From 957b1de65b0206f16ab477119c0ba2841f0e93c8 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 25 Apr 2023 14:36:30 +0200
Subject: [PATCH] Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9

This requirement is now complete and better aligned to the CIS Benchmark for RHEL8 and RHEL9.

---
 controls/cis_rhel8.yml | 10 +++++-----
 controls/cis_rhel9.yml | 10 +++++-----
 .../audit_rules_kernel_module_loading_finit/rule.yml | 3 ++-
 .../audit_rules_privileged_commands_insmod/rule.yml | 2 --
 .../audit_rules_privileged_commands_kmod/rule.yml | 2 ++
 .../audit_rules_privileged_commands_modprobe/rule.yml | 2 --
 .../audit_rules_privileged_commands_rmmod/rule.yml | 2 --
 7 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index dbb5f76e5e7e..eb88beed6c3d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1660,19 +1660,19 @@ controls:
 rules:
 - audit_rules_privileged_commands_usermod
- # NEEDS RULE
 - id: 4.1.3.19
 title: Ensure kernel module loading, unloading and modification is collected (Automated)
 levels:
 - l2_server
 - l2_workstation
- status: partial
+ status: automated
 rules:
+ - audit_rules_kernel_module_loading_create
 - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
 - audit_rules_kernel_module_loading_init
- - audit_rules_privileged_commands_insmod
- - audit_rules_privileged_commands_modprobe
- - audit_rules_privileged_commands_rmmod
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
 - id: 4.1.3.20
 title: Ensure the audit configuration is immutable (Automated)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 2f54ad0f0182..ee6736e271d6 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
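Review bot: The new rule list replaces the three per-command rules with `audit_rules_privileged_commands_kmod` alone (the `- - audit_rules_privileged_commands_insmod` … `+ - audit_rules_privileged_commands_kmod` lines), but neither the control nor the commit message records why one rule is sufficient, so a later reader may conclude that insmod, modprobe and rmmod lost coverage. On RHEL 8/9 those three commands are symlinks to the kmod binary, so a single execute watch on it is reached through any of them; I would state that next to the selection, e.g. `# insmod, modprobe and rmmod are symlinks to kmod on RHEL 8/9, so one watch covers all three`. The `_create` and `_query` additions audit syscalls that current kernels no longer implement, and auditctl accepts those names only where the architecture's syscall table still carries them, so it is worth confirming that the generated rules load cleanly on every architecture these products build for before the control is marked `automated`. The same hunk appears in cis_rhel9.yml and the same remarks apply there.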
@@ -1412,19 +1412,19 @@ controls:
 rules:
 - audit_rules_privileged_commands_usermod
- # NEEDS RULE
 - id: 4.1.3.19
 title: Ensure kernel module loading, unloading and modification is collected (Automated)
 levels:
 - l2_server
 - l2_workstation
- status: partial
+ status: automated
 rules:
+ - audit_rules_kernel_module_loading_create
 - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
 - audit_rules_kernel_module_loading_init
- - audit_rules_privileged_commands_insmod
- - audit_rules_privileged_commands_modprobe
- - audit_rules_privileged_commands_rmmod
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
 - id: 4.1.3.20
 title: Ensure the audit configuration is immutable (Automated)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index a3a2e846e8ed..c5b3743151bd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -43,7 +43,8 @@ references:
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
 cis@alinux2: 4.1.17
 cis@rhel7: 4.1.17
- cis@rhel8: 4.1.15
+ cis@rhel8: 4.1.3.19
+ cis@rhel9: 4.1.3.19
 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
 cui: 3.1.7
 disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
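Review bot: The references block of `audit_rules_kernel_module_loading_finit` now carries `cis@rhel8: 4.1.3.19` and `cis@rhel9: 4.1.3.19`, but the control in this same commit also newly selects `audit_rules_kernel_module_loading_create` and `audit_rules_kernel_module_loading_query`, whose rule.yml files are not in the diffstat. If their references blocks do not already hold the same two entries, they will be the only rules selected by 4.1.3.19 that do not reference it, which breaks the rule-to-benchmark mapping the project's reports are built from; I cannot tell from this patch, so it is worth checking. The same applies to the already-selected `_delete` and `_init` rules if they only reference the old `4.1.15` numbering that this hunk retires.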
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 4e3c6a4629bb..233236920e69 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -36,8 +36,6 @@ references:
 anssi: BP28(R73)
 cis@alinux2: 4.1.17
 cis@rhel7: 4.1.16
- cis@rhel8: 4.1.3.19
- cis@rhel9: 4.1.3.19
 cis@sle12: 4.1.16
 cis@sle15: 4.1.16
 cis@ubuntu2004: 4.1.16
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 79e57d9dcf05..a607ea9216c5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -45,6 +45,8 @@ identifiers:
 references:
 anssi: BP28(R73)
 cis@alinux3: 4.1.3.20
+ cis@rhel8: 4.1.3.19
+ cis@rhel9: 4.1.3.19
 disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
 nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index c2f7f6a476ac..532a59bedf97 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -40,8 +40,6 @@ references:
 anssi: BP28(R73)
 cis@alinux2: 4.1.17
 cis@rhel7: 4.1.16
- cis@rhel8: 4.1.3.19
- cis@rhel9: 4.1.3.19
 cis@sle12: 4.1.16
 cis@sle15: 4.1.16
 cis@ubuntu2004: 4.1.16
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index c6d2520f9b74..b9bdb75a7e77 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -36,8 +36,6 @@ references:
 anssi: BP28(R73)
 cis@alinux2: 4.1.17
 cis@rhel7: 4.1.16
- cis@rhel8: 4.1.3.19
- cis@rhel9: 4.1.3.19
 cis@sle12: 4.1.16
 cis@sle15: 4.1.16
 cis@ubuntu2004: 4.1.16