From 570036ed1d996bb2b2a6945ad72f864451eb1775 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 12:27:25 +0100 Subject: [PATCH 01/20] Update CIS version in RHEL8 control file --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 92d75fa1043..a8e1173df95 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -2,7 +2,7 @@ policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' title: 'CIS Benchmark for Red Hat Enterprise Linux 8' id: cis_rhel8 -version: '2.0.0' +version: '3.0.0' source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux levels: - id: l1_server From 6d43f567370dde7767aec3f0e23385bb6b7ac67d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 13:52:07 +0100 Subject: [PATCH 02/20] Update CIS RHEL8 section 1.1.1 1.1.1 Configure Filesystem Kernel Modules New requirements were included to disable more file system modules. --- controls/cis_rhel8.yml | 53 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 49 insertions(+), 4 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a8e1173df95..70d84d0e0c0 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -39,7 +39,7 @@ controls: - enable_authselect - id: 1.1.1.1 - title: Ensure mounting of cramfs filesystems is disabled (Automated) + title: Ensure cramfs kernel module is not available (Automated) levels: - l1_workstation - l1_server 
@@ -48,16 +48,52 @@ controls: - kernel_module_cramfs_disabled - id: 1.1.1.2 - title: Ensure mounting of squashfs filesystems is disabled (Automated) + title: Ensure freevxfs kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: - - kernel_module_squashfs_disabled + - kernel_module_freevxfs_disabled - id: 1.1.1.3 - title: Ensure mounting of udf filesystems is disabled (Automated) + title: Ensure hfs kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_hfs_disabled + + - id: 1.1.1.4 + title: Ensure hfsplus kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_hfsplus_disabled + + - id: 1.1.1.5 + title: Ensure jffs2 kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_jffs2_disabled + + - id: 1.1.1.6 + title: Ensure squashfs kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.7 + title: Ensure udf kernel module is not available (Automated) levels: - l2_server - l2_workstation @@ -65,6 +101,15 @@ controls: rules: - kernel_module_udf_disabled + - id: 1.1.1.8 + title: Ensure usb-storage kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_usb-storage_disabled + - id: 1.1.2.1 title: Ensure /tmp is a separate partition (Automated) levels: From 88e0d921d9938c82f30c472ddf980210b4169453 Mon Sep 17 00:00:00 2001 
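Review bot: The four new module controls 1.1.1.2–1.1.1.5 (freevxfs, hfs, hfsplus, jffs2) are all given `l2_server` / `l2_workstation`, apparently inherited from the squashfs entry that id 1.1.1.2 used to hold; in v3.0.0 of the benchmark these four appear to be Level 1 for both server and workstation, with only squashfs (1.1.1.6) and udf (1.1.1.7) at Level 2, so the levels should be verified against the benchmark text before the Level 1 profiles ship with narrower module coverage than the benchmark asks for. The same check applies to 1.1.1.8 in the next hunk (`@@ -65,6 +101,15 @@`): usb-storage is listed at `l2_server`, whereas the v2.0.0 control it replaces (1.1.10) applied at Level 1 for servers, so `- l1_server` / `- l2_workstation` is probably the intended pair. Once confirmed, the level split within 1.1.1 is worth a one-line comment above 1.1.1.6 so the next update does not copy the Level 2 block again.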
From: Marcus Burghardt Date: Mon, 15 Jan 2024 13:57:32 +0100 Subject: [PATCH 03/20] Update rules related to CIS RHEL8 1.1.1 4 new rules were included in the control file while other three rules only had their references updated. --- .../mounting/kernel_module_freevxfs_disabled/rule.yml | 2 ++ .../permissions/mounting/kernel_module_hfs_disabled/rule.yml | 2 ++ .../mounting/kernel_module_hfsplus_disabled/rule.yml | 2 ++ .../mounting/kernel_module_jffs2_disabled/rule.yml | 2 ++ .../mounting/kernel_module_squashfs_disabled/rule.yml | 2 +- .../permissions/mounting/kernel_module_udf_disabled/rule.yml | 2 +- .../mounting/kernel_module_usb-storage_disabled/rule.yml | 2 +- shared/references/cce-redhat-avail.txt | 4 ---- 8 files changed, 11 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml index 74729708c02..87640e2560a 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml @@ -17,10 +17,12 @@ severity: low identifiers: cce@rhcos4: CCE-82713-9 cce@rhel7: CCE-80138-1 + cce@rhel8: CCE-86615-2 references: cis-csc: 11,14,3,9 cis@rhel7: 1.1.1.2 + cis@rhel8: 1.1.1.2 cis@ubuntu2004: 1.1.1.2 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 cui: 3.4.6 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml index ec81e6f9aaa..5e60c6ce5b6 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml 
@@ -17,10 +17,12 @@ severity: low identifiers: cce@rhcos4: CCE-82714-7 cce@rhel7: CCE-80140-7 + cce@rhel8: CCE-86616-0 references: cis-csc: 11,14,3,9 cis@rhel7: 1.1.1.4 + cis@rhel8: 1.1.1.3 cis@ubuntu2004: 1.1.1.4 cis@ubuntu2204: 1.1.1.4 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml index f6080cd7bc4..e1eb7c90b5f 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml @@ -17,10 +17,12 @@ severity: low identifiers: cce@rhcos4: CCE-82715-4 cce@rhel7: CCE-80141-5 + cce@rhel8: CCE-86617-8 references: cis-csc: 11,14,3,9 cis@rhel7: 1.1.1.5 + cis@rhel8: 1.1.1.4 cis@ubuntu2004: 1.1.1.5 cis@ubuntu2204: 1.1.1.5 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml index 47df625c8a5..224bce2b607 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml @@ -17,10 +17,12 @@ severity: low identifiers: cce@rhcos4: CCE-82716-2 cce@rhel7: CCE-80139-9 + cce@rhel8: CCE-86618-6 references: cis-csc: 11,14,3,9 cis@rhel7: 1.1.1.3 + cis@rhel8: 1.1.1.5 cis@ubuntu2004: 1.1.1.3 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 cui: 3.4.6 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml index 67bc619a3ea..4ce92604abd 100644 
--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml @@ -35,7 +35,7 @@ references: cis@alinux2: 1.1.1 cis@alinux3: 1.1.1.2 cis@rhel7: 1.1.1.2 - cis@rhel8: 1.1.1.2 + cis@rhel8: 1.1.1.6 cis@rhel9: 1.1.1.1 cis@sle12: 1.1.1.1 cis@sle15: 1.1.1.1 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml index f36e2b226c0..4dbaa95324c 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled/rule.yml @@ -35,7 +35,7 @@ references: cis-csc: 11,14,3,9 cis@alinux3: 1.1.1.3 cis@rhel7: 1.1.1.3 - cis@rhel8: 1.1.1.3 + cis@rhel8: 1.1.1.7 cis@rhel9: 1.1.1.2 cis@sle12: 1.1.1.2 cis@sle15: 1.1.1.2 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index 0f437dab4be..dea5da59ce8 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -31,7 +31,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux3: 1.1.10 cis@rhel7: 1.1.24 - cis@rhel8: 1.1.10 + cis@rhel8: 1.1.1.8 cis@rhel9: 1.1.9 cis@sle12: 1.1.23 cis@sle15: 1.1.23 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 81a3d069b6a..1b73a6003d8 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -303,10 +303,6 @@ CCE-86607-9 CCE-86609-5 CCE-86610-3 CCE-86613-7 -CCE-86615-2 -CCE-86616-0 -CCE-86617-8 -CCE-86618-6 CCE-86619-4 CCE-86620-2 CCE-86622-8 From 4f7ff9411c053e6aff1855aef674c3f4554d1370 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Mon, 15 Jan 2024 14:34:54 +0100 Subject: [PATCH 04/20] Update CIS RHEL8 section 1.1.2 1.1.2 Configure Filesystem Partitions Requirements related to quota were removed. Others were reorganized. --- controls/cis_rhel8.yml | 174 ++++++++++++++++++----------------------- 1 file changed, 78 insertions(+), 96 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 70d84d0e0c0..170d901f033 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -110,7 +110,7 @@ controls: rules: - kernel_module_usb-storage_disabled - - id: 1.1.2.1 + - id: 1.1.2.1.1 title: Ensure /tmp is a separate partition (Automated) levels: - l1_server @@ -119,7 +119,7 @@ controls: rules: - partition_for_tmp - - id: 1.1.2.2 + - id: 1.1.2.1.2 title: Ensure nodev option set on /tmp partition (Automated) levels: - l1_server 
@@ -128,239 +128,221 @@ controls: rules: - mount_option_tmp_nodev - - id: 1.1.2.3 - title: Ensure noexec option set on /tmp partition (Automated) + - id: 1.1.2.1.3 + title: Ensure nosuid option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_noexec + - mount_option_tmp_nosuid - - id: 1.1.2.4 - title: Ensure nosuid option set on /tmp partition (Automated) + - id: 1.1.2.1.4 + title: Ensure noexec option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_nosuid + - mount_option_tmp_noexec - - id: 1.1.3.1 - title: Ensure separate partition exists for /var (Automated) + - id: 1.1.2.2.1 + title: Ensure /dev/shm is a separate partition (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - partition_for_var + - partition_for_dev_shm - - id: 1.1.3.2 - title: Ensure nodev option set on /var partition (Automated) + - id: 1.1.2.2.2 + title: Ensure nodev option set on /dev/shm partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_nodev + - mount_option_dev_shm_nodev - - id: 1.1.3.3 - title: Ensure noexec option set on /var partition (Automated) + - id: 1.1.2.2.3 + title: Ensure nosuid option set on /dev/shm partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_noexec + - mount_option_dev_shm_nosuid - - id: 1.1.3.4 - title: Ensure nosuid option set on /var partition (Automated) + - id: 1.1.2.2.4 + title: Ensure noexec option set on /dev/shm partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_nosuid + - mount_option_dev_shm_noexec - - id: 1.1.4.1 - title: Ensure separate partition exists for /var/tmp (Automated) + - id: 1.1.2.3.1 + title: Ensure separate partition exists for /home (Automated) levels: - l2_server - l2_workstation 
status: automated rules: - - partition_for_var_tmp - - - id: 1.1.4.2 - title: Ensure noexec option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_noexec + - partition_for_home - - id: 1.1.4.3 - title: Ensure nosuid option set on /var/tmp partition (Automated) + - id: 1.1.2.3.2 + title: Ensure nodev option set on /home partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_tmp_nosuid + - mount_option_home_nodev - - id: 1.1.4.4 - title: Ensure nodev option set on /var/tmp partition (Automated) + - id: 1.1.2.3.3 + title: Ensure nosuid option set on /home partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_tmp_nodev + - mount_option_home_nosuid - - id: 1.1.5.1 - title: Ensure separate partition exists for /var/log (Automated) + - id: 1.1.2.4.1 + title: Ensure separate partition exists for /var (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_var_log - - - id: 1.1.5.2 - title: Ensure nodev option set on /var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_nodev + - partition_for_var - - id: 1.1.5.3 - title: Ensure noexec option set on /var/log partition (Automated) + - id: 1.1.2.4.2 + title: Ensure nodev option set on /var partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_noexec + - mount_option_var_nodev - - id: 1.1.5.4 - title: Ensure nosuid option set on /var/log partition (Automated) + - id: 1.1.2.4.3 + title: Ensure nosuid option set on /var partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_nosuid + - mount_option_var_nosuid - - id: 1.1.6.1 - title: Ensure separate partition exists for /var/log/audit (Automated) + - id: 1.1.2.5.1 + title: Ensure 
separate partition exists for /var/tmp (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_var_log_audit + - partition_for_var_tmp - - id: 1.1.6.2 - title: Ensure noexec option set on /var/log/audit partition (Automated) + - id: 1.1.2.5.2 + title: Ensure nodev option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_noexec + - mount_option_var_tmp_nodev - - id: 1.1.6.3 - title: Ensure nodev option set on /var/log/audit partition (Automated) + - id: 1.1.2.5.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_nodev + - mount_option_var_tmp_nosuid - - id: 1.1.6.4 - title: Ensure nosuid option set on /var/log/audit partition (Automated) + - id: 1.1.3.5.4 + title: Ensure noexec option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_nosuid + - mount_option_var_tmp_noexec - - id: 1.1.7.1 - title: Ensure separate partition exists for /home (Automated) + - id: 1.1.2.6.1 + title: Ensure separate partition exists for /var/log (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_home + - partition_for_var_log - - id: 1.1.7.2 - title: Ensure nodev option set on /home partition (Automated) + - id: 1.1.2.6.2 + title: Ensure nodev option set on /var/log partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_home_nodev + - mount_option_var_log_nodev - - id: 1.1.7.3 - title: Ensure nosuid option set on /home partition (Automated) + - id: 1.1.2.6.3 + title: Ensure nosuid option set on /var/log partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_home_nosuid + - mount_option_var_log_nosuid - - id: 1.1.7.4 - title: Ensure usrquota option set on 
/home partition (Automated) + - id: 1.1.2.6.4 + title: Ensure noexec option set on /var/log partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_home_usrquota + - mount_option_var_log_noexec - - id: 1.1.7.5 - title: Ensure grpquota option set on /home partition (Automated) + - id: 1.1.2.7.1 + title: Ensure separate partition exists for /var/log/audit (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - mount_option_home_grpquota + - partition_for_var_log_audit - - id: 1.1.8.1 - title: Ensure nodev option set on /dev/shm partition (Automated) + - id: 1.1.2.7.2 + title: Ensure nodev option set on /var/log/audit partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_dev_shm_nodev + - mount_option_var_log_audit_nodev - - id: 1.1.8.2 - title: Ensure noexec option set on /dev/shm partition (Automated) + - id: 1.1.2.7.3 + title: Ensure nosuid option set on /var/log/audit partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_dev_shm_noexec + - mount_option_var_log_audit_nosuid - - id: 1.1.8.3 - title: Ensure nosuid option set on /dev/shm partition (Automated) + - id: 1.1.2.7.4 + title: Ensure noexec option set on /var/log/audit partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_dev_shm_nosuid + - mount_option_var_log_audit_noexec - id: 1.1.9 title: Disable Automounting (Automated) From b99cb42eec222bd9a158d53248c211c839c1c2d6 Mon Sep 17 00:00:00 2001 
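Review bot: The noexec control for /var/tmp is added as `- id: 1.1.3.5.4`, which breaks the 1.1.2.5.x numbering of the surrounding entries (1.1.2.5.1–1.1.2.5.3) and disagrees with the rule file, where patch 05 sets `cis@rhel8: 1.1.2.5.4` on mount_option_var_tmp_noexec; the line should read `- id: 1.1.2.5.4`. Since control ids are what the rule references are matched against, the typo would most likely leave this control and its rule silently detached from the benchmark item they cover, so a quick consistency pass of every `cis@rhel8` value in patch 05 against the ids in this file is worth doing before merge. This hunk starts on an earlier line, and the controls list continues past the `1.1.9` context at its end.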
From: Marcus Burghardt Date: Mon, 15 Jan 2024 14:36:49 +0100 Subject: [PATCH 05/20] Update rules related to CIS RHEL8 1.1.2 References were updated in related rules. --- .../permissions/partitions/mount_option_dev_shm_nodev/rule.yml | 2 +- .../partitions/mount_option_dev_shm_noexec/rule.yml | 2 +- .../partitions/mount_option_dev_shm_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_home_grpquota/rule.yml | 1 - .../permissions/partitions/mount_option_home_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_home_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_home_usrquota/rule.yml | 3 --- .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +- .../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +- .../partitions/mount_option_var_log_audit_nodev/rule.yml | 2 +- .../partitions/mount_option_var_log_audit_noexec/rule.yml | 2 +- .../partitions/mount_option_var_log_audit_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_var_log_nodev/rule.yml | 2 +- .../partitions/mount_option_var_log_noexec/rule.yml | 2 +- .../partitions/mount_option_var_log_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_var_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_var_noexec/rule.yml | 1 - .../permissions/partitions/mount_option_var_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_var_tmp_nodev/rule.yml | 2 +- .../partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- .../partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- .../software/disk_partitioning/partition_for_dev_shm/rule.yml | 1 + .../software/disk_partitioning/partition_for_home/rule.yml | 2 +- .../software/disk_partitioning/partition_for_tmp/rule.yml | 2 +- .../software/disk_partitioning/partition_for_var/rule.yml | 2 +- .../software/disk_partitioning/partition_for_var_log/rule.yml | 2 +- .../disk_partitioning/partition_for_var_log_audit/rule.yml | 2 
+- .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 2 +- 29 files changed, 26 insertions(+), 30 deletions(-) diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml index 594309bbe55..96ed1704f37 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml @@ -29,7 +29,7 @@ references: cis@alinux2: 1.1.15 cis@alinux3: 1.1.8.1 cis@rhel7: 1.1.8 - cis@rhel8: 1.1.8.1 + cis@rhel8: 1.1.2.2.2 cis@rhel9: 1.1.8.2 cis@sle12: 1.1.8 cis@sle15: 1.1.8 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml index b86b80493c3..811f0794325 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml @@ -31,7 +31,7 @@ references: cis-csc: 11,13,14,3,8,9 cis@alinux2: 1.1.17 cis@rhel7: 1.1.7 - cis@rhel8: 1.1.8.2 + cis@rhel8: 1.1.2.2.4 cis@rhel9: 1.1.8.3 cis@sle12: 1.1.7 cis@sle15: 1.1.7 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml index 2cd40a6f3c9..318b56f463f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml @@ -29,7 +29,7 @@ references: cis@alinux2: 1.1.16 cis@alinux3: 1.1.8.3 cis@rhel7: 1.1.9 - cis@rhel8: 1.1.8.3 + cis@rhel8: 1.1.2.2.3 cis@rhel9: 1.1.8.4 cis@sle12: 1.1.9 cis@sle15: 1.1.9 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml index dfc449d17c3..3bdc9e736aa 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml @@ -22,7 +22,6 @@ identifiers: cce@rhel9: CCE-86042-9 references: - cis@rhel8: 1.1.7.5 nist: CM-6(b) {{{ complete_ocil_entry_mount_option("/home", "grpquota") }}} diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml index ba5959a42bd..1c69b9f75b2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml @@ -33,7 +33,7 @@ references: cis@alinux2: 1.1.14 cis@alinux3: 1.1.7.2 cis@rhel7: 1.1.18 - cis@rhel8: 1.1.7.2 + cis@rhel8: 1.1.2.3.2 cis@rhel9: 1.1.7.2 cis@sle12: 1.1.18 cis@sle15: 1.1.18 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml index 19590c842ee..6857365f2bb 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml @@ -27,7 +27,7 @@ references: anssi: BP28(R28) cis-csc: 11,13,14,3,8,9 cis@alinux3: 1.1.7.3 - cis@rhel8: 1.1.7.3 + cis@rhel8: 1.1.2.3.3 cis@rhel9: 1.1.7.3 cis@ubuntu2204: 1.1.7.3 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml index 86536b37530..eec25df3e82 100644 
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml @@ -22,11 +22,8 @@ identifiers: cce@rhel9: CCE-86036-1 references: - cis@rhel8: 1.1.7.4 nist: CM-6(b) - - {{{ complete_ocil_entry_mount_option("/home", "usrquota") }}} fixtext: '{{{ fixtext_mount_option("/home", "usrquota") }}}' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml index 06a7dc18f36..f6a73fc3835 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.3 cis@alinux3: 1.1.2.2 cis@rhel7: 1.1.4 - cis@rhel8: 1.1.2.2 + cis@rhel8: 1.1.2.1.2 cis@rhel9: 1.1.2.2 cis@sle12: 1.1.4 cis@sle15: 1.1.4 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml index 5d8d9710fbb..55f8ab87a2d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.5 cis@alinux3: 1.1.2.3 cis@rhel7: 1.1.3 - cis@rhel8: 1.1.2.3 + cis@rhel8: 1.1.2.1.4 cis@rhel9: 1.1.2.3 cis@sle12: 1.1.3 cis@sle15: 1.1.3 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml index b7b9fec9237..c59612e33eb 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml 
@@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.4 cis@alinux3: 1.1.2.4 cis@rhel7: 1.1.5 - cis@rhel8: 1.1.2.4 + cis@rhel8: 1.1.2.1.3 cis@rhel9: 1.1.2.4 cis@sle12: 1.1.5 cis@sle15: 1.1.5 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml index c89966261ae..c768422c979 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@rhel9: CCE-83882-1 references: - cis@rhel8: 1.1.6.3 + cis@rhel8: 1.1.2.7.2 cis@rhel9: 1.1.6.3 cis@ubuntu2204: 1.1.6.3 disa: CCI-001764 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml index 98a7e9ad027..fc9d8abe217 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@rhel9: CCE-83878-9 references: - cis@rhel8: 1.1.6.2 + cis@rhel8: 1.1.2.7.4 cis@rhel9: 1.1.6.2 cis@ubuntu2204: 1.1.6.2 disa: CCI-001764 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml index 833e9947017..d494193dfa6 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@rhel9: CCE-83893-8 references: - cis@rhel8: 1.1.6.4 + cis@rhel8: 1.1.2.7.3 cis@rhel9: 1.1.6.4 cis@ubuntu2204: 1.1.6.4 disa: CCI-001764 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml index aae251d622c..5081f5940d6 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@rhel9: CCE-83886-2 references: - cis@rhel8: 1.1.5.2 + cis@rhel8: 1.1.2.6.2 cis@rhel9: 1.1.5.2 cis@ubuntu2204: 1.1.5.2 disa: CCI-001764 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml index 132b09fd293..3a836202783 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml @@ -27,7 +27,7 @@ identifiers: references: anssi: BP28(R12) - cis@rhel8: 1.1.5.3 + cis@rhel8: 1.1.2.6.4 cis@rhel9: 1.1.5.3 cis@ubuntu2204: 1.1.5.3 disa: CCI-001764 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml index 0744827b995..24cdfbb1db9 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml @@ -28,7 +28,7 @@ identifiers: references: anssi: BP28(R12) - cis@rhel8: 1.1.5.4 + cis@rhel8: 1.1.2.6.3 cis@rhel9: 1.1.5.4 cis@ubuntu2204: 1.1.5.4 disa: CCI-001764 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml index eb57b5c0174..50d313e5635 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@rhel9: CCE-83868-0 references: - cis@rhel8: 1.1.3.2 + cis@rhel8: 1.1.2.4.2 cis@rhel9: 1.1.3.2 cis@ubuntu2204: 1.1.3.2 nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml index d617a3b2eba..add54cf7d0f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml @@ -27,7 +27,6 @@ identifiers: references: anssi: BP28(R12) cis@alinux3: 1.1.3.2 - cis@rhel8: 1.1.3.3 platform: machine and mount[var] diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml index 5fe097625e4..e000de7cc52 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml @@ -23,7 +23,7 @@ identifiers: references: anssi: BP28(R12) cis@alinux3: 1.1.3.3 - cis@rhel8: 1.1.3.4 + cis@rhel8: 1.1.2.4.3 cis@rhel9: 1.1.3.3 cis@ubuntu2204: 1.1.3.3 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml index b21666373b8..4c2e2448e0d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml 
@@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.8 cis@alinux3: 1.1.4.4 cis@rhel7: 1.1.13 - cis@rhel8: 1.1.4.4 + cis@rhel8: 1.1.2.5.2 cis@rhel9: 1.1.4.4 cis@sle12: 1.1.13 cis@sle15: 1.1.13 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml index 3240796eb49..a1479ff2e27 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.10 cis@alinux3: 1.1.4.2 cis@rhel7: 1.1.12 - cis@rhel8: 1.1.4.2 + cis@rhel8: 1.1.2.5.4 cis@rhel9: 1.1.4.2 cis@sle12: 1.1.12 cis@sle15: 1.1.12 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml index 49b39bc0610..0060fd5dc0e 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.9 cis@alinux3: 1.1.4.3 cis@rhel7: 1.1.14 - cis@rhel8: 1.1.4.3 + cis@rhel8: 1.1.2.5.3 cis@rhel9: 1.1.4.3 cis@sle12: 1.1.14 cis@sle15: 1.1.14 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml index afb9aa2e5c7..82f2567e644 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml @@ -29,6 +29,7 @@ identifiers: references: cis@rhel7: 1.1.6 + cis@rhel8: 1.1.2.2.1 cis@rhel9: 1.1.8.1 cis@sle12: 1.1.6 cis@sle15: 1.1.6 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index 39cf4ae4fe3..36071d8a438 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml @@ -30,7 +30,7 @@ references: cis@alinux2: 1.1.13 cis@alinux3: 1.1.7.1 cis@rhel7: 1.1.17 - cis@rhel8: 1.1.7.1 + cis@rhel8: 1.1.2.3.1 cis@rhel9: 1.1.7.1 cis@sle12: 1.1.17 cis@sle15: 1.1.17 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml index 43b1c12e2f4..abaf779507f 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml @@ -27,7 +27,7 @@ references: cis@alinux2: 1.1.2 cis@alinux3: 1.1.2.1 cis@rhel7: 1.1.2 - cis@rhel8: 1.1.2.1 + cis@rhel8: 1.1.2.1.1 cis@rhel9: 1.1.2.1 cis@sle12: 1.1.2 cis@sle15: 1.1.2 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index 753c2d00217..bbd6d43b6e2 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml @@ -29,7 +29,7 @@ references: cis@alinux2: 1.1.6 cis@alinux3: 1.1.3.1 cis@rhel7: 1.1.10 - cis@rhel8: 1.1.3.1 + cis@rhel8: 1.1.2.4.1 cis@rhel9: 1.1.3.1 cis@sle12: 1.1.10 cis@sle15: 1.1.10 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml index c5790aab1d1..780869177bc 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml 
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml @@ -27,7 +27,7 @@ references: cis@alinux2: 1.1.11 cis@alinux3: 1.1.5.1 cis@rhel7: 1.1.15 - cis@rhel8: 1.1.5.1 + cis@rhel8: 1.1.2.6.1 cis@rhel9: 1.1.5.1 cis@sle12: 1.1.15 cis@sle15: 1.1.15 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml index f2cce01c075..fc11c9d383f 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 1.1.12 cis@alinux3: 1.1.6.1 cis@rhel7: 1.1.16 - cis@rhel8: 1.1.6.1 + cis@rhel8: 1.1.2.7.1 cis@rhel9: 1.1.6.1 cis@sle12: 1.1.16 cis@sle15: 1.1.16 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml index a5f203a1aca..8629b60ee09 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml @@ -29,7 +29,7 @@ references: cis@alinux2: 1.1.7 cis@alinux3: 1.1.4.1 cis@rhel7: 1.1.11 - cis@rhel8: 1.1.4.1 + cis@rhel8: 1.1.2.5.1 cis@rhel9: 1.1.4.1 cis@sle12: 1.1.11 cis@sle15: 1.1.11 From 9d4e77fc594fd867b352a10acb0e80cd91fc6c51 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:04:20 +0100 Subject: [PATCH 06/20] Remove dropped filesystem requiremens from CIS RHEL8 1 This commit concludes the review of CIS RHEL8 1.1 - Filesystem. --- controls/cis_rhel8.yml | 18 ------------------ .../mounting/service_autofs_disabled/rule.yml | 1 - 2 files changed, 19 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 170d901f033..40d4d9abc22 100644 --- a/controls/cis_rhel8.yml 
+++ b/controls/cis_rhel8.yml @@ -344,24 +344,6 @@ controls: rules: - mount_option_var_log_audit_noexec - - id: 1.1.9 - title: Disable Automounting (Automated) - levels: - - l1_server - - l2_workstation - status: automated - rules: - - service_autofs_disabled - - - id: 1.1.10 - title: Disable USB Storage (Automated) - levels: - - l1_server - - l2_workstation - status: automated - rules: - - kernel_module_usb-storage_disabled - - id: 1.2.1 title: Ensure Red Hat Subscription Manager connection is configured (Manual) levels: diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml index fd1f7af8d82..b6c4ff436d4 100644 --- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml @@ -37,7 +37,6 @@ references: cis@alinux2: 1.1.19 cis@alinux3: 1.1.9 cis@rhel7: 1.1.23 - cis@rhel8: 1.1.9 cis@sle12: 1.1.23 cis@sle15: 1.1.23 cis@ubuntu1804: 1.1.21 From 1135f8ed74d08d7821128f6087ede41310c8dc01 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:12:57 +0100 Subject: [PATCH 07/20] Update CIS RHEL8 section 1.2 1.2 Configure Software and Patch Management --- controls/cis_rhel8.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 40d4d9abc22..5972aa11ee9 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -345,13 +345,6 @@ controls: - mount_option_var_log_audit_noexec - id: 1.2.1 - title: Ensure Red Hat Subscription Manager connection is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 1.2.2 title: Ensure GPG keys are configured (Manual) levels: - l1_server 
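Review bot: The controls hunk removes both the 1.1.9 (`service_autofs_disabled`) and 1.1.10 (`kernel_module_usb-storage_disabled`) entries, but only `service_autofs_disabled/rule.yml` loses its `cis@rhel8` reference in this commit; the usb-storage rule's `rule.yml` is absent from the diffstat, so its `cis@rhel8` value is left at whatever it was before unless another commit in the series re-points it. Worth confirming that reference resolves to a control that still exists in the file after this deletion. Separately, the autofs rule now carries no `cis@rhel8` mapping at all; if the v3.0.0 benchmark still covers autofs under a different section, the reference should be re-added there rather than dropped.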
@@ -360,7 +353,7 @@ controls: related_rules: - ensure_redhat_gpgkey_installed - - id: 1.2.3 + - id: 1.2.2 title: Ensure gpgcheck is globally activated (Automated) levels: - l1_server @@ -369,6 +362,13 @@ controls: rules: - ensure_gpgcheck_globally_activated + - id: 1.2.3 + title: Ensure repo_gpgcheck is globally activated (Manual) + levels: + - l2_server + - l2_workstation + status: manual + - id: 1.2.4 title: Ensure package manager repositories are configured (Manual) levels: @@ -376,6 +376,15 @@ controls: - l1_workstation status: manual + - id: 1.2.5 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - security_patches_up_to_date + - id: 1.3.1 title: Ensure AIDE is installed (Automated) levels: @@ -645,15 +654,6 @@ controls: - dconf_gnome_disable_automount - dconf_gnome_disable_automount_open - - id: "1.9" - title: Ensure updates, patches, and additional security software are installed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - security_patches_up_to_date - - id: "1.10" title: Ensure system-wide crypto policy is not legacy (Automated) levels: From e373a906de98b36f8286763a7099539026fbf66e Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:14:23 +0100 Subject: [PATCH 08/20] Update rules related to CIS RHEL8 1.2 References were updated in related rules. --- .../updating/ensure_gpgcheck_globally_activated/rule.yml | 2 +- .../software/updating/ensure_redhat_gpgkey_installed/rule.yml | 2 +- .../software/updating/security_patches_up_to_date/rule.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml index fb7f79793fc..b57b0c8fc51 100644 
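Review bot: The new 1.2.3 control (`Ensure repo_gpgcheck is globally activated (Manual)`) carries neither `rules` nor `related_rules`, unlike the new 1.2.5 in the following hunk, which links `security_patches_up_to_date`; if the project's existing `ensure_gpgcheck_repo_metadata` rule matches this requirement, list it under `related_rules:` so the manual control stays traceable to content. The control is also placed at `l2_server`/`l2_workstation` while every neighbouring 1.2.x control is Level 1, which is fine if it mirrors the benchmark but is the only level change in this commit and deserves a second look.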
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -43,7 +43,7 @@ references: cis@alinux2: 1.2.3 cis@alinux3: 1.3.2 cis@rhel7: 1.2.3 - cis@rhel8: 1.2.3 + cis@rhel8: 1.2.2 cis@rhel9: 1.2.2 cis@sle12: 1.2.3 cis@sle15: 1.2.3 diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml index 08aadf21343..2bcbf0161e0 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml @@ -42,7 +42,7 @@ references: anssi: BP28(R15) cis-csc: 11,2,3,9 cis@rhel7: 1.2.3 - cis@rhel8: 1.2.2 + cis@rhel8: 1.2.1 cis@rhel9: 1.2.1 cjis: 5.10.4.1 cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02 diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index f0ef023320d..ef2d928fdae 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -50,7 +50,7 @@ references: cis-csc: 18,20,4 cis@alinux2: "1.8" cis@rhel7: "1.8" - cis@rhel8: "1.9" + cis@rhel8: 1.2.5 cis@rhel9: "1.9" cis@sle12: "1.9" cis@sle15: "1.9" From e9a6ab2c707e0413759a002157d563910d1a4c14 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:32:29 +0100 Subject: [PATCH 09/20] Update CIS RHEL8 section 1.3 1.3 Configure Secure Boot Settings Requirements related to AIDE were moved to section 5. Section 5 will be reviewed after. --- controls/cis_rhel8.yml | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 5972aa11ee9..bb0bdb05716 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -386,25 +386,6 @@ controls: - security_patches_up_to_date - id: 1.3.1 - title: Ensure AIDE is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_aide_installed - - aide_build_database - - - id: 1.3.2 - title: Ensure filesystem integrity is regularly checked (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_periodic_cron_checking - - - id: 1.4.1 title: Ensure bootloader password is set (Automated) levels: - l1_server @@ -414,7 +395,7 @@ controls: - grub2_password - grub2_uefi_password - - id: 1.4.2 + - id: 1.3.2 title: Ensure permissions on bootloader config are configured (Automated) levels: - l1_server @@ -2180,6 +2161,25 @@ controls: - sshd_set_keepalive - var_sshd_set_keepalive=0 + - id: 5.3.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_aide_installed + - aide_build_database + + - id: 5.3.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - aide_periodic_cron_checking + - id: 5.3.1 title: Ensure sudo is installed (Automated) levels: From d0949e61ee0873e772d30a3ab9e93664ee5c795d Mon Sep 17 00:00:00 2001 
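Review bot: The last hunk leaves two controls with `id: 5.3.1` in the same file: the added AIDE control and the existing `Ensure sudo is installed (Automated)` control that follows it as context. The commit message defers section 5, but the rule references in the next commit (`aide_build_database`, `package_aide_installed`, both set to `cis@rhel8: 5.3.1`) already point at this id, so until sudo is renumbered the mapping from reference to control is ambiguous. If the control loader does not reject duplicate ids, a `# TODO: sudo control below still uses 5.3.1 until section 5 is renumbered` comment on the AIDE entry would at least make the collision visible to whoever picks up section 5.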
From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:34:22 +0100 Subject: [PATCH 10/20] Update rules related to CIS RHEL8 1.3 References were updated in related rules. Rules related to AIDE were moved to section 5 to be reviewed after, but their references are already updated. --- .../non-uefi/file_groupowner_grub2_cfg/rule.yml | 2 +- .../bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml | 2 +- .../bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml | 2 +- .../bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml | 2 +- .../non-uefi/file_permissions_grub2_cfg/rule.yml | 2 +- .../non-uefi/file_permissions_user_cfg/rule.yml | 2 +- .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +- .../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 2 +- .../bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml | 2 +- .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 2 +- .../bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml | 2 +- .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 2 +- .../uefi/file_permissions_efi_user_cfg/rule.yml | 2 +- .../system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 2 +- .../software-integrity/aide/aide_build_database/rule.yml | 2 +- .../aide/aide_periodic_cron_checking/rule.yml | 2 +- .../software-integrity/aide/package_aide_installed/rule.yml | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml index 299748d46f3..bae11df8704 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml @@ -29,7 +29,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cis@sle12: 1.5.2 cis@sle15: 1.5.2 
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml index a69df22466b..f4da733e752 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml @@ -25,7 +25,7 @@ references: ccn@rhel9: A.6.SEC-RHEL2 cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml index 83b7e7acce4..d0f92c3e81b 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml @@ -27,7 +27,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cis@sle12: 1.5.2 cis@sle15: 1.5.2 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml index 079f519bec2..e7cd21dbeaa 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml @@ -25,7 +25,7 @@ references: ccn@rhel9: A.6.SEC-RHEL2 cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml index a2b0132fcda..bff0be343fe 100644 
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml @@ -27,7 +27,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cis@sle12: 1.5.2 cis@sle15: 1.5.2 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml index dcaaa425b0f..4bb1f49a42e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml @@ -23,7 +23,7 @@ references: ccn@rhel9: A.6.SEC-RHEL2 cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 cui: 3.4.5 diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index 654799a4982..e95d3d2b45f 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -52,7 +52,7 @@ references: cis-csc: 1,11,12,14,15,16,18,3,5 cis@alinux3: 1.5.1 cis@rhel7: 1.4.1 - cis@rhel8: 1.4.1 + cis@rhel8: 1.3.1 cis@rhel9: 1.4.1 cis@sle12: 1.5.1 cis@sle15: 1.5.1 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml index 8a10defcebc..88210ebcdae 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml 
@@ -26,7 +26,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml index 1fa0facd557..2a22f398a93 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -24,7 +24,7 @@ identifiers: references: cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml index 9f5bb27454d..b796ae71072 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -24,7 +24,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml index 104fa81e81f..2eac156938a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml @@ -24,7 +24,7 @@ identifiers: references: cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cjis: 5.5.2.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml index ee5bdcaf823..210cd59be48 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -25,7 +25,7 @@ references: cis@alinux2: 1.4.1 cis@alinux3: 1.5.2 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 cui: 3.4.5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml index bfea4e0472d..205c15fa917 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -23,7 +23,7 @@ identifiers: references: cis-csc: 12,13,14,15,16,18,3,5 cis@rhel7: 1.4.2 - cis@rhel8: 1.4.2 + cis@rhel8: 1.3.2 cis@rhel9: 1.4.2 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 cui: 3.4.5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index cdaa2b573e2..14c3fdcdba7 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -52,7 +52,7 @@ references: cis-csc: 11,12,14,15,16,18,3,5 cis@alinux3: 1.5.1 cis@rhel7: 1.4.1 - cis@rhel8: 1.4.1 + cis@rhel8: 1.3.1 cis@rhel9: 1.4.1 cis@sle12: 1.5.1 cis@sle15: 1.5.1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index d4beaad7e4f..595f90231da 100644 
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -48,7 +48,7 @@ references: cis-csc: 1,11,12,13,14,15,16,2,3,5,7,8,9 cis@alinux2: 1.3.1 cis@rhel7: 1.3.1 - cis@rhel8: 1.3.1 + cis@rhel8: 5.3.1 cis@rhel9: 1.3.1 cis@sle12: 1.4.1 cis@sle15: 1.4.1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml index 680674c2f19..effa9d75675 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml @@ -48,7 +48,7 @@ references: cis@alinux2: 1.3.2 cis@alinux3: 1.4.2 cis@rhel7: 1.3.2 - cis@rhel8: 1.3.2 + cis@rhel8: 5.3.2 cis@rhel9: 1.3.2 cis@sle12: 1.4.2 cis@sle15: 1.4.2 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index bbebb646fda..862bc568d40 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -24,7 +24,7 @@ references: cis@alinux2: 1.3.1 cis@alinux3: 1.4.1 cis@rhel7: 1.3.1 - cis@rhel8: 1.3.1 + cis@rhel8: 5.3.1 cis@rhel9: 1.3.1 cis@sle12: 1.4.1 cis@sle15: 1.4.1 From a0a88983c9b19a50dd7df88a5b6e5261f57a8965 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:44:02 +0100 Subject: [PATCH 11/20] Update CIS RHEL8 section 1.4 1.4 Configure Additional Process Hardening --- controls/cis_rhel8.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index bb0bdb05716..994a7fffcbf 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -415,26 +415,25 @@ controls: - file_permissions_efi_user_cfg - file_permissions_user_cfg - - id: 1.4.3 - title: Ensure authentication is required when booting into rescue mode (Automated) + - id: 1.4.1 + title: Ensure address space layout randomization (ASLR) is enabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - require_singleuser_auth - - require_emergency_target_auth + - sysctl_kernel_randomize_va_space - - id: 1.5.1 - title: Ensure core dump storage is disabled (Automated) + - id: 1.4.2 + title: Ensure ptrace_scope is restricted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - coredump_disable_storage + - sysctl_kernel_yama_ptrace_scope - - id: 1.5.2 + - id: 1.4.3 title: Ensure core dump backtraces are disabled (Automated) levels: - l1_server @@ -443,14 +442,14 @@ controls: rules: - coredump_disable_backtraces - - id: 1.5.3 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + - id: 1.4.4 + title: Ensure core dump storage is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_storage - id: 1.6.1.1 title: Ensure SELinux is installed (Automated) From 61ba31ee704589493a8e93e20c6a2f1eb27392f3 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:44:56 +0100 Subject: [PATCH 12/20] Update rules related to CIS RHEL8 1.4 References were updated in related rules. Requirements for authentication in emergency and singleuser modes were dropped. --- .../accounts-physical/require_emergency_target_auth/rule.yml | 1 - .../accounts/accounts-physical/require_singleuser_auth/rule.yml | 2 -- .../restrictions/coredumps/coredump_disable_backtraces/rule.yml | 2 +- .../restrictions/coredumps/coredump_disable_storage/rule.yml | 2 +- .../sysctl_kernel_randomize_va_space/rule.yml | 2 +- .../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + 6 files changed, 4 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index 66548c8118f..b16a75d8af0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -31,7 +31,6 @@ references: cis@alinux2: 1.4.2 cis@alinux3: 1.5.3 cis@rhel7: 1.4.3 - cis@rhel8: 1.4.3 cis@sle12: 1.5.3 cis@sle15: 1.5.3 cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10 diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 23396156e05..67ce08f1b7d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -4,7 +4,6 @@ prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,openembedded,rhcos title: 'Require Authentication for Single User Mode' - description: |- Single-user mode is intended as a system recovery method, providing a single user root access to the system by 
@@ -33,7 +32,6 @@ references: cis@alinux2: 1.4.2 cis@alinux3: 1.5.3 cis@rhel7: 1.4.3 - cis@rhel8: 1.4.3 cis@sle12: 1.5.3 cis@sle15: 1.5.3 cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10 diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml index b2a21b469e1..faf6c3df153 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml @@ -34,7 +34,7 @@ references: cis@alinux2: 1.5.1 cis@alinux3: 1.6.1 cis@rhel7: 1.5.1 - cis@rhel8: 1.5.2 + cis@rhel8: 1.4.3 cis@rhel9: 1.5.2 cis@sle12: 1.6.1 cis@sle15: 1.6.1 diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml index de617d21dee..7e0051ce7cf 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml @@ -34,7 +34,7 @@ references: cis@alinux2: 1.5.1 cis@alinux3: 1.6.1 cis@rhel7: 1.5.1 - cis@rhel8: 1.5.1 + cis@rhel8: 1.4.4 cis@rhel9: 1.5.1 cis@sle12: 1.6.1 cis@sle15: 1.6.1 diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml index ac0d7f0afd9..f0f0043da26 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml 
@@ -27,7 +27,7 @@ references: cis@alinux2: 1.5.2 cis@alinux3: 1.6.2 cis@rhel7: 1.5.3 - cis@rhel8: 1.5.3 + cis@rhel8: 1.4.1 cis@rhel9: 1.5.3 cis@sle12: 1.6.3 cis@sle15: 1.6.3 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index c634cf644bf..50e426eea9a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -24,6 +24,7 @@ identifiers: references: anssi: BP28(R25) + cis@rhel8: 1.4.2 disa: CCI-000366 nist: SC-7(10) srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 From faff7584b44ea302b83c73ff3786d070a02214b1 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 15 Jan 2024 15:55:44 +0100 Subject: [PATCH 13/20] Update CIS RHEL8 section 1.5 1.5 - Mandatory Access Control 1.5.1 - Configure SELinux --- controls/cis_rhel8.yml | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 994a7fffcbf..418cf5f983c 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -451,7 +451,7 @@ controls: rules: - coredump_disable_storage - - id: 1.6.1.1 + - id: 1.5.1.1 title: Ensure SELinux is installed (Automated) levels: - l1_server @@ -460,7 +460,7 @@ controls: rules: - package_libselinux_installed - - id: 1.6.1.2 + - id: 1.5.1.2 title: Ensure SELinux is not disabled in bootloader configuration (Automated) levels: - l1_server @@ -469,7 +469,7 @@ controls: rules: - grub2_enable_selinux - - id: 1.6.1.3 + - id: 1.5.1.3 title: Ensure SELinux policy is configured (Automated) levels: - l1_server @@ -479,7 +479,7 @@ controls: - var_selinux_policy_name=targeted - selinux_policytype - - id: 1.6.1.4 + - id: 1.5.1.4 title: Ensure the SELinux mode is not disabled (Automated) levels: - l1_server 
@@ -488,7 +488,7 @@ controls:
 rules:
 - selinux_not_disabled
- - id: 1.6.1.5
+ - id: 1.5.1.5
 title: Ensure the SELinux mode is enforcing (Automated)
 levels:
 - l2_server
@@ -498,7 +498,7 @@ controls:
 - var_selinux_state=enforcing
 - selinux_state
- - id: 1.6.1.6
+ - id: 1.5.1.6
 title: Ensure no unconfined services exist (Automated)
 levels:
 - l1_server
@@ -507,22 +507,23 @@ controls:
 rules:
 - selinux_confinement_of_daemons
- - id: 1.6.1.7
- title: Ensure SETroubleshoot is not installed (Automated)
+ - id: 1.5.1.7
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
 levels:
 - l1_server
+ - l1_workstation
 status: automated
 rules:
- - package_setroubleshoot_removed
+ - package_mcstrans_removed
- - id: 1.6.1.8
- title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ - id: 1.5.1.8
+ title: Ensure SETroubleshoot is not installed (Automated)
 levels:
 - l1_server
- - l1_workstation
 status: automated
 rules:
- - package_mcstrans_removed
+ - package_setroubleshoot_removed
+
 - id: 1.7.1
 title: Ensure message of the day is configured properly (Automated)
From 88a700ce29c2bde650e0bf0db1b800a9eb8e50ea Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 15 Jan 2024 15:57:23 +0100
Subject: [PATCH 14/20] Update rules related to CIS RHEL8 1.5 References were updated in related rules.
---
 linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml | 2 +-
 .../guide/system/selinux/package_libselinux_installed/rule.yml | 2 +-
 linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml | 2 +-
 .../system/selinux/package_setroubleshoot_removed/rule.yml | 2 +-
 .../system/selinux/selinux_confinement_of_daemons/rule.yml | 2 +-
 linux_os/guide/system/selinux/selinux_not_disabled/rule.yml | 2 +-
 linux_os/guide/system/selinux/selinux_policytype/rule.yml | 2 +-
 linux_os/guide/system/selinux/selinux_state/rule.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
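Review bot: The lone `+` line after `+ - package_setroubleshoot_removed` adds an empty line where the old text already had one before `- id: 1.7.1`; the 22→23 line count of this hunk is exactly that extra blank, so two consecutive blank lines now separate control 1.5.1.8 from 1.7.1 while the surrounding controls are separated by a single blank line. Drop the added empty line. The swapped order of the mcstrans and SETroubleshoot controls and the per-control `levels` changes otherwise read consistently with the rule references updated in the following commit.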
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
index 93f558241e0..ca972119e6e 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
@@ -30,7 +30,7 @@ references:
 cis@alinux2: 1.6.1.1
 cis@alinux3: 1.7.1.2
 cis@rhel7: 1.6.1.2
- cis@rhel8: 1.6.1.2
+ cis@rhel8: 1.5.1.2
 cis@rhel9: 1.6.1.2
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
index 1f661961341..e26cb7c0ee4 100644
--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml
@@ -26,7 +26,7 @@ references:
 cis@alinux2: 1.6.2
 cis@alinux3: 1.7.1.1
 cis@rhel7: 1.6.1.1
- cis@rhel8: 1.6.1.1
+ cis@rhel8: 1.5.1.1
 cis@rhel9: 1.6.1.1
 pcidss4: '1.2.6'
diff --git a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
index f11bd265bbb..3db5341c761 100644
--- a/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_mcstrans_removed/rule.yml
@@ -25,7 +25,7 @@ references:
 cis@alinux2: 1.6.1.5
 cis@alinux3: 1.7.1.8
 cis@rhel7: 1.6.1.8
- cis@rhel8: 1.6.1.8
+ cis@rhel8: 1.5.1.7
 cis@rhel9: 1.6.1.8
 template:
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
index f8852e96506..74916b84a27 100644
--- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
+++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml
@@ -29,7 +29,7 @@ references:
 cis@alinux2: 1.6.1.4
 cis@alinux3: 1.7.1.7
 cis@rhel7: 1.6.1.7
- cis@rhel8: 1.6.1.7
+ cis@rhel8: 1.5.1.8
 cis@rhel9: 1.6.1.7
 template:
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
index fcd320803f8..ff40b9db235 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
@@ -32,7 +32,7 @@ references:
 cis@alinux2: 1.6.1.6
 cis@alinux3: 1.7.1.6
 cis@rhel7: 1.6.1.6
- cis@rhel8: 1.6.1.6
+ cis@rhel8: 1.5.1.6
 cis@rhel9: 1.6.1.6
 cobit5: APO01.06,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06,MEA02.01
 cui: 3.1.2,3.1.5,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
index b86f9e2940e..b101a826f0c 100644
--- a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 cce@rhel9: CCE-86152-6
 references:
- cis@rhel8: 1.6.1.4
+ cis@rhel8: 1.5.1.4
 cis@rhel9: 1.6.1.4
 ocil_clause: 'SELinux is disabled'
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 4a587891234..7f520918aef 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -42,7 +42,7 @@ references:
 cis@alinux2: 1.6.1.3
 cis@alinux3: 1.7.1.3
 cis@rhel7: 1.6.1.3
- cis@rhel8: 1.6.1.3
+ cis@rhel8: 1.5.1.3
 cis@rhel9: 1.6.1.3
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index fdef693b8c0..9ae2f901cd5 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -34,7 +34,7 @@ references:
 cis@alinux2: 1.6.1.2
 cis@alinux3: 1.7.1.4,1.7.1.5
 cis@rhel7: 1.6.1.4,1.6.1.5
- cis@rhel8: 1.6.1.5
+ cis@rhel8: 1.5.1.5
 cis@rhel9: 1.6.1.5
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
From 7396e0434c9dc7d1466c195b5bb1d7489eae5c1a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 15 Jan 2024 16:23:43 +0100
Subject: [PATCH 15/20] Update CIS RHEL8 section 1.6 1.6 - Configure system wide crypto policy 3 new requirements were included. These new requirements are in pending to be better investigated.
---
 controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 418cf5f983c..669ebe10a53 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -524,6 +524,40 @@ controls:
 rules:
 - package_setroubleshoot_removed
+ - id: 1.6.1
+ title: Ensure system wide crypto policy is not set to legacy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: The selected crypto-policy cannot be legacy
+ rules:
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_policy
+ - id: 1.6.2
+ title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: More investigation is necessary on this new requirement.
+ - id: 1.6.3
+ title: Ensure system wide crypto policy disables cbc for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: More investigation is necessary on this new requirement.
+ - id: 1.6.4
+ title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: More investigation is necessary on this new requirement.
 - id: 1.7.1
 title: Ensure message of the day is configured properly (Automated)
@@ -635,17 +669,6 @@ controls:
 - dconf_gnome_disable_automount
 - dconf_gnome_disable_automount_open
- - id: "1.10"
- title: Ensure system-wide crypto policy is not legacy (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- notes: The selected crypto-policy cannot be legacy
- rules:
- - configure_crypto_policy
- - var_system_crypto_policy=default_policy
 - id: 2.1.1
 title: Ensure time synchronization is in use (Automated)
 levels:
From cd68b2cbdafb6589df33c256f3e143d3ff54c837 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 15 Jan 2024 16:25:20 +0100
Subject: [PATCH 16/20] Update rule related to CIS RHEL8 1.6 Reference was updated in related rule.
---
 .../guide/configure_crypto_policy/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
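Review bot: Control 1.6.1 selects `var_system_crypto_policy=default_policy` together with `configure_crypto_policy`, which, as far as that rule compares the active policy against the variable, fails any host whose policy is not DEFAULT, whereas the title only requires that the policy not be LEGACY; a host set to FIPS or FUTURE satisfies the benchmark but will be reported as failing this control. The `notes:` line, carried over unchanged from the removed `"1.10"` entry, should say so: replace it with `notes: |-` followed by a sentence recording that the rule enforces DEFAULT, that this is stricter than the benchmark text, and that FIPS or FUTURE policies will show as failures although they comply with 1.6.1. For 1.6.2 through 1.6.4 the identical `notes: More investigation is necessary on this new requirement.` gives a maintainer nothing to act on; naming what is actually missing (for instance whether the relevant crypto-policy setting can be checked by an existing rule or needs a new one) would make the pending status useful.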
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/rule.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/rule.yml
index 4cf33806fa0..9d0a0d08789 100644
--- a/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/rule.yml
+++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/configure_crypto_policy/rule.yml
@@ -54,7 +54,7 @@ rationale: |-
 severity: high
 references:
- cis@rhel8: 1.10
+ cis@rhel8: 1.6.1
 cis@rhel9: 1.10
 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.312(e)(1),164.312(e)(2)(ii)
 ism: "1446"
From a772dcb678a07932e605549209a8bdc01a3506b0 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 15 Jan 2024 16:29:12 +0100
Subject: [PATCH 17/20] Update CIS RHEL8 section 1.7 1.7 - Configure Command Line Warning Banners Only minor updates in titles.
---
 controls/cis_rhel8.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 669ebe10a53..1d3ab7f0800 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -590,7 +590,7 @@ controls:
 - remote_login_banner_text=cis_banners
 - id: 1.7.4
- title: Ensure permissions on /etc/motd are configured (Automated)
+ title: Ensure access to /etc/motd is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -601,7 +601,7 @@ controls:
 - file_permissions_etc_motd
 - id: 1.7.5
- title: Ensure permissions on /etc/issue are configured (Automated)
+ title: Ensure access to /etc/issue is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -612,7 +612,7 @@ controls:
 - file_permissions_etc_issue
 - id: 1.7.6
- title: Ensure permissions on /etc/issue.net are configured (Automated)
+ title: Ensure access to /etc/issue.net is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
From ceeada6145e818ecf1fbeb1781f7a331ece49a0a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 16 Jan 2024 10:21:19 +0100
Subject: [PATCH 18/20] Update CIS RHEL8 section 1.8 1.8 - Configure GNOME Display Manager New requirements were included but there were already rules for them.
---
 controls/cis_rhel8.yml | 70 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 63 insertions(+), 7 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 1d3ab7f0800..586dd090d41 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -623,11 +623,11 @@ controls:
 - file_permissions_etc_issue_net
 - id: 1.8.1
- title: Ensure GNOME Display Manager is removed (Manual)
+ title: Ensure GNOME Display Manager is removed (Automated)
 levels:
 - l2_server
- status: manual
- related_rules:
+ status: automated
+ rules:
 - package_gdm_removed
@@ -642,7 +642,7 @@ controls:
 - login_banner_text=cis_default
 - id: 1.8.3
- title: Ensure last logged in user display is disabled (Automated)
+ title: Ensure GDM disable-user-list option is enabled (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -651,24 +651,80 @@ controls:
 - dconf_gnome_disable_user_list
 - id: 1.8.4
- title: Ensure XDMCP is not enabled (Automated)
+ title: Ensure GDM screen locks when the user is idle (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - gnome_gdm_disable_xdmcp
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_lock_delay
+ - inactivity_timeout_value=15_minutes
+ - var_screensaver_lock_delay=5_seconds
 - id: 1.8.5
- title: Ensure automatic mounting of removable media is disabled (Automated)
+ title: Ensure GDM screen locks cannot be overridden (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
+ - dconf_gnome_session_idle_user_locks
+ - dconf_gnome_screensaver_user_locks
+
+ - id: 1.8.6
+ title: Ensure GDM automatic mounting of removable media is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_automount
+ - dconf_gnome_disable_automount_open
+
+ - id: 1.8.7
+ title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The same rules used in 1.8.6 are applicable here since they configure and also lock the
+ settings.
+ related_rules:
 - dconf_gnome_disable_automount
 - dconf_gnome_disable_automount_open
+ - id: 1.8.8
+ title: Ensure GDM autorun-never is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - dconf_gnome_disable_autorun
+
+ - id: 1.8.9
+ title: Ensure GDM autorun-never is not overridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ The same rules used in 1.8.8 are applicable here since they configure and also lock the
+ settings.
+ related_rules:
+ - dconf_gnome_disable_autorun
+
+ - id: 1.8.10
+ title: Ensure XDMCP is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - gnome_gdm_disable_xdmcp
+
 - id: 2.1.1
 title: Ensure time synchronization is in use (Automated)
 levels:
From 884543d5f2d69d7bb658911c3936d6d11f2ac94a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 16 Jan 2024 10:23:04 +0100
Subject: [PATCH 19/20] Update rules related to CIS RHEL8 1.8 References were updated in related rules. This commit concludes the review of CIS RHEL8 v3.0.0 - Section 1.
---
 .../gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml | 2 +-
 .../gnome_media_settings/dconf_gnome_disable_automount/rule.yml | 2 +-
 .../dconf_gnome_disable_automount_open/rule.yml | 2 +-
 .../gnome_media_settings/dconf_gnome_disable_autorun/rule.yml | 1 +
 .../dconf_gnome_screensaver_idle_delay/rule.yml | 1 +
 .../dconf_gnome_screensaver_lock_delay/rule.yml | 1 +
 .../dconf_gnome_screensaver_user_locks/rule.yml | 1 +
 .../dconf_gnome_session_idle_user_locks/rule.yml | 1 +
 8 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
index 03a171259b4..4dadf7e0317 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 references:
 cis@rhel7: 1.8.4
- cis@rhel8: 1.8.4
+ cis@rhel8: 1.8.10
 cis@rhel9: 1.8.10
 cis@ubuntu2204: 1.8.10
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
index e86c249b340..40dbc8074d0 100644
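Review bot: The value selections `inactivity_timeout_value=15_minutes` and `var_screensaver_lock_delay=5_seconds` under 1.8.4 are the only pinned numbers in this section and carry no explanation of where they come from; if, as the selection names suggest, they are the benchmark's maximum permitted idle-delay and lock-delay, a `notes:` entry on 1.8.4 saying so (with the values and the fact that shorter settings also pass) would let a later reviewer verify the choice without opening the benchmark, and would also record that a deployment wanting a stricter lock time must override both selections together. The 1.8.7 and 1.8.9 entries reuse the 1.8.6 and 1.8.8 rules via `related_rules` rather than `rules`, so they add nothing to the selected rule set; the existing notes explain why, which is sufficient. The enclosing `controls:` list starts before and continues after this hunk.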
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
@@ -34,7 +34,7 @@ identifiers:
 references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
- cis@rhel8: 1.8.5
+ cis@rhel8: 1.8.6,1.8.7
 cis@rhel9: 1.8.6,1.8.7
 cis@ubuntu2204: 1.8.6
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
index e03b12539f2..740032bf29e 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
@@ -35,7 +35,7 @@ identifiers:
 references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
- cis@rhel8: 1.8.5
+ cis@rhel8: 1.8.6,1.8.7
 cis@rhel9: 1.8.6,1.8.7
 cis@ubuntu2204: 1.8.6
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
index 74ee302023e..99b649d17d7 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
@@ -35,6 +35,7 @@ identifiers:
 references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
+ cis@rhel8: 1.8.8,1.8.9
 cis@rhel9: 1.8.8,1.8.9
 cis@ubuntu2204: 1.8.8
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
index eeb849c86ce..5c5d0c54887 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
@@ -33,6 +33,7 @@ identifiers:
 references:
 ccn@rhel9: A.11.SEC-RHEL7
 cis-csc: 1,12,15,16
+ cis@rhel8: 1.8.4
 cis@rhel9: 1.8.4
 cjis: 5.5.5
 cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index 9514d839fef..170bc8277a6 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 references:
 ccn@rhel9: A.11.SEC-RHEL7
 cis-csc: 1,12,15,16
+ cis@rhel8: 1.8.4
 cis@rhel9: 1.8.4
 cis@ubuntu2204: 1.8.5
 cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
index 723dfb09672..a51825dd9ea 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml
@@ -28,6 +28,7 @@ identifiers:
 references:
 cis-csc: 1,12,15,16
+ cis@rhel8: 1.8.5
 cis@rhel9: 1.8.5
 cobit5: DSS05.04,DSS05.10,DSS06.10
 cui: 3.1.10
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
index 7f0a52f3332..f47cbd9663a 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml
@@ -30,6 +30,7 @@ identifiers:
 references:
 cis-csc: 1,12,15,16
+ cis@rhel8: 1.8.5
 cis@rhel9: 1.8.5
 cobit5: DSS05.04,DSS05.10,DSS06.10
 cui: 3.1.10
From 6f4fa95eee983fcb5a6d6c99466042714ae28296 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 16 Jan 2024 10:52:31 +0100
Subject: [PATCH 20/20] Fix references issues detected in tests
---
 .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
 .../software/integrity/crypto/configure_crypto_policy/rule.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index a1479ff2e27..7fa270d3b89 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -31,7 +31,7 @@ references:
 cis@alinux2: 1.1.10
 cis@alinux3: 1.1.4.2
 cis@rhel7: 1.1.12
- cis@rhel8: 1.1.2.5.4
+ cis@rhel8: 1.1.3.5.4
 cis@rhel9: 1.1.4.2
 cis@sle12: 1.1.12
 cis@sle15: 1.1.12
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 35a74f12648..d0fc7c0fa0b 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -62,7 +62,7 @@ identifiers:
 references:
 ccn@rhel9: A.5.SEC-RHEL4
 cis@alinux3: "1.10"
- cis@rhel8: 1.10,1.11
+ cis@rhel8: 1.6.1
 cis@rhel9: "1.10"
 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.312(e)(1),164.312(e)(2)(ii)
 ism: "1446"