diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index b6dfc5736ab..3da3a816858 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2,7 +2,7 @@ policy: 'CIS Benchmark for Red Hat Enterprise Linux 9'
 title: 'CIS Benchmark for Red Hat Enterprise Linux 9'
 id: cis_rhel9
-version: '1.0.0'
+version: '2.0.0'
 source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
 levels:
 - id: l1_server
@@ -41,267 +41,319 @@ controls: - enable_authselect - id: 1.1.1.1 - title: Ensure mounting of squashfs filesystems is disabled (Automated) + title: Ensure cramfs kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated rules: - - kernel_module_squashfs_disabled + - kernel_module_cramfs_disabled - id: 1.1.1.2 - title: Ensure mounting of udf filesystems is disabled (Automated) + title: Ensure freevxfs kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated rules: - - kernel_module_udf_disabled + - kernel_module_freevxfs_disabled - - id: 1.1.2.1 - title: Ensure /tmp is a separate partition (Automated) + - id: 1.1.1.3 + title: Ensure hfs kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated rules: - - partition_for_tmp + - kernel_module_hfs_disabled - - id: 1.1.2.2 - title: Ensure nodev option set on /tmp partition (Automated) + - id: 1.1.1.4 + title: Ensure hfsplus kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_nodev + - kernel_module_hfsplus_disabled - - id: 1.1.2.3 - title: Ensure noexec option set on /tmp partition (Automated) + - id: 1.1.1.5 + title: Ensure jffs2 kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_noexec + - kernel_module_jffs2_disabled - - id: 1.1.2.4 - title: Ensure nosuid option set on /tmp partition (Automated) + - id: 1.1.1.6 + title: Ensure squashfs kernel module is not available (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - mount_option_tmp_nosuid + - kernel_module_squashfs_disabled - - id: 1.1.3.1 - title: Ensure separate partition exists for /var (Automated) + - id: 1.1.1.7 + title: Ensure udf kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: 
- - partition_for_var + - kernel_module_udf_disabled - - id: 1.1.3.2 - title: Ensure nodev option set on /var partition (Automated) + - id: 1.1.1.8 + title: Ensure usb-storage kernel module is not available (Automated) + levels: + - l1_server + - l2_workstation + status: automated + rules: + - kernel_module_usb-storage_disabled + + - id: 1.1.1.9 + title: Ensure unused filesystems kernel modules are not available (Manual) + levels: + - l1_server + - l2_workstation + status: manual + + - id: 1.1.2.1.1 + title: Ensure /tmp is a separate partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_nodev + - partition_for_tmp - - id: 1.1.3.3 - title: Ensure nosuid option set on /var partition (Automated) + - id: 1.1.2.1.2 + title: Ensure nodev option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_nosuid + - mount_option_tmp_nodev - - id: 1.1.4.1 - title: Ensure separate partition exists for /var/tmp (Automated) + - id: 1.1.2.1.3 + title: Ensure nosuid option set on /tmp partition (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - partition_for_var_tmp + - mount_option_tmp_nosuid - - id: 1.1.4.2 - title: Ensure noexec option set on /var/tmp partition (Automated) + - id: 1.1.2.1.4 + title: Ensure noexec option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_tmp_noexec + - mount_option_tmp_noexec - - id: 1.1.4.3 - title: Ensure nosuid option set on /var/tmp partition (Automated) + - id: 1.1.2.2.1 + title: Ensure /dev/shm is a separate partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_tmp_nosuid + - partition_for_dev_shm - - id: 1.1.4.4 - title: Ensure nodev option set on /var/tmp partition (Automated) + - id: 1.1.2.2.2 + title: Ensure nodev option set on /dev/shm partition 
(Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_tmp_nodev + - mount_option_dev_shm_nodev - - id: 1.1.5.1 - title: Ensure separate partition exists for /var/log (Automated) + - id: 1.1.2.2.3 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_dev_shm_nosuid + + - id: 1.1.2.2.4 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_dev_shm_noexec + + - id: 1.1.2.3.1 + title: Ensure separate partition exists for /home (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_var_log + - partition_for_home - - id: 1.1.5.2 - title: Ensure nodev option set on /var/log partition (Automated) + - id: 1.1.2.3.2 + title: Ensure nodev option set on /home partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_nodev + - mount_option_home_nodev - - id: 1.1.5.3 - title: Ensure noexec option set on /var/log partition (Automated) + - id: 1.1.2.3.3 + title: Ensure nosuid option set on /home partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_noexec + - mount_option_home_nosuid - - id: 1.1.5.4 - title: Ensure nosuid option set on /var/log partition (Automated) + - id: 1.1.2.4.1 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_var + + - id: 1.1.2.4.2 + title: Ensure nodev option set on /var partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_nosuid + - mount_option_var_nodev - - id: 1.1.6.1 - title: Ensure separate partition exists for /var/log/audit (Automated) + - id: 1.1.2.4.3 + title: Ensure nosuid option set on /var partition 
(Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_nosuid + + - id: 1.1.2.5.1 + title: Ensure separate partition exists for /var/tmp (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_var_log_audit + - partition_for_var_tmp - - id: 1.1.6.2 - title: Ensure noexec option set on /var/log/audit partition (Automated) + - id: 1.1.2.5.2 + title: Ensure nodev option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_noexec + - mount_option_var_tmp_nodev - - id: 1.1.6.3 - title: Ensure nodev option set on /var/log/audit partition (Automated) + - id: 1.1.2.5.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_nodev + - mount_option_var_tmp_nosuid - - id: 1.1.6.4 - title: Ensure nosuid option set on /var/log/audit partition (Automated) + - id: 1.1.2.5.4 + title: Ensure noexec option set on /var/tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_var_log_audit_nosuid + - mount_option_var_tmp_noexec - - id: 1.1.7.1 - title: Ensure separate partition exists for /home (Automated) + - id: 1.1.2.6.1 + title: Ensure separate partition exists for /var/log (Automated) levels: - l2_server - l2_workstation status: automated rules: - - partition_for_home + - partition_for_var_log - - id: 1.1.7.2 - title: Ensure nodev option set on /home partition (Automated) + - id: 1.1.2.6.2 + title: Ensure nodev option set on /var/log partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_home_nodev + - mount_option_var_log_nodev - - id: 1.1.7.3 - title: Ensure nosuid option set on /home partition (Automated) + - id: 1.1.2.6.3 + title: Ensure nosuid option set on /var/log partition (Automated) levels: - l1_server - 
l1_workstation status: automated rules: - - mount_option_home_nosuid + - mount_option_var_log_nosuid - - id: 1.1.8.1 - title: Ensure /dev/shm is a separate partition (Automated) + - id: 1.1.2.6.4 + title: Ensure noexec option set on /var/log partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - partition_for_dev_shm + - mount_option_var_log_noexec - - id: 1.1.8.2 - title: Ensure nodev option set on /dev/shm partition (Automated) + - id: 1.1.2.7.1 + title: Ensure separate partition exists for /var/log/audit (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - mount_option_dev_shm_nodev + - partition_for_var_log_audit - - id: 1.1.8.3 - title: Ensure noexec option set on /dev/shm partition (Automated) + - id: 1.1.2.7.2 + title: Ensure nodev option set on /var/log/audit partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_dev_shm_noexec + - mount_option_var_log_audit_nodev - - id: 1.1.8.4 - title: Ensure nosuid option set on /dev/shm partition (Automated) + - id: 1.1.2.7.3 + title: Ensure nosuid option set on /var/log/audit partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_dev_shm_nosuid + - mount_option_var_log_audit_nosuid - - id: 1.1.9 - title: Disable USB Storage (Automated) + - id: 1.1.2.7.4 + title: Ensure noexec option set on /var/log/audit partition (Automated) levels: - l1_server - - l2_workstation + - l1_workstation status: automated rules: - - kernel_module_usb-storage_disabled + - mount_option_var_log_audit_noexec - - id: 1.2.1 + - id: 1.2.1.1 title: Ensure GPG keys are configured (Manual) levels: - l1_server @@ -310,7 +362,7 @@ controls: related_rules: - ensure_redhat_gpgkey_installed - - id: 1.2.2 + - id: 1.2.1.2 title: Ensure gpgcheck is globally activated (Automated) levels: - l1_server 
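Review bot: The renamed 1.1.1.1–1.1.1.8 controls map CIS v2.0.0's "kernel module is not available" wording onto the existing `kernel_module_<name>_disabled` rules, but the v2.0.0 audit for these items also expects a `blacklist <module>` entry alongside `install <module> /bin/false` and checks that the module is not currently loaded; if those rules only evaluate the `install` line, `status: automated` overstates coverage and `status: partial` with a short note (as this diff does elsewhere for 2.1.21) would be more honest. The rule definitions live outside this file, so this is worth confirming rather than assuming. Separately, 1.1.1.9 is `status: manual` with neither `rules:` nor `related_rules:`, so an assessor gets no pointer to the module rules it is meant to generalise; a `notes: |-` line saying it is covered case-by-case by 1.1.1.1–1.1.1.8 would make that explicit.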
@@ -319,49 +371,101 @@ controls: rules: - ensure_gpgcheck_globally_activated - - id: 1.2.3 + - id: 1.2.1.3 + title: Ensure repo_gpgcheck is globally activated (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 1.2.1.4 title: Ensure package manager repositories are configured (Manual) levels: - l1_server - l1_workstation status: manual - - id: 1.2.4 - title: Ensure repo_gpgcheck is globally activated (Manual) + - id: 1.2.2.1 + title: Ensure updates, patches, and additional security software are installed (Manual) levels: - l1_server - l1_workstation status: manual + related_rules: + - security_patches_up_to_date - - id: 1.3.1 - title: Ensure AIDE is installed (Automated) + - id: 1.3.1.1 + title: Ensure SELinux is installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_aide_installed - - aide_build_database + - package_libselinux_installed - - id: 1.3.2 - title: Ensure filesystem integrity is regularly checked (Automated) + - id: 1.3.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) levels: - l1_server - l1_workstation status: automated rules: - - aide_periodic_cron_checking + - grub2_enable_selinux - - id: 1.3.3 - title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) + - id: 1.3.1.3 + title: Ensure SELinux policy is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - aide_check_audit_tools + - var_selinux_policy_name=targeted + - selinux_policytype + + - id: 1.3.1.4 + title: Ensure the SELinux mode is not disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - selinux_not_disabled + + - id: 1.3.1.5 + title: Ensure the SELinux mode is enforcing (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - var_selinux_state=enforcing + - selinux_state + + - id: 1.3.1.6 + title: Ensure no unconfined services exist 
(Manual) + levels: + - l2_server + - l2_workstation + status: manual related_rules: - - aide_use_fips_hashes + - selinux_confinement_of_daemons + + - id: 1.3.1.7 + title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_mcstrans_removed + + - id: 1.3.1.8 + title: Ensure SETroubleshoot is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_setroubleshoot_removed - id: 1.4.1 title: Ensure bootloader password is set (Automated) @@ -377,13 +481,14 @@ controls: - grub2_uefi_password - id: 1.4.2 - title: Ensure permissions on bootloader config are configured (Automated) + title: Ensure access to bootloader config is configured (Automated) levels: - l1_server - l1_workstation - status: automated + status: pending notes: <- RHEL9 unified the paths for grub2 files. + This requirement demands a deeper review of the rules. rules: - file_groupowner_grub2_cfg - file_owner_grub2_cfg 
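Review bot: The sentence added to 1.4.2, `This requirement demands a deeper review of the rules.`, continues a plain (unquoted) multi-line scalar whose first line begins with `<-`; `<-` is not a YAML block indicator (it looks like a typo for `>-`), so the literal characters `<-` become part of the note and the new line is only absorbed because plain scalars fold indented continuation lines — assuming the continuation is indented under the key, which the collapsed diff does not show. 1.5.1 in this same change uses `notes: |-`, so switching 1.4.2 to `notes: |-` with the two sentences on their own lines would both fix the stray `<-` and match the file's style. Also, the control moves to `status: pending` while keeping its `rules:` list, so the grub2 file rules are presumably still selected even though the note says they need review for the unified RHEL 9 paths; if they are not yet trusted, listing them under `related_rules:` would match how 1.6.4 and 1.6.5 record pending work.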
@@ -400,104 +505,110 @@ controls: - file_permissions_efi_user_cfg - id: 1.5.1 - title: Ensure core dump storage is disabled (Automated) + title: Ensure address space layout randomization is enabled (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Address Space Layout Randomization (ASLR) rules: - - coredump_disable_storage + - sysctl_kernel_randomize_va_space - id: 1.5.2 - title: Ensure core dump backtraces are disabled (Automated) + title: Ensure ptrace_scope is restricted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - coredump_disable_backtraces + - sysctl_kernel_yama_ptrace_scope - id: 1.5.3 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + title: Ensure core dump backtraces are disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_backtraces - - id: 1.6.1.1 - title: Ensure SELinux is installed (Automated) + - id: 1.5.4 + title: Ensure core dump storage is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_libselinux_installed + - coredump_disable_storage - - id: 1.6.1.2 - title: Ensure SELinux is not disabled in bootloader configuration (Automated) + - id: 1.6.1 + title: Ensure system wide crypto policy is not set to legacy (Automated) levels: - l1_server - l1_workstation status: automated rules: - - grub2_enable_selinux + - configure_crypto_policy + - var_system_crypto_policy=default_nosha1 - - id: 1.6.1.3 - title: Ensure SELinux policy is configured (Automated) + - id: 1.6.2 + title: Ensure system wide crypto policy is not set in sshd configuration (Automated) levels: - l1_server - l1_workstation status: automated rules: - - var_selinux_policy_name=targeted - - selinux_policytype + - configure_ssh_crypto_policy - - id: 1.6.1.4 - title: Ensure the SELinux mode is not disabled (Automated) + - id: 1.6.3 + title: Ensure system wide crypto 
policy disables sha1 hash and signature support (Automated) levels: - l1_server - l1_workstation status: automated - rules: - - selinux_not_disabled + notes: |- + This requirement is already satisfied by 1.6.1. + related_rules: + - configure_crypto_policy - - id: 1.6.1.5 - title: Ensure the SELinux mode is enforcing (Automated) + - id: 1.6.4 + title: Ensure system wide crypto policy disables macs less than 128 bits (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - var_selinux_state=enforcing - - selinux_state + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure a module disabling weak MACs in + /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command. + related_rules: + - configure_crypto_policy - - id: 1.6.1.6 - title: Ensure no unconfined services exist (Automated) + - id: 1.6.5 + title: Ensure system wide crypto policy disables cbc for ssh (Automated) levels: - l1_server - l1_workstation - status: automated - rules: - - selinux_confinement_of_daemons + status: pending + notes: |- + It is necessary a new rule to ensure a module disabling CBC in + /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command. 
+ related_rules:
+ - configure_crypto_policy
- - id: 1.6.1.7
- title: Ensure SETroubleshoot is not installed (Automated)
+ - id: 1.6.6
+ title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated)
 levels:
 - l1_server
- status: automated
- rules:
- - package_setroubleshoot_removed
+ - l1_workstation
+ status: manual
- - id: 1.6.1.8
- title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ - id: 1.6.7
+ title: Ensure system wide crypto policy disables EtM for ssh (Automated)
 levels:
 - l1_server
 - l1_workstation
- status: automated
- rules:
- - package_mcstrans_removed
+ status: manual
 - id: 1.7.1
 title: Ensure message of the day is configured properly (Automated)
@@ -530,7 +641,7 @@ controls:
 - remote_login_banner_text=cis_banners
 - id: 1.7.4
- title: Ensure permissions on /etc/motd are configured (Automated)
+ title: Ensure access to /etc/motd is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -541,7 +652,7 @@ controls:
 - file_permissions_etc_motd
 - id: 1.7.5
- title: Ensure permissions on /etc/issue are configured (Automated)
+ title: Ensure access to /etc/issue is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -552,7 +663,7 @@ controls:
 - file_permissions_etc_issue
 - id: 1.7.6
- title: Ensure permissions on /etc/issue.net are configured (Automated)
+ title: Ensure access to /etc/issue.net is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -616,7 +727,7 @@ controls:
 title: Ensure GDM automatic mounting of removable media is disabled (Automated)
 levels:
 - l1_server
- - l1_workstation
+ - l2_workstation
 status: automated
 rules:
 - dconf_gnome_disable_automount
@@ -626,7 +737,7 @@ controls:
 title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)
 levels:
 - l1_server
- - l1_workstation
+ - l2_workstation
 status: automated
 rules:
 - dconf_gnome_disable_automount
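Review bot: 1.6.1 is titled "Ensure system wide crypto policy is not set to legacy" but its rule now pins `var_system_crypto_policy=default_nosha1` (previously `default_policy`), which is stricter than the control it claims to automate: a host on `FIPS`, `FUTURE`, or `DEFAULT` with other sub-policies is not LEGACY and passes the benchmark text, yet would presumably fail this rule. If the stricter value is deliberate so that 1.6.3 is satisfied by 1.6.1 (as the 1.6.3 note says), state that on 1.6.1 itself, e.g. `notes: |-` followed by `Pinned to DEFAULT:NO-SHA1 so that 1.6.3 is also satisfied; FIPS/FUTURE hosts need a tailored value.` Also, 1.6.6 and 1.6.7 are `status: manual` although their titles say (Automated), whereas 1.6.4 and 1.6.5 use `status: pending` plus a note for the same "no rule yet" situation; using `pending` for all four keeps the file consistent and keeps the automation gap visible instead of hiding it as a manual check.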
@@ -659,56 +770,17 @@ controls: rules: - gnome_gdm_disable_xdmcp - - id: 1.9 - title: Ensure updates, patches, and additional security software are installed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - security_patches_up_to_date - - - id: "1.10" - title: Ensure system-wide crypto policy is not legacy (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: The selected crypto-policy cannot be legacy - rules: - - configure_crypto_policy - - var_system_crypto_policy=default_policy - - id: 2.1.1 - title: Ensure time synchronization is in use (Automated) - levels: - - l1_server - - l1_workstation - status: automated - related_rules: - - package_chrony_installed - - - id: 2.1.2 - title: Ensure chrony is configured (Automated) + title: Ensure autofs services are not in use (Automated) levels: - l1_server - - l1_workstation - status: automated - rules: - - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - - var_multiple_time_servers=rhel - - - id: 2.2.1 - title: Ensure xorg-x11-server-common is not installed (Automated) - levels: - - l2_server + - l2_workstation status: automated rules: - - package_xorg-x11-server-common_removed + - service_autofs_disabled - - id: 2.2.2 - title: Ensure Avahi Server is not installed (Automated) + - id: 2.1.2 + title: Ensure avahi daemon services are not in use (Automated) levels: - l1_server - l2_workstation 
@@ -718,64 +790,61 @@ controls: related_rules: - service_avahi-daemon_disabled - - id: 2.2.3 - title: Ensure CUPS is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_cups_removed - related_rules: - - service_cups_disabled - - - id: 2.2.4 - title: Ensure DHCP Server is not installed (Automated) + - id: 2.1.3 + title: Ensure dhcp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - package_dhcp_removed + related_rules: + - service_dhcpd_disabled - - id: 2.2.5 - title: Ensure DNS Server is not installed (Automated) + - id: 2.1.4 + title: Ensure dns server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - package_bind_removed + related_rules: + - service_named_disabled - - id: 2.2.6 - title: Ensure VSFTP Server is not installed (Automated) + - id: 2.1.5 + title: Ensure dnsmasq services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_vsftpd_removed + - package_dnsmasq_removed - - id: 2.2.7 - title: Ensure TFTP Server is not installed (Automated) + - id: 2.1.6 + title: Ensure samba file server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_tftp-server_removed + - package_samba_removed + related_rules: + - service_smb_disabled - - id: 2.2.8 - title: Ensure a web server is not installed (Automated) + - id: 2.1.7 + title: Ensure ftp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_httpd_removed - - package_nginx_removed + - package_vsftpd_removed + related_rules: + - service_vsftpd_disabled - - id: 2.2.9 - title: Ensure IMAP and POP3 server is not installed (Automated) + - id: 2.1.8 + title: Ensure message access server services are not in use (Automated) levels: - l1_server - l1_workstation 
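Review bot: 2.1.5 (dnsmasq) is the only control in this hunk whose `package_*_removed` rule has no companion service entry under `related_rules:`, while 2.1.3, 2.1.4, 2.1.6 and 2.1.7 each pair the package rule with a `service_*_disabled` rule so that a host that keeps the package but masks the daemon is still recognisable as compliant. If a dnsmasq service rule exists in the content, add it as `related_rules:` / `- service_dnsmasq_disabled` for consistency; if it does not, a `# TODO: no service rule for dnsmasq yet` comment in the same place would make the gap greppable rather than silent.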
@@ -783,1497 +852,2024 @@ controls: rules: - package_dovecot_removed - package_cyrus-imapd_removed + related_rules: + - service_dovecot_disabled + # new rule would be nice to disable cyrus-imapd service - - id: 2.2.10 - title: Ensure Samba is not installed (Automated) + - id: 2.1.9 + title: Ensure network file system services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the + nfs-utils package. rules: - - package_samba_removed + - service_nfs_disabled + related_rules: + - package_nfs-utils_removed - - id: 2.2.11 - title: Ensure HTTP Proxy Server is not installed (Automated) + - id: 2.1.10 + title: Ensure nis server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_squid_removed + - package_ypserv_removed + related_rules: + - service_ypserv_disabled - - id: 2.2.12 - title: Ensure net-snmp is not installed (Automated) + - id: 2.1.11 + title: Ensure print server services are not in use (Automated) levels: - l1_server - - l1_workstation status: automated rules: - - package_net-snmp_removed + - package_cups_removed + related_rules: + - service_cups_disabled - - id: 2.2.13 - title: Ensure telnet-server is not installed (Automated) + - id: 2.1.12 + title: Ensure rpcbind services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils + package used for The Network File System (NFS), are dependent on the rpcbind package. 
rules: - - package_telnet-server_removed + - service_rpcbind_disabled + related_rules: + - package_rpcbind_removed - - id: 2.2.14 - title: Ensure dnsmasq is not installed (Automated) + - id: 2.1.13 + title: Ensure rsync services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_dnsmasq_removed + - package_rsync_removed + related_rules: + - service_rsyncd_disabled - - id: 2.2.15 - title: Ensure mail transfer agent is configured for local-only mode (Automated) + - id: 2.1.14 + title: Ensure snmp services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - postfix_network_listening_disabled - - var_postfix_inet_interfaces=loopback-only - - has_nonlocal_mta + - package_net-snmp_removed + related_rules: + - service_snmpd_disabled - - id: 2.2.16 - title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) + - id: 2.1.15 + title: Ensure telnet server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_nfs_disabled + - package_telnet-server_removed related_rules: - - package_nfs-utils_removed - # The nfs-utils package is required for systems with GUI or by some libvirt packages + - service_telnet_disabled - - id: 2.2.17 - title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) + - id: 2.1.16 + title: Ensure tftp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_rpcbind_disabled + - package_tftp-server_removed related_rules: - - package_rpcbind_removed + - service_tftp_disabled - - id: 2.2.18 - title: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated) + - id: 2.1.17 + title: Ensure web proxy server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_rsync_removed + - package_squid_removed related_rules: - - 
service_rsyncd_disabled + - service_squid_disabled - - id: 2.3.1 - title: Ensure telnet client is not installed (Automated) + - id: 2.1.18 + title: Ensure web server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_telnet_removed + - package_httpd_removed + - package_nginx_removed + related_rules: + - service_httpd_disabled + # rule would be nice to disable nginx service - - id: 2.3.2 - title: Ensure LDAP client is not installed (Automated) + - id: 2.1.19 + title: Ensure xinetd services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_openldap-clients_removed + - package_xinetd_removed + related_rules: + - service_xinetd_disabled - - id: 2.3.3 - title: Ensure TFTP client is not installed (Automated) + - id: 2.1.20 + title: Ensure X window server services are not in use (Automated) levels: - - l1_server - - l1_workstation + - l2_server status: automated + notes: |- + The rule also configures correct run level to prevent unbootable system. 
rules: - - package_tftp_removed + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target - - id: 2.3.4 - title: Ensure FTP client is not installed (Automated) + - id: 2.1.21 + title: Ensure mail transfer agents are configured for local-only mode (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + The rule has_nonlocal_mta currently checks for services listening only on port 25, + but the policy checks also for ports 465 and 587 rules: - - package_ftp_removed + - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only + - has_nonlocal_mta - - id: 2.4 - title: Ensure nonessential services are removed or masked (Manual) + - id: 2.1.22 + title: Ensure only approved services are listening on a network interface (Manual) levels: - l1_server - l1_workstation status: manual - - id: 3.1.1 - title: Ensure IPv6 status is identified (Manual) + - id: 2.2.1 + title: Ensure ftp client is not installed (Automated) levels: - l1_server - l1_workstation - status: manual - - - id: 3.1.2 - title: Ensure wireless interfaces are disabled (Automated) - levels: - - l1_server status: automated rules: - - wireless_disable_interfaces + - package_ftp_removed - - id: 3.1.3 - title: Ensure TIPC is disabled (Automated) + - id: 2.2.2 + title: Ensure ldap client is not installed (Automated) levels: - l2_server - l2_workstation status: automated rules: - - kernel_module_tipc_disabled + - package_openldap-clients_removed - - id: 3.2.1 - title: Ensure IP forwarding is disabled (Automated) + - id: 2.2.3 + title: Ensure nis client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv6_conf_all_forwarding - - sysctl_net_ipv6_conf_all_forwarding_value=disabled + - package_ypbind_removed - - id: 3.2.2 - title: Ensure packet redirect sending is disabled (Automated) + - id: 2.2.4 + title: Ensure telnet client is not installed 
(Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_send_redirects + - package_telnet_removed - - id: 3.3.1 - title: Ensure source routed packets are not accepted (Automated) + - id: 2.2.5 + title: Ensure tftp client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + - package_tftp_removed - - id: 3.3.2 - title: Ensure ICMP redirects are not accepted (Automated) + - id: 2.3.1 + title: Ensure time synchronization is in use (Automated) levels: - l1_server - l1_workstation status: automated - rules: - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + related_rules: + - package_chrony_installed - - id: 3.3.3 - title: Ensure secure ICMP redirects are not accepted (Automated) + - id: 2.3.2 + title: Ensure chrony is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - - sysctl_net_ipv4_conf_default_secure_redirects - - 
sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + - chronyd_specify_remote_server + - var_multiple_time_servers=rhel - - id: 3.3.4 - title: Ensure suspicious packets are logged (Automated) + - id: 2.3.3 + title: Ensure chrony is not run as the root user (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_all_log_martians_value=enabled - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_conf_default_log_martians_value=enabled + - chronyd_run_as_chrony_user - - id: 3.3.5 - title: Ensure broadcast ICMP requests are ignored (Automated) + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + - service_crond_enabled - - id: 3.3.6 - title: Ensure bogus ICMP responses are ignored (Automated) + - id: 2.4.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab - - id: 3.3.7 - title: Ensure Reverse Path Filtering is enabled (Automated) + - id: 2.4.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_all_rp_filter_value=enabled - - sysctl_net_ipv4_conf_default_rp_filter - - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly - - id: 3.3.8 - title: Ensure TCP SYN Cookies is enabled (Automated) + - id: 2.4.1.4 + title: Ensure permissions on 
/etc/cron.daily are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_tcp_syncookies - - sysctl_net_ipv4_tcp_syncookies_value=enabled + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily - - id: 3.3.9 - title: Ensure IPv6 router advertisements are not accepted (Automated) + - id: 2.4.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - - sysctl_net_ipv6_conf_default_accept_ra - - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly - - id: 3.4.1.1 - title: Ensure nftables is installed (Automated) + - id: 2.4.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_nftables_installed - - - id: 3.4.1.2 - title: Ensure a single firewall configuration utility is in use (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_firewalld_enabled - - package_firewalld_installed - - service_nftables_disabled + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly - - id: 3.4.2.1 - title: Ensure firewalld default zone is set (Automated) + - id: 2.4.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - set_firewalld_default_zone + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d - - id: 3.4.2.2 - title: Ensure at least one nftables table exists (Automated) + - id: 2.4.1.8 + title: Ensure crontab is restricted to authorized users (Automated) levels: - l1_server - l1_workstation - status: supported - notes: - RHEL systems use firewalld 
for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. + status: automated rules: - - set_nftables_table - - var_nftables_family=inet - - var_nftables_table=firewalld + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow - - id: 3.4.2.3 - title: Ensure nftables base chains exist (Automated) + - id: 2.4.2.1 + title: Ensure at is restricted to authorized users (Automated) levels: - l1_server - l1_workstation - status: supported + status: partial notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. - related_rules: - - set_nftables_base_chain - - var_nftables_table=firewalld - - var_nftables_family=inet - - var_nftables_base_chain_names=chain_names - - var_nftables_base_chain_types=chain_types - - var_nftables_base_chain_hooks=chain_hooks - - var_nftables_base_chain_priorities=chain_priorities - - var_nftables_base_chain_policies=chain_policies - - - id: 3.4.2.4 - title: Ensure host based firewall loopback traffic is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated + It is necessary to create a rule to ensure the existence of at.allow. + file_cron_allow_exists can be used as reference for a new templated rule. 
rules: - - firewalld_loopback_traffic_trusted - - firewalld_loopback_traffic_restricted + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow - - id: 3.4.2.5 - title: Ensure firewalld drops unnecessary services and ports (Manual) + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) levels: - l1_server - l1_workstation status: manual - related_rules: - - configure_firewalld_ports - - id: 3.4.2.6 - title: Ensure nftables established connections are configured (Manual) + - id: 3.1.2 + title: Ensure wireless interfaces are disabled (Automated) levels: - l1_server - - l1_workstation - status: manual + status: automated + rules: + - wireless_disable_interfaces - - id: 3.4.2.7 - title: Ensure nftables default deny firewall policy (Automated) + - id: 3.1.3 + title: Ensure bluetooth services are not in use (Automated) levels: - l1_server - - l1_workstation - status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. 
- related_rules: - - nftables_ensure_default_deny_policy - - - id: 4.1.1.1 - title: Ensure auditd is installed (Automated) - levels: - - l2_server - l2_workstation status: automated rules: - - package_audit_installed + - service_bluetooth_disabled - - id: 4.1.1.2 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + - id: 3.2.1 + title: Ensure dccp kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: - - grub2_audit_argument + - kernel_module_dccp_disabled - - id: 4.1.1.3 - title: Ensure audit_backlog_limit is sufficient (Automated) + - id: 3.2.2 + title: Ensure tipc kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: - - grub2_audit_backlog_limit_argument + - kernel_module_tipc_disabled - - id: 4.1.1.4 - title: Ensure auditd service is enabled (Automated) + - id: 3.2.3 + title: Ensure rds kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: - - service_auditd_enabled + - kernel_module_rds_disabled - - id: 4.1.2.1 - title: Ensure audit log storage size is configured (Automated) + - id: 3.2.4 + title: Ensure sctp kernel module is not available (Automated) levels: - l2_server - l2_workstation status: automated rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 + - kernel_module_sctp_disabled - - id: 4.1.2.2 - title: Ensure audit logs are not automatically deleted (Automated) + - id: 3.3.1 + title: Ensure IP forwarding is disabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled - - id: 4.1.2.3 - title: Ensure system is disabled when audit logs are full (Automated) + - id: 3.3.2 
+ title: Ensure packet redirect sending is disabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_space_left_action - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=halt - - var_auditd_space_left_action=email + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects - - id: 4.1.3.1 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 3.3.3 + title: Ensure bogus icmp responses are ignored (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_sysadmin_actions + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - - id: 4.1.3.2 - title: Ensure actions as another user are always logged (Automated) + - id: 3.3.4 + title: Ensure broadcast icmp requests are ignored (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_suid_auid_privilege_function + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - - id: 4.1.3.3 - title: Ensure events that modify the sudo log file are collected (Automated) + - id: 3.3.5 + title: Ensure icmp redirects are not accepted (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_sudo_log_events + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - 
sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - - id: 4.1.3.4 - title: Ensure events that modify date and time information are collected (Automated) + - id: 3.3.6 + title: Ensure secure icmp redirects are not accepted (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - - id: 4.1.3.5 - title: Ensure events that modify the system's network environment are collected (Automated) + - id: 3.3.7 + title: Ensure reverse path filtering is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_networkconfig_modification - - audit_rules_networkconfig_modification_network_scripts + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - - id: 4.1.3.6 - title: Ensure use of privileged commands is collected (Automated) + - id: 3.3.8 + title: Ensure source routed packets are not accepted (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_privileged_commands + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - 
sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - - id: 4.1.3.7 - title: Ensure unsuccessful file access attempts are collected (Automated) + - id: 3.3.9 + title: Ensure suspicious packets are logged (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled - - id: 4.1.3.8 - title: Ensure events that modify user/group information are collected (Automated) + - id: 3.3.10 + title: Ensure tcp syn cookies is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled - - id: 4.1.3.9 - title: Ensure discretionary access control permission modification events are collected (Automated) + - id: 3.3.11 + title: Ensure IPv6 router advertisements are not accepted (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - 
audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - - id: 4.1.3.10 - title: Ensure successful file system mounts are collected (Automated) + - id: 4.1.1 + title: Ensure nftables is installed (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_media_export + - package_nftables_installed - - id: 4.1.3.11 - title: Ensure session initiation information is collected (Automated) + - id: 4.1.2 + title: Ensure a single firewall configuration utility is in use (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_session_events + - service_firewalld_enabled + - package_firewalld_installed + - service_nftables_disabled - - id: 4.1.3.12 - title: Ensure login and logout events are collected (Automated) + - id: 4.2.1 + title: Ensure firewalld drops unnecessary services and ports (Manual) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation + status: manual + related_rules: + - configure_firewalld_ports + + - id: 4.2.2 + title: Ensure firewalld loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation status: automated rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - var_accounts_passwords_pam_faillock_dir=run + - firewalld_loopback_traffic_trusted + - firewalld_loopback_traffic_restricted - - id: 4.1.3.13 - title: Ensure file 
deletion events by users are collected (Automated) + - id: 4.3.1 + title: Ensure nftables base chains exist (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. When using firewalld the base chains are installed by default. + related_rules: + - set_nftables_base_chain + - var_nftables_table=firewalld + - var_nftables_family=inet + - var_nftables_base_chain_names=chain_names + - var_nftables_base_chain_types=chain_types + - var_nftables_base_chain_hooks=chain_hooks + - var_nftables_base_chain_priorities=chain_priorities + - var_nftables_base_chain_policies=chain_policies + + - id: 4.3.2 + title: Ensure nftables established connections are configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 4.3.3 + title: Ensure nftables default deny firewall policy (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. + related_rules: + - nftables_ensure_default_deny_policy + + - id: 4.3.4 + title: Ensure nftables loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. 
+ related_rules: + - set_nftables_loopback_traffic + + - id: 5.1.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + + - id: 5.1.2 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key + + - id: 5.1.3 + title: Ensure permissions on SSH public host key files are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key + + - id: 5.1.4 + title: Ensure sshd Ciphers are configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Introduced in CIS RHEL9 v2.0.0 + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. + rules: + - sshd_use_approved_ciphers + - sshd_approved_ciphers=cis_rhel9 + + - id: 5.1.5 + title: Ensure sshd KexAlgorithms is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. + rules: + - sshd_use_strong_kex + - sshd_strong_kex=cis_rhel9 + + - id: 5.1.6 + title: Ensure sshd MACs are configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. 
+ rules: + - sshd_use_strong_macs + - sshd_strong_macs=cis_rhel9 + + - id: 5.1.7 + title: Ensure sshd access is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_limit_user_access + + - id: 5.1.8 + title: Ensure sshd Banner is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner + + - id: 5.1.9 + title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The requirement gives an example of 45 seconds, but is flexible about the values. It is only + necessary to ensure there is a timeout configured in alignment to the site policy. + rules: + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 + + - id: 5.1.10 + title: Ensure sshd DisableForwarding is enabled (Automated) levels: - l2_server - - l2_workstation + - l1_workstation + status: pending + notes: |- + New templated rule is necessary for "disableforwarding" option. 
+ related_rules: + - sshd_disable_tcp_forwarding + - sshd_disable_x11_forwarding + + - id: 5.1.11 + title: Ensure sshd GSSAPIAuthentication is disabled (Automated) + levels: + - l2_server + - l1_workstation status: automated + notes: |- + Introduced in CIS RHEL9 v2.0.0 rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + - sshd_disable_gssapi_auth - - id: 4.1.3.14 - title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + - id: 5.1.12 + title: Ensure sshd HostbasedAuthentication is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - disable_host_auth + + - id: 5.1.13 + title: Ensure sshd IgnoreRhosts is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_rhosts + + - id: 5.1.14 + title: Ensure sshd LoginGraceTime is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + + - id: 5.1.15 + title: Ensure sshd LogLevel is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The CIS benchmark is not opinionated about which loglevel is selected here. Here, this + profile uses VERBOSE by default, as it allows for the capture of login and logout activity + as well as key fingerprints. 
+ rules: + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info + + - id: 5.1.16 + title: Ensure sshd MaxAuthTries is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + - id: 5.1.17 + title: Ensure sshd MaxStartups is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + + - id: 5.1.18 + title: Ensure sshd MaxSessions is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + + - id: 5.1.19 + title: Ensure sshd PermitEmptyPasswords is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_empty_passwords + + - id: 5.1.20 + title: Ensure sshd PermitRootLogin is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_root_login + + - id: 5.1.21 + title: Ensure sshd PermitUserEnvironment is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_do_not_permit_user_env + + - id: 5.1.22 + title: Ensure sshd UsePAM is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_enable_pam + + - id: 5.2.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_sudo_installed + + - id: 5.2.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_add_use_pty + + - id: 5.2.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_custom_logfile + + - id: 5.2.4 + title: Ensure users must provide password for escalation (Automated) levels: - 
l2_server - l2_workstation status: automated rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share + - sudo_require_authentication + + - id: 5.2.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.2.6 + title: Ensure sudo authentication timeout is configured correctly (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.2.7 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. + rules: + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty + + - id: 5.3.1.1 + title: Ensure latest version of pam is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure PAM package is updated. + + - id: 5.3.1.2 + title: Ensure latest version of authselect is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure authselect package is updated. + + - id: 5.3.1.3 + title: Ensure latest version of libpwquality is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure libpwquality package is updated. 
+ rules: + - package_pam_pwquality_installed + + - id: 5.3.2.1 + title: Ensure active authselect profile includes pam modules (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + This requirement is hard to be automated without any specific requirement. The policy even + states that provided commands are examples, other custom settings might be in place and the + settings might be different depending on site policies. The other rules will already make + sure there is a correct autheselect profile regardless of the existing settings. It is + necessary to better discuss with CIS Community. + related_rules: + - no_empty_passwords + + - id: 5.3.2.2 + title: Ensure pam_faillock module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.3.3.1. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + + - id: 5.3.2.3 + title: Ensure pam_pwquality module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.3.3.2. + related_rules: + - package_pam_pwquality_installed + + - id: 5.3.2.4 + title: Ensure pam_pwhistory module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The module is properly enabled by the rules mentioned in related_rules. + Requirements in 5.3.3.3 use these rules. + related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + + - id: 5.3.2.5 + title: Ensure pam_unix module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + This module is always present by default. It is necessary to investigate if a new rule to + check its existence needs to be created. 
But so far the rule no_empty_passwords, used in + 5.3.3.4 can ensure this requirement is attended. + related_rules: + - no_empty_passwords + + - id: 5.3.3.1.1 + title: Ensure password failed attempts lockout is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=5 - - id: 4.1.3.15 - title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) + - id: 5.3.3.1.2 + title: Ensure password unlock time is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated + notes: |- + The policy also accepts value 0, which means the locked accounts should be manually unlocked + by an administrator. However, it also mentions that using value 0 can facilitate a DoS + attack to legitimate users. rules: - - audit_rules_execution_chcon + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 4.1.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + - id: 5.3.3.1.3 + title: Ensure password failed attempts lockout includes root account (Automated) levels: - l2_server - l2_workstation status: automated rules: - - audit_rules_execution_setfacl + - accounts_passwords_pam_faillock_deny_root - - id: 4.1.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + - id: 5.3.3.2.1 + title: Ensure password number of changed characters is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_execution_chacl + - accounts_password_pam_difok + - var_password_pam_difok=2 - - id: 4.1.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + - id: 5.3.3.2.2 + title: Ensure password 
length is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_privileged_commands_usermod + - accounts_password_pam_minlen + - var_password_pam_minlen=14 - - id: 4.1.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 5.3.3.2.3 + title: Ensure password complexity is configured (Manual) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated + notes: |- + This requirement is expected to be manual. However, in previous versions of the policy + it was already automated the configuration of "minclass" option. This posture was kept for + RHEL 9 in this new version. Rules related to other options are informed in related_rules. + In short, minclass=4 alone can achieve the same result achieved by the combination of the + other 4 options mentioned in the policy. rules: - - audit_rules_kernel_module_loading_create - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_query - - audit_rules_privileged_commands_kmod + - accounts_password_pam_minclass + - var_password_pam_minclass=4 + related_rules: + - accounts_password_pam_dcredit + - accounts_password_pam_lcredit + - accounts_password_pam_ocredit + - accounts_password_pam_ucredit - - id: 4.1.3.20 - title: Ensure the audit configuration is immutable (Automated) + - id: 5.3.3.2.4 + title: Ensure password same consecutive characters is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_immutable + - accounts_password_pam_maxrepeat + - var_password_pam_maxrepeat=3 - - id: 4.1.3.21 - title: Ensure the running and on disk configuration is the same (Manual) + - id: 5.3.3.2.5 + title: Ensure password maximum sequential characters is configured (Automated) levels: 
- - l2_server - - l2_workstation - status: manual + - l1_server + - l1_workstation + status: planned + notes: |- + A new templated rule and variable are necessary for the maxsequence option. - - id: 4.1.4.1 - title: Ensure audit log files are mode 0640 or less permissive (Automated) + - id: 5.3.3.2.6 + title: Ensure password dictionary check is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_var_log_audit + - accounts_password_pam_dictcheck + - var_password_pam_dictcheck=1 - - id: 4.1.4.2 - title: Ensure only authorized users own audit log files (Automated) + - id: 5.3.3.2.7 + title: Ensure password quality is enforced for the root user (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - file_ownership_var_log_audit_stig + - accounts_password_pam_enforce_root - - id: 4.1.4.3 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 5.3.3.3.1 + title: Ensure password history remember is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated + notes: |- + Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure + retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry + can be used. 
rules:
- - file_group_ownership_var_log_audit
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=requisite_or_required
+ - var_password_pam_remember=24
+ related_rules:
+ - accounts_password_pam_retry
- - id: 4.1.4.4
- title: Ensure the audit log directory is 0750 or more restrictive (Automated)
+ - id: 5.3.3.3.2
+ title: Ensure password history is enforced for the root user (Automated)
levels:
- - l2_server
- - l2_workstation
- status: automated
- rules:
- - directory_permissions_var_log_audit
+ - l1_server
+ - l1_workstation
+ status: planned
+ notes: |-
+ A new rule needs to be created to check and remediate the enforce_for_root option in
+ /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference.
- - id: 4.1.4.5
- title: Ensure audit configuration files are 640 or more restrictive (Automated)
+ - id: 5.3.3.3.3
+ title: Ensure pam_pwhistory includes use_authtok (Automated)
levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ In RHEL 9 pam_pwhistory is enabled via authselect feature, as required in 5.3.2.4. The
+ feature automatically set "use_authok" option. In any case, we don't have a rule to check
+ this option specifically.
+ related_rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+
+ - id: 5.3.3.4.1
+ title: Ensure pam_unix does not include nullok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
status: automated
+ notes: |-
+ The rule more specifically used in this requirement also satify the requirement 5.3.2.5.
rules:
- - file_permissions_audit_configuration
+ - no_empty_passwords
- - id: 4.1.4.6
- title: Ensure audit configuration files are owned by root (Automated)
+ - id: 5.3.3.4.2
+ title: Ensure pam_unix does not include remember (Automated)
levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ Usage of pam_unix.so module together with "remember" option is deprecated and is not
+ recommened by this policy. Instead, it should be used remember option of pam_pwhistory
+ module, as required in 5.3.3.3.1. See here for more details about pam_unix.so:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+ A new rule needs to be created to remove the remember option from pam_unix module.
+
+ - id: 5.3.3.4.3
+ title: Ensure pam_unix includes a strong password hashing algorithm (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
status: automated
+ notes: |-
+ Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4
rules:
- - file_ownership_audit_configuration
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_passwordauth
- - id: 4.1.4.7
- title: Ensure audit configuration files belong to group root (Automated)
+ - id: 5.3.3.4.4
+ title: Ensure pam_unix includes use_authtok (Automated)
levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ In RHEL 9 pam_unix is enabled by default in all authselect profiles already with the
+ use_authtok option set. In any case, we don't have a rule to check this option specifically,
+ like in 5.3.3.3.3.
+
+ - id: 5.4.1.1
+ title: Ensure password expiration is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
status: automated
rules:
- - file_groupownership_audit_configuration
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
- - id: 4.1.4.8
- title: Ensure audit tools are 755 or more restrictive (Automated)
+ - id: 5.4.1.2
+ title: Ensure minimum password days is configured (Automated)
levels:
- l2_server
- l2_workstation
status: automated
rules:
- - file_permissions_audit_binaries
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=1
+ - accounts_password_set_min_life_existing
- - id: 4.1.4.9
- title: Ensure audit tools are owned by root (Automated)
+ - id: 5.4.1.3
+ title: Ensure password expiration warning days is configured (Automated)
levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
status: automated
rules:
- - file_ownership_audit_binaries
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_set_warn_age_existing
- - id: 4.1.4.10
- title: Ensure audit tools belong to group root (Automated)
+ - id: 5.4.1.4
+ title: Ensure strong password hashing algorithm is configured (Automated)
levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
status: automated
rules:
- - file_groupownership_audit_binaries
+ - set_password_hashing_algorithm_libuserconf
+ - set_password_hashing_algorithm_logindefs
+ - var_password_hashing_algorithm=SHA512
- - id: 4.2.1.1
- title: Ensure rsyslog is installed (Automated)
+ - id: 5.4.1.5
+ title: Ensure inactive password lock is configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - package_rsyslog_installed
+ - account_disable_post_pw_expiration
+ - accounts_set_post_pw_existing
+ - var_account_disable_post_pw_expiration=45
- - id: 4.2.1.2
- title: Ensure rsyslog Service is enabled
(Automated)
+ - id: 5.4.1.6
+ title: Ensure all users last password change date is in the past (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - service_rsyslog_enabled
+ - accounts_password_last_change_is_in_past
- - id: 4.2.1.3
- title: Ensure journald is configured to send logs to rsyslog (Automated)
+ - id: 5.4.2.1
+ title: Ensure root is the only UID 0 account (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - journald_forward_to_syslog
+ - accounts_no_uid_except_zero
- - id: 4.2.1.4
- title: Ensure rsyslog default file permissions configured (Automated)
+ - id: 5.4.2.2
+ title: Ensure root is the only GID 0 account (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
+ status: partial
+ notes: |-
+ The rule confirms the primary group for root, but doesn't check if any other user are also
+ using GID 0. New rule is necessary.
+ There is assessment but no automated remediation for this rule and this sounds reasonable.
rules:
- - rsyslog_filecreatemode
+ - accounts_root_gid_zero
- - id: 4.2.1.5
- title: Ensure logging is configured (Manual)
+ - id: 5.4.2.3
+ title: Ensure group root is the only GID 0 group (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: pending
+ notes: |-
+ Introduced in CIS RHEL9 v2.0.0.
+ New rule is necessary.
- - id: 4.2.1.6
- title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
+ - id: 5.4.2.4
+ title: Ensure root account access is controlled (Automated)
levels:
- l1_server
- l1_workstation
status: automated
- related_rules:
- - rsyslog_remote_loghost
+ rules:
+ - ensure_root_password_configured
- - id: 4.2.1.7
- title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated)
+ - id: 5.4.2.5
+ title: Ensure root path integrity (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - rsyslog_nolisten
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
- - id: 4.2.2.1.1
- title: Ensure systemd-journal-remote is installed (Manual)
+ - id: 5.4.2.6
+ title: Ensure root user umask is configured (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: pending
+ notes: |-
+ There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have
+ to be created. It can be based on accounts_umask_interactive_users.
- - id: 4.2.2.1.2
- title: Ensure systemd-journal-remote is configured (Manual)
+ - id: 5.4.2.7
+ title: Ensure system accounts do not have a valid login shell (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: automated
+ rules:
+ - no_password_auth_for_systemaccounts
+ - no_shelllogin_for_systemaccounts
- - id: 4.2.2.1.3
- title: Ensure systemd-journal-remote is enabled (Manual)
+ - id: 5.4.2.8
+ title: Ensure accounts without a valid login shell are locked (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: pending
+ notes: |-
+ Introduced in CIS RHEL9 v2.0.0.
+ New rule is necessary.
+
+ - id: 5.4.3.1
+ title: Ensure nologin is not listed in /etc/shells (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: pending
+ notes: |-
+ It is necessary to create a new rule to check and remove nologin from /etc/shells.
+ The no_tmux_in_shells rule can be used as referece.
- - id: 4.2.2.1.4
- title: Ensure journald is not configured to recieve logs from a remote client (Automated)
+ - id: 5.4.3.2
+ title: Ensure default user shell timeout is configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - socket_systemd-journal-remote_disabled
+ - accounts_tmout
+ - var_accounts_tmout=15_min
- - id: 4.2.2.2
- title: Ensure journald service is enabled (Automated)
+ - id: 5.4.3.3
+ title: Ensure default user umask is configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - service_systemd-journald_enabled
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
- - id: 4.2.2.3
- title: Ensure journald is configured to compress large log files (Automated)
+ - id: 6.1.1
+ title: Ensure AIDE is installed (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - journald_compress
+ - package_aide_installed
+ - aide_build_database
- - id: 4.2.2.4
- title: Ensure journald is configured to write logfiles to persistent disk (Automated)
+ - id: 6.1.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - journald_storage
+ - aide_periodic_cron_checking
- - id: 4.2.2.5
- title: Ensure journald is not configured to send logs to rsyslog (Manual)
+ - id: 6.1.3
+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: automated
+ rules:
+ - aide_check_audit_tools
+ related_rules:
+ - aide_use_fips_hashes
- - id: 4.2.2.6
- title: Ensure journald log rotation is configured per site policy (Manual)
+ - id: 6.2.1.1
+ title: Ensure journald service is enabled and active (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
+ status: automated
+ rules:
+ - service_systemd-journald_enabled
- - id: 4.2.2.7
- title:
Ensure journald default file permissions configured (Manual)
+ - id: 6.2.1.2
+ title: Ensure journald log file access is configured (Manual)
levels:
- l1_server
- l1_workstation
status: manual
- - id: 4.2.3
- title: Ensure all logfiles have appropriate permissions and ownership (Automated)
+ - id: 6.2.1.3
+ title: Ensure journald log file rotation is configured (Manual)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - rsyslog_files_groupownership
- - rsyslog_files_ownership
- - rsyslog_files_permissions
+ status: manual
- - id: 4.3
- title: Ensure logrotate is configured (Manual)
+ - id: 6.2.1.4
+ title: Ensure only one logging system is in use (Automated)
levels:
- l1_server
- l1_workstation
- status: manual
- related_rules:
- - ensure_logrotate_activated
- - package_logrotate_installed
- - timer_logrotate_enabled
+ status: pending
+ notes: |-
+ It is necessary to create a new rule to check the status of journald and rsyslog.
+ It would also be necessary a new rule to disable or remove rsyslog.
- - id: 5.1.1
- title: Ensure cron daemon is enabled (Automated)
+ - id: 6.2.2.1.1
+ title: Ensure systemd-journal-remote is installed (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - service_crond_enabled
+ - package_systemd-journal-remote_installed
- - id: 5.1.2
- title: Ensure permissions on /etc/crontab are configured (Automated)
+ - id: 6.2.2.1.2
+ title: Ensure systemd-journal-upload authentication is configured (Manual)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_groupowner_crontab
- - file_owner_crontab
- - file_permissions_crontab
+ status: manual
- - id: 5.1.3
- title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+ - id: 6.2.2.1.3
+ title: Ensure systemd-journal-upload is enabled and active (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_hourly
- - file_owner_cron_hourly
- - file_permissions_cron_hourly
+ status: pending
+ notes: |-
+ Introduced in CIS RHEL9 v2.0.0.
+ New templated rule is necessary.
- - id: 5.1.4
- title: Ensure permissions on /etc/cron.daily are configured (Automated)
+ - id: 6.2.2.1.4
+ title: Ensure systemd-journal-remote service is not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - file_groupowner_cron_daily
- - file_owner_cron_daily
- - file_permissions_cron_daily
+ - socket_systemd-journal-remote_disabled
- - id: 5.1.5
- title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+ - id: 6.2.2.2
+ title: Ensure journald ForwardToSyslog is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ This rule conflicts with 6.2.3.3. More investigation is needed to properly solve this.
+ related_rules:
+ - journald_forward_to_syslog
+
+ - id: 6.2.2.3
+ title: Ensure journald Compress is configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - file_groupowner_cron_weekly
- - file_owner_cron_weekly
- - file_permissions_cron_weekly
+ - journald_compress
- - id: 5.1.6
- title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+ - id: 6.2.2.4
+ title: Ensure journald Storage is configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - file_groupowner_cron_monthly
- - file_owner_cron_monthly
- - file_permissions_cron_monthly
+ - journald_storage
- - id: 5.1.7
- title: Ensure permissions on /etc/cron.d are configured (Automated)
+ - id: 6.2.3.1
+ title: Ensure rsyslog is installed (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_groupowner_cron_d
- - file_owner_cron_d
- - file_permissions_cron_d
+ status: supported
+ related_rules:
+ - package_rsyslog_installed
- - id: 5.1.8
- title: Ensure cron is restricted to authorized users (Automated)
+ - id: 6.2.3.2
+ title: Ensure rsyslog service is enabled and active (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_cron_deny_not_exist
- - file_cron_allow_exists
- - file_groupowner_cron_allow
- - file_owner_cron_allow
- - file_permissions_cron_allow
+ status: supported
+ related_rules:
+ - service_rsyslog_enabled
- - id: 5.1.9
- title: Ensure at is restricted to authorized users (Automated)
+ - id: 6.2.3.3
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_at_deny_not_exist
- - file_groupowner_at_allow
- - file_owner_at_allow
- - file_permissions_at_allow
+ status: supported
+ related_rules:
+ - journald_forward_to_syslog
- - id: 5.2.1
- title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+ - id: 6.2.3.4
+ title: Ensure rsyslog log file
creation mode is configured (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_groupowner_sshd_config
- - file_owner_sshd_config
- - file_permissions_sshd_config
+ status: supported
+ related_rules:
+ - rsyslog_filecreatemode
- - id: 5.2.2
- title: Ensure permissions on SSH private host key files are configured (Automated)
+ - id: 6.2.3.5
+ title: Ensure rsyslog logging is configured (Manual)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_permissions_sshd_private_key
- - file_ownership_sshd_private_key
- - file_groupownership_sshd_private_key
+ status: manual
- - id: 5.2.3
- title: Ensure permissions on SSH public host key files are configured (Automated)
+ - id: 6.2.3.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - file_permissions_sshd_pub_key
- - file_ownership_sshd_pub_key
- - file_groupownership_sshd_pub_key
+ status: manual
+ related_rules:
+ - rsyslog_remote_loghost
- - id: 5.2.4
- title: Ensure SSH access is limited (Automated)
+ - id: 6.2.3.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
- - sshd_limit_user_access
+ status: supported
+ related_rules:
+ - rsyslog_nolisten
- - id: 5.2.5
- title: Ensure SSH LogLevel is appropriate (Automated)
+ - id: 6.2.3.8
+ title: Ensure rsyslog logrotate is configured (Manual)
levels:
- l1_server
- l1_workstation
- status: automated
- # The CIS benchmark is not opinionated about which loglevel is selected
- # here. Here, this profile uses VERBOSE by default, as it allows for
- # the capture of login and logout activity as well as key fingerprints.
- rules:
- - sshd_set_loglevel_verbose
+ status: manual
related_rules:
- - sshd_set_loglevel_info
+ - ensure_logrotate_activated
+ - package_logrotate_installed
+ - timer_logrotate_enabled
- - id: 5.2.6
- title: Ensure SSH PAM is enabled (Automated)
+ - id: 6.2.4.1
+ title: Ensure access to all logfiles has been configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
+ notes: |-
+ It is not harmful to run these rules even if rsyslog is not installed or active.
rules:
- - sshd_enable_pam
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
- - id: 5.2.7
- title: Ensure SSH root login is disabled (Automated)
+ - id: 6.3.1.1
+ title: Ensure auditd packages are installed (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_disable_root_login
+ - package_audit_installed
+ - package_audit-libs_installed
- - id: 5.2.8
- title: Ensure SSH HostbasedAuthentication is disabled (Automated)
+ - id: 6.3.1.2
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - disable_host_auth
+ - grub2_audit_argument
- - id: 5.2.9
- title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
+ - id: 6.3.1.3
+ title: Ensure audit_backlog_limit is sufficient (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_disable_empty_passwords
+ - grub2_audit_backlog_limit_argument
- - id: 5.2.10
- title: Ensure SSH PermitUserEnvironment is disabled (Automated)
+ - id: 6.3.1.4
+ title: Ensure auditd service is enabled and active (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_do_not_permit_user_env
+ - service_auditd_enabled
- - id: 5.2.11
- title: Ensure SSH IgnoreRhosts is enabled (Automated)
+ - id:
6.3.2.1
+ title: Ensure audit log storage size is configured (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_disable_rhosts
+ - auditd_data_retention_max_log_file
+ - var_auditd_max_log_file=6
- - id: 5.2.12
- title: Ensure SSH X11 forwarding is disabled (Automated)
+ - id: 6.3.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
levels:
- l2_server
- - l1_workstation
+ - l2_workstation
status: automated
rules:
- - sshd_disable_x11_forwarding
+ - auditd_data_retention_max_log_file_action
+ - var_auditd_max_log_file_action=keep_logs
- - id: 5.2.13
- title: Ensure SSH AllowTcpForwarding is disabled (Automated)
+ - id: 6.3.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
levels:
- l2_server
- l2_workstation
status: automated
rules:
- - sshd_disable_tcp_forwarding
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+ - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_disk_full_action=cis_rhel9
- - id: 5.2.14
- title: Ensure system-wide crypto policy is not over-ridden (Automated)
+ - id: 6.3.2.4
+ title: Ensure system warns when audit logs are low on space (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - configure_ssh_crypto_policy
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_space_left_action=cis_rhel9
- - id: 5.2.15
- title: Ensure SSH warning banner is configured (Automated)
+ - id: 6.3.3.1
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_enable_warning_banner_net
- related_rules:
- - sshd_enable_warning_banner
+ -
audit_rules_sysadmin_actions
- - id: 5.2.16
- title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+ - id: 6.3.3.2
+ title: Ensure actions as another user are always logged (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_max_auth_tries_value=4
- - sshd_set_max_auth_tries
+ - audit_rules_suid_auid_privilege_function
- - id: 5.2.17
- title: Ensure SSH MaxStartups is configured (Automated)
+ - id: 6.3.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_set_maxstartups
- - var_sshd_set_maxstartups=10:30:60
+ - audit_sudo_log_events
- - id: 5.2.18
- title: Ensure SSH MaxSessions is set to 10 or less (Automated)
+ - id: 6.3.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_set_max_sessions
- - var_sshd_max_sessions=10
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ related_rules:
+ - audit_rules_time_stime
- - id: 5.2.19
- title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+ - id: 6.3.3.5
+ title: Ensure events that modify the system's network environment are collected (Automated)
levels:
- - l1_server
- - l1_workstation
- status: automated
+ - l2_server
+ - l2_workstation
+ status: partial
+ notes: |-
+ These rules are not covering "/etc/hostname" and "/etc/NetworkManager/".
rules:
- - sshd_set_login_grace_time
- - var_sshd_set_login_grace_time=60
+ - audit_rules_networkconfig_modification
+ - audit_rules_networkconfig_modification_network_scripts
- - id: 5.2.20
- title: Ensure SSH Idle Timeout Interval is configured (Automated)
+ - id: 6.3.3.6
+ title: Ensure use of privileged commands are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sshd_idle_timeout_value=15_minutes
- - sshd_set_idle_timeout
- - sshd_set_keepalive
- - var_sshd_set_keepalive=1
+ - audit_rules_privileged_commands
- - id: 5.3.1
- title: Ensure sudo is installed (Automated)
+ - id: 6.3.3.7
+ title: Ensure unsuccessful file access attempts are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - package_sudo_installed
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
- - id: 5.3.2
- title: Ensure sudo commands use pty (Automated)
+ - id: 6.3.3.8
+ title: Ensure events that modify user/group information are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
+ status: partial
+ notes: |-
+ Missing rules to check "/etc/nsswitch.conf", "/etc/pam.conf" and "/etc/pam.d"
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+
+ - id: 6.3.3.9
+ title: Ensure discretionary access control permission modification events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sudo_add_use_pty
+ - audit_rules_dac_modification_chmod
+ -
audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
- - id: 5.3.3
- title: Ensure sudo log file exists (Automated)
+ - id: 6.3.3.10
+ title: Ensure successful file system mounts are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sudo_custom_logfile
+ - audit_rules_media_export
- - id: 5.3.4
- title: Ensure users must provide password for escalation (Automated)
+ - id: 6.3.3.11
+ title: Ensure session initiation information is collected (Automated)
levels:
- l2_server
- l2_workstation
status: automated
rules:
- - sudo_require_authentication
+ - audit_rules_session_events
- - id: 5.3.5
- title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+ - id: 6.3.3.12
+ title: Ensure login and logout events are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sudo_require_reauthentication
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - var_accounts_passwords_pam_faillock_dir=run
- - id: 5.3.6
- title: Ensure sudo authentication timeout is configured correctly (Automated)
+ - id: 6.3.3.13
+ title: Ensure file deletion events by users are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - sudo_require_reauthentication
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ -
audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
- - id: 5.3.7
- title: Ensure access to the su command is restricted (Automated)
+ - id: 6.3.3.14
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
- notes: |-
- Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
- pam_wheel.so module. The recommendation states the group should be empty to reinforce the
- use of "sudo" for privileged access. Therefore, members of these groups should be manually
- checked or a different group should be informed.
rules:
- - var_pam_wheel_group_for_su=cis
- - use_pam_wheel_group_for_su
- - ensure_pam_wheel_group_empty
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
- - id: 5.4.1
- title: Ensure custom authselect profile is used (Manual)
+ - id: 6.3.3.15
+ title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
levels:
- - l1_server
- - l1_workstation
- status: manual
+ - l2_server
+ - l2_workstation
+ status: automated
rules:
- - no_empty_passwords
+ - audit_rules_execution_chcon
- - id: 5.4.2
- title: Ensure authselect includes with-faillock (Automated)
+ - id: 6.3.3.16
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
- notes: |-
- This requirement is also indirectly satisfied by the requirement 5.5.2.
rules:
- - account_password_pam_faillock_password_auth
- - account_password_pam_faillock_system_auth
+ - audit_rules_execution_setfacl
- - id: 5.5.1
- title: Ensure password creation requirements are configured (Automated)
+ - id: 6.3.3.17
+ title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
- notes: |-
- The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so
- module. However, the pam_pwquality.so module, by default, is always the first module from in
- the PAM password stack. Therefore, the option is useless and not necessary. It was already
- proposed to update the requirement in the next CIS version.
rules:
- - accounts_password_pam_minclass
- - accounts_password_pam_minlen
- - accounts_password_pam_retry
- - var_password_pam_minclass=4
- - var_password_pam_minlen=14
+ - audit_rules_execution_chacl
- - id: 5.5.2
- title: Ensure lockout for failed password attempts is configured (Automated)
+ - id: 6.3.3.18
+ title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - accounts_passwords_pam_faillock_deny
- - var_accounts_passwords_pam_faillock_deny=3
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_unlock_time=900
+ - audit_rules_privileged_commands_usermod
- - id: 5.5.3
- title: Ensure password reuse is limited (Automated)
+ - id: 6.3.3.19
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
- notes: |-
- Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation.
- See here for more details about pam_unix.so:
- https://bugzilla.redhat.com/show_bug.cgi?id=1778929
rules:
- - accounts_password_pam_pwhistory_remember_password_auth
- - accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite_or_required
- - var_password_pam_remember=5
+ - audit_rules_kernel_module_loading_create
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_query
+ - audit_rules_privileged_commands_kmod
- - id: 5.5.4
- title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated)
+ - id: 6.3.3.20
+ title: Ensure the audit configuration is immutable (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - set_password_hashing_algorithm_systemauth
- - set_password_hashing_algorithm_passwordauth
- - set_password_hashing_algorithm_logindefs
- - var_password_hashing_algorithm=SHA512
+ - audit_rules_immutable
- - id: 5.6.1.1
- title: Ensure password expiration is 365 days or less (Automated)
+ - id: 6.3.3.21
+ title: Ensure the running and on disk configuration is the same (Manual)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
+ status: manual
+
+ - id: 6.3.4.1
+ title: Ensure the audit log file directory mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - accounts_maximum_age_login_defs
- - var_accounts_maximum_age_login_defs=365
- - accounts_password_set_max_life_existing
+ - directory_permissions_var_log_audit
- - id: 5.6.1.2
- title: Ensure minimum days between password changes is configured (Automated)
+ - id: 6.3.4.2
+ title: Ensure audit log files mode is configured (Automated)
levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
status: automated
rules:
- - accounts_minimum_age_login_defs
- -
var_accounts_minimum_age_login_defs=1 - - accounts_password_set_min_life_existing + - file_permissions_var_log_audit - - id: 5.6.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 6.3.4.3 + title: Ensure audit log files owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - accounts_password_set_warn_age_existing + - file_ownership_var_log_audit_stig - - id: 5.6.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 6.3.4.4 + title: Ensure audit log files group owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=30 - - accounts_set_post_pw_existing + - file_group_ownership_var_log_audit - - id: 5.6.1.5 - title: Ensure all users last password change date is in the past (Automated) + - id: 6.3.4.5 + title: Ensure audit configuration files mode is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_last_change_is_in_past + - file_permissions_audit_configuration - - id: 5.6.2 - title: Ensure system accounts are secured (Automated) + - id: 6.3.4.6 + title: Ensure audit configuration files owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts + - file_ownership_audit_configuration - - id: 5.6.3 - title: Ensure default user shell timeout is 900 seconds or less (Automated) + - id: 6.3.4.7 + title: Ensure audit configuration files group owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation 
status: automated rules: - - accounts_tmout - - var_accounts_tmout=15_min + - file_groupownership_audit_configuration - - id: 5.6.4 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 6.3.4.8 + title: Ensure audit tools mode is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_root_gid_zero + - file_permissions_audit_binaries - - id: 5.6.5 - title: Ensure default user umask is 027 or more restrictive (Automated) + - id: 6.3.4.9 + title: Ensure audit tools owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 + - file_ownership_audit_binaries - - id: 5.6.6 - title: Ensure root password is set (Automated) + - id: 6.3.4.10 + title: Ensure audit tools group owner is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - ensure_root_password_configured - - no_empty_passwords_etc_shadow + - file_groupownership_audit_binaries - - id: 6.1.1 + - id: 7.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) levels: - l1_server @@ -2284,7 +2880,7 @@ controls: - file_owner_etc_passwd - file_permissions_etc_passwd - - id: 6.1.2 + - id: 7.1.2 title: Ensure permissions on /etc/passwd- are configured (Automated) levels: - l1_server @@ -2295,7 +2891,7 @@ controls: - file_owner_backup_etc_passwd - file_permissions_backup_etc_passwd - - id: 6.1.3 + - id: 7.1.3 title: Ensure permissions on /etc/group are configured (Automated) levels: - l1_server @@ -2306,7 +2902,7 @@ controls: - file_owner_etc_group - file_permissions_etc_group - - id: 6.1.4 + - id: 7.1.4 title: Ensure permissions on /etc/group- are configured (Automated) levels: - l1_server 
@@ -2317,7 +2913,7 @@ controls: - file_owner_backup_etc_group - file_permissions_backup_etc_group - - id: 6.1.5 + - id: 7.1.5 title: Ensure permissions on /etc/shadow are configured (Automated) levels: - l1_server @@ -2328,7 +2924,7 @@ controls: - file_groupowner_etc_shadow - file_permissions_etc_shadow - - id: 6.1.6 + - id: 7.1.6 title: Ensure permissions on /etc/shadow- are configured (Automated) levels: - l1_server @@ -2339,7 +2935,7 @@ controls: - file_owner_backup_etc_shadow - file_permissions_backup_etc_shadow - - id: 6.1.7 + - id: 7.1.7 title: Ensure permissions on /etc/gshadow are configured (Automated) levels: - l1_server @@ -2350,7 +2946,7 @@ controls: - file_owner_etc_gshadow - file_permissions_etc_gshadow - - id: 6.1.8 + - id: 7.1.8 title: Ensure permissions on /etc/gshadow- are configured (Automated) levels: - l1_server 
@@ -2361,61 +2957,59 @@ controls: - file_owner_backup_etc_gshadow - file_permissions_backup_etc_gshadow - - id: 6.1.9 - title: Ensure no world writable files exist (Automated) + - id: 7.1.9 + title: Ensure permissions on /etc/shells are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_unauthorized_world_writable + - file_groupowner_etc_shells + - file_owner_etc_shells + - file_permissions_etc_shells - - id: 6.1.10 - title: Ensure no unowned files or directories exist (Automated) + - id: 7.1.10 + title: Ensure permissions on /etc/security/opasswd are configured (Automated) levels: - - l1_server - - l1_workstation - status: automated + - l1_server + - l1_workstation + status: partial rules: - - no_files_unowned_by_user + # TODO: We need another rule that checks /etc/security/opasswd.old + - file_etc_security_opasswd - - id: 6.1.11 - title: Ensure no ungrouped files or directories exist (Automated) + - id: 7.1.11 + title: Ensure world writable files and directories are secured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_ungroupowned + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits - - id: 6.1.12 - title: Ensure sticky bit is set on all world-writable directories (Automated) + - id: 7.1.12 + title: Ensure no files or directories without an owner and a group exist (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial rules: - - dir_perms_world_writable_sticky_bits + # TODO: add rules for unowned/ungrouped directories + - no_files_unowned_by_user + - file_permissions_ungroupowned - - id: 6.1.13 - title: Audit SUID executables (Manual) + - id: 7.1.13 + title: Ensure SUID and SGID files are reviewed (Manual) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: manual related_rules: - 
file_permissions_unauthorized_suid - - - id: 6.1.14 - title: Audit SGID executables (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - file_permissions_unauthorized_sgid - - id: 6.1.15 + - id: 7.1.14 title: Audit system file permissions (Manual) levels: - l2_server @@ -2425,7 +3019,7 @@ controls: - rpm_verify_permissions - rpm_verify_ownership - - id: 6.2.1 + - id: 7.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: - l1_server @@ -2434,7 +3028,7 @@ controls: rules: - accounts_password_all_shadowed - - id: 6.2.2 + - id: 7.2.2 title: Ensure /etc/shadow password fields are not empty (Automated) levels: - l1_server @@ -2443,7 +3037,7 @@ controls: rules: - no_empty_passwords_etc_shadow - - id: 6.2.3 + - id: 7.2.3 title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) levels: - l1_server @@ -2452,7 +3046,7 @@ controls: rules: - gid_passwd_group_same - - id: 6.2.4 + - id: 7.2.4 title: Ensure no duplicate UIDs exist (Automated) levels: - l1_server @@ -2461,7 +3055,7 @@ controls: rules: - account_unique_id - - id: 6.2.5 + - id: 7.2.5 title: Ensure no duplicate GIDs exist (Automated) levels: - l1_server @@ -2470,7 +3064,7 @@ controls: rules: - group_unique_id - - id: 6.2.6 + - id: 7.2.6 title: Ensure no duplicate user names exist (Automated) levels: - l1_server @@ -2479,7 +3073,7 @@ controls: rules: - account_unique_name - - id: 6.2.7 + - id: 7.2.7 title: Ensure no duplicate group names exist (Automated) levels: - l1_server 
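Review bot: The coverage gaps behind `status: partial` for 7.1.10 and 7.1.12 are recorded as `# TODO` comments inside the `rules:` sequence, which the YAML loader discards, so the reason the control is only partially covered never reaches the rendered control documentation. This file already uses a `notes: |-` field for exactly this (the 7.2.9 entry later in the same diff), so the two comments should move there, e.g. for 7.1.10 `notes: |-` followed by `Missing a rule that checks /etc/security/opasswd.old.`, and for 7.1.12 `Missing rules for unowned and ungrouped directories.`. Keeping `status: partial` on both until those rules exist is the right call.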
@@ -2488,86 +3082,35 @@ controls: rules: - group_unique_name - - id: 6.2.8 - title: Ensure root PATH Integrity (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_path_dirs_no_write - - root_path_no_dot - - - id: 6.2.9 - title: Ensure root is the only UID 0 account (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_no_uid_except_zero - - - id: 6.2.10 - title: Ensure local interactive user home directories exist (Automated) + - id: 7.2.8 + title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - accounts_user_interactive_home_directory_exists - - - id: 6.2.11 - title: Ensure local interactive users own their home directories (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_ownership_home_directories - - file_groupownership_home_directories - - - id: 6.2.12 - title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_permissions_home_directories + related_rules: + - file_groupownership_home_directories - - id: 6.2.13 - title: Ensure no local interactive user has .netrc files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_netrc_files - - - id: 6.2.14 - title: Ensure no local interactive user has .forward files (Automated) + - id: 7.2.9 + title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server - l1_workstation - status: automated + notes: |- + Missing a rule to check that .bash_history is mode 0600 or more restrictive. 
+ status: partial rules: + - accounts_user_dot_group_ownership + - accounts_user_dot_user_ownership + - accounts_user_dot_no_world_writable_programs + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles - no_forward_files - - - id: 6.2.15 - title: Ensure no local interactive user has .rhosts files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: The rule also removes /etc/hosts.equiv - rules: + - no_netrc_files - no_rsh_trust_files - - - id: 6.2.16 - title: Ensure local interactive user dot files are not group or world writable (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_user_dot_no_world_writable_programs + related_rules: + - accounts_users_netrc_file_permissions diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var index 1f7a6968a02..fd60e0ce24b 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var @@ -20,3 +20,4 @@ options: ignore: ignore cis_rhel7: single|halt cis_rhel8: single|halt + cis_rhel9: single|halt diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var index 5a20593197a..200609182d4 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var @@ -23,3 +23,4 @@ options: rhel8: syslog|single|halt cis_rhel7: syslog|single|halt cis_rhel8: syslog|single|halt + cis_rhel9: syslog|single|halt 
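Review bot: Controls 6.2.8 (root PATH integrity) and 6.2.9 (root is the only UID 0 account) are deleted in this hunk with no replacement in it, so `accounts_root_path_dirs_no_write`, `root_path_no_dot` and `accounts_no_uid_except_zero` leave the level-1 selection unless they were re-added under a renumbered id elsewhere in the file; the stability profile later in this diff shows `accounts_no_uid_except_zero` dropped from its old list, but the re-sorted new list is cut off, so please confirm. In 7.2.8, `file_groupownership_home_directories` moves from `rules` to `related_rules`, which silently stops evaluating home-directory group ownership while the control stays `status: automated`; if v2.0.0 no longer audits it, a `notes:` line saying so would keep it from being reinstated by mistake. Minor: 7.2.9 places `notes:` before `status:`, whereas the other entries in this file put `status:` first.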
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
index a911ab727b0..5d6f1f423cc 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
@@ -24,3 +24,4 @@ options:
 rhel8: syslog|single|halt
 cis_rhel7: halt|single
 cis_rhel8: syslog|single|halt
+ cis_rhel9: halt|single
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
index 84ccf94caa2..87a744d6e8f 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
@@ -20,3 +20,4 @@ options:
 ignore: ignore
 cis_rhel7: email|exec|single|halt
 cis_rhel8: email|exec|single|halt
+ cis_rhel9: email|exec|single|halt
diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
index ca6080f5fee..2cfa1377ba7 100644
--- a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
+++ b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-86531-1
+ cce@rhel9: CCE-86772-1
 cce@sle12: CCE-92320-1
 cce@sle15: CCE-92478-7
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 2801ac8511f..3ca461e2451 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
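Review bot: `cis_rhel9: halt|single` in var_auditd_disk_full_action.var is narrower than the `cis_rhel8: syslog|single|halt` line directly above it and instead matches `cis_rhel7`, whereas the sibling additions to var_auditd_disk_error_action.var and var_auditd_space_left_action.var copy the RHEL 8 value verbatim. Omitting `syslog` is the stricter choice (with `syslog`, auditd only emits a warning and keeps running without an audit trail once the volume is full), but nothing on the page records that the divergence is deliberate. A comment above the option such as `# cis_rhel9 intentionally omits syslog: the system must stop rather than continue unaudited` would keep a later cleanup from "harmonising" it with cis_rhel8.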
@@ -48,6 +48,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-27295-5
 cce@rhel8: CCE-81032-5
+ cce@rhel9: CCE-86767-1
 cce@sle12: CCE-83181-8
 cce@sle15: CCE-91337-6
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
index a2ffc8f02e1..4b00f39ee86 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-86090-8
 cce@rhel8: CCE-86518-8
+ cce@rhel9: CCE-86768-9
 cce@sle12: CCE-92339-1
 cce@sle15: CCE-92626-1
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index 761fae58ed4..a4621f128b3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-82364-1
 cce@rhel8: CCE-86504-8
+ cce@rhel9: CCE-86769-7
 cce@sle12: CCE-92280-7
 cce@sle15: CCE-91396-2
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 2cad2423cd1..0f5ef88db44 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -17,6 +17,7 @@ options:
 default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_rhel7: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+ cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_sle15: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_ubuntu: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index f281a491620..ac25c735a77 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
@@ -15,6 +15,7 @@ options:
 pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 cis_rhel8: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+ cis_rhel9: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_ubuntu2004: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
index 1caca07a64c..824888a7e99 100644
--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
+++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -14,6 +14,7 @@ options:
 default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
 cis_rhel7: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
+ cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var
index ba64dbd5b17..4b3214d3f8f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var
@@ -14,6 +14,7 @@ options:
 30: 30
 35: 35
 40: 40
+ 45: 45
 60: 60
 90: 90
 default: 35
diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
index 8c0e0261d8d..8d2eea0384e 100644
--- a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
+++ b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-87415-6
 cce@rhel8: CCE-86467-8
+ cce@rhel9: CCE-86760-6
 references:
 cis@ubuntu2204: 4.2.1.1.1
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
index 4906a306f9f..b3766b3e23a 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-27328-4
 cce@rhel8: CCE-87231-7
+ cce@rhel9: CCE-86761-4
 references:
 cis-csc: 11,12,14,15,3,8,9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
index b802e10bd23..3faae884ca3 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-87198-8
 cce@rhel8: CCE-86140-1
+ cce@rhel9: CCE-86762-2
 cce@sle12: CCE-83172-7
 cce@sle15: CCE-85572-6
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
index 56e0f968ef9..0fea3e1753b 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@rhcos4: CCE-82713-9
 cce@rhel7: CCE-80138-1
 cce@rhel8: CCE-86615-2
+ cce@rhel9: CCE-86763-0
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
index b6ff25b1321..388928502c9 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@rhcos4: CCE-82714-7
 cce@rhel7: CCE-80140-7
 cce@rhel8: CCE-86616-0
+ cce@rhel9: CCE-86764-8
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
index 81b1147ad0f..885b14f7400 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@rhcos4: CCE-82715-4
 cce@rhel7: CCE-80141-5
 cce@rhel8: CCE-86617-8
+ cce@rhel9: CCE-86765-5
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
index 34874bb7e2a..2b8c615acd8 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@rhcos4: CCE-82716-2
 cce@rhel7: CCE-80139-9
 cce@rhel8: CCE-86618-6
+ cce@rhel9: CCE-86766-3
 references:
 cis-csc: 11,14,3,9
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile index fc95feca30d..447e34d5eb4 100644 --- a/products/rhel9/profiles/cis.profile +++ b/products/rhel9/profiles/cis.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server' description: |- This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile index 4d4295665eb..914bfa25f0e 100644 --- a/products/rhel9/profiles/cis_server_l1.profile +++ b/products/rhel9/profiles/cis_server_l1.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server' description: |- This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile index 957555d6cff..dca0beca93c 100644 
--- a/products/rhel9/profiles/cis_workstation_l1.profile +++ b/products/rhel9/profiles/cis_workstation_l1.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation' description: |- This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile index 56ddc036082..5f9e92ca63f 100644 --- a/products/rhel9/profiles/cis_workstation_l2.profile +++ b/products/rhel9/profiles/cis_workstation_l2.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation' description: |- This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile index d9b50f7fa35..5ef04a92e96 100644 --- a/products/rhel9/profiles/default.profile +++ b/products/rhel9/profiles/default.profile 
@@ -553,3 +553,5 @@ selections:
 - sebool_polipo_session_users
 - sebool_cluster_manage_all_files
 - configure_firewalld_ports
+ - journald_forward_to_syslog
+ - rsyslog_filecreatemode
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c14232535be..52a83813145 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -244,17 +244,6 @@ CCE-86750-7
 CCE-86751-5
 CCE-86752-3
 CCE-86753-1
-CCE-86760-6
-CCE-86761-4
-CCE-86762-2
-CCE-86763-0
-CCE-86764-8
-CCE-86765-5
-CCE-86766-3
-CCE-86767-1
-CCE-86768-9
-CCE-86769-7
-CCE-86772-1
 CCE-86773-9
 CCE-86774-7
 CCE-86775-4
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index d0eecd81138..ac3f53eaebe 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -1,435 +1,466 @@ description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: -- sysctl_net_ipv4_conf_all_accept_redirects -- auditd_data_retention_max_log_file -- audit_rules_session_events -- sysctl_net_ipv6_conf_all_accept_redirects -- audit_rules_login_events_lastlog -- file_owner_cron_daily -- ensure_root_password_configured -- file_owner_backup_etc_shadow -- package_setroubleshoot_removed -- audit_rules_dac_modification_lsetxattr -- audit_rules_networkconfig_modification -- audit_rules_networkconfig_modification_network_scripts -- sysctl_net_ipv4_conf_default_log_martians -- audit_rules_unsuccessful_file_modification_truncate -- auditd_data_retention_space_left_action -- audit_sudo_log_events -- grub2_audit_backlog_limit_argument -- audit_rules_file_deletion_events_unlinkat -- file_permissions_home_directories -- file_permissions_crontab -- audit_rules_kernel_module_loading_finit -- sudo_require_reauthentication -- file_cron_deny_not_exist -- accounts_no_uid_except_zero -- disable_host_auth -- package_tftp-server_removed -- file_groupowner_backup_etc_gshadow +- account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth - account_unique_id -- file_groupowner_etc_motd -- grub2_password +- account_unique_name - accounts_maximum_age_login_defs -- file_owner_etc_group -- audit_rules_execution_setfacl -- service_crond_enabled -- 
file_permissions_backup_etc_gshadow -- file_owner_crontab -- sysctl_net_ipv4_tcp_syncookies -- file_owner_etc_issue_net -- sshd_set_keepalive -- set_firewalld_default_zone +- accounts_minimum_age_login_defs +- accounts_no_uid_except_zero +- accounts_password_all_shadowed +- accounts_password_last_change_is_in_past +- accounts_password_pam_dictcheck +- accounts_password_pam_difok +- accounts_password_pam_enforce_root +- accounts_password_pam_maxrepeat +- accounts_password_pam_minclass +- accounts_password_pam_minlen +- accounts_password_pam_pwhistory_remember_password_auth +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_password_set_max_life_existing +- accounts_password_set_min_life_existing +- accounts_password_set_warn_age_existing +- accounts_password_warn_age_login_defs +- accounts_passwords_pam_faillock_deny +- accounts_passwords_pam_faillock_deny_root +- accounts_passwords_pam_faillock_unlock_time +- accounts_root_gid_zero +- accounts_root_path_dirs_no_write +- accounts_set_post_pw_existing +- accounts_tmout - accounts_umask_etc_bashrc -- mount_option_var_log_audit_nodev -- service_auditd_enabled -- file_permissions_grub2_cfg +- accounts_umask_etc_login_defs +- accounts_umask_etc_profile +- accounts_user_dot_group_ownership +- accounts_user_dot_no_world_writable_programs +- accounts_user_dot_user_ownership +- accounts_user_interactive_home_directory_exists +- aide_build_database +- aide_check_audit_tools +- aide_periodic_cron_checking +- audit_rules_dac_modification_chmod +- audit_rules_dac_modification_chown +- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_fchmodat +- audit_rules_dac_modification_fchown +- audit_rules_dac_modification_fchownat +- audit_rules_dac_modification_fremovexattr +- audit_rules_dac_modification_fsetxattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lsetxattr +- audit_rules_dac_modification_removexattr +- 
audit_rules_dac_modification_setxattr +- audit_rules_execution_chacl +- audit_rules_execution_chcon +- audit_rules_execution_setfacl +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_renameat +- audit_rules_file_deletion_events_unlink +- audit_rules_file_deletion_events_unlinkat +- audit_rules_immutable +- audit_rules_kernel_module_loading_create - audit_rules_kernel_module_loading_delete -- dconf_gnome_screensaver_user_locks -- no_empty_passwords +- audit_rules_kernel_module_loading_finit +- audit_rules_kernel_module_loading_init +- audit_rules_kernel_module_loading_query +- audit_rules_login_events_faillock +- audit_rules_login_events_lastlog +- audit_rules_mac_modification +- audit_rules_mac_modification_usr_share +- audit_rules_media_export +- audit_rules_networkconfig_modification +- audit_rules_networkconfig_modification_network_scripts +- audit_rules_privileged_commands +- audit_rules_privileged_commands_kmod +- audit_rules_privileged_commands_usermod +- audit_rules_session_events +- audit_rules_suid_auid_privilege_function +- audit_rules_sysadmin_actions - audit_rules_time_adjtimex -- accounts_password_pam_minlen -- audit_rules_dac_modification_fchmodat -- grub2_audit_argument -- sysctl_net_ipv4_conf_all_secure_redirects -- file_groupowner_sshd_config - audit_rules_time_clock_settime -- dir_perms_world_writable_sticky_bits -- mount_option_var_log_audit_nosuid -- kernel_module_squashfs_disabled -- accounts_user_dot_no_world_writable_programs -- sshd_set_max_auth_tries -- package_telnet-server_removed - audit_rules_time_settimeofday -- file_groupownership_home_directories -- sysctl_net_ipv6_conf_default_accept_source_route -- audit_rules_dac_modification_fsetxattr -- package_cyrus-imapd_removed -- file_permissions_sshd_config -- no_netrc_files -- audit_rules_immutable -- mount_option_dev_shm_nodev -- package_cups_removed -- file_permissions_cron_monthly -- dconf_gnome_login_banner_text -- chronyd_specify_remote_server -- 
sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group -- audit_rules_dac_modification_fchownat -- kernel_module_usb-storage_disabled -- mount_option_tmp_nodev +- audit_rules_time_watch_localtime +- audit_rules_unsuccessful_file_modification_creat +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_unsuccessful_file_modification_open +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_unsuccessful_file_modification_truncate +- audit_rules_usergroup_modification_group - audit_rules_usergroup_modification_gshadow -- gid_passwd_group_same -- sysctl_net_ipv6_conf_default_accept_redirects -- set_password_hashing_algorithm_passwordauth -- dconf_gnome_session_idle_user_locks -- sudo_require_authentication -- accounts_password_set_min_life_existing -- kernel_module_tipc_disabled -- dconf_gnome_banner_enabled -- sysctl_net_ipv4_conf_default_secure_redirects -- file_groupowner_cron_d - audit_rules_usergroup_modification_opasswd -- audit_rules_mac_modification_usr_share -- accounts_passwords_pam_faillock_unlock_time -- file_owner_grub2_cfg -- audit_rules_kernel_module_loading_query -- no_shelllogin_for_systemaccounts -- file_owner_cron_allow -- dconf_gnome_screensaver_idle_delay -- directory_permissions_var_log_audit -- package_samba_removed -- sshd_set_loglevel_verbose -- audit_rules_time_stime -- accounts_user_interactive_home_directory_exists -- accounts_tmout -- file_groupowner_backup_etc_shadow -- file_owner_etc_passwd -- mount_option_var_tmp_nodev -- partition_for_home -- audit_rules_file_deletion_events_rename -- package_rsync_removed -- accounts_password_pam_retry -- chronyd_run_as_chrony_user -- file_permissions_cron_weekly -- file_permissions_etc_group -- file_permissions_ungroupowned -- aide_build_database -- accounts_password_all_shadowed -- set_nftables_table -- file_permissions_etc_motd -- set_password_hashing_algorithm_logindefs -- mount_option_tmp_nosuid -- package_xorg-x11-server-common_removed -- 
service_firewalld_enabled -- rsyslog_nolisten -- accounts_password_pam_pwhistory_remember_password_auth -- package_net-snmp_removed -- coredump_disable_backtraces -- partition_for_dev_shm +- audit_rules_usergroup_modification_passwd +- audit_rules_usergroup_modification_shadow +- audit_sudo_log_events +- auditd_data_disk_error_action +- auditd_data_disk_full_action +- auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action +- auditd_data_retention_max_log_file +- auditd_data_retention_max_log_file_action +- auditd_data_retention_space_left_action +- banner_etc_issue +- banner_etc_issue_net +- banner_etc_motd +- chronyd_run_as_chrony_user +- chronyd_specify_remote_server +- configure_crypto_policy - configure_ssh_crypto_policy +- coredump_disable_backtraces +- coredump_disable_storage +- dconf_db_up_to_date +- dconf_gnome_banner_enabled +- dconf_gnome_disable_automount +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +- dconf_gnome_disable_user_list +- dconf_gnome_login_banner_text +- dconf_gnome_screensaver_idle_delay +- dconf_gnome_screensaver_lock_delay +- dconf_gnome_screensaver_user_locks +- dconf_gnome_session_idle_user_locks +- dir_perms_world_writable_sticky_bits +- directory_permissions_var_log_audit +- disable_host_auth +- enable_authselect +- ensure_gpgcheck_globally_activated - ensure_pam_wheel_group_empty -- package_vsftpd_removed -- auditd_data_retention_max_log_file_action -- sshd_disable_x11_forwarding -- sshd_enable_pam -- audit_rules_kernel_module_loading_init -- audit_rules_time_watch_localtime -- package_dnsmasq_removed -- sshd_enable_warning_banner_net -- file_permissions_sshd_pub_key -- file_permissions_cron_allow -- file_owner_etc_motd -- rsyslog_filecreatemode -- file_owner_cron_d -- audit_rules_unsuccessful_file_modification_open -- accounts_umask_etc_login_defs -- mount_option_home_nodev -- mount_option_dev_shm_noexec -- audit_rules_usergroup_modification_group -- 
audit_rules_dac_modification_removexattr -- audit_rules_dac_modification_setxattr -- journald_forward_to_syslog -- audit_rules_execution_chcon -- audit_rules_dac_modification_lremovexattr -- package_ftp_removed -- accounts_password_last_change_is_in_past -- sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_all_log_martians +- ensure_root_password_configured +- file_at_deny_not_exist +- file_cron_allow_exists +- file_cron_deny_not_exist +- file_etc_security_opasswd +- file_group_ownership_var_log_audit +- file_groupowner_at_allow +- file_groupowner_backup_etc_group +- file_groupowner_backup_etc_gshadow +- file_groupowner_backup_etc_passwd +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- file_groupowner_cron_d +- file_groupowner_cron_daily +- file_groupowner_cron_hourly +- file_groupowner_cron_monthly +- file_groupowner_cron_weekly +- file_groupowner_crontab - file_groupowner_etc_group -- package_libselinux_installed -- file_owner_cron_weekly -- mount_option_var_nosuid -- file_owner_etc_shadow -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- audit_rules_dac_modification_chown -- has_nonlocal_mta -- accounts_password_warn_age_login_defs -- mount_option_var_log_nosuid -- file_groupowner_etc_shadow -- file_permissions_cron_hourly -- coredump_disable_storage -- auditd_data_retention_action_mail_acct - file_groupowner_etc_gshadow -- audit_rules_unsuccessful_file_modification_ftruncate -- no_rsh_trust_files -- rsyslog_files_permissions -- account_password_pam_faillock_system_auth -- mount_option_var_tmp_noexec -- mount_option_var_nodev -- audit_rules_privileged_commands_kmod -- audit_rules_sysadmin_actions - file_groupowner_etc_issue +- file_groupowner_etc_issue_net +- file_groupowner_etc_motd +- file_groupowner_etc_passwd +- file_groupowner_etc_shadow +- file_groupowner_etc_shells +- file_groupowner_grub2_cfg +- file_groupowner_sshd_config +- file_groupowner_user_cfg +- 
file_groupownership_audit_binaries +- file_groupownership_audit_configuration +- file_groupownership_sshd_private_key +- file_groupownership_sshd_pub_key - file_owner_backup_etc_group -- file_permissions_cron_daily -- file_groupowner_backup_etc_passwd -- set_password_hashing_algorithm_systemauth -- sshd_set_max_sessions -- journald_compress -- package_sudo_installed +- file_owner_backup_etc_gshadow - file_owner_backup_etc_passwd -- audit_rules_login_events_faillock -- file_groupowner_etc_passwd -- package_firewalld_installed -- file_permissions_unauthorized_world_writable -- sysctl_net_ipv4_conf_all_accept_source_route -- audit_rules_dac_modification_fchown -- file_at_deny_not_exist -- mount_option_home_nosuid -- file_permissions_var_log_audit -- mount_option_dev_shm_nosuid +- file_owner_backup_etc_shadow +- file_owner_cron_allow +- file_owner_cron_d +- file_owner_cron_daily +- file_owner_cron_hourly +- file_owner_cron_monthly +- file_owner_cron_weekly +- file_owner_crontab +- file_owner_etc_group +- file_owner_etc_gshadow +- file_owner_etc_issue +- file_owner_etc_issue_net +- file_owner_etc_motd +- file_owner_etc_passwd +- file_owner_etc_shadow +- file_owner_etc_shells +- file_owner_grub2_cfg +- file_owner_sshd_config - file_owner_user_cfg -- sysctl_net_ipv6_conf_all_forwarding -- audit_rules_mac_modification -- file_permissions_cron_d -- dconf_db_up_to_date -- sysctl_net_ipv4_ip_forward -- audit_rules_usergroup_modification_passwd -- accounts_password_pam_minclass -- service_rsyslog_enabled -- sshd_set_maxstartups -- file_groupowner_cron_allow -- sudo_add_use_pty -- sysctl_net_ipv6_conf_all_accept_ra -- package_httpd_removed -- audit_rules_dac_modification_lchown -- audit_rules_kernel_module_loading_create -- group_unique_id -- file_cron_allow_exists -- file_groupowner_user_cfg -- dconf_gnome_disable_automount -- package_bind_removed -- file_groupowner_cron_weekly -- socket_systemd-journal-remote_disabled -- enable_authselect -- kernel_module_udf_disabled -- 
file_groupowner_etc_issue_net -- sysctl_net_ipv6_conf_default_accept_ra -- sysctl_net_ipv4_conf_all_send_redirects -- account_password_pam_faillock_password_auth -- banner_etc_motd -- file_permissions_backup_etc_shadow -- journald_storage -- sudo_custom_logfile -- audit_rules_dac_modification_fchmod -- account_disable_post_pw_expiration -- aide_check_audit_tools +- file_ownership_audit_binaries - file_ownership_audit_configuration -- selinux_state -- service_nfs_disabled -- partition_for_var_tmp -- grub2_enable_selinux -- service_nftables_disabled -- use_pam_wheel_group_for_su -- file_permissions_audit_configuration -- package_nginx_removed -- accounts_password_pam_pwhistory_remember_system_auth -- file_permissions_etc_issue_net +- file_ownership_sshd_private_key - file_ownership_sshd_pub_key -- file_ownership_audit_binaries -- sysctl_net_ipv4_conf_all_rp_filter -- sysctl_net_ipv4_conf_default_accept_redirects -- file_permissions_backup_etc_passwd - file_ownership_var_log_audit_stig -- package_tftp_removed -- file_groupownership_audit_binaries -- no_empty_passwords_etc_shadow -- package_dhcp_removed -- file_groupowner_at_allow -- package_aide_installed -- mount_option_tmp_noexec -- sshd_disable_rhosts -- file_permissions_audit_binaries -- package_avahi_removed -- service_rpcbind_disabled -- accounts_umask_etc_profile -- file_owner_etc_issue -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- accounts_root_path_dirs_no_write -- package_squid_removed -- file_groupowner_cron_daily -- package_openldap-clients_removed -- partition_for_var_log -- audit_rules_suid_auid_privilege_function -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- configure_crypto_policy -- aide_periodic_cron_checking +- file_permission_user_init_files +- file_permissions_at_allow +- file_permissions_audit_binaries +- file_permissions_audit_configuration +- file_permissions_backup_etc_group +- file_permissions_backup_etc_gshadow +- file_permissions_backup_etc_passwd +- 
file_permissions_backup_etc_shadow +- file_permissions_cron_allow +- file_permissions_cron_d +- file_permissions_cron_daily +- file_permissions_cron_hourly +- file_permissions_cron_monthly +- file_permissions_cron_weekly +- file_permissions_crontab +- file_permissions_etc_group +- file_permissions_etc_gshadow +- file_permissions_etc_issue +- file_permissions_etc_issue_net +- file_permissions_etc_motd - file_permissions_etc_passwd -- file_groupownership_sshd_private_key -- package_dovecot_removed +- file_permissions_etc_shadow +- file_permissions_etc_shells +- file_permissions_grub2_cfg +- file_permissions_home_directories +- file_permissions_sshd_config +- file_permissions_sshd_private_key +- file_permissions_sshd_pub_key +- file_permissions_unauthorized_world_writable +- file_permissions_ungroupowned +- file_permissions_user_cfg +- file_permissions_var_log_audit - firewalld_loopback_traffic_restricted -- mount_option_var_log_nodev +- firewalld_loopback_traffic_trusted +- gid_passwd_group_same +- gnome_gdm_disable_xdmcp +- group_unique_id +- grub2_audit_argument +- grub2_audit_backlog_limit_argument +- grub2_enable_selinux +- grub2_password +- has_nonlocal_mta +- journald_compress +- journald_storage +- kernel_module_cramfs_disabled +- kernel_module_dccp_disabled +- kernel_module_freevxfs_disabled +- kernel_module_hfs_disabled +- kernel_module_hfsplus_disabled +- kernel_module_jffs2_disabled +- kernel_module_rds_disabled +- kernel_module_sctp_disabled +- kernel_module_squashfs_disabled +- kernel_module_tipc_disabled +- kernel_module_udf_disabled +- kernel_module_usb-storage_disabled +- mount_option_dev_shm_nodev +- mount_option_dev_shm_noexec +- mount_option_dev_shm_nosuid +- mount_option_home_nodev +- mount_option_home_nosuid +- mount_option_tmp_nodev +- mount_option_tmp_noexec +- mount_option_tmp_nosuid +- mount_option_var_log_audit_nodev - mount_option_var_log_audit_noexec -- sshd_set_login_grace_time -- file_owner_cron_hourly -- 
dconf_gnome_disable_automount_open -- selinux_not_disabled -- service_systemd-journald_enabled -- package_nftables_installed +- mount_option_var_log_audit_nosuid +- mount_option_var_log_nodev - mount_option_var_log_noexec -- partition_for_var -- package_mcstrans_removed -- sshd_limit_user_access -- root_path_no_dot -- file_permissions_at_allow -- file_permissions_etc_shadow +- mount_option_var_log_nosuid +- mount_option_var_nodev +- mount_option_var_nosuid +- mount_option_var_tmp_nodev +- mount_option_var_tmp_noexec - mount_option_var_tmp_nosuid -- package_telnet_removed -- file_groupowner_crontab -- selinux_confinement_of_daemons -- dconf_gnome_disable_autorun -- accounts_password_set_max_life_existing -- package_audit_installed -- sshd_disable_empty_passwords -- audit_rules_execution_chacl -- audit_rules_file_deletion_events_renameat -- audit_rules_privileged_commands_usermod -- accounts_set_post_pw_existing -- file_groupowner_cron_hourly -- file_owner_sshd_config -- file_owner_cron_monthly -- no_password_auth_for_systemaccounts -- audit_rules_privileged_commands -- file_permissions_etc_issue +- no_empty_passwords +- no_empty_passwords_etc_shadow +- no_files_unowned_by_user - no_forward_files -- selinux_policytype -- file_permissions_user_cfg +- no_netrc_files +- no_password_auth_for_systemaccounts +- no_rsh_trust_files +- no_shelllogin_for_systemaccounts +- package_aide_installed +- package_audit-libs_installed +- package_audit_installed +- package_avahi_removed +- package_bind_removed +- package_cups_removed +- package_cyrus-imapd_removed +- package_dhcp_removed +- package_dnsmasq_removed +- package_dovecot_removed +- package_firewalld_installed +- package_ftp_removed - package_gdm_removed -- dconf_gnome_screensaver_lock_delay -- audit_rules_usergroup_modification_shadow -- sshd_disable_tcp_forwarding -- file_groupownership_sshd_pub_key -- audit_rules_file_deletion_events_unlink +- package_httpd_removed +- package_libselinux_installed +- 
package_mcstrans_removed +- package_net-snmp_removed +- package_nftables_installed +- package_nginx_removed +- package_openldap-clients_removed +- package_pam_pwquality_installed +- package_rsync_removed +- package_samba_removed +- package_setroubleshoot_removed +- package_squid_removed +- package_sudo_installed +- package_systemd-journal-remote_installed +- package_telnet-server_removed +- package_telnet_removed +- package_tftp-server_removed +- package_tftp_removed +- package_vsftpd_removed +- package_xinetd_removed +- package_xorg-x11-server-common_removed +- package_ypbind_removed +- package_ypserv_removed +- partition_for_dev_shm +- partition_for_home +- partition_for_tmp +- partition_for_var +- partition_for_var_log +- partition_for_var_log_audit +- partition_for_var_tmp - postfix_network_listening_disabled +- root_path_no_dot - rsyslog_files_groupownership -- accounts_minimum_age_login_defs -- file_permissions_etc_gshadow -- file_ownership_sshd_private_key -- file_permissions_sshd_private_key -- sysctl_net_ipv6_conf_all_accept_source_route -- file_owner_etc_gshadow -- package_rsyslog_installed -- sysctl_kernel_randomize_va_space -- audit_rules_dac_modification_chmod -- gnome_gdm_disable_xdmcp -- sshd_disable_root_login -- file_groupownership_audit_configuration -- file_group_ownership_var_log_audit -- audit_rules_unsuccessful_file_modification_openat -- banner_etc_issue_net -- audit_rules_media_export -- sysctl_net_ipv4_conf_default_accept_source_route - rsyslog_files_ownership -- file_groupowner_backup_etc_group -- file_groupowner_grub2_cfg -- banner_etc_issue -- dconf_gnome_disable_user_list -- partition_for_tmp +- rsyslog_files_permissions +- selinux_not_disabled +- selinux_policytype +- selinux_state +- service_auditd_enabled +- service_autofs_disabled +- service_bluetooth_disabled +- service_crond_enabled +- service_firewalld_enabled +- service_nfs_disabled +- service_nftables_disabled +- service_rpcbind_disabled +- service_systemd-journald_enabled +- 
set_password_hashing_algorithm_libuserconf +- set_password_hashing_algorithm_logindefs +- set_password_hashing_algorithm_passwordauth +- set_password_hashing_algorithm_systemauth +- socket_systemd-journal-remote_disabled +- sshd_disable_empty_passwords +- sshd_disable_gssapi_auth +- sshd_disable_rhosts +- sshd_disable_root_login - sshd_do_not_permit_user_env -- file_owner_backup_etc_gshadow -- accounts_passwords_pam_faillock_deny -- no_files_unowned_by_user -- audit_rules_dac_modification_fremovexattr -- firewalld_loopback_traffic_trusted -- partition_for_var_log_audit +- sshd_enable_pam +- sshd_enable_warning_banner_net +- sshd_limit_user_access +- sshd_set_idle_timeout +- sshd_set_keepalive +- sshd_set_login_grace_time +- sshd_set_loglevel_verbose +- sshd_set_max_auth_tries +- sshd_set_max_sessions +- sshd_set_maxstartups +- sshd_use_approved_ciphers +- sshd_use_strong_kex +- sshd_use_strong_macs +- sudo_add_use_pty +- sudo_custom_logfile +- sudo_require_authentication +- sudo_require_reauthentication +- sysctl_kernel_randomize_va_space +- sysctl_kernel_yama_ptrace_scope +- sysctl_net_ipv4_conf_all_accept_redirects +- sysctl_net_ipv4_conf_all_accept_source_route +- sysctl_net_ipv4_conf_all_log_martians +- sysctl_net_ipv4_conf_all_rp_filter +- sysctl_net_ipv4_conf_all_secure_redirects +- sysctl_net_ipv4_conf_all_send_redirects +- sysctl_net_ipv4_conf_default_accept_redirects +- sysctl_net_ipv4_conf_default_accept_source_route +- sysctl_net_ipv4_conf_default_log_martians +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv4_conf_default_secure_redirects +- sysctl_net_ipv4_conf_default_send_redirects +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- sysctl_net_ipv4_ip_forward +- sysctl_net_ipv4_tcp_syncookies +- sysctl_net_ipv6_conf_all_accept_ra +- sysctl_net_ipv6_conf_all_accept_redirects +- sysctl_net_ipv6_conf_all_accept_source_route +- sysctl_net_ipv6_conf_all_forwarding +- 
sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv6_conf_default_accept_redirects
+- sysctl_net_ipv6_conf_default_accept_source_route
+- use_pam_wheel_group_for_su
 - wireless_disable_interfaces
-- accounts_root_gid_zero
-- audit_rules_unsuccessful_file_modification_creat
-- accounts_password_set_warn_age_existing
+- xwindows_runlevel_target
+- var_user_initialization_files_regex=all_dotfiles
 - var_accounts_user_umask=027
 - var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
+- var_account_disable_post_pw_expiration=45
+- var_password_hashing_algorithm=SHA512
 - var_accounts_password_warn_age_login_defs=7
-- var_accounts_minimum_age_login_defs=1
 - var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
 - var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=5
-- var_accounts_passwords_pam_faillock_deny=3
-- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_remember=24
+- var_password_pam_dictcheck=1
+- var_password_pam_maxrepeat=3
 - var_password_pam_minclass=4
 - var_password_pam_minlen=14
+- var_password_pam_difok=2
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_accounts_passwords_pam_faillock_deny=5
 - var_pam_wheel_group_for_su=cis
-- sshd_idle_timeout_value=15_minutes
-- var_sshd_set_keepalive=1
-- var_sshd_set_login_grace_time=60
 - var_sshd_max_sessions=10
 - var_sshd_set_maxstartups=10:30:60
 - sshd_max_auth_tries_value=4
-- var_nftables_family=inet
-- var_nftables_table=firewalld
+- var_sshd_set_login_grace_time=60
+- sshd_idle_timeout_value=5_minutes
+- var_sshd_set_keepalive=1
+- sshd_strong_macs=cis_rhel9
+- sshd_strong_kex=cis_rhel9
+- sshd_approved_ciphers=cis_rhel9
 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- 
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
 - var_multiple_time_servers=rhel
-- var_system_crypto_policy=default_policy
+- var_postfix_inet_interfaces=loopback-only
 - inactivity_timeout_value=15_minutes
 - var_screensaver_lock_delay=5_seconds
 - remote_login_banner_text=cis_banners
 - login_banner_text=cis_banners
 - motd_banner_text=cis_banners
+- var_system_crypto_policy=default_nosha1
 - var_selinux_policy_name=targeted
 - var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_dir=run
 - var_auditd_action_mail_acct=root
-- var_auditd_admin_space_left_action=halt
-- 
var_auditd_space_left_action=email
+- var_auditd_admin_space_left_action=cis_rhel9
+- var_auditd_space_left_action=cis_rhel9
+- var_auditd_disk_error_action=cis_rhel9
+- var_auditd_disk_full_action=cis_rhel9
 - var_auditd_max_log_file_action=keep_logs
 - var_auditd_max_log_file=6
+- var_accounts_minimum_age_login_defs=1
 - var_selinux_state=enforcing
 unselected_groups: []
 platforms: !!set {}
@@ -439,5 +470,4 @@ filter_rules: ''
 policies:
 - cis_rhel9
 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
-definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis.profile
 documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index 8eb73a288db..98285383d42 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
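Review bot: The rewritten selection list drops `sshd_disable_x11_forwarding` and `sshd_disable_tcp_forwarding` (removed lines near `sshd_enable_pam` and `package_gdm_removed`) while the new side's `sshd_*` block selects no forwarding-related rule at all, so the Level 2 Server profile stops enforcing any SSH forwarding restriction. If v2.0.0 consolidated those into a single DisableForwarding recommendation, the matching rule should be selected here and in the source `products/rhel9/profiles/cis.profile` this fixture presumably mirrors; if the benchmark genuinely dropped the control, the commit message should say so, since this is a hardening regression for existing users. `selinux_confinement_of_daemons` is likewise removed with no visible replacement and deserves the same confirmation. Separately, the new explicit `sshd_approved_ciphers=cis_rhel9`, `sshd_strong_kex=cis_rhel9` and `sshd_strong_macs=cis_rhel9` lists now coexist with `configure_ssh_crypto_policy` and `var_system_crypto_policy=default_nosha1`; it is worth checking that the per-directive lists and the system policy agree, otherwise the effective sshd algorithm set depends on which snippet sshd reads first.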
@@ -1,341 +1,358 @@ description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: -- coredump_disable_storage -- package_dovecot_removed +- account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth +- account_unique_id +- account_unique_name +- accounts_maximum_age_login_defs +- accounts_no_uid_except_zero +- accounts_password_all_shadowed +- accounts_password_last_change_is_in_past +- accounts_password_pam_dictcheck +- accounts_password_pam_difok +- accounts_password_pam_enforce_root +- accounts_password_pam_maxrepeat +- accounts_password_pam_minclass +- accounts_password_pam_minlen +- accounts_password_pam_pwhistory_remember_password_auth +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_password_set_max_life_existing +- accounts_password_set_warn_age_existing +- accounts_password_warn_age_login_defs +- accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time -- sysctl_net_ipv4_conf_all_accept_redirects -- firewalld_loopback_traffic_restricted -- sysctl_net_ipv6_conf_all_accept_redirects -- mount_option_var_log_nodev -- file_groupowner_etc_gshadow -- file_owner_grub2_cfg -- no_shelllogin_for_systemaccounts -- file_owner_cron_allow +- accounts_root_gid_zero +- accounts_root_path_dirs_no_write +- accounts_set_post_pw_existing +- accounts_tmout +- accounts_umask_etc_bashrc +- 
accounts_umask_etc_login_defs +- accounts_umask_etc_profile +- accounts_user_dot_group_ownership +- accounts_user_dot_no_world_writable_programs +- accounts_user_dot_user_ownership +- accounts_user_interactive_home_directory_exists +- aide_build_database +- aide_check_audit_tools +- aide_periodic_cron_checking +- banner_etc_issue +- banner_etc_issue_net +- banner_etc_motd +- chronyd_run_as_chrony_user +- chronyd_specify_remote_server +- configure_crypto_policy +- configure_ssh_crypto_policy +- coredump_disable_backtraces +- coredump_disable_storage +- dconf_db_up_to_date +- dconf_gnome_banner_enabled +- dconf_gnome_disable_automount +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +- dconf_gnome_disable_user_list +- dconf_gnome_login_banner_text - dconf_gnome_screensaver_idle_delay +- dconf_gnome_screensaver_lock_delay +- dconf_gnome_screensaver_user_locks +- dconf_gnome_session_idle_user_locks +- dir_perms_world_writable_sticky_bits +- disable_host_auth +- enable_authselect +- ensure_gpgcheck_globally_activated +- ensure_pam_wheel_group_empty - ensure_root_password_configured -- file_owner_cron_daily -- file_owner_backup_etc_shadow -- mount_option_var_log_audit_noexec -- package_setroubleshoot_removed -- sshd_set_login_grace_time -- file_owner_cron_hourly -- package_samba_removed -- no_rsh_trust_files -- rsyslog_files_permissions -- account_password_pam_faillock_system_auth -- dconf_gnome_disable_automount_open -- mount_option_var_tmp_noexec -- selinux_not_disabled -- sshd_set_loglevel_verbose -- sysctl_net_ipv4_conf_default_log_martians -- service_systemd-journald_enabled -- package_nftables_installed -- mount_option_var_nodev -- accounts_user_interactive_home_directory_exists -- accounts_tmout +- file_at_deny_not_exist +- file_cron_allow_exists +- file_cron_deny_not_exist +- file_etc_security_opasswd +- file_groupowner_at_allow +- file_groupowner_backup_etc_group +- file_groupowner_backup_etc_gshadow +- file_groupowner_backup_etc_passwd +- 
file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- file_groupowner_cron_d +- file_groupowner_cron_daily +- file_groupowner_cron_hourly +- file_groupowner_cron_monthly +- file_groupowner_cron_weekly +- file_groupowner_crontab +- file_groupowner_etc_group +- file_groupowner_etc_gshadow - file_groupowner_etc_issue -- mount_option_var_log_noexec +- file_groupowner_etc_issue_net +- file_groupowner_etc_motd +- file_groupowner_etc_passwd +- file_groupowner_etc_shadow +- file_groupowner_etc_shells +- file_groupowner_grub2_cfg +- file_groupowner_sshd_config +- file_groupowner_user_cfg +- file_groupownership_sshd_private_key +- file_groupownership_sshd_pub_key - file_owner_backup_etc_group +- file_owner_backup_etc_gshadow +- file_owner_backup_etc_passwd +- file_owner_backup_etc_shadow +- file_owner_cron_allow +- file_owner_cron_d +- file_owner_cron_daily +- file_owner_cron_hourly +- file_owner_cron_monthly +- file_owner_cron_weekly +- file_owner_crontab +- file_owner_etc_group +- file_owner_etc_gshadow +- file_owner_etc_issue +- file_owner_etc_issue_net +- file_owner_etc_motd +- file_owner_etc_passwd +- file_owner_etc_shadow +- file_owner_etc_shells +- file_owner_grub2_cfg +- file_owner_sshd_config +- file_owner_user_cfg +- file_ownership_sshd_private_key +- file_ownership_sshd_pub_key +- file_permission_user_init_files +- file_permissions_at_allow +- file_permissions_backup_etc_group +- file_permissions_backup_etc_gshadow +- file_permissions_backup_etc_passwd +- file_permissions_backup_etc_shadow +- file_permissions_cron_allow +- file_permissions_cron_d - file_permissions_cron_daily -- file_groupowner_backup_etc_shadow -- file_permissions_home_directories -- file_groupowner_backup_etc_passwd -- set_password_hashing_algorithm_systemauth -- package_mcstrans_removed -- sshd_limit_user_access -- sshd_set_max_sessions +- file_permissions_cron_hourly +- file_permissions_cron_monthly +- file_permissions_cron_weekly - file_permissions_crontab -- journald_compress -- 
file_permissions_at_allow -- file_owner_etc_passwd -- mount_option_var_tmp_nodev -- file_owner_backup_etc_passwd -- package_sudo_installed -- root_path_no_dot +- file_permissions_etc_group +- file_permissions_etc_gshadow +- file_permissions_etc_issue +- file_permissions_etc_issue_net +- file_permissions_etc_motd +- file_permissions_etc_passwd - file_permissions_etc_shadow -- file_groupowner_etc_passwd -- mount_option_var_tmp_nosuid -- package_rsync_removed -- accounts_password_pam_retry -- package_firewalld_installed -- package_telnet_removed -- sudo_require_reauthentication +- file_permissions_etc_shells +- file_permissions_grub2_cfg +- file_permissions_home_directories +- file_permissions_sshd_config +- file_permissions_sshd_private_key +- file_permissions_sshd_pub_key - file_permissions_unauthorized_world_writable -- sysctl_net_ipv4_conf_all_accept_source_route -- chronyd_run_as_chrony_user -- file_at_deny_not_exist -- file_groupowner_crontab -- selinux_confinement_of_daemons -- mount_option_home_nosuid -- file_permissions_cron_weekly -- file_cron_deny_not_exist -- dconf_gnome_disable_autorun -- accounts_password_set_max_life_existing -- file_permissions_etc_group -- accounts_no_uid_except_zero -- disable_host_auth - file_permissions_ungroupowned -- sshd_disable_empty_passwords -- mount_option_dev_shm_nosuid -- aide_build_database -- file_owner_user_cfg -- package_tftp-server_removed -- sysctl_net_ipv6_conf_all_forwarding -- file_groupowner_backup_etc_gshadow -- accounts_password_all_shadowed -- account_unique_id -- set_nftables_table -- accounts_set_post_pw_existing -- file_groupowner_etc_motd -- file_permissions_cron_d +- file_permissions_user_cfg +- firewalld_loopback_traffic_restricted +- firewalld_loopback_traffic_trusted +- gid_passwd_group_same +- gnome_gdm_disable_xdmcp +- group_unique_id +- grub2_enable_selinux - grub2_password -- file_groupowner_cron_hourly -- dconf_db_up_to_date -- sysctl_net_ipv4_ip_forward -- file_owner_sshd_config -- 
file_owner_cron_monthly -- file_permissions_etc_motd -- set_password_hashing_algorithm_logindefs +- has_nonlocal_mta +- journald_compress +- journald_storage +- kernel_module_cramfs_disabled +- kernel_module_freevxfs_disabled +- kernel_module_hfs_disabled +- kernel_module_hfsplus_disabled +- kernel_module_jffs2_disabled +- kernel_module_usb-storage_disabled +- mount_option_dev_shm_nodev +- mount_option_dev_shm_noexec +- mount_option_dev_shm_nosuid +- mount_option_home_nodev +- mount_option_home_nosuid +- mount_option_tmp_nodev +- mount_option_tmp_noexec - mount_option_tmp_nosuid -- no_password_auth_for_systemaccounts -- accounts_password_pam_minclass -- service_rsyslog_enabled -- sshd_set_maxstartups -- file_groupowner_cron_allow -- sudo_add_use_pty -- sysctl_net_ipv6_conf_all_accept_ra -- accounts_maximum_age_login_defs -- file_permissions_etc_issue -- package_httpd_removed +- mount_option_var_log_audit_nodev +- mount_option_var_log_audit_noexec +- mount_option_var_log_audit_nosuid +- mount_option_var_log_nodev +- mount_option_var_log_noexec +- mount_option_var_log_nosuid +- mount_option_var_nodev +- mount_option_var_nosuid +- mount_option_var_tmp_nodev +- mount_option_var_tmp_noexec +- mount_option_var_tmp_nosuid +- no_empty_passwords +- no_empty_passwords_etc_shadow +- no_files_unowned_by_user - no_forward_files -- service_firewalld_enabled -- rsyslog_nolisten -- file_owner_etc_group -- accounts_password_pam_pwhistory_remember_password_auth -- group_unique_id -- selinux_policytype -- sysctl_net_ipv4_conf_default_secure_redirects -- file_cron_allow_exists -- file_groupowner_user_cfg -- dconf_gnome_disable_automount +- no_netrc_files +- no_password_auth_for_systemaccounts +- no_rsh_trust_files +- no_shelllogin_for_systemaccounts +- package_aide_installed +- package_avahi_removed - package_bind_removed -- file_groupowner_cron_weekly -- socket_systemd-journal-remote_disabled +- package_cups_removed +- package_cyrus-imapd_removed +- package_dhcp_removed +- 
package_dnsmasq_removed +- package_dovecot_removed +- package_firewalld_installed +- package_ftp_removed +- package_httpd_removed +- package_libselinux_installed +- package_mcstrans_removed - package_net-snmp_removed -- coredump_disable_backtraces -- enable_authselect -- partition_for_dev_shm -- kernel_module_udf_disabled -- file_groupowner_etc_issue_net -- file_permissions_user_cfg -- service_crond_enabled -- sysctl_net_ipv4_conf_all_send_redirects -- sysctl_net_ipv6_conf_default_accept_ra -- dconf_gnome_screensaver_lock_delay -- configure_ssh_crypto_policy -- account_password_pam_faillock_password_auth -- banner_etc_motd -- file_permissions_backup_etc_gshadow -- file_permissions_etc_passwd -- ensure_pam_wheel_group_empty -- file_permissions_backup_etc_shadow -- journald_storage -- file_owner_crontab +- package_nftables_installed +- package_nginx_removed +- package_pam_pwquality_installed +- package_rsync_removed +- package_samba_removed +- package_setroubleshoot_removed +- package_squid_removed +- package_sudo_installed +- package_systemd-journal-remote_installed +- package_telnet-server_removed +- package_telnet_removed +- package_tftp-server_removed +- package_tftp_removed - package_vsftpd_removed -- sudo_custom_logfile -- file_groupownership_sshd_pub_key -- file_owner_etc_issue_net -- account_disable_post_pw_expiration -- sshd_enable_pam -- sshd_set_keepalive -- sysctl_net_ipv4_tcp_syncookies -- set_firewalld_default_zone -- aide_check_audit_tools +- package_xinetd_removed +- package_ypbind_removed +- package_ypserv_removed +- partition_for_dev_shm +- partition_for_tmp - postfix_network_listening_disabled -- accounts_umask_etc_bashrc -- mount_option_var_log_audit_nodev +- root_path_no_dot - rsyslog_files_groupownership +- rsyslog_files_ownership +- rsyslog_files_permissions +- selinux_not_disabled +- selinux_policytype +- service_autofs_disabled +- service_bluetooth_disabled +- service_crond_enabled +- service_firewalld_enabled - service_nfs_disabled -- 
accounts_minimum_age_login_defs -- file_permissions_grub2_cfg -- dconf_gnome_screensaver_user_locks -- file_permissions_etc_gshadow -- sshd_enable_warning_banner_net -- package_dnsmasq_removed -- file_ownership_sshd_private_key -- file_permissions_sshd_private_key -- no_empty_passwords -- grub2_enable_selinux -- file_permissions_sshd_pub_key - service_nftables_disabled -- mount_option_var_log_nosuid -- accounts_password_pam_minlen -- file_permissions_cron_allow -- sysctl_net_ipv6_conf_all_accept_source_route -- file_owner_etc_motd -- use_pam_wheel_group_for_su -- rsyslog_filecreatemode -- sysctl_net_ipv4_conf_all_secure_redirects -- file_owner_cron_d -- file_groupowner_sshd_config -- file_owner_etc_gshadow -- accounts_password_pam_pwhistory_remember_system_auth -- file_permissions_etc_issue_net -- package_nginx_removed -- dir_perms_world_writable_sticky_bits -- file_ownership_sshd_pub_key -- mount_option_var_log_audit_nosuid -- package_rsyslog_installed -- accounts_umask_etc_login_defs -- kernel_module_squashfs_disabled +- service_rpcbind_disabled +- service_systemd-journald_enabled +- set_password_hashing_algorithm_libuserconf +- set_password_hashing_algorithm_logindefs +- set_password_hashing_algorithm_passwordauth +- set_password_hashing_algorithm_systemauth +- socket_systemd-journal-remote_disabled +- sshd_disable_empty_passwords +- sshd_disable_rhosts +- sshd_disable_root_login +- sshd_do_not_permit_user_env +- sshd_enable_pam +- sshd_enable_warning_banner_net +- sshd_limit_user_access +- sshd_set_idle_timeout +- sshd_set_keepalive +- sshd_set_login_grace_time +- sshd_set_loglevel_verbose +- sshd_set_max_auth_tries +- sshd_set_max_sessions +- sshd_set_maxstartups +- sshd_use_approved_ciphers +- sshd_use_strong_kex +- sshd_use_strong_macs +- sudo_add_use_pty +- sudo_custom_logfile +- sudo_require_reauthentication - sysctl_kernel_randomize_va_space -- accounts_user_dot_no_world_writable_programs +- sysctl_kernel_yama_ptrace_scope +- 
sysctl_net_ipv4_conf_all_accept_redirects +- sysctl_net_ipv4_conf_all_accept_source_route +- sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_conf_all_rp_filter -- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_all_secure_redirects +- sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_conf_default_accept_redirects -- package_telnet-server_removed -- gnome_gdm_disable_xdmcp -- mount_option_home_nodev -- file_groupownership_home_directories -- sshd_disable_root_login -- mount_option_dev_shm_noexec -- sysctl_net_ipv6_conf_default_accept_source_route -- file_permissions_backup_etc_passwd -- package_cyrus-imapd_removed -- file_permissions_sshd_config -- no_netrc_files -- banner_etc_issue_net -- journald_forward_to_syslog -- package_tftp_removed -- no_empty_passwords_etc_shadow -- package_dhcp_removed -- file_groupowner_at_allow -- mount_option_dev_shm_nodev -- package_aide_installed -- package_cups_removed -- file_permissions_cron_monthly -- mount_option_tmp_noexec - sysctl_net_ipv4_conf_default_accept_source_route -- package_ftp_removed -- rsyslog_files_ownership -- accounts_password_last_change_is_in_past +- sysctl_net_ipv4_conf_default_log_martians - sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_all_log_martians -- sshd_disable_rhosts -- dconf_gnome_login_banner_text -- chronyd_specify_remote_server -- file_groupowner_etc_group -- file_groupowner_backup_etc_group +- sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group -- file_groupowner_grub2_cfg -- package_avahi_removed -- banner_etc_issue -- accounts_umask_etc_profile -- kernel_module_usb-storage_disabled -- file_owner_etc_issue -- mount_option_tmp_nodev -- package_libselinux_installed -- service_rpcbind_disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- accounts_root_path_dirs_no_write -- dconf_gnome_disable_user_list -- file_owner_cron_weekly -- 
gid_passwd_group_same +- sysctl_net_ipv4_ip_forward +- sysctl_net_ipv4_tcp_syncookies +- sysctl_net_ipv6_conf_all_accept_ra +- sysctl_net_ipv6_conf_all_accept_redirects +- sysctl_net_ipv6_conf_all_accept_source_route +- sysctl_net_ipv6_conf_all_forwarding +- sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_redirects -- partition_for_tmp -- mount_option_var_nosuid -- set_password_hashing_algorithm_passwordauth -- package_squid_removed -- sshd_do_not_permit_user_env -- file_owner_backup_etc_gshadow -- dconf_gnome_session_idle_user_locks -- accounts_passwords_pam_faillock_deny -- accounts_password_set_min_life_existing -- file_groupowner_cron_daily -- file_owner_etc_shadow -- package_openldap-clients_removed -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- no_files_unowned_by_user -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- firewalld_loopback_traffic_trusted -- configure_crypto_policy -- has_nonlocal_mta +- sysctl_net_ipv6_conf_default_accept_source_route +- use_pam_wheel_group_for_su - wireless_disable_interfaces -- accounts_root_gid_zero -- dconf_gnome_banner_enabled -- accounts_password_warn_age_login_defs -- accounts_password_set_warn_age_existing -- aide_periodic_cron_checking -- file_groupowner_etc_shadow -- file_groupowner_cron_d -- file_groupownership_sshd_private_key -- file_permissions_cron_hourly +- var_user_initialization_files_regex=all_dotfiles - var_accounts_user_umask=027 - var_accounts_tmout=15_min -- var_account_disable_post_pw_expiration=30 +- var_account_disable_post_pw_expiration=45 +- var_password_hashing_algorithm=SHA512 - var_accounts_password_warn_age_login_defs=7 -- var_accounts_minimum_age_login_defs=1 - var_accounts_maximum_age_login_defs=365 -- var_password_hashing_algorithm=SHA512 - var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_remember=5 -- var_accounts_passwords_pam_faillock_deny=3 -- 
var_accounts_passwords_pam_faillock_unlock_time=900 +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 - var_password_pam_minclass=4 - var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 - var_pam_wheel_group_for_su=cis -- sshd_idle_timeout_value=15_minutes -- var_sshd_set_keepalive=1 -- var_sshd_set_login_grace_time=60 - var_sshd_max_sessions=10 - var_sshd_set_maxstartups=10:30:60 - sshd_max_auth_tries_value=4 -- var_nftables_family=inet -- var_nftables_table=firewalld +- var_sshd_set_login_grace_time=60 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_strong_macs=cis_rhel9 +- sshd_strong_kex=cis_rhel9 +- sshd_approved_ciphers=cis_rhel9 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - sysctl_net_ipv4_tcp_syncookies_value=enabled -- sysctl_net_ipv4_conf_all_rp_filter_value=enabled -- sysctl_net_ipv4_conf_default_rp_filter_value=enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - sysctl_net_ipv4_conf_all_log_martians_value=enabled - sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - 
sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - sysctl_net_ipv6_conf_all_forwarding_value=disabled -- var_postfix_inet_interfaces=loopback-only - var_multiple_time_servers=rhel -- var_system_crypto_policy=default_policy +- var_postfix_inet_interfaces=loopback-only - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - remote_login_banner_text=cis_banners - login_banner_text=cis_banners - motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 - var_selinux_policy_name=targeted - var_authselect_profile=sssd unselected_groups: [] @@ -346,5 +363,4 @@ filter_rules: '' policies: - cis_rhel9 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server -definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_server_l1.profile documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile index 0c1a4e07df3..5b76018b737 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile 
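Review bot: The Level 1 server selections drop `accounts_minimum_age_login_defs`, `accounts_password_set_min_life_existing` and `var_accounts_minimum_age_login_defs=1` in the same hunk that raises `var_password_pam_remember` from 5 to 24; with no minimum password age enforced, a 24-entry pam_pwhistory can be defeated by cycling through 24 changes in one sitting, so the stronger history value buys little on L1. The L2 server fixture earlier in this diff gains `var_accounts_minimum_age_login_defs=1`, which suggests the control moved to Level 2 in benchmark v2.0.0; if that matches the benchmark it is expected, but it should be confirmed against the control mapping rather than this fixture alone, and if the drop is unintended the three lines `- accounts_minimum_age_login_defs`, `- accounts_password_set_min_life_existing` and `- var_accounts_minimum_age_login_defs=1` belong back in this profile. The hunk also removes `package_rsyslog_installed`, `service_rsyslog_enabled`, `rsyslog_nolisten`, `rsyslog_filecreatemode` and `journald_forward_to_syslog` while keeping `rsyslog_files_*` and adding `package_systemd-journal-remote_installed`, which reads as a deliberate journald-only logging choice; that choice deserves a comment in the controls file such as `# logging: journald is the selected backend; rsyslog install/enable rules intentionally not selected` so a later reader does not take it for an omission.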
@@ -1,337 +1,350 @@
 description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122,
- v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed
+ v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed
 Hat Enterprise Linux 9 CIS Benchmarks\u2122 content."
 extends: null
 hidden: ''
 metadata:
- version: 1.0.0
+ version: 2.0.0
 SMEs:
 - marcusburghardt
+ - mab879
 - vojtapolasek
- - yuumasato
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 selections:
-- coredump_disable_storage
-- package_dovecot_removed
+- account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
+- account_unique_id
+- account_unique_name
+- accounts_maximum_age_login_defs
+- accounts_no_uid_except_zero
+- accounts_password_all_shadowed
+- accounts_password_last_change_is_in_past
+- accounts_password_pam_dictcheck
+- accounts_password_pam_difok
+- accounts_password_pam_enforce_root
+- accounts_password_pam_maxrepeat
+- accounts_password_pam_minclass
+- accounts_password_pam_minlen
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_set_max_life_existing
+- accounts_password_set_warn_age_existing
+- accounts_password_warn_age_login_defs
+- accounts_passwords_pam_faillock_deny
 - accounts_passwords_pam_faillock_unlock_time
-- sysctl_net_ipv4_conf_all_accept_redirects
-- firewalld_loopback_traffic_restricted
-- sysctl_net_ipv6_conf_all_accept_redirects
-- mount_option_var_log_nodev
-- file_groupowner_etc_gshadow
-- file_owner_grub2_cfg
-- no_shelllogin_for_systemaccounts
-- file_owner_cron_allow
+- accounts_root_gid_zero
+- accounts_root_path_dirs_no_write
+- accounts_set_post_pw_existing
+- accounts_tmout
+- accounts_umask_etc_bashrc
+- accounts_umask_etc_login_defs
+- accounts_umask_etc_profile
+- accounts_user_dot_group_ownership
+- accounts_user_dot_no_world_writable_programs
+- accounts_user_dot_user_ownership
+- accounts_user_interactive_home_directory_exists
+- aide_build_database
+- aide_check_audit_tools
+- aide_periodic_cron_checking
+- banner_etc_issue
+- banner_etc_issue_net
+- banner_etc_motd
+- chronyd_run_as_chrony_user
+- chronyd_specify_remote_server
+- configure_crypto_policy
+- configure_ssh_crypto_policy
+- coredump_disable_backtraces
+- coredump_disable_storage
+- dconf_db_up_to_date
+- dconf_gnome_banner_enabled
+- dconf_gnome_disable_autorun
+- dconf_gnome_disable_user_list
+- dconf_gnome_login_banner_text
 - dconf_gnome_screensaver_idle_delay
+- dconf_gnome_screensaver_lock_delay
+- dconf_gnome_screensaver_user_locks
+- dconf_gnome_session_idle_user_locks
+- dir_perms_world_writable_sticky_bits
+- disable_host_auth
+- enable_authselect
+- ensure_gpgcheck_globally_activated
+- ensure_pam_wheel_group_empty
 - ensure_root_password_configured
-- file_owner_cron_daily
-- file_owner_backup_etc_shadow
-- mount_option_var_log_audit_noexec
-- sshd_set_login_grace_time
-- file_owner_cron_hourly
-- package_samba_removed
-- no_rsh_trust_files
-- rsyslog_files_permissions
-- account_password_pam_faillock_system_auth
-- dconf_gnome_disable_automount_open
-- mount_option_var_tmp_noexec
-- selinux_not_disabled
-- sshd_set_loglevel_verbose
-- sysctl_net_ipv4_conf_default_log_martians
-- service_systemd-journald_enabled
-- package_nftables_installed
-- mount_option_var_nodev
-- accounts_user_interactive_home_directory_exists
-- accounts_tmout
+- file_at_deny_not_exist
+- file_cron_allow_exists
+- file_cron_deny_not_exist
+- file_etc_security_opasswd
+- file_groupowner_at_allow
+- file_groupowner_backup_etc_group
+- file_groupowner_backup_etc_gshadow
+- file_groupowner_backup_etc_passwd
+- file_groupowner_backup_etc_shadow
+- file_groupowner_cron_allow
+- file_groupowner_cron_d
+- file_groupowner_cron_daily
+- file_groupowner_cron_hourly
+- file_groupowner_cron_monthly
+- file_groupowner_cron_weekly
+- file_groupowner_crontab
+- file_groupowner_etc_group
+- file_groupowner_etc_gshadow
 - file_groupowner_etc_issue
-- mount_option_var_log_noexec
+- file_groupowner_etc_issue_net
+- file_groupowner_etc_motd
+- file_groupowner_etc_passwd
+- file_groupowner_etc_shadow
+- file_groupowner_etc_shells
+- file_groupowner_grub2_cfg
+- file_groupowner_sshd_config
+- file_groupowner_user_cfg
+- file_groupownership_sshd_private_key
+- file_groupownership_sshd_pub_key
 - file_owner_backup_etc_group
+- file_owner_backup_etc_gshadow
+- file_owner_backup_etc_passwd
+- file_owner_backup_etc_shadow
+- file_owner_cron_allow
+- file_owner_cron_d
+- file_owner_cron_daily
+- file_owner_cron_hourly
+- file_owner_cron_monthly
+- file_owner_cron_weekly
+- file_owner_crontab
+- file_owner_etc_group
+- file_owner_etc_gshadow
+- file_owner_etc_issue
+- file_owner_etc_issue_net
+- file_owner_etc_motd
+- file_owner_etc_passwd
+- file_owner_etc_shadow
+- file_owner_etc_shells
+- file_owner_grub2_cfg
+- file_owner_sshd_config
+- file_owner_user_cfg
+- file_ownership_sshd_private_key
+- file_ownership_sshd_pub_key
+- file_permission_user_init_files
+- file_permissions_at_allow
+- file_permissions_backup_etc_group
+- file_permissions_backup_etc_gshadow
+- file_permissions_backup_etc_passwd
+- file_permissions_backup_etc_shadow
+- file_permissions_cron_allow
+- file_permissions_cron_d
 - file_permissions_cron_daily
-- file_groupowner_backup_etc_shadow
-- file_permissions_home_directories
-- file_groupowner_backup_etc_passwd
-- set_password_hashing_algorithm_systemauth
-- package_mcstrans_removed
-- sshd_limit_user_access
-- sshd_set_max_sessions
+- file_permissions_cron_hourly
+- file_permissions_cron_monthly
+- file_permissions_cron_weekly
 - file_permissions_crontab
-- journald_compress
-- file_permissions_at_allow
-- file_owner_etc_passwd
-- mount_option_var_tmp_nodev
-- file_owner_backup_etc_passwd
-- package_sudo_installed
-- root_path_no_dot
+- file_permissions_etc_group
+- file_permissions_etc_gshadow
+- file_permissions_etc_issue
+- file_permissions_etc_issue_net
+- file_permissions_etc_motd
+- file_permissions_etc_passwd
 - file_permissions_etc_shadow
-- file_groupowner_etc_passwd
-- mount_option_var_tmp_nosuid
-- package_rsync_removed
-- accounts_password_pam_retry
-- package_firewalld_installed
-- package_telnet_removed
-- sudo_require_reauthentication
+- file_permissions_etc_shells
+- file_permissions_grub2_cfg
+- file_permissions_home_directories
+- file_permissions_sshd_config
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
 - file_permissions_unauthorized_world_writable
-- sysctl_net_ipv4_conf_all_accept_source_route
-- chronyd_run_as_chrony_user
-- file_at_deny_not_exist
-- file_groupowner_crontab
-- selinux_confinement_of_daemons
-- mount_option_home_nosuid
-- file_permissions_cron_weekly
-- file_cron_deny_not_exist
-- dconf_gnome_disable_autorun
-- accounts_password_set_max_life_existing
-- file_permissions_etc_group
-- accounts_no_uid_except_zero
-- disable_host_auth
 - file_permissions_ungroupowned
-- sshd_disable_empty_passwords
-- mount_option_dev_shm_nosuid
-- aide_build_database
-- file_owner_user_cfg
-- package_tftp-server_removed
-- sysctl_net_ipv6_conf_all_forwarding
-- file_groupowner_backup_etc_gshadow
-- accounts_password_all_shadowed
-- account_unique_id
-- set_nftables_table
-- accounts_set_post_pw_existing
-- file_groupowner_etc_motd
-- file_permissions_cron_d
+- file_permissions_user_cfg
+- firewalld_loopback_traffic_restricted
+- firewalld_loopback_traffic_trusted
+- gid_passwd_group_same
+- gnome_gdm_disable_xdmcp
+- group_unique_id
+- grub2_enable_selinux
 - grub2_password
-- file_groupowner_cron_hourly
-- dconf_db_up_to_date
-- sysctl_net_ipv4_ip_forward
-- file_owner_sshd_config
-- file_owner_cron_monthly
-- file_permissions_etc_motd
-- set_password_hashing_algorithm_logindefs
+- has_nonlocal_mta
+- journald_compress
+- journald_storage
+- kernel_module_cramfs_disabled
+- kernel_module_freevxfs_disabled
+- kernel_module_hfs_disabled
+- kernel_module_hfsplus_disabled
+- kernel_module_jffs2_disabled
+- mount_option_dev_shm_nodev
+- mount_option_dev_shm_noexec
+- mount_option_dev_shm_nosuid
+- mount_option_home_nodev
+- mount_option_home_nosuid
+- mount_option_tmp_nodev
+- mount_option_tmp_noexec
 - mount_option_tmp_nosuid
-- no_password_auth_for_systemaccounts
-- accounts_password_pam_minclass
-- service_rsyslog_enabled
-- sshd_set_maxstartups
-- file_groupowner_cron_allow
-- sudo_add_use_pty
-- sysctl_net_ipv6_conf_all_accept_ra
-- accounts_maximum_age_login_defs
-- file_permissions_etc_issue
-- package_httpd_removed
+- mount_option_var_log_audit_nodev
+- mount_option_var_log_audit_noexec
+- mount_option_var_log_audit_nosuid
+- mount_option_var_log_nodev
+- mount_option_var_log_noexec
+- mount_option_var_log_nosuid
+- mount_option_var_nodev
+- mount_option_var_nosuid
+- mount_option_var_tmp_nodev
+- mount_option_var_tmp_noexec
+- mount_option_var_tmp_nosuid
+- no_empty_passwords
+- no_empty_passwords_etc_shadow
+- no_files_unowned_by_user
 - no_forward_files
-- service_firewalld_enabled
-- rsyslog_nolisten
-- file_owner_etc_group
-- accounts_password_pam_pwhistory_remember_password_auth
-- group_unique_id
-- selinux_policytype
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_cron_allow_exists
-- file_groupowner_user_cfg
-- dconf_gnome_disable_automount
+- no_netrc_files
+- no_password_auth_for_systemaccounts
+- no_rsh_trust_files
+- no_shelllogin_for_systemaccounts
+- package_aide_installed
 - package_bind_removed
-- file_groupowner_cron_weekly
-- socket_systemd-journal-remote_disabled
+- package_cyrus-imapd_removed
+- package_dhcp_removed
+- package_dnsmasq_removed
+- package_dovecot_removed
+- package_firewalld_installed
+- package_ftp_removed
+- package_httpd_removed
+- package_libselinux_installed
+- package_mcstrans_removed
 - package_net-snmp_removed
-- coredump_disable_backtraces
-- enable_authselect
-- partition_for_dev_shm
-- kernel_module_udf_disabled
-- file_groupowner_etc_issue_net
-- file_permissions_user_cfg
-- service_crond_enabled
-- sysctl_net_ipv4_conf_all_send_redirects
-- sysctl_net_ipv6_conf_default_accept_ra
-- dconf_gnome_screensaver_lock_delay
-- configure_ssh_crypto_policy
-- account_password_pam_faillock_password_auth
-- banner_etc_motd
-- file_permissions_backup_etc_gshadow
-- file_permissions_etc_passwd
-- ensure_pam_wheel_group_empty
-- file_permissions_backup_etc_shadow
-- journald_storage
-- file_owner_crontab
+- package_nftables_installed
+- package_nginx_removed
+- package_pam_pwquality_installed
+- package_rsync_removed
+- package_samba_removed
+- package_squid_removed
+- package_sudo_installed
+- package_systemd-journal-remote_installed
+- package_telnet-server_removed
+- package_telnet_removed
+- package_tftp-server_removed
+- package_tftp_removed
 - package_vsftpd_removed
-- sudo_custom_logfile
-- sshd_disable_x11_forwarding
-- file_groupownership_sshd_pub_key
-- file_owner_etc_issue_net
-- account_disable_post_pw_expiration
-- sshd_enable_pam
-- sshd_set_keepalive
-- sysctl_net_ipv4_tcp_syncookies
-- set_firewalld_default_zone
-- aide_check_audit_tools
+- package_xinetd_removed
+- package_ypbind_removed
+- package_ypserv_removed
+- partition_for_dev_shm
+- partition_for_tmp
 - postfix_network_listening_disabled
-- accounts_umask_etc_bashrc
-- mount_option_var_log_audit_nodev
+- root_path_no_dot
 - rsyslog_files_groupownership
+- rsyslog_files_ownership
+- rsyslog_files_permissions
+- selinux_not_disabled
+- selinux_policytype
+- service_crond_enabled
+- service_firewalld_enabled
 - service_nfs_disabled
-- accounts_minimum_age_login_defs
-- file_permissions_grub2_cfg
-- dconf_gnome_screensaver_user_locks
-- file_permissions_etc_gshadow
-- sshd_enable_warning_banner_net
-- package_dnsmasq_removed
-- file_ownership_sshd_private_key
-- file_permissions_sshd_private_key
-- no_empty_passwords
-- grub2_enable_selinux
-- file_permissions_sshd_pub_key
 - service_nftables_disabled
-- mount_option_var_log_nosuid
-- accounts_password_pam_minlen
-- file_permissions_cron_allow
-- sysctl_net_ipv6_conf_all_accept_source_route
-- file_owner_etc_motd
-- use_pam_wheel_group_for_su
-- rsyslog_filecreatemode
-- sysctl_net_ipv4_conf_all_secure_redirects
-- file_owner_cron_d
-- file_groupowner_sshd_config
-- file_owner_etc_gshadow
-- accounts_password_pam_pwhistory_remember_system_auth
-- file_permissions_etc_issue_net
-- package_nginx_removed
-- dir_perms_world_writable_sticky_bits
-- file_ownership_sshd_pub_key
-- mount_option_var_log_audit_nosuid
-- package_rsyslog_installed
-- accounts_umask_etc_login_defs
-- kernel_module_squashfs_disabled
+- service_rpcbind_disabled
+- service_systemd-journald_enabled
+- set_password_hashing_algorithm_libuserconf
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_gssapi_auth
+- sshd_disable_rhosts
+- sshd_disable_root_login
+- sshd_do_not_permit_user_env
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_reauthentication
 - sysctl_kernel_randomize_va_space
-- accounts_user_dot_no_world_writable_programs
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_all_rp_filter
-- sshd_set_max_auth_tries
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
-- package_telnet-server_removed
-- gnome_gdm_disable_xdmcp
-- mount_option_home_nodev
-- file_groupownership_home_directories
-- sshd_disable_root_login
-- mount_option_dev_shm_noexec
-- sysctl_net_ipv6_conf_default_accept_source_route
-- file_permissions_backup_etc_passwd
-- package_cyrus-imapd_removed
-- file_permissions_sshd_config
-- no_netrc_files
-- banner_etc_issue_net
-- journald_forward_to_syslog
-- package_tftp_removed
-- no_empty_passwords_etc_shadow
-- package_dhcp_removed
-- file_groupowner_at_allow
-- mount_option_dev_shm_nodev
-- package_aide_installed
-- file_permissions_cron_monthly
-- mount_option_tmp_noexec
 - sysctl_net_ipv4_conf_default_accept_source_route
-- package_ftp_removed
-- rsyslog_files_ownership
-- accounts_password_last_change_is_in_past
+- sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_conf_default_rp_filter
-- sysctl_net_ipv4_conf_all_log_martians
-- sshd_disable_rhosts
-- dconf_gnome_login_banner_text
-- chronyd_specify_remote_server
-- file_groupowner_etc_group
-- file_groupowner_backup_etc_group
+- sysctl_net_ipv4_conf_default_secure_redirects
 - sysctl_net_ipv4_conf_default_send_redirects
-- file_permissions_backup_etc_group
-- file_groupowner_grub2_cfg
-- banner_etc_issue
-- accounts_umask_etc_profile
-- mount_option_tmp_nodev
-- file_owner_etc_issue
-- package_libselinux_installed
-- service_rpcbind_disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-- accounts_root_path_dirs_no_write
-- dconf_gnome_disable_user_list
-- file_owner_cron_weekly
-- gid_passwd_group_same
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_forwarding
+- 
sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_redirects -- partition_for_tmp -- mount_option_var_nosuid -- set_password_hashing_algorithm_passwordauth -- package_squid_removed -- sshd_do_not_permit_user_env -- file_owner_backup_etc_gshadow -- dconf_gnome_session_idle_user_locks -- accounts_passwords_pam_faillock_deny -- accounts_password_set_min_life_existing -- file_groupowner_cron_daily -- file_owner_etc_shadow -- package_openldap-clients_removed -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- no_files_unowned_by_user -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- firewalld_loopback_traffic_trusted -- configure_crypto_policy -- has_nonlocal_mta -- accounts_root_gid_zero -- dconf_gnome_banner_enabled -- accounts_password_warn_age_login_defs -- accounts_password_set_warn_age_existing -- aide_periodic_cron_checking -- file_groupowner_etc_shadow -- file_groupowner_cron_d -- file_groupownership_sshd_private_key -- file_permissions_cron_hourly +- sysctl_net_ipv6_conf_default_accept_source_route +- use_pam_wheel_group_for_su +- var_user_initialization_files_regex=all_dotfiles - var_accounts_user_umask=027 - var_accounts_tmout=15_min -- var_account_disable_post_pw_expiration=30 +- var_account_disable_post_pw_expiration=45 +- var_password_hashing_algorithm=SHA512 - var_accounts_password_warn_age_login_defs=7 -- var_accounts_minimum_age_login_defs=1 - var_accounts_maximum_age_login_defs=365 -- var_password_hashing_algorithm=SHA512 - var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_remember=5 -- var_accounts_passwords_pam_faillock_deny=3 -- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 - var_password_pam_minclass=4 - var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- 
var_accounts_passwords_pam_faillock_deny=5 - var_pam_wheel_group_for_su=cis -- sshd_idle_timeout_value=15_minutes -- var_sshd_set_keepalive=1 -- var_sshd_set_login_grace_time=60 - var_sshd_max_sessions=10 - var_sshd_set_maxstartups=10:30:60 - sshd_max_auth_tries_value=4 -- var_nftables_family=inet -- var_nftables_table=firewalld +- var_sshd_set_login_grace_time=60 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_strong_macs=cis_rhel9 +- sshd_strong_kex=cis_rhel9 +- sshd_approved_ciphers=cis_rhel9 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - sysctl_net_ipv4_tcp_syncookies_value=enabled -- sysctl_net_ipv4_conf_all_rp_filter_value=enabled -- sysctl_net_ipv4_conf_default_rp_filter_value=enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - sysctl_net_ipv4_conf_all_log_martians_value=enabled - sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- 
sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - sysctl_net_ipv6_conf_all_forwarding_value=disabled -- var_postfix_inet_interfaces=loopback-only - var_multiple_time_servers=rhel -- var_system_crypto_policy=default_policy +- var_postfix_inet_interfaces=loopback-only - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - remote_login_banner_text=cis_banners - login_banner_text=cis_banners - motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 - var_selinux_policy_name=targeted - var_authselect_profile=sssd unselected_groups: [] @@ -342,5 +355,4 @@ filter_rules: '' policies: - cis_rhel9 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation -definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l1.profile documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile index 6e082b2280a..a0a5678dad3 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile 
@@ -1,429 +1,459 @@ description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: -- sysctl_net_ipv4_conf_all_accept_redirects -- auditd_data_retention_max_log_file -- audit_rules_session_events -- sysctl_net_ipv6_conf_all_accept_redirects -- audit_rules_login_events_lastlog -- file_owner_cron_daily -- ensure_root_password_configured -- file_owner_backup_etc_shadow -- audit_rules_dac_modification_lsetxattr -- audit_rules_networkconfig_modification -- audit_rules_networkconfig_modification_network_scripts -- sysctl_net_ipv4_conf_default_log_martians -- audit_rules_unsuccessful_file_modification_truncate -- auditd_data_retention_space_left_action -- audit_sudo_log_events -- grub2_audit_backlog_limit_argument -- audit_rules_file_deletion_events_unlinkat -- file_permissions_home_directories -- file_permissions_crontab -- audit_rules_kernel_module_loading_finit -- sudo_require_reauthentication -- file_cron_deny_not_exist -- accounts_no_uid_except_zero -- disable_host_auth -- package_tftp-server_removed -- file_groupowner_backup_etc_gshadow +- account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth - account_unique_id -- file_groupowner_etc_motd -- grub2_password +- account_unique_name - accounts_maximum_age_login_defs -- file_owner_etc_group -- audit_rules_execution_setfacl -- service_crond_enabled -- 
file_permissions_backup_etc_gshadow -- file_owner_crontab -- sysctl_net_ipv4_tcp_syncookies -- file_owner_etc_issue_net -- sshd_set_keepalive -- set_firewalld_default_zone +- accounts_minimum_age_login_defs +- accounts_no_uid_except_zero +- accounts_password_all_shadowed +- accounts_password_last_change_is_in_past +- accounts_password_pam_dictcheck +- accounts_password_pam_difok +- accounts_password_pam_enforce_root +- accounts_password_pam_maxrepeat +- accounts_password_pam_minclass +- accounts_password_pam_minlen +- accounts_password_pam_pwhistory_remember_password_auth +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_password_set_max_life_existing +- accounts_password_set_min_life_existing +- accounts_password_set_warn_age_existing +- accounts_password_warn_age_login_defs +- accounts_passwords_pam_faillock_deny +- accounts_passwords_pam_faillock_deny_root +- accounts_passwords_pam_faillock_unlock_time +- accounts_root_gid_zero +- accounts_root_path_dirs_no_write +- accounts_set_post_pw_existing +- accounts_tmout - accounts_umask_etc_bashrc -- mount_option_var_log_audit_nodev -- service_auditd_enabled -- file_permissions_grub2_cfg +- accounts_umask_etc_login_defs +- accounts_umask_etc_profile +- accounts_user_dot_group_ownership +- accounts_user_dot_no_world_writable_programs +- accounts_user_dot_user_ownership +- accounts_user_interactive_home_directory_exists +- aide_build_database +- aide_check_audit_tools +- aide_periodic_cron_checking +- audit_rules_dac_modification_chmod +- audit_rules_dac_modification_chown +- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_fchmodat +- audit_rules_dac_modification_fchown +- audit_rules_dac_modification_fchownat +- audit_rules_dac_modification_fremovexattr +- audit_rules_dac_modification_fsetxattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lsetxattr +- audit_rules_dac_modification_removexattr +- 
audit_rules_dac_modification_setxattr +- audit_rules_execution_chacl +- audit_rules_execution_chcon +- audit_rules_execution_setfacl +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_renameat +- audit_rules_file_deletion_events_unlink +- audit_rules_file_deletion_events_unlinkat +- audit_rules_immutable +- audit_rules_kernel_module_loading_create - audit_rules_kernel_module_loading_delete -- dconf_gnome_screensaver_user_locks -- no_empty_passwords +- audit_rules_kernel_module_loading_finit +- audit_rules_kernel_module_loading_init +- audit_rules_kernel_module_loading_query +- audit_rules_login_events_faillock +- audit_rules_login_events_lastlog +- audit_rules_mac_modification +- audit_rules_mac_modification_usr_share +- audit_rules_media_export +- audit_rules_networkconfig_modification +- audit_rules_networkconfig_modification_network_scripts +- audit_rules_privileged_commands +- audit_rules_privileged_commands_kmod +- audit_rules_privileged_commands_usermod +- audit_rules_session_events +- audit_rules_suid_auid_privilege_function +- audit_rules_sysadmin_actions - audit_rules_time_adjtimex -- accounts_password_pam_minlen -- audit_rules_dac_modification_fchmodat -- grub2_audit_argument -- sysctl_net_ipv4_conf_all_secure_redirects -- file_groupowner_sshd_config - audit_rules_time_clock_settime -- dir_perms_world_writable_sticky_bits -- mount_option_var_log_audit_nosuid -- kernel_module_squashfs_disabled -- accounts_user_dot_no_world_writable_programs -- sshd_set_max_auth_tries -- package_telnet-server_removed - audit_rules_time_settimeofday -- file_groupownership_home_directories -- sysctl_net_ipv6_conf_default_accept_source_route -- audit_rules_dac_modification_fsetxattr -- package_cyrus-imapd_removed -- file_permissions_sshd_config -- no_netrc_files -- audit_rules_immutable -- mount_option_dev_shm_nodev -- file_permissions_cron_monthly -- dconf_gnome_login_banner_text -- chronyd_specify_remote_server -- 
sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group -- audit_rules_dac_modification_fchownat -- kernel_module_usb-storage_disabled -- mount_option_tmp_nodev +- audit_rules_time_watch_localtime +- audit_rules_unsuccessful_file_modification_creat +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_unsuccessful_file_modification_open +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_unsuccessful_file_modification_truncate +- audit_rules_usergroup_modification_group - audit_rules_usergroup_modification_gshadow -- gid_passwd_group_same -- sysctl_net_ipv6_conf_default_accept_redirects -- set_password_hashing_algorithm_passwordauth -- dconf_gnome_session_idle_user_locks -- sudo_require_authentication -- accounts_password_set_min_life_existing -- kernel_module_tipc_disabled -- dconf_gnome_banner_enabled -- sysctl_net_ipv4_conf_default_secure_redirects -- file_groupowner_cron_d - audit_rules_usergroup_modification_opasswd -- audit_rules_mac_modification_usr_share -- accounts_passwords_pam_faillock_unlock_time -- file_owner_grub2_cfg -- audit_rules_kernel_module_loading_query -- no_shelllogin_for_systemaccounts -- file_owner_cron_allow -- dconf_gnome_screensaver_idle_delay -- directory_permissions_var_log_audit -- package_samba_removed -- sshd_set_loglevel_verbose -- audit_rules_time_stime -- accounts_user_interactive_home_directory_exists -- accounts_tmout -- file_groupowner_backup_etc_shadow -- file_owner_etc_passwd -- mount_option_var_tmp_nodev -- partition_for_home -- audit_rules_file_deletion_events_rename -- package_rsync_removed -- accounts_password_pam_retry -- chronyd_run_as_chrony_user -- file_permissions_cron_weekly -- file_permissions_etc_group -- file_permissions_ungroupowned -- aide_build_database -- accounts_password_all_shadowed -- set_nftables_table -- file_permissions_etc_motd -- set_password_hashing_algorithm_logindefs -- mount_option_tmp_nosuid -- service_firewalld_enabled -- 
rsyslog_nolisten -- accounts_password_pam_pwhistory_remember_password_auth -- package_net-snmp_removed -- coredump_disable_backtraces -- partition_for_dev_shm +- audit_rules_usergroup_modification_passwd +- audit_rules_usergroup_modification_shadow +- audit_sudo_log_events +- auditd_data_disk_error_action +- auditd_data_disk_full_action +- auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action +- auditd_data_retention_max_log_file +- auditd_data_retention_max_log_file_action +- auditd_data_retention_space_left_action +- banner_etc_issue +- banner_etc_issue_net +- banner_etc_motd +- chronyd_run_as_chrony_user +- chronyd_specify_remote_server +- configure_crypto_policy - configure_ssh_crypto_policy +- coredump_disable_backtraces +- coredump_disable_storage +- dconf_db_up_to_date +- dconf_gnome_banner_enabled +- dconf_gnome_disable_automount +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +- dconf_gnome_disable_user_list +- dconf_gnome_login_banner_text +- dconf_gnome_screensaver_idle_delay +- dconf_gnome_screensaver_lock_delay +- dconf_gnome_screensaver_user_locks +- dconf_gnome_session_idle_user_locks +- dir_perms_world_writable_sticky_bits +- directory_permissions_var_log_audit +- disable_host_auth +- enable_authselect +- ensure_gpgcheck_globally_activated - ensure_pam_wheel_group_empty -- package_vsftpd_removed -- auditd_data_retention_max_log_file_action -- sshd_disable_x11_forwarding -- sshd_enable_pam -- audit_rules_kernel_module_loading_init -- audit_rules_time_watch_localtime -- package_dnsmasq_removed -- sshd_enable_warning_banner_net -- file_permissions_sshd_pub_key -- file_permissions_cron_allow -- file_owner_etc_motd -- rsyslog_filecreatemode -- file_owner_cron_d -- audit_rules_unsuccessful_file_modification_open -- accounts_umask_etc_login_defs -- mount_option_home_nodev -- mount_option_dev_shm_noexec -- audit_rules_usergroup_modification_group -- audit_rules_dac_modification_removexattr -- 
audit_rules_dac_modification_setxattr -- journald_forward_to_syslog -- audit_rules_execution_chcon -- audit_rules_dac_modification_lremovexattr -- package_ftp_removed -- accounts_password_last_change_is_in_past -- sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_all_log_martians +- ensure_root_password_configured +- file_at_deny_not_exist +- file_cron_allow_exists +- file_cron_deny_not_exist +- file_etc_security_opasswd +- file_group_ownership_var_log_audit +- file_groupowner_at_allow +- file_groupowner_backup_etc_group +- file_groupowner_backup_etc_gshadow +- file_groupowner_backup_etc_passwd +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- file_groupowner_cron_d +- file_groupowner_cron_daily +- file_groupowner_cron_hourly +- file_groupowner_cron_monthly +- file_groupowner_cron_weekly +- file_groupowner_crontab - file_groupowner_etc_group -- package_libselinux_installed -- file_owner_cron_weekly -- mount_option_var_nosuid -- file_owner_etc_shadow -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- audit_rules_dac_modification_chown -- has_nonlocal_mta -- accounts_password_warn_age_login_defs -- mount_option_var_log_nosuid -- file_groupowner_etc_shadow -- file_permissions_cron_hourly -- coredump_disable_storage -- auditd_data_retention_action_mail_acct - file_groupowner_etc_gshadow -- audit_rules_unsuccessful_file_modification_ftruncate -- no_rsh_trust_files -- rsyslog_files_permissions -- account_password_pam_faillock_system_auth -- mount_option_var_tmp_noexec -- mount_option_var_nodev -- audit_rules_privileged_commands_kmod -- audit_rules_sysadmin_actions - file_groupowner_etc_issue -- file_owner_backup_etc_group -- file_permissions_cron_daily -- file_groupowner_backup_etc_passwd -- set_password_hashing_algorithm_systemauth -- sshd_set_max_sessions -- journald_compress -- package_sudo_installed -- file_owner_backup_etc_passwd -- audit_rules_login_events_faillock +- 
file_groupowner_etc_issue_net +- file_groupowner_etc_motd - file_groupowner_etc_passwd -- package_firewalld_installed -- file_permissions_unauthorized_world_writable -- sysctl_net_ipv4_conf_all_accept_source_route -- audit_rules_dac_modification_fchown -- file_at_deny_not_exist -- mount_option_home_nosuid -- file_permissions_var_log_audit -- mount_option_dev_shm_nosuid -- file_owner_user_cfg -- sysctl_net_ipv6_conf_all_forwarding -- audit_rules_mac_modification -- file_permissions_cron_d -- dconf_db_up_to_date -- sysctl_net_ipv4_ip_forward -- audit_rules_usergroup_modification_passwd -- accounts_password_pam_minclass -- service_rsyslog_enabled -- sshd_set_maxstartups -- file_groupowner_cron_allow -- sudo_add_use_pty -- sysctl_net_ipv6_conf_all_accept_ra -- package_httpd_removed -- audit_rules_dac_modification_lchown -- audit_rules_kernel_module_loading_create -- group_unique_id -- file_cron_allow_exists +- file_groupowner_etc_shadow +- file_groupowner_etc_shells +- file_groupowner_grub2_cfg +- file_groupowner_sshd_config - file_groupowner_user_cfg -- dconf_gnome_disable_automount -- package_bind_removed -- file_groupowner_cron_weekly -- socket_systemd-journal-remote_disabled -- enable_authselect -- kernel_module_udf_disabled -- file_groupowner_etc_issue_net -- sysctl_net_ipv6_conf_default_accept_ra -- sysctl_net_ipv4_conf_all_send_redirects -- account_password_pam_faillock_password_auth -- banner_etc_motd -- file_permissions_backup_etc_shadow -- journald_storage -- sudo_custom_logfile -- audit_rules_dac_modification_fchmod -- account_disable_post_pw_expiration -- aide_check_audit_tools -- file_ownership_audit_configuration -- selinux_state -- service_nfs_disabled -- partition_for_var_tmp -- grub2_enable_selinux -- service_nftables_disabled -- use_pam_wheel_group_for_su -- file_permissions_audit_configuration -- package_nginx_removed -- accounts_password_pam_pwhistory_remember_system_auth -- file_permissions_etc_issue_net -- file_ownership_sshd_pub_key -- 
file_ownership_audit_binaries -- sysctl_net_ipv4_conf_all_rp_filter -- sysctl_net_ipv4_conf_default_accept_redirects -- file_permissions_backup_etc_passwd -- file_ownership_var_log_audit_stig -- package_tftp_removed - file_groupownership_audit_binaries -- no_empty_passwords_etc_shadow -- package_dhcp_removed -- file_groupowner_at_allow -- package_aide_installed -- mount_option_tmp_noexec -- sshd_disable_rhosts -- file_permissions_audit_binaries -- service_rpcbind_disabled -- accounts_umask_etc_profile +- file_groupownership_audit_configuration +- file_groupownership_sshd_private_key +- file_groupownership_sshd_pub_key +- file_owner_backup_etc_group +- file_owner_backup_etc_gshadow +- file_owner_backup_etc_passwd +- file_owner_backup_etc_shadow +- file_owner_cron_allow +- file_owner_cron_d +- file_owner_cron_daily +- file_owner_cron_hourly +- file_owner_cron_monthly +- file_owner_cron_weekly +- file_owner_crontab +- file_owner_etc_group +- file_owner_etc_gshadow - file_owner_etc_issue -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- accounts_root_path_dirs_no_write -- package_squid_removed -- file_groupowner_cron_daily -- package_openldap-clients_removed -- partition_for_var_log -- audit_rules_suid_auid_privilege_function -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- configure_crypto_policy -- aide_periodic_cron_checking +- file_owner_etc_issue_net +- file_owner_etc_motd +- file_owner_etc_passwd +- file_owner_etc_shadow +- file_owner_etc_shells +- file_owner_grub2_cfg +- file_owner_sshd_config +- file_owner_user_cfg +- file_ownership_audit_binaries +- file_ownership_audit_configuration +- file_ownership_sshd_private_key +- file_ownership_sshd_pub_key +- file_ownership_var_log_audit_stig +- file_permission_user_init_files +- file_permissions_at_allow +- file_permissions_audit_binaries +- file_permissions_audit_configuration +- file_permissions_backup_etc_group +- file_permissions_backup_etc_gshadow +- 
file_permissions_backup_etc_passwd +- file_permissions_backup_etc_shadow +- file_permissions_cron_allow +- file_permissions_cron_d +- file_permissions_cron_daily +- file_permissions_cron_hourly +- file_permissions_cron_monthly +- file_permissions_cron_weekly +- file_permissions_crontab +- file_permissions_etc_group +- file_permissions_etc_gshadow +- file_permissions_etc_issue +- file_permissions_etc_issue_net +- file_permissions_etc_motd - file_permissions_etc_passwd -- file_groupownership_sshd_private_key -- package_dovecot_removed +- file_permissions_etc_shadow +- file_permissions_etc_shells +- file_permissions_grub2_cfg +- file_permissions_home_directories +- file_permissions_sshd_config +- file_permissions_sshd_private_key +- file_permissions_sshd_pub_key +- file_permissions_unauthorized_world_writable +- file_permissions_ungroupowned +- file_permissions_user_cfg +- file_permissions_var_log_audit - firewalld_loopback_traffic_restricted -- mount_option_var_log_nodev +- firewalld_loopback_traffic_trusted +- gid_passwd_group_same +- gnome_gdm_disable_xdmcp +- group_unique_id +- grub2_audit_argument +- grub2_audit_backlog_limit_argument +- grub2_enable_selinux +- grub2_password +- has_nonlocal_mta +- journald_compress +- journald_storage +- kernel_module_cramfs_disabled +- kernel_module_dccp_disabled +- kernel_module_freevxfs_disabled +- kernel_module_hfs_disabled +- kernel_module_hfsplus_disabled +- kernel_module_jffs2_disabled +- kernel_module_rds_disabled +- kernel_module_sctp_disabled +- kernel_module_squashfs_disabled +- kernel_module_tipc_disabled +- kernel_module_udf_disabled +- kernel_module_usb-storage_disabled +- mount_option_dev_shm_nodev +- mount_option_dev_shm_noexec +- mount_option_dev_shm_nosuid +- mount_option_home_nodev +- mount_option_home_nosuid +- mount_option_tmp_nodev +- mount_option_tmp_noexec +- mount_option_tmp_nosuid +- mount_option_var_log_audit_nodev - mount_option_var_log_audit_noexec -- sshd_set_login_grace_time -- 
file_owner_cron_hourly -- dconf_gnome_disable_automount_open -- selinux_not_disabled -- service_systemd-journald_enabled -- package_nftables_installed +- mount_option_var_log_audit_nosuid +- mount_option_var_log_nodev - mount_option_var_log_noexec -- partition_for_var -- package_mcstrans_removed -- sshd_limit_user_access -- root_path_no_dot -- file_permissions_at_allow -- file_permissions_etc_shadow +- mount_option_var_log_nosuid +- mount_option_var_nodev +- mount_option_var_nosuid +- mount_option_var_tmp_nodev +- mount_option_var_tmp_noexec - mount_option_var_tmp_nosuid -- package_telnet_removed -- file_groupowner_crontab -- selinux_confinement_of_daemons -- dconf_gnome_disable_autorun -- accounts_password_set_max_life_existing -- package_audit_installed -- sshd_disable_empty_passwords -- audit_rules_execution_chacl -- audit_rules_file_deletion_events_renameat -- audit_rules_privileged_commands_usermod -- accounts_set_post_pw_existing -- file_groupowner_cron_hourly -- file_owner_sshd_config -- file_owner_cron_monthly -- no_password_auth_for_systemaccounts -- audit_rules_privileged_commands -- file_permissions_etc_issue +- no_empty_passwords +- no_empty_passwords_etc_shadow +- no_files_unowned_by_user - no_forward_files -- selinux_policytype -- file_permissions_user_cfg -- dconf_gnome_screensaver_lock_delay -- audit_rules_usergroup_modification_shadow -- sshd_disable_tcp_forwarding -- file_groupownership_sshd_pub_key -- audit_rules_file_deletion_events_unlink +- no_netrc_files +- no_password_auth_for_systemaccounts +- no_rsh_trust_files +- no_shelllogin_for_systemaccounts +- package_aide_installed +- package_audit-libs_installed +- package_audit_installed +- package_bind_removed +- package_cyrus-imapd_removed +- package_dhcp_removed +- package_dnsmasq_removed +- package_dovecot_removed +- package_firewalld_installed +- package_ftp_removed +- package_httpd_removed +- package_libselinux_installed +- package_mcstrans_removed +- package_net-snmp_removed +- 
package_nftables_installed +- package_nginx_removed +- package_openldap-clients_removed +- package_pam_pwquality_installed +- package_rsync_removed +- package_samba_removed +- package_squid_removed +- package_sudo_installed +- package_systemd-journal-remote_installed +- package_telnet-server_removed +- package_telnet_removed +- package_tftp-server_removed +- package_tftp_removed +- package_vsftpd_removed +- package_xinetd_removed +- package_ypbind_removed +- package_ypserv_removed +- partition_for_dev_shm +- partition_for_home +- partition_for_tmp +- partition_for_var +- partition_for_var_log +- partition_for_var_log_audit +- partition_for_var_tmp - postfix_network_listening_disabled +- root_path_no_dot - rsyslog_files_groupownership -- accounts_minimum_age_login_defs -- file_permissions_etc_gshadow -- file_ownership_sshd_private_key -- file_permissions_sshd_private_key -- sysctl_net_ipv6_conf_all_accept_source_route -- file_owner_etc_gshadow -- package_rsyslog_installed -- sysctl_kernel_randomize_va_space -- audit_rules_dac_modification_chmod -- gnome_gdm_disable_xdmcp -- sshd_disable_root_login -- file_groupownership_audit_configuration -- file_group_ownership_var_log_audit -- audit_rules_unsuccessful_file_modification_openat -- banner_etc_issue_net -- audit_rules_media_export -- sysctl_net_ipv4_conf_default_accept_source_route - rsyslog_files_ownership -- file_groupowner_backup_etc_group -- file_groupowner_grub2_cfg -- banner_etc_issue -- dconf_gnome_disable_user_list -- partition_for_tmp +- rsyslog_files_permissions +- selinux_not_disabled +- selinux_policytype +- selinux_state +- service_auditd_enabled +- service_autofs_disabled +- service_bluetooth_disabled +- service_crond_enabled +- service_firewalld_enabled +- service_nfs_disabled +- service_nftables_disabled +- service_rpcbind_disabled +- service_systemd-journald_enabled +- set_password_hashing_algorithm_libuserconf +- set_password_hashing_algorithm_logindefs +- set_password_hashing_algorithm_passwordauth 
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_gssapi_auth
+- sshd_disable_rhosts
+- sshd_disable_root_login
 - sshd_do_not_permit_user_env
-- file_owner_backup_etc_gshadow
-- accounts_passwords_pam_faillock_deny
-- no_files_unowned_by_user
-- audit_rules_dac_modification_fremovexattr
-- firewalld_loopback_traffic_trusted
-- partition_for_var_log_audit
-- accounts_root_gid_zero
-- audit_rules_unsuccessful_file_modification_creat
-- accounts_password_set_warn_age_existing
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_authentication
+- sudo_require_reauthentication
+- sysctl_kernel_randomize_va_space
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
+- sysctl_net_ipv4_conf_default_accept_redirects
+- sysctl_net_ipv4_conf_default_accept_source_route
+- sysctl_net_ipv4_conf_default_log_martians
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_default_secure_redirects
+- sysctl_net_ipv4_conf_default_send_redirects
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_forwarding
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv6_conf_default_accept_redirects
+- sysctl_net_ipv6_conf_default_accept_source_route
+- use_pam_wheel_group_for_su
+- var_user_initialization_files_regex=all_dotfiles
 - var_accounts_user_umask=027
 - var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
+- var_account_disable_post_pw_expiration=45
+- var_password_hashing_algorithm=SHA512
 - var_accounts_password_warn_age_login_defs=7
-- var_accounts_minimum_age_login_defs=1
 - var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
 - var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=5
-- var_accounts_passwords_pam_faillock_deny=3
-- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_remember=24
+- var_password_pam_dictcheck=1
+- var_password_pam_maxrepeat=3
 - var_password_pam_minclass=4
 - var_password_pam_minlen=14
+- var_password_pam_difok=2
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_accounts_passwords_pam_faillock_deny=5
 - var_pam_wheel_group_for_su=cis
-- sshd_idle_timeout_value=15_minutes
-- var_sshd_set_keepalive=1
-- var_sshd_set_login_grace_time=60
 - var_sshd_max_sessions=10
 - var_sshd_set_maxstartups=10:30:60
 - sshd_max_auth_tries_value=4
-- var_nftables_family=inet
-- var_nftables_table=firewalld
+- var_sshd_set_login_grace_time=60
+- sshd_idle_timeout_value=5_minutes
+- var_sshd_set_keepalive=1
+- sshd_strong_macs=cis_rhel9
+- sshd_strong_kex=cis_rhel9
+- sshd_approved_ciphers=cis_rhel9
 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
 - var_multiple_time_servers=rhel
-- var_system_crypto_policy=default_policy
+- var_postfix_inet_interfaces=loopback-only
 - inactivity_timeout_value=15_minutes
 - var_screensaver_lock_delay=5_seconds
 - remote_login_banner_text=cis_banners
 - login_banner_text=cis_banners
 - motd_banner_text=cis_banners
+- var_system_crypto_policy=default_nosha1
 - var_selinux_policy_name=targeted
 - var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_dir=run
 - var_auditd_action_mail_acct=root
-- var_auditd_admin_space_left_action=halt
-- var_auditd_space_left_action=email
+- var_auditd_admin_space_left_action=cis_rhel9
+- var_auditd_space_left_action=cis_rhel9
+- var_auditd_disk_error_action=cis_rhel9
+- var_auditd_disk_full_action=cis_rhel9
 - var_auditd_max_log_file_action=keep_logs
 - var_auditd_max_log_file=6
+- var_accounts_minimum_age_login_defs=1
 - var_selinux_state=enforcing
 unselected_groups: []
 platforms: !!set {}
@@ -433,5 +463,4 @@ filter_rules: ''
 policies:
 - cis_rhel9
 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
-definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l2.profile
 documentation_complete: true