Merge pull request #12067 from marcusburghardt/cis_rhel9_200

Update CIS RHEL9 control file to v2.0.0
ComplianceAsCode · Jun 26, 2024 · f0a0c51 · f0a0c51
2 parents 4fb533d + fc85059
commit f0a0c51
Show file tree

Hide file tree

Showing 30 changed files with 3,068 additions and 2,428 deletions.
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
diff --git a/..._os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var b/..._os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var
@@ -20,3 +20,4 @@ options:
     ignore: ignore
     cis_rhel7: single|halt
     cis_rhel8: single|halt
+    cis_rhel9: single|halt
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
@@ -23,3 +23,4 @@ options:
     rhel8: syslog|single|halt
     cis_rhel7: syslog|single|halt
     cis_rhel8: syslog|single|halt
+    cis_rhel9: syslog|single|halt
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
@@ -24,3 +24,4 @@ options:
     rhel8: syslog|single|halt
     cis_rhel7: halt|single
     cis_rhel8: syslog|single|halt
+    cis_rhel9: halt|single
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
@@ -20,3 +20,4 @@ options:
     ignore: ignore
     cis_rhel7: email|exec|single|halt
     cis_rhel8: email|exec|single|halt
+    cis_rhel9: email|exec|single|halt
diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-86531-1
+    cce@rhel9: CCE-86772-1
     cce@sle12: CCE-92320-1
     cce@sle15: CCE-92478-7
 

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -48,6 +48,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27295-5
     cce@rhel8: CCE-81032-5
+    cce@rhel9: CCE-86767-1
     cce@sle12: CCE-83181-8
     cce@sle15: CCE-91337-6
 

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-86090-8
     cce@rhel8: CCE-86518-8
+    cce@rhel9: CCE-86768-9
     cce@sle12: CCE-92339-1
     cce@sle15: CCE-92626-1
 

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-82364-1
     cce@rhel8: CCE-86504-8
+    cce@rhel9: CCE-86769-7
     cce@sle12: CCE-92280-7
     cce@sle15: CCE-91396-2
 

diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -17,6 +17,7 @@ options:
     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]
     cis_rhel7: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected]
+    cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected]
     cis_sle12: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     cis_sle15: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     cis_ubuntu: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -15,6 +15,7 @@ options:
     pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     cis_rhel7: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
     cis_rhel8: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+    cis_rhel9: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
     cis_sle12: curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
     cis_sle15: curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
     cis_ubuntu2004: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -14,6 +14,7 @@ options:
     default: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     cis_rhel7: [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
     cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
+    cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
     cis_sle12: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     cis_sle15: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256
     cis_ubuntu2204: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256
diff --git a/...ounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var b/...ounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var
@@ -14,6 +14,7 @@ options:
     30: 30
     35: 35
     40: 40
+    45: 45
     60: 60
     90: 90
     default: 35
diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-87415-6
     cce@rhel8: CCE-86467-8
+    cce@rhel9: CCE-86760-6
 
 references:
     cis@ubuntu2204: 4.2.1.1.1

diff --git a/...ide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/...ide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-27328-4
     cce@rhel8: CCE-87231-7
+    cce@rhel9: CCE-86761-4
 
 references:
     cis-csc: 11,12,14,15,3,8,9

diff --git a/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-87198-8
     cce@rhel8: CCE-86140-1
+    cce@rhel9: CCE-86762-2
     cce@sle12: CCE-83172-7
     cce@sle15: CCE-85572-6
 

diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhcos4: CCE-82713-9
     cce@rhel7: CCE-80138-1
     cce@rhel8: CCE-86615-2
+    cce@rhel9: CCE-86763-0
 
 references:
     cis-csc: 11,14,3,9

diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhcos4: CCE-82714-7
     cce@rhel7: CCE-80140-7
     cce@rhel8: CCE-86616-0
+    cce@rhel9: CCE-86764-8
 
 references:
     cis-csc: 11,14,3,9

diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhcos4: CCE-82715-4
     cce@rhel7: CCE-80141-5
     cce@rhel8: CCE-86617-8
+    cce@rhel9: CCE-86765-5
 
 references:
     cis-csc: 11,14,3,9

diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
     cce@rhcos4: CCE-82716-2
     cce@rhel7: CCE-80139-9
     cce@rhel8: CCE-86618-6
+    cce@rhel9: CCE-86766-3
 
 references:
     cis-csc: 11,14,3,9

diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
@@ -1,11 +1,11 @@
 documentation_complete: true
 
 metadata:
-    version: 1.0.0
+    version: 2.0.0
     SMEs:
         - marcusburghardt
+        - mab879
         - vojtapolasek
-        - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server'
 description: |-
     This profile defines a baseline that aligns to the "Level 2 - Server"
     configuration from the Center for Internet Security® Red Hat Enterprise
-    Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+    Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
 
     This profile includes Center for Internet Security®
     Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile
@@ -1,11 +1,11 @@
 documentation_complete: true
 
 metadata:
-    version: 1.0.0
+    version: 2.0.0
     SMEs:
         - marcusburghardt
+        - mab879
         - vojtapolasek
-        - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server'
 description: |-
     This profile defines a baseline that aligns to the "Level 1 - Server"
     configuration from the Center for Internet Security® Red Hat Enterprise
-    Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+    Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
 
     This profile includes Center for Internet Security®
     Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile
@@ -1,11 +1,11 @@
 documentation_complete: true
 
 metadata:
-    version: 1.0.0
+    version: 2.0.0
     SMEs:
         - marcusburghardt
+        - mab879
         - vojtapolasek
-        - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation'
 description: |-
     This profile defines a baseline that aligns to the "Level 1 - Workstation"
     configuration from the Center for Internet Security® Red Hat Enterprise
-    Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+    Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
 
     This profile includes Center for Internet Security®
     Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile
@@ -1,11 +1,11 @@
 documentation_complete: true
 
 metadata:
-    version: 1.0.0
+    version: 2.0.0
     SMEs:
         - marcusburghardt
+        - mab879
         - vojtapolasek
-        - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
 description: |-
     This profile defines a baseline that aligns to the "Level 2 - Workstation"
     configuration from the Center for Internet Security® Red Hat Enterprise
-    Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+    Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
 
     This profile includes Center for Internet Security®
     Red Hat Enterprise Linux 9 CIS Benchmarks™ content.

diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
@@ -553,3 +553,5 @@ selections:
     - sebool_polipo_session_users
     - sebool_cluster_manage_all_files
     - configure_firewalld_ports
+    - journald_forward_to_syslog
+    - rsyslog_filecreatemode
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -244,17 +244,6 @@ CCE-86750-7
 CCE-86751-5
 CCE-86752-3
 CCE-86753-1
-CCE-86760-6
-CCE-86761-4
-CCE-86762-2
-CCE-86763-0
-CCE-86764-8
-CCE-86765-5
-CCE-86766-3
-CCE-86767-1
-CCE-86768-9
-CCE-86769-7
-CCE-86772-1
 CCE-86773-9
 CCE-86774-7
 CCE-86775-4