Generate rule references from control files #11540
Building data stream only but full build fails.
Thanks for working on this.
0840ce8 to 965cc15
This datastream diff is auto-generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_hashes'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_hashes
+++ xccdf_org.ssgproject.content_rule_rpm_verify_hashes
@@ -187,9 +187,6 @@
[reference]:
SRG-OS-000480-GPOS-00227
-[reference]:
-6.1.1
-
[rationale]:
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
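Review bot: the numeric reference 6.1.1 for rpm_verify_hashes is dropped in this hunk with nothing replacing it, so the rule loses a benchmark mapping in the generated datastream. If the control file for that benchmark no longer lists this rule the removal is expected; otherwise the control file is what needs updating so the reference is generated rather than silently lost. The same removal-without-replacement pattern recurs for rpm_verify_ownership, rpm_verify_permissions and aide_use_fips_hashes further down.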
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -322,9 +322,6 @@
[reference]:
SRG-OS-000278-GPOS-00108
-[reference]:
-6.1.14
-
[rationale]:
Ownership of binaries and configuration files that is incorrect could allow an unauthorized
user to gain privileges that they should not have. The ownership set by the vendor should be
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -354,9 +354,6 @@
[reference]:
SRG-OS-000278-GPOS-00108
-[reference]:
-6.1.14
-
[rationale]:
Permissions on system binaries and configuration files that are too generous could allow an
unauthorized user to gain privileges that they should not have. The permissions set by the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'.
--- xccdf_org.ssgproject.content_rule_package_aide_installed
+++ xccdf_org.ssgproject.content_rule_package_aide_installed
@@ -236,10 +236,10 @@
RHEL-08-010359
[reference]:
+SV-251710r880730_rule
+
+[reference]:
5.3.1
-
-[reference]:
-SV-251710r880730_rule
[rationale]:
The AIDE package must be installed if it is to be available for integrity checking.
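Review bot: this hunk only reorders the two existing references (SV-251710r880730_rule moves above 5.3.1); nothing is added or removed. Emitting references in a stable, sorted order from the generator would keep ordering-only hunks like this one out of the datastream diff and make the genuine removals elsewhere in this PR much easier to review.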
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_build_database'.
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -230,10 +230,10 @@
RHEL-08-010359
[reference]:
+SV-251710r880730_rule
+
+[reference]:
5.3.1
-
-[reference]:
-SV-251710r880730_rule
[rationale]:
For AIDE to be effective, an initial database of "known-good" information about files
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'.
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -21,10 +21,10 @@
RHEL-08-030650
[reference]:
-5.3.3
+SV-230475r880722_rule
[reference]:
-SV-230475r880722_rule
+5.3.3
[rationale]:
Protecting the integrity of the tools used for auditing purposes is a
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_use_fips_hashes'.
--- xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
+++ xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
@@ -104,9 +104,6 @@
[reference]:
SRG-OS-000480-GPOS-00227
-[reference]:
-5.3.3
-
[rationale]:
File integrity tools use cryptographic hashes for verifying file contents and directories
have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -115,10 +115,10 @@
RHEL-08-010020
[reference]:
-1.6.1
+SV-230223r928585_rule
[reference]:
-SV-230223r928585_rule
+1.6.1
[rationale]:
Centralized cryptographic policies simplify applying secure ciphers across an operating system and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -74,10 +74,10 @@
RHEL-08-010287
[reference]:
-4.2.22
+SV-244526r877394_rule
[reference]:
-SV-244526r877394_rule
+4.2.22
[rationale]:
Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -88,10 +88,10 @@
RHEL-08-010800
[reference]:
-1.1.2.3.1
+SV-230328r902723_rule
[reference]:
-SV-230328r902723_rule
+1.1.2.3.1
[rationale]:
Ensuring that /home is mounted on its own partition enables the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -83,10 +83,10 @@
RHEL-08-010543
[reference]:
-1.1.2.1.1
+SV-230295r627750_rule
[reference]:
-SV-230295r627750_rule
+1.1.2.1.1
[rationale]:
The /tmp partition is used as temporary storage by many programs.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -83,10 +83,10 @@
RHEL-08-010540
[reference]:
-1.1.2.4.1
+SV-230292r902718_rule
[reference]:
-SV-230292r902718_rule
+1.1.2.4.1
[rationale]:
Ensuring that /var is mounted on its own partition enables the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -177,10 +177,10 @@
RHEL-08-010541
[reference]:
-1.1.2.6.1
+SV-230293r902720_rule
[reference]:
-SV-230293r902720_rule
+1.1.2.6.1
[rationale]:
Placing /var/log in its own partition
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
@@ -212,10 +212,10 @@
RHEL-08-010542
[reference]:
+SV-230294r627750_rule
+
+[reference]:
1.1.2.7.1
-
-[reference]:
-SV-230294r627750_rule
[rationale]:
Placing /var/log/audit in its own partition
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -17,10 +17,10 @@
RHEL-08-010544
[reference]:
-1.1.2.5.1
+SV-244529r902737_rule
[reference]:
-SV-244529r902737_rule
+1.1.2.5.1
[rationale]:
The /var/tmp partition is used as temporary storage by many programs.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_db_up_to_date'.
--- xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
+++ xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
@@ -26,7 +26,7 @@
SRG-OS-000480-GPOS-00227
[reference]:
-1.8.2
+reload_dconf_db
[rationale]:
Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
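Review bot: the new reference value here is `reload_dconf_db`, which reads as a rule or control identifier rather than a benchmark item, and it replaces the numeric reference 1.8.2. Check whether the generator is picking up the control's id field instead of its reference list for this entry; the same substitution appears for enable_authselect later in the diff.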
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
@@ -31,10 +31,10 @@
RHEL-08-020032
[reference]:
-1.8.3
+SV-244536r743857_rule
[reference]:
-SV-244536r743857_rule
+1.8.3
[rationale]:
Leaving the user list enabled is a security risk since it allows anyone
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -139,10 +139,10 @@
RHEL-08-020060
[reference]:
-1.8.4
+SV-230352r646876_rule
[reference]:
-SV-230352r646876_rule
+1.8.4
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -138,10 +138,10 @@
RHEL-08-020031
[reference]:
-1.8.4
+SV-244535r743854_rule
[reference]:
-SV-244535r743854_rule
+1.8.4
[rationale]:
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -125,10 +125,10 @@
RHEL-08-020080
[reference]:
-1.8.5
+SV-230354r743990_rule
[reference]:
-SV-230354r743990_rule
+1.8.5
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -131,10 +131,10 @@
RHEL-08-020081
[reference]:
-1.8.5
+SV-244538r743863_rule
[reference]:
-SV-244538r743863_rule
+1.8.5
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -34,10 +34,10 @@
RHEL-08-010384
[reference]:
-4.3.6
+SV-237643r861088_rule
[reference]:
-SV-237643r861088_rule
+4.3.6
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -182,10 +182,10 @@
RHEL-08-010370
[reference]:
+SV-230264r880711_rule
+
+[reference]:
1.2.2
-
-[reference]:
-SV-230264r880711_rule
[rationale]:
Changes to any software components can have significant effects on the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -179,10 +179,10 @@
RHEL-08-010370
[reference]:
-1.2.2
+SV-230264r880711_rule
[reference]:
-SV-230264r880711_rule
+1.2.2
[rationale]:
Verifying the authenticity of the software prior to installation validates
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -198,9 +198,6 @@
RHEL-08-010019
[reference]:
-1.2.1
-
-[reference]:
SV-256973r902752_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'.
--- xccdf_org.ssgproject.content_rule_security_patches_up_to_date
+++ xccdf_org.ssgproject.content_rule_security_patches_up_to_date
@@ -116,9 +116,6 @@
RHEL-08-010010
[reference]:
-1.2.5
-
-[reference]:
SV-230222r627750_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_authselect'.
--- xccdf_org.ssgproject.content_rule_enable_authselect
+++ xccdf_org.ssgproject.content_rule_enable_authselect
@@ -65,7 +65,7 @@
SRG-OS-000480-GPOS-00227
[reference]:
-1.2.3
+enable_authselect
[rationale]:
Authselect is a successor to authconfig.
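Review bot: as with dconf_db_up_to_date above, the new reference value `enable_authselect` is the rule's own id standing in for the numeric reference 1.2.3. A reference should point at an external benchmark item, so this looks like the generator reading the wrong field from the control file rather than an intended content change.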
New content has different text for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -168,10 +168,10 @@
RHEL-08-010060
[reference]:
-1.7.2
+SV-230227r627750_rule
[reference]:
-SV-230227r627750_rule
+1.7.2
[rationale]:
Display of a standardized and approved use notification before granting
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -154,10 +154,10 @@
RHEL-08-010049
[reference]:
-1.8.2
+SV-244519r743806_rule
[reference]:
-SV-244519r743806_rule
+1.8.2
[rationale]:
Display of a standardized and approved use notification before granting access to the operating system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -152,10 +152,10 @@
RHEL-08-010050
[reference]:
-1.8.2
+SV-230226r743916_rule
[reference]:
-SV-230226r743916_rule
+1.8.2
[rationale]:
An appropriate warning message reinforces policy awareness during the logon
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
@@ -18,10 +18,10 @@
RHEL-08-020026
[reference]:
-4.4.2.2
+SV-244534r743851_rule
[reference]:
-SV-244534r743851_rule
+4.4.2.2
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
@@ -18,10 +18,10 @@
RHEL-08-020025
[reference]:
-4.4.2.2
+SV-244533r743848_rule
[reference]:
-SV-244533r743848_rule
+4.4.2.2
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -208,13 +208,10 @@
RHEL-08-020220
[reference]:
+SV-230368r902759_rule
+
+[reference]:
4.4.3.3.1
-
-[reference]:
-4.4.3.3.3
-
-[reference]:
-SV-230368r902759_rule
[rationale]:
Preventing re-use of previous passwords helps ensure that a compromised password is not
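Review bot: 4.4.3.3.3 is dropped while 4.4.3.3.1 is kept, and the next hunk does the same for the system_auth variant. If both benchmark items still map to this rule, the control file needs the second one listed; if only one is meant to apply, the removal is fine but should be called out in the PR description since it changes which rules a profile reports for that item.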
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -204,13 +204,10 @@
RHEL-08-020221
[reference]:
+SV-251717r902749_rule
+
+[reference]:
4.4.3.3.1
-
-[reference]:
-4.4.3.3.3
-
-[reference]:
-SV-251717r902749_rule
[rationale]:
Preventing re-use of previous passwords helps ensure that a compromised password is not
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -189,9 +189,6 @@
[reference]:
SRG-OS-000077-GPOS-00045
-[reference]:
-5.4.3
-
[rationale]:
Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -205,10 +205,10 @@
RHEL-08-020011
[reference]:
+SV-230333r743966_rule
+
+[reference]:
4.4.3.1.1
-
-[reference]:
-SV-230333r743966_rule
[rationale]:
By limiting the number of failed logon attempts, the risk of unauthorized system access via
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -183,10 +183,10 @@
RHEL-08-020023
[reference]:
-4.4.3.1.3
+SV-230345r743984_rule
[reference]:
-SV-230345r743984_rule
+4.4.3.1.3
[rationale]:
By limiting the number of failed logon attempts, the risk of unauthorized system access via
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -218,13 +218,13 @@
RHEL-08-020015
[reference]:
+SV-230336r627750_rule
+
+[reference]:
+SV-230337r743972_rule
+
+[reference]:
4.4.3.1.2
-
-[reference]:
-SV-230336r627750_rule
-
-[reference]:
-SV-230337r743972_rule
[rationale]:
By limiting the number of failed logon attempts the risk of unauthorized system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -229,9 +229,6 @@
RHEL-08-020130
[reference]:
-4.4.3.2.3
-
-[reference]:
SV-230359r858775_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
@@ -28,10 +28,10 @@
RHEL-08-020300
[reference]:
-4.4.3.2.6
+SV-230377r858789_rule
[reference]:
-SV-230377r858789_rule
+4.4.3.2.6
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -179,10 +179,10 @@
RHEL-08-020170
[reference]:
+SV-230363r858783_rule
+
+[reference]:
4.4.3.2.1
-
-[reference]:
-SV-230363r858783_rule
[rationale]:
Use of a complex password helps to increase the time and resources
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -229,9 +229,6 @@
RHEL-08-020120
[reference]:
-4.4.3.2.3
-
-[reference]:
SV-230358r858773_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -172,10 +172,10 @@
RHEL-08-020150
[reference]:
-4.4.3.2.4
+SV-230361r858779_rule
[reference]:
-SV-230361r858779_rule
+4.4.3.2.4
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -228,10 +228,10 @@
RHEL-08-020160
[reference]:
+SV-230362r858781_rule
+
+[reference]:
4.4.3.2.3
-
-[reference]:
-SV-230362r858781_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -230,10 +230,10 @@
RHEL-08-020230
[reference]:
+SV-230369r858785_rule
+
+[reference]:
4.4.3.2.2
-
-[reference]:
-SV-230369r858785_rule
[rationale]:
The shorter the password, the lower the number of possible combinations
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -225,9 +225,6 @@
RHEL-08-020280
[reference]:
-4.4.3.2.3
-
-[reference]:
SV-230375r858787_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -235,9 +235,6 @@
[reference]:
RHEL-08-020104
-
-[reference]:
-4.4.3.3.1
[reference]:
SV-251716r858737_rule
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -232,9 +232,6 @@
RHEL-08-020110
[reference]:
-4.4.3.2.3
-
-[reference]:
SV-230357r858771_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -194,10 +194,10 @@
RHEL-08-010110
[reference]:
+SV-230231r877397_rule
+
+[reference]:
4.5.1.1
-
-[reference]:
-SV-230231r877397_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -208,10 +208,10 @@
RHEL-08-010160
[reference]:
+SV-230237r809276_rule
+
+[reference]:
4.4.3.4.3
-
-[reference]:
-SV-230237r809276_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
@@ -211,10 +211,10 @@
RHEL-08-010159
[reference]:
+SV-244524r809331_rule
+
+[reference]:
4.4.3.4.3
-
-[reference]:
-SV-244524r809331_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_unique_id'.
--- xccdf_org.ssgproject.content_rule_account_unique_id
+++ xccdf_org.ssgproject.content_rule_account_unique_id
@@ -37,10 +37,10 @@
RHEL-08-020240
[reference]:
-6.2.4
+SV-230371r627750_rule
[reference]:
-SV-230371r627750_rule
+6.2.4
[rationale]:
To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -277,10 +277,10 @@
RHEL-08-020260
[reference]:
+SV-230373r627750_rule
+
+[reference]:
4.5.1.4
-
-[reference]:
-SV-230373r627750_rule
[rationale]:
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
@@ -198,10 +198,10 @@
RHEL-08-020200
[reference]:
+SV-230366r646878_rule
+
+[reference]:
4.5.1.2
-
-[reference]:
-SV-230366r646878_rule
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -29,10 +29,10 @@
RHEL-08-020210
[reference]:
-4.5.1.2
+SV-230367r627750_rule
[reference]:
-SV-230367r627750_rule
+4.5.1.2
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -334,19 +334,13 @@
RHEL-08-020332
[reference]:
-4.4.2.1
-
-[reference]:
-4.4.2.5
+SV-244540r743869_rule
+
+[reference]:
+SV-244541r743872_rule
[reference]:
4.4.3.4.1
-
-[reference]:
-SV-244540r743869_rule
-
-[reference]:
-SV-244541r743872_rule
[rationale]:
If an account has an empty password, anyone could log in and
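Review bot: two numeric references (4.4.2.1 and 4.4.2.5) are removed for no_empty_passwords and only 4.4.3.4.1 survives, while both SV- rule references are retained. Please confirm against the control file that a single benchmark item is meant to map to this rule; losing two mappings on an empty-password check is the kind of change that should be deliberate.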
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -36,10 +36,10 @@
RHEL-08-010121
[reference]:
-6.2.2
+SV-251706r809342_rule
[reference]:
-SV-251706r809342_rule
+6.2.2
[rationale]:
If an account has an empty password, anyone could log in and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_netrc_files'.
--- xccdf_org.ssgproject.content_rule_no_netrc_files
+++ xccdf_org.ssgproject.content_rule_no_netrc_files
@@ -306,12 +306,6 @@
[reference]:
PR.PT-3
-[reference]:
-6.2.13
-
-[reference]:
-6.2.15
-
[rationale]:
Unencrypted passwords for remote FTP servers may be stored in .netrc
files.
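Review bot: both numeric references (6.2.13 and 6.2.15) disappear for no_netrc_files, leaving PR.PT-3 as the only reference visible in the context. If this rule is simply absent from the relevant control file, that is a content gap rather than a generator problem and deserves its own follow-up rather than being folded into this PR.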
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -310,10 +310,10 @@
RHEL-08-040200
[reference]:
+SV-230534r627750_rule
+
+[reference]:
6.2.9
-
-[reference]:
-SV-230534r627750_rule
[rationale]:
An account has root authority if it has a UID of 0. Multiple accounts
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs'.
--- xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
+++ xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
@@ -17,9 +17,6 @@
RHEL-08-010660
[reference]:
-6.2.12
-
-[reference]:
SV-230309r627750_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists'.
--- xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
+++ xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
@@ -18,10 +18,10 @@
RHEL-08-010750
[reference]:
-6.2.10
+SV-230323r627750_rule
[reference]:
-SV-230323r627750_rule
+6.2.10
[rationale]:
If a local interactive user has a home directory defined that does not exist,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership'.
--- xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
+++ xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
@@ -23,9 +23,6 @@
[reference]:
SRG-OS-000480-GPOS-00227
-[reference]:
-6.2.8
-
[rationale]:
If local interactive users do not own the files in their directories,
unauthorized users may be able to access them. Additionally, if files are not
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_home_directories
+++ xccdf_org.ssgproject.content_rule_file_groupownership_home_directories
@@ -27,9 +27,6 @@
RHEL-08-010740
[reference]:
-6.2.10
-
-[reference]:
SV-230322r880717_rule
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files'.
--- xccdf_org.ssgproject.content_rule_file_permission_user_init_files
+++ xccdf_org.ssgproject.content_rule_file_permission_user_init_files
@@ -17,10 +17,10 @@
RHEL-08-010770
[reference]:
-6.2.11
+SV-230325r917879_rule
[reference]:
-SV-230325r917879_rule
+6.2.11
[rationale]:
Local initialization files are used to configure the user's shell environment
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories'.
--- xccdf_org.ssgproject.content_rule_file_permissions_home_directories
+++ xccdf_org.ssgproject.content_rule_file_permissions_home_directories
@@ -18,10 +18,10 @@
RHEL-08-010730
[reference]:
-6.2.10
+SV-230321r627750_rule
[reference]:
-SV-230321r627750_rule
+6.2.10
[rationale]:
Excessive permissions on local interactive user home directories may allow
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -90,10 +90,10 @@
RHEL-08-020353
[reference]:
-4.5.3.3
+SV-230385r792902_rule
[reference]:
-SV-230385r792902_rule
+4.5.3.3
[rationale]:
The umask value influences the permissions assigned to files when they are created.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
@@ -134,10 +134,10 @@
RHEL-08-020351
[reference]:
-4.5.3.3
+SV-230383r627750_rule
[reference]:
-SV-230383r627750_rule
+4.5.3.3
[rationale]:
The umask value influences the permissions assigned to files when they are created.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
@@ -93,10 +93,10 @@
RHEL-08-020353
[reference]:
-4.5.3.3
+SV-230385r792902_rule
[reference]:
-SV-230385r792902_rule
+4.5.3.3
[rationale]:
The umask value influences the permissions assigned to files when they are created.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
+++ xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
@@ -21,9 +21,6 @@
RHEL-08-020352
[reference]:
-4.5.3.3
-
-[reference]:
SV-230384r858732_rule
[rationale]:
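Review bot: this hunk drops 4.5.3.3 from accounts_umask_interactive_users outright, while the sibling umask rules above (accounts_umask_etc_bashrc, accounts_umask_etc_login_defs, accounts_umask_etc_profile) keep it. Unless the CIS control file intentionally omits this rule from control 4.5.3.3, add it to that control's rules list so the generated reference is not lost.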
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -195,10 +195,10 @@
RHEL-08-030180
[reference]:
+SV-230411r744000_rule
+
+[reference]:
5.2.1.1
-
-[reference]:
-SV-230411r744000_rule
[rationale]:
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -557,10 +557,10 @@
RHEL-08-030181
[reference]:
+SV-244542r818838_rule
+
+[reference]:
5.2.1.4
-
-[reference]:
-SV-244542r818838_rule
[rationale]:
Without establishing what type of events occurred, it would be difficult
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_audit_argument
+++ xccdf_org.ssgproject.content_rule_grub2_audit_argument
@@ -380,10 +380,10 @@
RHEL-08-030601
[reference]:
+SV-230468r792904_rule
+
+[reference]:
5.2.1.2
-
-[reference]:
-SV-230468r792904_rule
[rationale]:
Each process on the system carries an "auditable" flag which indicates whether
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
+++ xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
@@ -71,10 +71,10 @@
RHEL-08-030602
[reference]:
-5.2.1.3
+SV-230469r877391_rule
[reference]:
-SV-230469r877391_rule
+5.2.1.3
[rationale]:
audit_backlog_limit sets the queue length for audit events awaiting transfer
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -389,10 +389,10 @@
RHEL-08-030121
[reference]:
+SV-230402r627750_rule
+
+[reference]:
5.2.3.20
-
-[reference]:
-SV-230402r627750_rule
[rationale]:
Making the audit configuration immutable prevents accidental as
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export'.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -410,10 +410,10 @@
RHEL-08-030302
[reference]:
+SV-230425r627750_rule
+
+[reference]:
5.2.3.10
-
-[reference]:
-SV-230425r627750_rule
[rationale]:
The unauthorized exportation of data to external media could result in an information leak
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -607,10 +607,10 @@
RHEL-08-030170
[reference]:
+SV-230408r627750_rule
+
+[reference]:
5.2.3.8
-
-[reference]:
-SV-230408r627750_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -607,10 +607,10 @@
RHEL-08-030160
[reference]:
+SV-230407r627750_rule
+
+[reference]:
5.2.3.8
-
-[reference]:
-SV-230407r627750_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -613,10 +613,10 @@
RHEL-08-030140
[reference]:
+SV-230405r627750_rule
+
+[reference]:
5.2.3.8
-
-[reference]:
-SV-230405r627750_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -622,10 +622,10 @@
RHEL-08-030150
[reference]:
+SV-230406r627750_rule
+
+[reference]:
5.2.3.8
-
-[reference]:
-SV-230406r627750_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -607,10 +607,10 @@
RHEL-08-030130
[reference]:
+SV-230404r627750_rule
+
+[reference]:
5.2.3.8
-
-[reference]:
-SV-230404r627750_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
@@ -335,10 +335,10 @@
RHEL-08-030120
[reference]:
+SV-230401r627750_rule
+
+[reference]:
5.2.4.1
-
-[reference]:
-SV-230401r627750_rule
[rationale]:
If users can write to audit logs, audit trails can be modified or destroyed.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
@@ -318,10 +318,10 @@
RHEL-08-030090
[reference]:
+SV-230398r627750_rule
+
+[reference]:
5.2.4.4
-
-[reference]:
-SV-230398r627750_rule
[rationale]:
Unauthorized disclosure of audit records can reveal system and configuration data to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
@@ -311,10 +311,10 @@
RHEL-08-030080
[reference]:
+SV-230397r627750_rule
+
+[reference]:
5.2.4.3
-
-[reference]:
-SV-230397r627750_rule
[rationale]:
Unauthorized disclosure of audit records can reveal system and configuration data to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -345,10 +345,10 @@
RHEL-08-030070
[reference]:
+SV-230396r902733_rule
+
+[reference]:
5.2.4.2
-
-[reference]:
-SV-230396r902733_rule
[rationale]:
If users can write to audit logs, audit trails can be modified or destroyed.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -451,10 +451,10 @@
RHEL-08-030490
[reference]:
+SV-230456r810462_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230456r810462_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -454,10 +454,10 @@
RHEL-08-030480
[reference]:
+SV-230455r810459_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230455r810459_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -451,10 +451,10 @@
RHEL-08-030490
[reference]:
+SV-230456r810462_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230456r810462_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -451,10 +451,10 @@
RHEL-08-030490
[reference]:
+SV-230456r810462_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230456r810462_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -457,10 +457,10 @@
RHEL-08-030480
[reference]:
+SV-230455r810459_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230455r810459_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -454,10 +454,10 @@
RHEL-08-030480
[reference]:
+SV-230455r810459_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230455r810459_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -475,10 +475,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -476,10 +476,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -454,10 +454,10 @@
RHEL-08-030480
[reference]:
+SV-230455r810459_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230455r810459_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -481,10 +481,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -476,10 +476,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -480,10 +480,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -452,10 +452,10 @@
RHEL-08-030200
[reference]:
+SV-230413r810463_rule
+
+[reference]:
5.2.3.9
-
-[reference]:
-SV-230413r810463_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
@@ -60,10 +60,10 @@
RHEL-08-030570
[reference]:
-5.2.3.17
+SV-230464r627750_rule
[reference]:
-SV-230464r627750_rule
+5.2.3.17
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
@@ -54,10 +54,10 @@
RHEL-08-030330
[reference]:
-5.2.3.16
+SV-230435r627750_rule
[reference]:
-SV-230435r627750_rule
+5.2.3.16
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -291,10 +291,10 @@
RHEL-08-030260
[reference]:
+SV-230419r627750_rule
+
+[reference]:
5.2.3.15
-
-[reference]:
-SV-230419r627750_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
@@ -358,9 +358,6 @@
[reference]:
Req-10.2.7
-[reference]:
-4.1.14
-
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
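Review bot: 4.1.14 is removed from audit_rules_file_deletion_events and nothing replaces it, leaving only Req-10.2.7 in the shown context. Confirm the control file for the benchmark that used 4.1.14 lists this rule; otherwise this is a reference regression rather than a migration to control-file references.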
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -446,10 +446,10 @@
RHEL-08-030361
[reference]:
+SV-230439r810465_rule
+
+[reference]:
5.2.3.13
-
-[reference]:
-SV-230439r810465_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -446,10 +446,10 @@
RHEL-08-030361
[reference]:
+SV-230439r810465_rule
+
+[reference]:
5.2.3.13
-
-[reference]:
-SV-230439r810465_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -446,9 +446,6 @@
RHEL-08-030361
[reference]:
-4.1.14
-
-[reference]:
SV-230439r810465_rule
[rationale]:
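Review bot: audit_rules_file_deletion_events_rmdir loses 4.1.14 but, unlike rename, renameat, unlink and unlinkat in the neighbouring hunks, receives no 5.2.3.13. If rmdir belongs to the same CIS control as the other deletion syscalls, add it to the rules list of 5.2.3.13 in the control file.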
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -446,10 +446,10 @@
RHEL-08-030361
[reference]:
+SV-230439r810465_rule
+
+[reference]:
5.2.3.13
-
-[reference]:
-SV-230439r810465_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -446,10 +446,10 @@
RHEL-08-030361
[reference]:
+SV-230439r810465_rule
+
+[reference]:
5.2.3.13
-
-[reference]:
-SV-230439r810465_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
@@ -430,10 +430,10 @@
RHEL-08-030420
[reference]:
+SV-230449r810455_rule
+
+[reference]:
5.2.3.7
-
-[reference]:
-SV-230449r810455_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
@@ -433,10 +433,10 @@
RHEL-08-030420
[reference]:
+SV-230449r810455_rule
+
+[reference]:
5.2.3.7
-
-[reference]:
-SV-230449r810455_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
@@ -433,10 +433,10 @@
RHEL-08-030420
[reference]:
+SV-230449r810455_rule
+
+[reference]:
5.2.3.7
-
-[reference]:
-SV-230449r810455_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
@@ -427,9 +427,6 @@
RHEL-08-030420
[reference]:
-4.1.10
-
-[reference]:
SV-230449r810455_rule
[rationale]:
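Review bot: open_by_handle_at loses 4.1.10 and does not get 5.2.3.7, which creat, ftruncate, open, openat and truncate keep in the surrounding hunks. Check whether the control file should list audit_rules_unsuccessful_file_modification_open_by_handle_at under 5.2.3.7.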
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
@@ -433,10 +433,10 @@
RHEL-08-030420
[reference]:
+SV-230449r810455_rule
+
+[reference]:
5.2.3.7
-
-[reference]:
-SV-230449r810455_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
@@ -433,10 +433,10 @@
RHEL-08-030420
[reference]:
+SV-230449r810455_rule
+
+[reference]:
5.2.3.7
-
-[reference]:
-SV-230449r810455_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading
@@ -345,9 +345,6 @@
[reference]:
Req-10.2.7
-
-[reference]:
-4.1.15
[rationale]:
The addition/removal of kernel modules can be used to alter the behavior of
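Review bot: 4.1.15 is dropped from audit_rules_kernel_module_loading with no replacement, whereas the per-syscall variants (_delete, _finit, _init) in the following hunks keep 5.2.3.19. Verify the control file deliberately omits the combined rule, or add it under 5.2.3.19.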
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
@@ -416,10 +416,10 @@
RHEL-08-030390
[reference]:
+SV-230446r627750_rule
+
+[reference]:
5.2.3.19
-
-[reference]:
-SV-230446r627750_rule
[rationale]:
The removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
@@ -416,10 +416,10 @@
RHEL-08-030360
[reference]:
+SV-230438r810464_rule
+
+[reference]:
5.2.3.19
-
-[reference]:
-SV-230438r810464_rule
[rationale]:
The addition/removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
@@ -416,10 +416,10 @@
RHEL-08-030360
[reference]:
+SV-230438r810464_rule
+
+[reference]:
5.2.3.19
-
-[reference]:
-SV-230438r810464_rule
[rationale]:
The addition of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -398,10 +398,10 @@
RHEL-08-030590
[reference]:
+SV-230466r627750_rule
+
+[reference]:
5.2.3.12
-
-[reference]:
-SV-230466r627750_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -425,10 +425,10 @@
RHEL-08-030600
[reference]:
+SV-230467r627750_rule
+
+[reference]:
5.2.3.12
-
-[reference]:
-SV-230467r627750_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
@@ -84,10 +84,10 @@
RHEL-08-030580
[reference]:
-5.2.3.19
+SV-230465r627750_rule
[reference]:
-SV-230465r627750_rule
+5.2.3.19
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
@@ -60,10 +60,10 @@
RHEL-08-030560
[reference]:
-5.2.3.18
+SV-230463r627750_rule
[reference]:
-SV-230463r627750_rule
+5.2.3.18
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action'.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
@@ -247,10 +247,10 @@
RHEL-08-030040
[reference]:
+SV-230390r627750_rule
+
+[reference]:
5.2.2.3
-
-[reference]:
-SV-230390r627750_rule
[rationale]:
Taking appropriate action in case of disk errors will minimize the possibility of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action'.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
@@ -229,10 +229,10 @@
RHEL-08-030060
[reference]:
+SV-230392r627750_rule
+
+[reference]:
5.2.2.3
-
-[reference]:
-SV-230392r627750_rule
[rationale]:
Taking appropriate action in case of a filled audit storage volume will minimize
New content has different text for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct'.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
@@ -280,10 +280,10 @@
RHEL-08-030020
[reference]:
+SV-230388r627750_rule
+
+[reference]:
5.2.2.4
-
-[reference]:
-SV-230388r627750_rule
[rationale]:
Email sent to the root account is typically aliased to the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
@@ -241,10 +241,10 @@
RHEL-08-030731
[reference]:
+SV-244543r877389_rule
+
+[reference]:
5.2.2.4
-
-[reference]:
-SV-244543r877389_rule
[rationale]:
Notifying administrators of an impending disk space problem may
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_password'.
--- xccdf_org.ssgproject.content_rule_grub2_password
+++ xccdf_org.ssgproject.content_rule_grub2_password
@@ -312,10 +312,10 @@
RHEL-08-010150
[reference]:
+SV-230235r743925_rule
+
+[reference]:
1.3.1
-
-[reference]:
-SV-230235r743925_rule
[rationale]:
Password protection on the boot loader configuration ensures
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'.
--- xccdf_org.ssgproject.content_rule_grub2_uefi_password
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_password
@@ -276,10 +276,10 @@
RHEL-08-010140
[reference]:
+SV-230234r743922_rule
+
+[reference]:
1.3.1
-
-[reference]:
-SV-230234r743922_rule
[rationale]:
Password protection on the boot loader configuration ensures
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'.
--- xccdf_org.ssgproject.content_rule_package_rsyslog_installed
+++ xccdf_org.ssgproject.content_rule_package_rsyslog_installed
@@ -123,10 +123,10 @@
RHEL-08-030670
[reference]:
-5.1.1.1
+SV-230477r627750_rule
[reference]:
-SV-230477r627750_rule
+5.1.1.1
[rationale]:
The rsyslog package provides the rsyslog daemon, which provides
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'.
--- xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
+++ xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
@@ -234,10 +234,10 @@
RHEL-08-010561
[reference]:
+SV-230298r627750_rule
+
+[reference]:
5.1.1.2
-
-[reference]:
-SV-230298r627750_rule
[rationale]:
The rsyslog service must be running in order to provide
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed'.
--- xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
+++ xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed
@@ -7,9 +7,6 @@
log events it gathers to a remote log host or to receive messages
from remote hosts, thus enabling centralised log management.
-[reference]:
-5.1.2.1.1
-
[rationale]:
Storing log data on a remote host protects log integrity from local
attacks. If an attacker gains root access on the local system, they
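Review bot: package_systemd-journal-remote_installed loses 5.1.2.1.1 and no other reference remains in the shown context. Confirm the control file lists this rule under 5.1.2.1.1; if it does, compare the policy and product used to build the reference key against the key the old rule.yml entry used, since a mismatch would also produce this removal.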
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_logrotate_installed'.
--- xccdf_org.ssgproject.content_rule_package_logrotate_installed
+++ xccdf_org.ssgproject.content_rule_package_logrotate_installed
@@ -110,9 +110,6 @@
[reference]:
10.5.1
-[reference]:
-5.1.3
-
[rationale]:
The logrotate package provides the logrotate services.
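Review bot: 5.1.3 is removed from package_logrotate_installed here and from ensure_logrotate_activated and timer_logrotate_enabled in the next two hunks, leaving only 10.5.1 on this rule. Three rules losing the same control at once suggests control 5.1.3 in the control file has an empty or different rules list, which is worth checking before merge.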
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_logrotate_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
+++ xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
@@ -112,9 +112,6 @@
[reference]:
Req-10.7
-[reference]:
-5.1.3
-
[rationale]:
Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
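Review bot: same 5.1.3 removal as in package_logrotate_installed above, here leaving only Req-10.7; the fix is the same control-file entry.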
New content has different text for rule 'xccdf_org.ssgproject.content_rule_timer_logrotate_enabled'.
--- xccdf_org.ssgproject.content_rule_timer_logrotate_enabled
+++ xccdf_org.ssgproject.content_rule_timer_logrotate_enabled
@@ -114,9 +114,6 @@
[reference]:
10.5.1
-[reference]:
-5.1.3
-
[rationale]:
Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
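Review bot: third occurrence of the 5.1.3 removal (timer_logrotate_enabled), leaving only 10.5.1; resolve together with the two logrotate hunks above.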
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
@@ -240,9 +240,6 @@
RHEL-08-030690
[reference]:
-5.1.1.6
-
-[reference]:
SV-230479r917883_rule
[rationale]:
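Review bot: rsyslog_remote_loghost drops 5.1.1.6 while the related package_rsyslog_installed and service_rsyslog_enabled hunks keep 5.1.1.1 and 5.1.1.2. Check that the control file lists rsyslog_remote_loghost under 5.1.1.6.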
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_firewalld_appropriate_zone'.
--- xccdf_org.ssgproject.content_rule_set_firewalld_appropriate_zone
+++ xccdf_org.ssgproject.content_rule_set_firewalld_appropriate_zone
@@ -7,9 +7,6 @@
Note: Changing firewall settings while connected over network can result in
being locked out of the system.
-[reference]:
-3.4.1.6
-
[rationale]:
A network interface not assigned to the appropriate zone can allow unexpected or
undesired network traffic to be accepted on the interface.
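Review bot: set_firewalld_appropriate_zone loses 3.4.1.6 with nothing replacing it, whereas package_firewalld_installed in the next hunk keeps 3.4.1.2. Confirm the control file maps this rule to 3.4.1.6.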
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'.
--- xccdf_org.ssgproject.content_rule_package_firewalld_installed
+++ xccdf_org.ssgproject.content_rule_package_firewalld_installed
@@ -35,10 +35,10 @@
RHEL-08-040100
[reference]:
-3.4.1.2
+SV-230505r854048_rule
[reference]:
-SV-230505r854048_rule
+3.4.1.2
[rationale]:
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
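Review bot: this hunk only swaps the order of `3.4.1.2` and `SV-230505r854048_rule`, so the content is unchanged but the data-stream diff is noisy; emitting references in a deterministic order (for example sorted by reference type, then value) when they are merged from rule.yml and control files would keep such no-op reorders out of future diffs.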
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'.
--- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
+++ xccdf_
... The diff is trimmed here ...
The reference values are stored in rule.yml files as strings that are comma-separated lists of identifiers. We won't change the rule.yml files stored in git because that would be a massive change, but we will change the way the references are stored internally in the build system and also in the resolved files. This should simplify the code but won't have an impact on built SCAP data streams.
With this change we will be able to use controls IDs as reference keys, which will allow us to add references to rules based on control files.
Starting from this change the references can be added to rules automatically based on control files control IDs.
Remove references from rule.ymls
For RHEL CIS profiles we will use the control files as the source of reference data.
The CIS references will now be set automatically based on data in control files. They will not be assigned manually to rule.ymls, therefore they won't be present in rule.ymls, so we shouldn't test if they're present there.
This commit adds a simple unit test for the feature of compiling rule references by adding references based on control file.
Remove CIS RHEL 7, RHEL 8, RHEL 9 references from rules because they are added automatically based on control files.
965cc15 to 25e4d24
Reduce code complexity by extracting a code to a method.
Reduce code complexity by extracting a code to a new function.
Reduce code complexity by extracting the code to a static method.
b5484c8 to 4a5f0a2
Thanks again.
Just a few items on the docs.
For example, to instruct the build system to use the control file to automatically assign `anssi` references to all rules listed in the control file, add the following line to the control file:

```
reference_type: anssi
```
What about the `product` key in the control files? How does the build system behave with and without it?
It's used for the control files that are specific to some product, e.g. cis_rhel9.yml. Unfortunately, we don't have any mapping from the control files to products; it's been indirect, using profiles in the given product. I think it's simpler to add this optional field to the control files schema instead of processing profiles during the references resolution process.
I will try to write something about this topic in the documentation.
@@ -1069,6 +1072,23 @@ controls:
- other-policy:other-control
```

### Using controls to add references to rules
`### Using controls to add references to rules` → `### Using Controls to Add References to Rules`
Title case
I have reworded and extended the documentation.
I think that other control files and references (ANSSI, STIG) should be transformed in a separate PR.
/packit retest-failed
LGTM, I just have one question.
Code Climate has analyzed commit e87e261 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 69.7% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.4% (0.1% change). View more on Code Climate.
Description:
This pull request adds the ability to generate references to rules automatically based on controls in control files.
For example, if a rule is listed in `controls/anssi.yml` in control id `R1`, the build system will get `anssi: R1` in the `references` section in the resolved rule. We demonstrate this on CIS profiles in this PR. We remove all CIS references for CIS RHEL 7, RHEL 8, RHEL 9 from all rules. And we will let the build system add references from control files.
For more details, please read the commit messages of all commits.
Rationale:
It makes creating new profiles and changing profiles easier because rule files don't need to be updated. It removes data duplication, since the references will be stored in a single place in the repository. It prevents inconsistencies in references.
Review Hints:
Build a product, e.g. `rhel9`, then compare the contents of a control file, e.g. `cis_rhel9.yml`, with the `references` section of the resolved rules under e.g. `build/rhel9/rules`.
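The mechanism described in this PR (a control file with `reference_type` contributes `<reference_type>: <control id>` to every rule listed under a control, merged with the comma-separated references already in rule.yml, and skipped when an optional `product` key names a different product) as an added illustration. This is not the ComplianceAsCode build-system code; the control files are constructed sample dicts standing in for parsed YAML, the rule ids `rule_a`/`rule_b` are made up, and the exact product-filtering and sort behaviour are assumptions about how such a resolver would behave.

```python
"""Control-file based reference resolution (added example, not project code).

Control files are given as already-parsed dicts (constructed sample data) so
the example runs without PyYAML. The roles of `reference_type` and the
optional `product` key follow the review thread; the product filter and the
deterministic ordering are assumptions, not the project's own behaviour.
"""
from __future__ import annotations

from typing import Any, Iterator

# Constructed sample control files mirroring the shape discussed in the PR:
# `controls` entries with `id` and `rules`, optionally nested `controls`.
CONTROL_FILE_CIS_RHEL9: dict[str, Any] = {
    "id": "cis_rhel9",
    "product": "rhel9",          # product-specific control file
    "reference_type": "cis",     # reference key the build system should assign
    "controls": [
        {"id": "1.1.1", "rules": ["rule_a", "rule_b"]},
        {"id": "5.1", "controls": [
            {"id": "5.1.3", "rules": ["ensure_logrotate_activated"]},
        ]},
    ],
}

CONTROL_FILE_ANSSI: dict[str, Any] = {
    "id": "anssi",
    "reference_type": "anssi",   # no `product` key: applies to every product
    "controls": [{"id": "R1", "rules": ["rule_a"]}],
}


def _walk_controls(controls: list[dict[str, Any]]) -> Iterator[tuple[str, list[str]]]:
    """Yield (control id, rule ids) for every control, descending into nested ones."""
    for control in controls:
        yield control["id"], list(control.get("rules", []))
        yield from _walk_controls(control.get("controls", []))


def parse_rule_references(raw: dict[str, str]) -> dict[str, list[str]]:
    """rule.yml keeps references as comma-separated strings; normalise to lists."""
    parsed: dict[str, list[str]] = {}
    for ref_type, value in raw.items():
        ids = [item.strip() for item in value.split(",")]
        parsed[ref_type] = [item for item in ids if item]
    return parsed


def references_from_control_file(
    control_file: dict[str, Any], product: str
) -> dict[str, dict[str, list[str]]]:
    """Map rule id -> {reference type: [control ids]} for one control file.

    Files without `reference_type` contribute nothing. Files with a `product`
    key contribute only when it matches the product being built (assumption).
    """
    ref_type = control_file.get("reference_type")
    if ref_type is None:
        return {}
    file_product = control_file.get("product")
    if file_product is not None and file_product != product:
        return {}
    result: dict[str, dict[str, list[str]]] = {}
    for control_id, rule_ids in _walk_controls(control_file.get("controls", [])):
        for rule_id in rule_ids:
            result.setdefault(rule_id, {}).setdefault(ref_type, []).append(control_id)
    return result


def resolve_references(
    rule_id: str,
    raw_refs: dict[str, str],
    control_files: list[dict[str, Any]],
    product: str,
) -> dict[str, list[str]]:
    """Merge rule.yml references with those contributed by the control files."""
    refs = parse_rule_references(raw_refs)
    for control_file in control_files:
        contributed = references_from_control_file(control_file, product).get(rule_id, {})
        for ref_type, ids in contributed.items():
            refs.setdefault(ref_type, []).extend(ids)
    # Deduplicate and sort so the output does not depend on the order in which
    # sources were processed; this keeps no-op reorders out of data-stream diffs.
    return {ref_type: sorted(set(ids)) for ref_type, ids in sorted(refs.items())}


def format_references(refs: dict[str, list[str]]) -> dict[str, str]:
    """Back to the comma-separated string form used in the resolved/built files."""
    return {ref_type: ",".join(ids) for ref_type, ids in refs.items()}


if __name__ == "__main__":
    files = [CONTROL_FILE_CIS_RHEL9, CONTROL_FILE_ANSSI]
    for product in ("rhel9", "rhel8"):
        resolved = resolve_references("rule_a", {"pcidss": "Req-10.7"}, files, product)
        print(product, format_references(resolved))
```

Running it shows `rule_a` picking up `cis: 1.1.1` and `anssi: R1` for `rhel9` but only `anssi: R1` for `rhel8`, because the CIS file is marked `product: rhel9`; the nested control `5.1.3` reaches `ensure_logrotate_activated` through the recursive walk, and a reference present both in rule.yml and in a control file appears once.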