Merge pull request #10511 from marcusburghardt/cis_rhel8_netrc

Update netrc requirement in CIS for RHEL8
ComplianceAsCode · May 2, 2023 · 5a228b6 · 5a228b6
2 parents 3d9b19c + e304bc5
commit 5a228b6
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 8 deletions.
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -2656,11 +2656,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: supported
-    notes: |-
-      It is not expected this requirement be automated in favor of 6.2.15.
-    related_rules:
-      - no_netrc_files
+    status: automated
+    rules:
+      - accounts_users_netrc_file_permissions
 
   - id: 6.2.14
     title: Ensure no users have .forward files (Automated)

diff --git a/...de/system/accounts/accounts-session/accounts_users_netrc_file_permissions/oval/shared.xml b/...de/system/accounts/accounts-session/accounts_users_netrc_file_permissions/oval/shared.xml
@@ -44,7 +44,7 @@
   </unix:file_state>
 
   <unix:file_test id="test_accounts_users_home_netrc_file_permissions" check="all" version="1"
-                  comment=".netrc files are not group or world accessible">
+      check_existence="any_exist" comment=".netrc files are not group or world accessible">
     <unix:object object_ref="object_accounts_users_home_netrc_file_permissions"/>
     <unix:state state_ref="state_accounts_users_home_netrc_file_permissions_gread" />
     <unix:state state_ref="state_accounts_users_home_netrc_file_permissions_gwrite" />

diff --git a/..._os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml b/..._os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15
+prodtype: rhel8,sle12,sle15
 
 title: "Ensure users' .netrc Files are not group or world accessible"
 
@@ -19,10 +19,12 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87369-5
     cce@sle12: CCE-92446-4
     cce@sle15: CCE-92697-2
 
 references:
+    cis@rhel8: 6.2.13
     cis@sle12: 6.2.11
     cis@sle15: 6.2.11
 

diff --git a/...nts/accounts-session/accounts_users_netrc_file_permissions/tests/home_dirs_absent.pass.sh b/...nts/accounts-session/accounts_users_netrc_file_permissions/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/...unts-session/accounts_users_netrc_file_permissions/tests/interactive_users_absent.pass.sh b/...unts-session/accounts_users_netrc_file_permissions/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -964,7 +964,6 @@ CCE-87365-3
 CCE-87366-1
 CCE-87367-9
 CCE-87368-7
-CCE-87369-5
 CCE-87371-1
 CCE-87372-9
 CCE-87373-7