
index 9812e2beb16..f87be0ff5c6 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82934-1
|
||
+ cce@rhel9: CCE-83966-2
|
||
cce@rhcos4: CCE-82505-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
|
||
index 223619814b5..145c652fa73 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: low
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82211-4
|
||
+ cce@rhel9: CCE-83956-3
|
||
cce@rhcos4: CCE-82503-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
|
||
index c5158c6cbb6..93a11ee5086 100644
|
||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
|
||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83358-2
|
||
cce@rhel8: CCE-83363-2
|
||
+ cce@rhel9: CCE-83958-9
|
||
|
||
references:
|
||
anssi: BP28(R23)
|
||
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
|
||
index 87a081248be..4cda0a17a8d 100644
|
||
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-26961-3
|
||
cce@rhel8: CCE-80827-9
|
||
+ cce@rhel9: CCE-84078-5
|
||
cce@rhcos4: CCE-82666-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
|
||
index c8123f6a4f6..d38f1829771 100644
|
||
--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-82876-4
|
||
cce@rhel8: CCE-82877-2
|
||
+ cce@rhel9: CCE-84069-4
|
||
|
||
references:
|
||
cis@rhel7: 1.6.1.1
|
||
diff --git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
|
||
index becb0dab84a..81f72105a80 100644
|
||
--- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80445-0
|
||
cce@rhel8: CCE-82756-8
|
||
+ cce@rhel9: CCE-84072-8
|
||
|
||
references:
|
||
cis@rhel7: 1.6.1.8
|
||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||
index a18a57dcbb3..74c92194136 100644
|
||
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82724-6
|
||
+ cce@rhel9: CCE-84070-2
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||
index acce754e9d2..cf3e71a1fc0 100644
|
||
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||
@@ -26,6 +26,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-82977-0
|
||
cce@rhel8: CCE-82976-2
|
||
+ cce@rhel9: CCE-84071-0
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
|
||
index c7ec916622c..8992283aecc 100644
|
||
--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80444-3
|
||
cce@rhel8: CCE-82755-0
|
||
+ cce@rhel9: CCE-84073-6
|
||
|
||
references:
|
||
anssi: BP28(R68)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
|
||
index bc189ce4d43..f3be1c78a09 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_auditadm_exec_content/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80424-5
|
||
cce@rhel8: CCE-84297-1
|
||
+ cce@rhel9: CCE-84090-0
|
||
|
||
references:
|
||
cui: 80424-5
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
||
index e8453fbfb8d..2a35a2db9eb 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82290-8
|
||
cce@rhel8: CCE-83307-9
|
||
+ cce@rhel9: CCE-84082-7
|
||
|
||
references:
|
||
anssi: BP28(R67)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
|
||
index e3591519dc7..53f154e7e84 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82305-4
|
||
cce@rhel8: CCE-84230-2
|
||
+ cce@rhel9: CCE-84083-5
|
||
|
||
references:
|
||
anssi: BP28(R39)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
|
||
index 6942f1e2114..428bb90bb94 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82308-8
|
||
cce@rhel8: CCE-83310-3
|
||
+ cce@rhel9: CCE-84087-6
|
||
|
||
{{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
|
||
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
||
index 7fedaab6130..6c6fbb73b26 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82312-0
|
||
cce@rhel8: CCE-80949-1
|
||
+ cce@rhel9: CCE-84084-3
|
||
|
||
references:
|
||
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
|
||
index b94d70c0989..f90ef1183de 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82313-8
|
||
cce@rhel8: CCE-80950-9
|
||
+ cce@rhel9: CCE-84086-8
|
||
|
||
references:
|
||
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
||
index 2e0b19f881d..21072e4401e 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82314-6
|
||
cce@rhel8: CCE-80951-7
|
||
+ cce@rhel9: CCE-84089-2
|
||
|
||
references:
|
||
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
|
||
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
|
||
index 98673f57c98..f4b47393a75 100644
|
||
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82327-8
|
||
cce@rhel8: CCE-83311-1
|
||
+ cce@rhel9: CCE-84081-9
|
||
|
||
{{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
|
||
|
||
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
||
index cc0319a4121..216518475e8 100644
|
||
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27288-0
|
||
cce@rhel8: CCE-80867-5
|
||
+ cce@rhel9: CCE-84075-1
|
||
cce@rhcos4: CCE-82688-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
||
index e4202dcd2c6..44e001c9049 100644
|
||
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27279-9
|
||
cce@rhel8: CCE-80868-3
|
||
+ cce@rhel9: CCE-84074-4
|
||
cce@rhcos4: CCE-82532-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
||
index 1a8066e5f07..ca0a7a04bae 100644
|
||
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
|
||
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27334-2
|
||
cce@rhel8: CCE-80869-1
|
||
+ cce@rhel9: CCE-84079-3
|
||
cce@rhcos4: CCE-82531-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||
index ef544f33d48..083d02a36e5 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||
@@ -53,6 +53,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27128-8
|
||
cce@rhel8: CCE-80789-1
|
||
+ cce@rhel9: CCE-90849-1
|
||
cce@sle12: CCE-83046-3
|
||
cce@sle15: CCE-85719-3
|
||
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
|
||
index c44f0c7ce98..35d766d9f9d 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80144-9
|
||
cce@rhel8: CCE-81044-0
|
||
+ cce@rhel9: CCE-83468-9
|
||
cce@rhcos4: CCE-82739-4
|
||
cce@sle12: CCE-83152-9
|
||
cce@sle15: CCE-85639-3
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
|
||
index ff22050a248..bbfd28c10ce 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml
|
||
@@ -25,6 +25,7 @@ references:
|
||
identifiers:
|
||
cce@rhel7: CCE-83376-4
|
||
cce@rhel8: CCE-83387-1
|
||
+ cce@rhel9: CCE-90846-7
|
||
|
||
{{{ complete_ocil_entry_separate_partition(part="/srv") }}}
|
||
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
|
||
index 799dfb99dd7..3a3a28cec04 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82053-0
|
||
cce@rhel8: CCE-80851-9
|
||
+ cce@rhel9: CCE-90845-9
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-021340
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
|
||
index 834dbbbf210..856a09540ba 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82014-2
|
||
cce@rhel8: CCE-80852-7
|
||
+ cce@rhel9: CCE-83466-3
|
||
cce@sle12: CCE-83153-7
|
||
cce@sle15: CCE-85640-1
|
||
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
|
||
index 7f1a8c7ddb9..08ba9a843f0 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82034-0
|
||
cce@rhel8: CCE-80853-5
|
||
+ cce@rhel9: CCE-90848-3
|
||
cce@rhcos4: CCE-82737-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
|
||
index e76d455bf3a..10113499614 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82035-7
|
||
cce@rhel8: CCE-80854-3
|
||
+ cce@rhel9: CCE-90847-5
|
||
cce@rhcos4: CCE-82738-6
|
||
cce@sle12: CCE-83154-5
|
||
cce@sle15: CCE-85618-7
|
||
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
|
||
index 535c0096b46..01c3f9b76ab 100644
|
||
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
|
||
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82353-4
|
||
cce@rhel8: CCE-82730-3
|
||
+ cce@rhel9: CCE-83487-9
|
||
cce@rhcos4: CCE-82734-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
|
||
index 1222bbf54e5..f5ca4062d3d 100644
|
||
--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82348-4
|
||
cce@rhel8: CCE-82367-4
|
||
+ cce@rhel9: CCE-83549-6
|
||
|
||
references:
|
||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||
index 8a36d5691b7..0a6b95ea19e 100644
|
||
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-82371-6
|
||
cce@rhel8: CCE-80947-5
|
||
+ cce@rhel9: CCE-83453-1
|
||
cce@sle12: CCE-83001-8
|
||
cce@sle15: CCE-83260-0
|
||
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||
index b232fdb7bbf..666ae4e2b2c 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80934-3
|
||
+ cce@rhel9: CCE-83451-5
|
||
cce@rhcos4: CCE-82544-8
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||
index 726f555e385..f95c16b271b 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||
@@ -55,6 +55,7 @@ severity: high
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80935-0
|
||
+ cce@rhel9: CCE-83450-7
|
||
cce@rhcos4: CCE-82541-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||
index 5f19ce25f9f..64bb048f8e5 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80936-8
|
||
+ cce@rhel9: CCE-83449-9
|
||
cce@rhcos4: CCE-82547-1
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||
index c156144f2c9..c1e7fb6f9e0 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||
@@ -24,6 +24,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80937-6
|
||
+ cce@rhel9: CCE-83446-5
|
||
cce@rhcos4: CCE-82546-3
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||
index a7d6351eb4b..3953f7f2372 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80938-4
|
||
+ cce@rhel9: CCE-83452-3
|
||
cce@rhcos4: CCE-82545-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||
index dfe105771cc..eba82b5fb78 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-84255-9
|
||
+ cce@rhel9: CCE-83448-1
|
||
|
||
references:
|
||
nist: AC-17(2)
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||
index 77030b4c6ed..ff24032229e 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-80939-2
|
||
+ cce@rhel9: CCE-83445-7
|
||
|
||
references:
|
||
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
|
||
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||
index 10974a995e1..68ce39792ba 100644
|
||
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82723-8
|
||
+ cce@rhel9: CCE-83442-4
|
||
|
||
references:
|
||
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
|
||
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
|
||
index b373970d241..6d0c3b42890 100644
|
||
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
|
||
@@ -24,6 +24,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
|
||
identifiers:
|
||
cce@rhel7: CCE-80658-8
|
||
cce@rhel8: CCE-84027-2
|
||
+ cce@rhel9: CCE-83441-6
|
||
|
||
references:
|
||
disa: CCI-000068,CCI-000803,CCI-002450
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||
index d28e3222980..460641ed4e3 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||
@@ -29,6 +29,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27220-3
|
||
cce@rhel8: CCE-80675-2
|
||
+ cce@rhel9: CCE-83438-2
|
||
|
||
references:
|
||
anssi: BP28(R51)
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
||
index 7feef66f859..2d7a3ac28b2 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
||
@@ -34,6 +34,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-26952-2
|
||
cce@rhel8: CCE-80676-0
|
||
+ cce@rhel9: CCE-83437-4
|
||
cce@sle15: CCE-85671-6
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||
index a73fb0a39ad..51dae72ee6d 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||
@@ -30,6 +30,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80374-2
|
||
cce@rhel8: CCE-82891-3
|
||
+ cce@rhel9: CCE-90844-2
|
||
cce@sle12: CCE-83048-9
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||
index f527068022a..3342599f5f6 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80375-9
|
||
cce@rhel8: CCE-84220-3
|
||
+ cce@rhel9: CCE-90837-6
|
||
cce@sle12: CCE-83150-3
|
||
cce@sle15: CCE-85623-7
|
||
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||
index 7961f3b5a67..54351d15423 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||
@@ -25,6 +25,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80376-7
|
||
cce@rhel8: CCE-83733-6
|
||
+ cce@rhel9: CCE-83439-0
|
||
cce@sle12: CCE-83151-1
|
||
cce@sle15: CCE-85624-5
|
||
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||
index 264dd298c11..681da5b976e 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||
@@ -14,6 +14,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-27096-7
|
||
cce@rhel8: CCE-80844-4
|
||
+ cce@rhel9: CCE-90843-4
|
||
cce@sle12: CCE-83067-9
|
||
cce@sle15: CCE-83289-9
|
||
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
|
||
index 873110cc9c3..3d0f77d825b 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml
|
||
@@ -36,6 +36,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27157-7
|
||
cce@rhel8: CCE-80857-6
|
||
+ cce@rhel9: CCE-90841-8
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-010020
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
|
||
index 97c0957fd68..f085d9a79f9 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
|
||
@@ -27,6 +27,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-80545-7
|
||
cce@rhel8: CCE-82196-7
|
||
+ cce@rhel9: CCE-90842-6
|
||
cce@rhcos4: CCE-82686-7
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
|
||
index 8875abd83fe..915cf839a68 100644
|
||
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
|
||
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
|
||
@@ -32,6 +32,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-27209-6
|
||
cce@rhel8: CCE-80858-4
|
||
+ cce@rhel9: CCE-90840-0
|
||
cce@rhcos4: CCE-82687-5
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
|
||
index af33fe43359..f2ae5406c24 100644
|
||
--- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml
|
||
+++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83691-6
|
||
cce@rhel8: CCE-83694-0
|
||
+ cce@rhel9: CCE-90839-2
|
||
|
||
references:
|
||
anssi: BP28(R10)
|
||
diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
|
||
index 2392bdc2c44..1fb36944e43 100644
|
||
--- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82213-0
|
||
cce@rhel8: CCE-82214-8
|
||
+ cce@rhel9: CCE-83523-1
|
||
cce@rhcos4: CCE-82523-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
|
||
index fb6e9833b31..cc7fbbc0959 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-83740-1
|
||
cce@rhel8: CCE-83747-6
|
||
+ cce@rhel9: CCE-83537-1
|
||
|
||
references:
|
||
anssi: BP28(R58)
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
|
||
index 00e56a1427d..e7c96e8d5ac 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83787-2
|
||
cce@rhel8: CCE-83790-6
|
||
+ cce@rhel9: CCE-83539-7
|
||
|
||
references:
|
||
anssi: BP28(R58)
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
|
||
index 2164cefec8c..67f9fcb1a42 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-83797-1
|
||
cce@rhel8: CCE-83798-9
|
||
+ cce@rhel9: CCE-83538-9
|
||
|
||
references:
|
||
anssi: BP28(R58)
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||
index 05a3127c6ae..90760109e3c 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-83600-7
|
||
cce@rhel8: CCE-83601-5
|
||
+ cce@rhel9: CCE-83527-2
|
||
|
||
references:
|
||
cis@rhel7: 5.2.3
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
|
||
index 3c96138cbc9..a9a594e87f8 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80350-2
|
||
cce@rhel8: CCE-82202-3
|
||
+ cce@rhel9: CCE-83544-7
|
||
cce@sle12: CCE-83013-3
|
||
cce@sle15: CCE-83291-5
|
||
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
|
||
index 172eedba548..a8658c9ed88 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
|
||
@@ -21,6 +21,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-80351-0
|
||
cce@rhel8: CCE-82197-5
|
||
+ cce@rhel9: CCE-83536-3
|
||
cce@sle12: CCE-83012-5
|
||
cce@sle15: CCE-85663-3
|
||
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
|
||
index 2138ea9ead0..cae15396bfe 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82278-3
|
||
cce@rhel8: CCE-82279-1
|
||
+ cce@rhel9: CCE-83543-9
|
||
cce@sle15: CCE-85673-2
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||
index 930915327e0..a708f7a073b 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||
@@ -23,6 +23,7 @@ identifiers:
|
||
cce@sle15: CCE-85712-8
|
||
cce@rhel7: CCE-83423-4
|
||
cce@rhel8: CCE-83425-9
|
||
+ cce@rhel9: CCE-83525-6
|
||
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
|
||
index 32bff061c95..a32e759eee4 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82349-2
|
||
cce@rhel8: CCE-82365-8
|
||
+ cce@rhel9: CCE-83528-0
|
||
|
||
ocil_clause: 'nopasswd is set for any users beyond vdsm'
|
||
|
||
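Review bot: This rule tolerates a NOPASSWD entry for the vdsm account (`ocil_clause: 'nopasswd is set for any users beyond vdsm'`), and the same patch also gives sudo_remove_nopasswd a RHEL 9 CCE. Judging by its name, that rule presumably flags every NOPASSWD entry, so a RHEL 9 profile selecting both would pass one rule and fail the other for the same sudoers line on a VDSM host. Which profiles select either rule is not visible in this part of the patch. A comment above the new identifier would record the intent, for example `# RHEL 9: intended only for hosts running VDSM; do not combine with sudo_remove_nopasswd`.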
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||
index a0590c8b0b7..8bd794aa2b2 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
||
@@ -22,8 +22,9 @@ rationale: |-
|
||
severity: medium
|
||
|
||
identifiers:
|
||
- cce@rhel7: CCE-83631-2
|
||
- cce@rhel8: CCE-83632-0
|
||
+ cce@rhel7: CCE-83631-2
|
||
+ cce@rhel8: CCE-83632-0
|
||
+ cce@rhel9: CCE-83545-4
|
||
|
||
references:
|
||
anssi: BP28(R63)
|
||
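Review bot: The `cce@rhel7` and `cce@rhel8` entries are removed and re-added with identical visible text, so the change to them is whitespace only. It is presumably a re-indentation, but the page does not preserve leading spaces, so this cannot be confirmed here. Every key under `identifiers:` has to sit at the same indentation level or the YAML mapping fails to parse, so the new `cce@rhel9: CCE-83545-4` line should be checked against the two re-added lines. The same remove-and-re-add pattern appears in the sudoers_no_command_negation and sudoers_no_root_target hunks. The commit description would be easier to audit with a line such as `Normalise identifiers indentation in the sudoers_* rules.`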
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
|
||
index 5421c589098..896c103747c 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml
|
||
@@ -21,8 +21,9 @@ rationale: |-
|
||
severity: medium
|
||
|
||
identifiers:
|
||
- cce@rhel7: CCE-83517-3
|
||
- cce@rhel8: CCE-83518-1
|
||
+ cce@rhel7: CCE-83517-3
|
||
+ cce@rhel8: CCE-83518-1
|
||
+ cce@rhel9: CCE-83524-9
|
||
|
||
references:
|
||
anssi: BP28(R61)
|
||
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
|
||
index ef2dd6e27dc..bcc9ecd0ee3 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml
|
||
@@ -18,8 +18,9 @@ rationale: |-
|
||
severity: medium
|
||
|
||
identifiers:
|
||
- cce@rhel7: CCE-83597-5
|
||
- cce@rhel8: CCE-83598-3
|
||
+ cce@rhel7: CCE-83597-5
|
||
+ cce@rhel8: CCE-83598-3
|
||
+ cce@rhel9: CCE-83531-4
|
||
|
||
references:
|
||
anssi: BP28(R60)
|
||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||
index d17f33852db..f336906294a 100644
|
||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||
@@ -22,6 +22,7 @@ rationale: |-
|
||
identifiers:
|
||
cce@rhel7: CCE-83421-8
|
||
cce@rhel8: CCE-83422-6
|
||
+ cce@rhel9: CCE-83529-8
|
||
cce@sle15: CCE-85747-4
|
||
|
||
references:
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
|
||
index 61ec3bb5041..acaf85219c8 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82920-0
|
||
cce@rhel8: CCE-82919-2
|
||
+ cce@rhel9: CCE-83507-4
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
|
||
index 8b71752795a..15757ec7a6a 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82927-5
|
||
cce@rhel8: CCE-82926-7
|
||
+ cce@rhel9: CCE-83508-2
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
|
||
index fe5b1710349..5440804c82b 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82924-2
|
||
cce@rhel8: CCE-82923-4
|
||
+ cce@rhel9: CCE-83510-8
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
|
||
index 6cd038c7614..7723195d483 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82908-5
|
||
cce@rhel8: CCE-82907-7
|
||
+ cce@rhel9: CCE-83512-4
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
|
||
index 6fea7c33159..74b217d9e4e 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82914-3
|
||
cce@rhel8: CCE-82913-5
|
||
+ cce@rhel9: CCE-83513-2
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
|
||
index 9950ab14215..b058c92597b 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82917-6
|
||
cce@rhel8: CCE-82916-8
|
||
+ cce@rhel9: CCE-83514-0
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
|
||
index f98b732a50a..43da8d34b26 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82911-9
|
||
cce@rhel8: CCE-82910-1
|
||
+ cce@rhel9: CCE-83515-7
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||
index c53a12edfc7..1af48c1611b 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82395-5
|
||
+ cce@rhel9: CCE-83494-5
|
||
|
||
references:
|
||
ospp: FIA_X509_EXT
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
|
||
index aa1ae14ade9..3e46bd39a7e 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82944-0
|
||
cce@rhel8: CCE-82943-2
|
||
+ cce@rhel9: CCE-83516-5
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
|
||
index 651bf3eb4c1..6a99a5b82e6 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82947-3
|
||
cce@rhel8: CCE-82946-5
|
||
+ cce@rhel9: CCE-83519-9
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||
index b26dc2dbdf3..845167a237b 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82930-9
|
||
cce@rhel8: CCE-82931-7
|
||
+ cce@rhel9: CCE-83520-7
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
|
||
index 475980cd54e..c2c8a19aa64 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
|
||
@@ -17,6 +17,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82219-7
|
||
cce@rhel8: CCE-82220-5
|
||
+ cce@rhel9: CCE-83502-5
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000191-GPOS-00080
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||
index 1d0ed040448..2396f5bb118 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82882-2
|
||
cce@rhel8: CCE-82883-0
|
||
+ cce@rhel9: CCE-83503-3
|
||
|
||
ocil_clause: 'the package is not installed'
|
||
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||
index f0ca76b6953..1acb18a6866 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82969-7
|
||
cce@rhel8: CCE-82968-9
|
||
+ cce@rhel9: CCE-83504-1
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
|
||
index 2c272a01e3b..a7f9dfd8d76 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82951-5
|
||
cce@rhel8: CCE-82949-9
|
||
+ cce@rhel9: CCE-83505-8
|
||
|
||
references:
|
||
srg: SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
||
index 0742a1638fd..e79b482e89a 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
|
||
@@ -19,6 +19,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82638-8
|
||
cce@rhel8: CCE-82316-1
|
||
+ cce@rhel9: CCE-83506-6
|
||
|
||
references:
|
||
srg: SRG-OS-000366-GPOS-00153
|
||
diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
|
||
index 66f864069e2..728a04f5ac8 100644
|
||
--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
|
||
+++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-82905-1
|
||
cce@rhel8: CCE-82904-4
|
||
+ cce@rhel9: CCE-83521-5
|
||
|
||
references:
|
||
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
|
||
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||
index d0289b311c6..43e3a975354 100644
|
||
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||
@@ -23,6 +23,7 @@ severity: low
|
||
identifiers:
|
||
cce@rhel7: CCE-80346-0
|
||
cce@rhel8: CCE-82476-3
|
||
+ cce@rhel9: CCE-83458-0
|
||
cce@sle12: CCE-83186-7
|
||
cce@sle15: CCE-85551-0
|
||
|
||
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||
index 7a10f5dd9ed..a8834659ed5 100644
|
||
--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||
@@ -20,6 +20,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82494-6
|
||
+ cce@rhel9: CCE-83456-4
|
||
|
||
references:
|
||
ospp: FMT_SMF_EXT.1
|
||
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
|
||
index 10e9e0ac2e9..5a4ad9e674e 100644
|
||
--- a/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/dnf-automatic_security_updates_only/rule.yml
|
||
@@ -18,6 +18,7 @@ severity: low
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82267-6
|
||
+ cce@rhel9: CCE-83461-4
|
||
|
||
references:
|
||
ospp: FMT_SMF_EXT.1
|
||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||
index 8b2f877b60a..668d4b95f9e 100644
|
||
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
||
@@ -33,6 +33,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-26989-4
|
||
cce@rhel8: CCE-80790-9
|
||
+ cce@rhel9: CCE-83457-2
|
||
cce@sle12: CCE-83068-7
|
||
cce@sle15: CCE-83290-7
|
||
|
||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
||
index 67459838987..52c23b17f11 100644
|
||
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-80347-8
|
||
cce@rhel8: CCE-80791-7
|
||
+ cce@rhel9: CCE-83463-0
|
||
|
||
references:
|
||
stigid@ol7: OL07-00-020060
|
||
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
|
||
index 6adc5810034..53f832bdce8 100644
|
||
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml
|
||
@@ -22,6 +22,7 @@ severity: high
|
||
identifiers:
|
||
cce@rhel7: CCE-26876-3
|
||
cce@rhel8: CCE-80792-5
|
||
+ cce@rhel9: CCE-83464-8
|
||
|
||
references:
|
||
srg: SRG-OS-000366-GPOS-00153
|
||
diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||
index 0bdace740b4..490683fe252 100644
|
||
--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||
@@ -16,6 +16,7 @@ severity: medium
|
||
identifiers:
|
||
cce@rhel7: CCE-82986-1
|
||
cce@rhel8: CCE-82985-3
|
||
+ cce@rhel9: CCE-83454-9
|
||
|
||
references:
|
||
srg: SRG-OS-000191-GPOS-00080
|
||
diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||
index 07aa5c3575b..7451f5637b5 100644
|
||
--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||
+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||
@@ -15,6 +15,7 @@ severity: medium
|
||
|
||
identifiers:
|
||
cce@rhel8: CCE-82360-9
|
||
+ cce@rhel9: CCE-83459-8
|
||
|
||
references:
|
||
ospp: FMT_SMF_EXT.1
|
||
From 4325e8a4ec9f02766ae873ad25f0bbcf926bd72b Mon Sep 17 00:00:00 2001
|
||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||
Date: Wed, 23 Jun 2021 17:20:40 +0200
|
||
Subject: [PATCH 4/4] Resolved chrony vs ntp rules.
|
||
|
||
Profiles should select only chrony rules, as ntp is not
|
||
supposed to be used in RHEL9.
|
||
---
|
||
rhel9/profiles/ism_o.profile | 3 +--
|
||
rhel9/profiles/pci-dss.profile | 6 +++---
|
||
rhel9/profiles/stig.profile | 2 +-
|
||
3 files changed, 5 insertions(+), 6 deletions(-)
|
||
|
||
diff --git a/rhel9/profiles/ism_o.profile b/rhel9/profiles/ism_o.profile
|
||
index 3a884f8371d..2aa4af470e9 100644
|
||
--- a/rhel9/profiles/ism_o.profile
|
||
+++ b/rhel9/profiles/ism_o.profile
|
||
@@ -90,9 +90,8 @@ selections:
|
||
- rsyslog_remote_tls_cacert
|
||
- package_chrony_installed
|
||
- service_chronyd_enabled
|
||
-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
|
||
+ # - chronyd_specify_multiple_servers
|
||
- chronyd_specify_remote_server
|
||
-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
|
||
|
||
## Events to be logged
|
||
## Identifiers 0580 / 0584 / 0582 / 0585 / 0586 / 0846 / 0957
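Review bot: The added line `# - chronyd_specify_multiple_servers` is commented out with no reason given, whereas the line it replaces carried `# not supported in RHEL9 ATM`. As written, the profile selects `chronyd_specify_remote_server` but does not check that more than one time source is configured, and a reader cannot tell whether that is deliberate or pending. I would keep the reason on the line, for example `# - chronyd_specify_multiple_servers # not supported in RHEL9 ATM`, if that is still the cause. The same unexplained comment-out is added in the pci-dss.profile hunk of this patch. The `selections:` list begins and continues outside this hunk.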
|
||
diff --git a/rhel9/profiles/pci-dss.profile b/rhel9/profiles/pci-dss.profile
|
||
index 6b00be5f76a..2c027af5236 100644
|
||
--- a/rhel9/profiles/pci-dss.profile
|
||
+++ b/rhel9/profiles/pci-dss.profile
|
||
@@ -79,9 +79,9 @@ selections:
|
||
- audit_rules_kernel_module_loading_init
|
||
- audit_rules_immutable
|
||
- var_multiple_time_servers=rhel
|
||
-# - service_chronyd_or_ntpd_enabled # not supported in RHEL9 ATM
|
||
-# - chronyd_or_ntpd_specify_remote_server # not supported in RHEL9 ATM
|
||
-# - chronyd_or_ntpd_specify_multiple_servers # not supported in RHEL9 ATM
|
||
+ - service_chronyd_enabled
|
||
+ - chronyd_specify_remote_server
|
||
+ # - chronyd_specify_multiple_servers
|
||
- rpm_verify_permissions
|
||
- rpm_verify_hashes
|
||
# - install_hids # not supported in RHEL9 ATM
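Review bot: `var_multiple_time_servers=rhel` stays selected while `chronyd_specify_multiple_servers`, the rule that presumably consumes it, is added commented out. If so, the variable has no effect in this profile and the multiple-time-source check is not enforced. Either enable the rule or note the dependency beside the variable, e.g. `# used by chronyd_specify_multiple_servers, which is disabled below`. Whether any other selected rule reads this variable cannot be seen from the hunk, so please confirm before relying on it. The `selections:` list begins and continues outside this hunk.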
|
||
diff --git a/rhel9/profiles/stig.profile b/rhel9/profiles/stig.profile
|
||
index 1baafe6f751..eef1f901ab5 100644
|
||
e-- a/rhel9/profiles/stig.profile
|
||
+++ b/rhel9/profiles/stig.profile
|
||
@@ -820,7 +820,7 @@ selections:
|
||
|
||
# RHEL-08-030740
|
||
# remediation fails because default configuration file contains pool instead of server keyword
|
||
-# - chronyd_or_ntpd_set_maxpoll # not supported in RHEL9 ATM
|
||
+ # - chronyd_set_maxpoll # Doesn't exist in RHEL9, but it should
|
||
|
||
# RHEL-08-030741
|
||
# - chronyd_client_only # not supported in RHEL9 ATM
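Review bot: The new trailing comment `# Doesn't exist in RHEL9, but it should` records a gap in the profile but gives no way to track it. The context line above still states a different reason, that remediation fails on the `pool` keyword. A reader cannot tell which of the two blocks the maxpoll check, and the control stays unenforced until someone rediscovers this line. I would state one reason and attach a tracker reference, for example `# - chronyd_set_maxpoll # TODO: rule not yet available for RHEL9 (tracking: <ISSUE-PLACEHOLDER>)`. The neighbouring ID comments still read `RHEL-08-…`, presumably carried over from the RHEL8 profile. The `selections:` list begins and continues outside this hunk.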
|