From 666414370862aa3bc9d43367469a685cc371e294 Mon Sep 17 00:00:00 2001 From: hipponix Date: Fri, 31 May 2024 09:56:39 +0000 Subject: [PATCH 01/28] fix merge conflicts --- CMakeLists.txt | 5 + build_product | 1 + controls/cis_al2023.yml | 2317 +++++++++++++++++ products/al2023/CMakeLists.txt | 10 + products/al2023/product.yml | 44 + products/al2023/profiles/cis.profile | 24 + .../al2023/profiles/cis_server_l1.profile | 24 + products/al2023/transforms/constants.xslt | 12 + products/al2023/transforms/table-style.xslt | 5 + .../al2023/transforms/xccdf2table-cce.xslt | 9 + shared/checks/oval/installed_OS_is_al2023.xml | 34 + ssg/constants.py | 8 +- 12 files changed, 2491 insertions(+), 2 deletions(-) create mode 100644 controls/cis_al2023.yml create mode 100644 products/al2023/CMakeLists.txt create mode 100644 products/al2023/product.yml create mode 100644 products/al2023/profiles/cis.profile create mode 100644 products/al2023/profiles/cis_server_l1.profile create mode 100644 products/al2023/transforms/constants.xslt create mode 100644 products/al2023/transforms/table-style.xslt create mode 100644 products/al2023/transforms/xccdf2table-cce.xslt create mode 100644 shared/checks/oval/installed_OS_is_al2023.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 11037cb8505..4d0d01abefc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -116,6 +116,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_AL2023 "If enabled, the AL2023 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 # Products derivatives
 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
 option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
@@ -344,6 +345,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
 message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
 message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
+message(STATUS "AL 2023: ${SSG_PRODUCT_AL2023}")
 message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
 message(STATUS " ")
@@ -466,6 +468,9 @@ endif()
 if(SSG_PRODUCT_UOS20)
 add_subdirectory("products/uos20" "uos20")
 endif()
+if(SSG_PRODUCT_AL2023)
+add_subdirectory("products/al2023" "al2023")
+endif()
 if(SSG_PRODUCT_OPENEMBEDDED)
 add_subdirectory("products/openembedded" "openembedded")
 endif()
diff --git a/build_product b/build_product
index e6fb86991b0..a43fa92ae08 100755
--- a/build_product
+++ b/build_product
@@ -378,6 +378,7 @@ all_cmake_products=(
 MACOS1015
 OPENEMBEDDED
 OPENEULER2203
+AL2023
 )
 DEFAULT_OVAL_MAJOR_VERSION=5
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml
new file mode 100644
index 00000000000..ea9d9f392af
--- /dev/null
+++ b/controls/cis_al2023.yml
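Review bot: The product is named inconsistently across the three CMakeLists.txt hunks: the option's help string says "AL2023", the status message says "AL 2023", and the control file added in this same patch calls it "Amazon Linux 2023". The neighbouring options spell the product out ("Ubuntu 22.04", "Uos 20"), so the new lines should follow suit, e.g. `option(SSG_PRODUCT_AL2023 "If enabled, the Amazon Linux 2023 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})` and `message(STATUS "Amazon Linux 2023: ${SSG_PRODUCT_AL2023}")`. The `add_subdirectory` hunk is consistent with the surrounding product blocks and needs no change; the enclosing option/message/if runs continue outside the hunks. The commit subject "fix merge conflicts" does not describe this addition of a new product, which will make the history harder to audit.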
@@ -0,0 +1,2317 @@ +--- +policy: 'CIS Benchmark for Amazon Linux 2023' +title: 'CIS Benchmark for Amazon Linux 2023' +id: cis_al2023 +version: '1.0.0' +source: https://www.cisecurity.org/benchmark/amazon_linux +levels: + - id: l1_server + - id: l2_server + inherits_from: + - l1_server +reference_type: cis +product: al2023 + +controls: + - id: reload_dconf_db + title: Reload Dconf database + levels: + - l1_server + notes: <- + This is a helper rule to reload Dconf database correctly. + status: automated + rules: + - dconf_db_up_to_date + + - id: enable_authselect + title: Enable Authselect + levels: + - l1_server + notes: <- + We need this in all CIS versions, but the policy doesn't have any section where this would fit better. + status: automated + rules: + - var_authselect_profile=sssd + - enable_authselect + + - id: 1.1.1.1 + title: Ensure mounting of squashfs filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.2 + title: Ensure mounting of udf filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_udf_disabled + + - id: 1.1.2.1 + title: Ensure /tmp is a separate partition (Automated) + levels: + - l1_server + status: automated + rules: + - partition_for_tmp + + - id: 1.1.2.2 + title: Ensure nodev option set on /tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_tmp_nodev + + - id: 1.1.2.3 + title: Ensure noexec option set on /tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_tmp_noexec + + - id: 1.1.2.4 + title: Ensure nosuid option set on /tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_tmp_nosuid + + - id: 1.1.3.1 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var + + - id: 1.1.3.2 + title: Ensure 
nodev option set on /var partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_nodev + + - id: 1.1.3.3 + title: Ensure nosuid option set on /var partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_nosuid + + - id: 1.1.4.1 + title: Ensure separate partition exists for /var/tmp (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_tmp + + - id: 1.1.4.2 + title: Ensure noexec option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_noexec + + - id: 1.1.4.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_nosuid + + - id: 1.1.4.4 + title: Ensure nodev option set on /var/tmp partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_tmp_nodev + + - id: 1.1.5.1 + title: Ensure separate partition exists for /var/log (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_log + + - id: 1.1.5.2 + title: Ensure nodev option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_nodev + + - id: 1.1.5.3 + title: Ensure noexec option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_noexec + + - id: 1.1.5.4 + title: Ensure nosuid option set on /var/log partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_nosuid + + - id: 1.1.6.1 + title: Ensure separate partition exists for /var/log/audit (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_var_log_audit + + - id: 1.1.6.2 + title: Ensure noexec option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_noexec 
+ + - id: 1.1.6.3 + title: Ensure nodev option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_nodev + + - id: 1.1.6.4 + title: Ensure nosuid option set on /var/log/audit partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_var_log_audit_nosuid + + - id: 1.1.7.1 + title: Ensure separate partition exists for /home (Automated) + levels: + - l2_server + status: automated + rules: + - partition_for_home + + - id: 1.1.7.2 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_home_nodev + + - id: 1.1.7.3 + title: Ensure nosuid option set on /home partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_home_nosuid + + - id: 1.1.8.1 + title: Ensure /dev/shm is a separate partition (Automated) + levels: + - l1_server + status: automated + rules: + - partition_for_dev_shm + + - id: 1.1.8.2 + title: Ensure nodev option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_nodev + + - id: 1.1.8.3 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_noexec + + - id: 1.1.8.4 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + status: automated + rules: + - mount_option_dev_shm_nosuid + + - id: 1.1.9 + title: Disable USB Storage (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_usb-storage_disabled + + #- id: 1.2.1 + #title: Ensure GPG keys are configured (Manual) + #levels: + #- l1_server + #status: manual + #related_rules: + #- ensure_amazon_gpgkey_installed + + - id: 1.2.2 + title: Ensure gpgcheck is globally activated (Automated) + levels: + - l1_server + status: automated + rules: + - ensure_gpgcheck_globally_activated 
+ + - id: 1.2.3 + title: Ensure package manager repositories are configured (Manual) + levels: + - l1_server + status: manual + + - id: 1.2.4 + title: Ensure repo_gpgcheck is globally activated (Manual) + levels: + - l1_server + status: manual + + - id: 1.3.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_aide_installed + - aide_build_database + + - id: 1.3.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + status: automated + rules: + - aide_periodic_cron_checking + + - id: 1.3.3 + title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) + levels: + - l1_server + status: automated + rules: + - aide_check_audit_tools + related_rules: + - aide_use_fips_hashes + + - id: 1.4.1 + title: Ensure bootloader password is set (Automated) + levels: + - l1_server + status: automated + notes: <- + RHEL9 unified the paths for grub2 files. + rules: + - grub2_password + related_rules: + - grub2_uefi_password + + - id: 1.4.2 + title: Ensure permissions on bootloader config are configured (Automated) + levels: + - l1_server + status: automated + notes: <- + RHEL9 unified the paths for grub2 files. 
+ rules: + - file_groupowner_grub2_cfg + - file_owner_grub2_cfg + - file_permissions_grub2_cfg + - file_groupowner_user_cfg + - file_owner_user_cfg + - file_permissions_user_cfg + related_rules: + - file_groupowner_efi_grub2_cfg + - file_owner_efi_grub2_cfg + - file_permissions_efi_grub2_cfg + - file_groupowner_efi_user_cfg + - file_owner_efi_user_cfg + - file_permissions_efi_user_cfg + + - id: 1.5.1 + title: Ensure core dump storage is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_storage + + - id: 1.5.2 + title: Ensure core dump backtraces are disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_backtraces + + - id: 1.5.3 + title: Ensure address space layout randomization (ASLR) is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_kernel_randomize_va_space + + - id: 1.6.1.1 + title: Ensure SELinux is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_libselinux_installed + + - id: 1.6.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) + levels: + - l1_server + status: automated + rules: + - grub2_enable_selinux + + - id: 1.6.1.3 + title: Ensure SELinux policy is configured (Automated) + levels: + - l1_server + status: automated + rules: + - var_selinux_policy_name=targeted + - selinux_policytype + + - id: 1.6.1.4 + title: Ensure the SELinux mode is not disabled (Automated) + levels: + - l1_server + status: automated + rules: + - selinux_not_disabled + + - id: 1.6.1.5 + title: Ensure the SELinux mode is enforcing (Automated) + levels: + - l2_server + status: automated + rules: + - var_selinux_state=enforcing + - selinux_state + + - id: 1.6.1.6 + title: Ensure no unconfined services exist (Automated) + levels: + - l1_server + status: automated + rules: + - selinux_confinement_of_daemons + + - id: 1.6.1.7 + title: Ensure SETroubleshoot is not installed (Automated) + levels: + 
- l1_server + status: automated + rules: + - package_setroubleshoot_removed + + - id: 1.6.1.8 + title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_mcstrans_removed + + - id: 1.7.1 + title: Ensure message of the day is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_motd + - motd_banner_text=cis_banners + + - id: 1.7.2 + title: Ensure local login warning banner is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_issue + - login_banner_text=cis_banners + + - id: 1.7.3 + title: Ensure remote login warning banner is configured properly (Automated) + levels: + - l1_server + status: automated + rules: + - banner_etc_issue_net + - remote_login_banner_text=cis_banners + + - id: 1.7.4 + title: Ensure permissions on /etc/motd are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + + - id: 1.7.5 + title: Ensure permissions on /etc/issue are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + + - id: 1.7.6 + title: Ensure permissions on /etc/issue.net are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + + - id: 1.8.1 + title: Ensure GNOME Display Manager is removed (Automated) + levels: + - l2_server + status: automated + rules: + - package_gdm_removed + + - id: 1.8.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - login_banner_text=cis_banners + + - id: 1.8.3 + title: Ensure GDM disable-user-list option is 
enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_user_list + + - id: 1.8.4 + title: Ensure GDM screen locks when the user is idle (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + + - id: 1.8.5 + title: Ensure GDM screen locks cannot be overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_session_idle_user_locks + - dconf_gnome_screensaver_user_locks + + - id: 1.8.6 + title: Ensure GDM automatic mounting of removable media is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.7 + title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.8 + title: Ensure GDM autorun-never is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.9 + title: Ensure GDM autorun-never is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.10 + title: Ensure XDMCP is not enabled (Automated) + levels: + - l1_server + status: automated + rules: + - gnome_gdm_disable_xdmcp + + - id: 1.9 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + status: manual + related_rules: + - security_patches_up_to_date + + - id: "1.10" + title: Ensure system-wide crypto policy is not legacy (Automated) + levels: + - l1_server + status: automated + notes: The selected crypto-policy cannot be legacy + rules: + - configure_crypto_policy + - 
var_system_crypto_policy=default_policy + + - id: 2.1.1 + title: Ensure time synchronization is in use (Automated) + levels: + - l1_server + status: automated + related_rules: + - package_chrony_installed + + - id: 2.1.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + status: automated + rules: + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + - var_multiple_time_servers=rhel + + - id: 2.2.1 + title: Ensure xorg-x11-server-common is not installed (Automated) + levels: + - l2_server + status: automated + rules: + - package_xorg-x11-server-common_removed + + - id: 2.2.2 + title: Ensure Avahi Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_avahi_removed + related_rules: + - service_avahi-daemon_disabled + + - id: 2.2.3 + title: Ensure CUPS is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_cups_removed + related_rules: + - service_cups_disabled + + - id: 2.2.4 + title: Ensure DHCP Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dhcp_removed + + - id: 2.2.5 + title: Ensure DNS Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_bind_removed + + - id: 2.2.6 + title: Ensure VSFTP Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_vsftpd_removed + + - id: 2.2.7 + title: Ensure TFTP Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_tftp-server_removed + + - id: 2.2.8 + title: Ensure a web server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_httpd_removed + - package_nginx_removed + + - id: 2.2.9 + title: Ensure IMAP and POP3 server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dovecot_removed + - package_cyrus-imapd_removed + + - id: 2.2.10 + 
title: Ensure Samba is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_samba_removed + + - id: 2.2.11 + title: Ensure HTTP Proxy Server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_squid_removed + + - id: 2.2.12 + title: Ensure net-snmp is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_net-snmp_removed + + - id: 2.2.13 + title: Ensure telnet-server is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_telnet-server_removed + + - id: 2.2.14 + title: Ensure dnsmasq is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_dnsmasq_removed + + - id: 2.2.15 + title: Ensure mail transfer agent is configured for local-only mode (Automated) + levels: + - l1_server + status: automated + rules: + - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only + - has_nonlocal_mta + + - id: 2.2.16 + title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) + levels: + - l1_server + status: automated + rules: + - service_nfs_disabled + related_rules: + - package_nfs-utils_removed + # The nfs-utils package is required for systems with GUI or by some libvirt packages + + - id: 2.2.17 + title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) + levels: + - l1_server + status: automated + rules: + - service_rpcbind_disabled + related_rules: + - package_rpcbind_removed + + - id: 2.2.18 + title: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated) + levels: + - l1_server + status: automated + rules: + - package_rsync_removed + related_rules: + - service_rsyncd_disabled + + - id: 2.3.1 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_telnet_removed + + - id: 2.3.2 + title: Ensure LDAP client is 
not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_openldap-clients_removed + + - id: 2.3.3 + title: Ensure TFTP client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_tftp_removed + + - id: 2.3.4 + title: Ensure FTP client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_ftp_removed + + - id: 2.4 + title: Ensure nonessential services are removed or masked (Manual) + levels: + - l1_server + status: manual + + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) + levels: + - l1_server + status: manual + + - id: 3.1.2 + title: Ensure wireless interfaces are disabled (Automated) + levels: + - l1_server + status: automated + rules: + - wireless_disable_interfaces + + - id: 3.1.3 + title: Ensure TIPC is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_tipc_disabled + + - id: 3.2.1 + title: Ensure IP forwarding is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled + + - id: 3.2.2 + title: Ensure packet redirect sending is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + + - id: 3.3.1 + title: Ensure source routed packets are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - 
sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + + - id: 3.3.2 + title: Ensure ICMP redirects are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + + - id: 3.3.3 + title: Ensure secure ICMP redirects are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + + - id: 3.3.4 + title: Ensure suspicious packets are logged (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled + + - id: 3.3.5 + title: Ensure broadcast ICMP requests are ignored (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + + - id: 3.3.6 + title: Ensure bogus ICMP responses are ignored (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + + - id: 3.3.7 + title: Ensure Reverse Path Filtering is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_conf_all_rp_filter + - 
sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + + - id: 3.3.8 + title: Ensure TCP SYN Cookies is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled + + - id: 3.3.9 + title: Ensure IPv6 router advertisements are not accepted (Automated) + levels: + - l1_server + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + + - id: 3.4.1.1 + title: Ensure nftables is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_nftables_installed + + - id: 3.4.1.2 + title: Ensure a single firewall configuration utility is in use (Automated) + levels: + - l1_server + status: automated + rules: + - service_firewalld_enabled + - package_firewalld_installed + - service_nftables_disabled + + - id: 3.4.2.1 + title: Ensure firewalld default zone is set (Automated) + levels: + - l1_server + status: automated + rules: + - set_firewalld_default_zone + + - id: 3.4.2.2 + title: Ensure at least one nftables table exists (Automated) + levels: + - l1_server + status: supported + notes: + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. firewalld uses the inet firewalld that is created when firewalld is installed. + The OVAL check cannot be automated but an SCE is availble. + rules: + - set_nftables_table + - var_nftables_family=inet + - var_nftables_table=firewalld + + - id: 3.4.2.3 + title: Ensure nftables base chains exist (Automated) + levels: + - l1_server + status: supported + notes: |- + RHEL systems use firewalld for firewall management. 
Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. When using firewalld the base chains are installed by default. + related_rules: + - set_nftables_base_chain + - var_nftables_table=firewalld + - var_nftables_family=inet + - var_nftables_base_chain_names=chain_names + - var_nftables_base_chain_types=chain_types + - var_nftables_base_chain_hooks=chain_hooks + - var_nftables_base_chain_priorities=chain_priorities + - var_nftables_base_chain_policies=chain_policies + + - id: 3.4.2.4 + title: Ensure host based firewall loopback traffic is configured (Automated) + levels: + - l1_server + status: automated + rules: + - firewalld_loopback_traffic_trusted + - firewalld_loopback_traffic_restricted + + - id: 3.4.2.5 + title: Ensure firewalld drops unnecessary services and ports (Manual) + levels: + - l1_server + status: manual + related_rules: + - configure_firewalld_ports + + - id: 3.4.2.6 + title: Ensure nftables established connections are configured (Manual) + levels: + - l1_server + status: manual + + - id: 3.4.2.7 + title: Ensure nftables default deny firewall policy (Automated) + levels: + - l1_server + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. 
+ related_rules: + - nftables_ensure_default_deny_policy + + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) + levels: + - l2_server + status: automated + rules: + - package_audit_installed + + - id: 4.1.1.2 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + levels: + - l2_server + status: automated + rules: + - grub2_audit_argument + + - id: 4.1.1.3 + title: Ensure audit_backlog_limit is sufficient (Automated) + levels: + - l2_server + status: automated + rules: + - grub2_audit_backlog_limit_argument + + - id: 4.1.1.4 + title: Ensure auditd service is enabled (Automated) + levels: + - l2_server + status: automated + rules: + - service_auditd_enabled + + - id: 4.1.2.1 + title: Ensure audit log storage size is configured (Automated) + levels: + - l2_server + status: automated + rules: + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 + + - id: 4.1.2.2 + title: Ensure audit logs are not automatically deleted (Automated) + levels: + - l2_server + status: automated + rules: + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs + + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) + levels: + - l2_server + status: automated + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=halt + - var_auditd_space_left_action=email + + - id: 4.1.3.1 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_sysadmin_actions + + - id: 4.1.3.2 + title: Ensure actions as another user are always logged (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_suid_auid_privilege_function + + - id: 4.1.3.3 + title: Ensure events that modify the sudo log file 
are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_sudo_log_events + + - id: 4.1.3.4 + title: Ensure events that modify date and time information are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime + + - id: 4.1.3.5 + title: Ensure events that modify the system's network environment are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification_network_scripts + + - id: 4.1.3.6 + title: Ensure use of privileged commands is collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_privileged_commands + + - id: 4.1.3.7 + title: Ensure unsuccessful file access attempts are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + + - id: 4.1.3.8 + title: Ensure events that modify user/group information are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + + - id: 4.1.3.9 + title: Ensure discretionary access control permission modification events are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - 
audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + + - id: 4.1.3.10 + title: Ensure successful file system mounts are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_media_export + + - id: 4.1.3.11 + title: Ensure session initiation information is collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_session_events + + - id: 4.1.3.12 + title: Ensure login and logout events are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run + + - id: 4.1.3.13 + title: Ensure file deletion events by users are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + + - id: 4.1.3.14 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share + + - id: 4.1.3.15 + title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_execution_chcon + + - id: 4.1.3.16 + title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + levels: + - l2_server + status: automated + rules: + - 
audit_rules_execution_setfacl + + - id: 4.1.3.17 + title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_execution_chacl + + - id: 4.1.3.18 + title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_privileged_commands_usermod + + - id: 4.1.3.19 + title: Ensure kernel module loading, unloading and modification is collected (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_kernel_module_loading_create + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_query + - audit_rules_privileged_commands_kmod + + - id: 4.1.3.20 + title: Ensure the audit configuration is immutable (Automated) + levels: + - l2_server + status: automated + rules: + - audit_rules_immutable + + - id: 4.1.3.21 + title: Ensure the running and on disk configuration is the same (Manual) + levels: + - l2_server + status: manual + + - id: 4.1.4.1 + title: Ensure audit log files are mode 0640 or less permissive (Automated) + levels: + - l2_server + status: automated + rules: + - file_permissions_var_log_audit + + - id: 4.1.4.2 + title: Ensure only authorized users own audit log files (Automated) + levels: + - l2_server + status: automated + rules: + - file_ownership_var_log_audit_stig + + - id: 4.1.4.3 + title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + levels: + - l2_server + status: automated + rules: + - file_group_ownership_var_log_audit + + - id: 4.1.4.4 + title: Ensure the audit log directory is 0750 or more restrictive (Automated) + levels: + - l2_server + status: automated + rules: + - directory_permissions_var_log_audit + + - id: 4.1.4.5 + title: Ensure audit configuration files 
are 640 or more restrictive (Automated) + levels: + - l2_server + status: automated + rules: + - file_permissions_audit_configuration + + - id: 4.1.4.6 + title: Ensure audit configuration files are owned by root (Automated) + levels: + - l2_server + status: automated + rules: + - file_ownership_audit_configuration + + - id: 4.1.4.7 + title: Ensure audit configuration files belong to group root (Automated) + levels: + - l2_server + status: automated + rules: + - file_groupownership_audit_configuration + + - id: 4.1.4.8 + title: Ensure audit tools are 755 or more restrictive (Automated) + levels: + - l2_server + status: automated + rules: + - file_permissions_audit_binaries + + - id: 4.1.4.9 + title: Ensure audit tools are owned by root (Automated) + levels: + - l2_server + status: automated + rules: + - file_ownership_audit_binaries + + - id: 4.1.4.10 + title: Ensure audit tools belong to group root (Automated) + levels: + - l2_server + status: automated + rules: + - file_groupownership_audit_binaries + + - id: 4.2.1.1 + title: Ensure rsyslog is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_rsyslog_installed + + - id: 4.2.1.2 + title: Ensure rsyslog Service is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - service_rsyslog_enabled + + - id: 4.2.1.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + status: automated + rules: + - journald_forward_to_syslog + + - id: 4.2.1.4 + title: Ensure rsyslog default file permissions configured (Automated) + levels: + - l1_server + status: automated + rules: + - rsyslog_filecreatemode + + - id: 4.2.1.5 + title: Ensure logging is configured (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.1.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + levels: + - l1_server + status: automated + related_rules: + - rsyslog_remote_loghost + + - id: 4.2.1.7 + title: Ensure 
rsyslog is not configured to recieve logs from a remote client (Automated) + levels: + - l1_server + status: automated + rules: + - rsyslog_nolisten + + - id: 4.2.2.1.1 + title: Ensure systemd-journal-remote is installed (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.2.1.2 + title: Ensure systemd-journal-remote is configured (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.2.1.3 + title: Ensure systemd-journal-remote is enabled (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.2.1.4 + title: Ensure journald is not configured to recieve logs from a remote client (Automated) + levels: + - l1_server + status: automated + rules: + - socket_systemd-journal-remote_disabled + + - id: 4.2.2.2 + title: Ensure journald service is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - service_systemd-journald_enabled + + - id: 4.2.2.3 + title: Ensure journald is configured to compress large log files (Automated) + levels: + - l1_server + status: automated + rules: + - journald_compress + + - id: 4.2.2.4 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) + levels: + - l1_server + status: automated + rules: + - journald_storage + + - id: 4.2.2.5 + title: Ensure journald is not configured to send logs to rsyslog (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.2.6 + title: Ensure journald log rotation is configured per site policy (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.2.7 + title: Ensure journald default file permissions configured (Manual) + levels: + - l1_server + status: manual + + - id: 4.2.3 + title: Ensure all logfiles have appropriate permissions and ownership (Automated) + levels: + - l1_server + status: automated + rules: + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions + + - id: 4.3 + title: Ensure logrotate is configured (Manual) + levels: + - l1_server + status: manual + 
related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled + + - id: 5.1.1 + title: Ensure cron daemon is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - service_crond_enabled + + - id: 5.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 5.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - id: 5.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - id: 5.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - id: 5.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - id: 5.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + + - id: 5.1.8 + title: Ensure cron is restricted to authorized users (Automated) + levels: + - l1_server + status: automated + rules: + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow + + - id: 5.1.9 + title: Ensure at is restricted to authorized users (Automated) + 
levels: + - l1_server + status: automated + rules: + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + + - id: 5.2.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + + - id: 5.2.2 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key + + - id: 5.2.3 + title: Ensure permissions on SSH public host key files are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key + + - id: 5.2.4 + title: Ensure SSH access is limited (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_limit_user_access + + - id: 5.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) + levels: + - l1_server + status: automated + # The CIS benchmark is not opinionated about which loglevel is selected + # here. Here, this profile uses VERBOSE by default, as it allows for + # the capture of login and logout activity as well as key fingerprints. 
+ rules: + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info + + - id: 5.2.6 + title: Ensure SSH PAM is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_enable_pam + + - id: 5.2.7 + title: Ensure SSH root login is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_root_login + + - id: 5.2.8 + title: Ensure SSH HostbasedAuthentication is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - disable_host_auth + + - id: 5.2.9 + title: Ensure SSH PermitEmptyPasswords is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_empty_passwords + + - id: 5.2.10 + title: Ensure SSH PermitUserEnvironment is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_do_not_permit_user_env + + - id: 5.2.11 + title: Ensure SSH IgnoreRhosts is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_disable_rhosts + + - id: 5.2.12 + title: Ensure SSH X11 forwarding is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - sshd_disable_x11_forwarding + + - id: 5.2.13 + title: Ensure SSH AllowTcpForwarding is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - sshd_disable_tcp_forwarding + + - id: 5.2.14 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + levels: + - l1_server + status: automated + rules: + - configure_ssh_crypto_policy + + - id: 5.2.15 + title: Ensure SSH warning banner is configured (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner + + - id: 5.2.16 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + - id: 5.2.17 + title: Ensure SSH MaxStartups is configured (Automated) 
+ levels: + - l1_server + status: automated + rules: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + + - id: 5.2.18 + title: Ensure SSH MaxSessions is set to 10 or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + + - id: 5.2.19 + title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + + - id: 5.2.20 + title: Ensure SSH Idle Timeout Interval is configured (Automated) + levels: + - l1_server + status: automated + rules: + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 + + - id: 5.3.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_sudo_installed + + - id: 5.3.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_add_use_pty + + - id: 5.3.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_custom_logfile + + - id: 5.3.4 + title: Ensure users must provide password for escalation (Automated) + levels: + - l2_server + status: automated + rules: + - sudo_require_authentication + + - id: 5.3.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.3.6 + title: Ensure sudo authentication timeout is configured correctly (Automated) + levels: + - l1_server + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.3.7 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + 
pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. + rules: + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty + + - id: 5.4.1 + title: Ensure custom authselect profile is used (Manual) + levels: + - l1_server + status: manual + rules: + - no_empty_passwords + + - id: 5.4.2 + title: Ensure authselect includes with-faillock (Automated) + levels: + - l1_server + status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.5.2. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + + - id: 5.5.1 + title: Ensure password creation requirements are configured (Automated) + levels: + - l1_server + status: automated + notes: |- + The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so + module. However, the pam_pwquality.so module, by default, is always the first module from in + the PAM password stack. Therefore, the option is useless and not necessary. It was already + proposed to update the requirement in the next CIS version. 
+ rules: + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 + + - id: 5.5.2 + title: Ensure lockout for failed password attempts is configured (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 + + - id: 5.5.3 + title: Ensure password reuse is limited (Automated) + levels: + - l1_server + status: automated + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. + See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 + + - id: 5.5.4 + title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) + levels: + - l1_server + status: automated + rules: + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + + - id: 5.6.1.1 + title: Ensure password expiration is 365 days or less (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing + + - id: 5.6.1.2 + title: Ensure minimum days between password changes is configured (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing + + - id: 5.6.1.3 + title: Ensure password 
expiration warning days is 7 or more (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing + + - id: 5.6.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) + levels: + - l1_server + status: automated + rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - accounts_set_post_pw_existing + + - id: 5.6.1.5 + title: Ensure all users last password change date is in the past (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_last_change_is_in_past + + - id: 5.6.2 + title: Ensure system accounts are secured (Automated) + levels: + - l1_server + status: automated + rules: + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts + + - id: 5.6.3 + title: Ensure default user shell timeout is 900 seconds or less (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_tmout + - var_accounts_tmout=15_min + + - id: 5.6.4 + title: Ensure default group for the root account is GID 0 (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_root_gid_zero + + - id: 5.6.5 + title: Ensure default user umask is 027 or more restrictive (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 + + - id: 5.6.6 + title: Ensure root password is set (Automated) + levels: + - l1_server + status: automated + rules: + - ensure_root_password_configured + - no_empty_passwords_etc_shadow + + - id: 6.1.1 + title: Ensure permissions on /etc/passwd are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + + - id: 6.1.2 + title: Ensure permissions on 
/etc/passwd- are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + + - id: 6.1.3 + title: Ensure permissions on /etc/group are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + + - id: 6.1.4 + title: Ensure permissions on /etc/group- are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + + - id: 6.1.5 + title: Ensure permissions on /etc/shadow are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_shadow + + - id: 6.1.6 + title: Ensure permissions on /etc/shadow- are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + + - id: 6.1.7 + title: Ensure permissions on /etc/gshadow are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - file_permissions_etc_gshadow + + - id: 6.1.8 + title: Ensure permissions on /etc/gshadow- are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow + + - id: 6.1.9 + title: Ensure no world writable files exist (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_unauthorized_world_writable + + - id: 6.1.10 + title: Ensure no unowned files or directories exist (Automated) + levels: + - l1_server + status: automated + rules: + - no_files_unowned_by_user + + - id: 6.1.11 + 
title: Ensure no ungrouped files or directories exist (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_ungroupowned + + - id: 6.1.12 + title: Ensure sticky bit is set on all world-writable directories (Automated) + levels: + - l1_server + status: automated + rules: + - dir_perms_world_writable_sticky_bits + + - id: 6.1.13 + title: Audit SUID executables (Manual) + levels: + - l1_server + status: manual + related_rules: + - file_permissions_unauthorized_suid + + - id: 6.1.14 + title: Audit SGID executables (Manual) + levels: + - l1_server + status: manual + related_rules: + - file_permissions_unauthorized_sgid + + - id: 6.1.15 + title: Audit system file permissions (Manual) + levels: + - l2_server + status: manual + related_rules: + - rpm_verify_permissions + - rpm_verify_ownership + + - id: 6.2.1 + title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_password_all_shadowed + + - id: 6.2.2 + title: Ensure /etc/shadow password fields are not empty (Automated) + levels: + - l1_server + status: automated + rules: + - no_empty_passwords_etc_shadow + + - id: 6.2.3 + title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) + levels: + - l1_server + status: automated + rules: + - gid_passwd_group_same + + - id: 6.2.4 + title: Ensure no duplicate UIDs exist (Automated) + levels: + - l1_server + status: automated + rules: + - account_unique_id + + - id: 6.2.5 + title: Ensure no duplicate GIDs exist (Automated) + levels: + - l1_server + status: automated + rules: + - group_unique_id + + - id: 6.2.6 + title: Ensure no duplicate user names exist (Automated) + levels: + - l1_server + status: automated + rules: + - account_unique_name + + - id: 6.2.7 + title: Ensure no duplicate group names exist (Automated) + levels: + - l1_server + status: automated + rules: + - group_unique_name + + - id: 6.2.8 + title: Ensure root PATH Integrity (Automated) 
+ levels: + - l1_server + status: automated + rules: + - accounts_root_path_dirs_no_write + - root_path_no_dot + + - id: 6.2.9 + title: Ensure root is the only UID 0 account (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_no_uid_except_zero + + - id: 6.2.10 + title: Ensure local interactive user home directories exist (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_user_interactive_home_directory_exists + + - id: 6.2.11 + title: Ensure local interactive users own their home directories (Automated) + levels: + - l1_server + status: automated + rules: + - file_ownership_home_directories + - file_groupownership_home_directories + + - id: 6.2.12 + title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) + levels: + - l1_server + status: automated + rules: + - file_permissions_home_directories + + - id: 6.2.13 + title: Ensure no local interactive user has .netrc files (Automated) + levels: + - l1_server + status: automated + rules: + - no_netrc_files + + - id: 6.2.14 + title: Ensure no local interactive user has .forward files (Automated) + levels: + - l1_server + status: automated + rules: + - no_forward_files + + - id: 6.2.15 + title: Ensure no local interactive user has .rhosts files (Automated) + levels: + - l1_server + status: automated + notes: The rule also removes /etc/hosts.equiv + rules: + - no_rsh_trust_files + + - id: 6.2.16 + title: Ensure local interactive user dot files are not group or world writable (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_user_dot_no_world_writable_programs diff --git a/products/al2023/CMakeLists.txt b/products/al2023/CMakeLists.txt new file mode 100644 index 00000000000..63f7db32c8c --- /dev/null +++ b/products/al2023/CMakeLists.txt 
@@ -0,0 +1,10 @@
+# Sometimes our users will try to do: "cd al2023; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "al2023")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_cce_table(${PRODUCT})
diff --git a/products/al2023/product.yml b/products/al2023/product.yml
new file mode 100644
index 00000000000..e432c7430d1
--- /dev/null
+++ b/products/al2023/product.yml
@@ -0,0 +1,44 @@
+product: al2023
+full_name: Amazon Linux 2023
+type: platform
+
+families:
+ - rhel
+ - rhel-like
+
+major_version_ordinal: 2023
+
+benchmark_id: AL-2023
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+groups:
+ dedicated_ssh_keyowner:
+ name: ssh_keys
+
+sshd_distributed_config: "true"
+
+dconf_gdm_dir: "distro.d"
+
+faillock_path: "/var/log/faillock"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - al2023:
+ name: "cpe:2.3:o:amazon:linux_2023:-:*:*:*:*:*:*:*"
+ title: "Amazon Linux 2023"
+ check_id: installed_OS_is_al2023
+
+platform_package_overrides:
+ login_defs: "shadow-utils"
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/amazon_linux/'
+
+journald_conf_dir_path: /etc/systemd/journald.conf.d
diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis.profile
new file mode 100644
index 00000000000..52db9fb2cb4
--- /dev/null
+++ b/products/al2023/profiles/cis.profile
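Review bot: `faillock_path: "/var/log/faillock"` in products/al2023/product.yml should be checked against the control file of this same patch, where control 4.1.3.12 selects `var_accounts_passwords_pam_faillock_dir=run`; the two appear to name different faillock directories, and rules that read the product value would then audit a path the selected variable does not configure. Confirm which directory pam_faillock writes to on this platform and derive both settings from that single answer, so the audit rules and the PAM configuration cannot drift apart.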
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - hipponix
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security® Amazon Linux
+ 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l2_server
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile
new file mode 100644
index 00000000000..83f56d01fa9
--- /dev/null
+++ b/products/al2023/profiles/cis_server_l1.profile
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.0
+ SMEs:
+ - hipponix
+
+reference: https://www.cisecurity.org/benchmark/amazon_linux/
+
+title: 'CIS Amazon Linux 2023 Benchmark for Level 1 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Server"
+ configuration from the Center for Internet Security® Amazon Linux
+ 2023 Benchmark™, v1.0.0, released 2023-06-26.
+
+ This profile includes Center for Internet Security®
+ Amazon Linux 9 CIS Benchmarks™ content.
+
+selections:
+ - cis_al2023:all:l1_server
+ - '!file_ownership_home_directories'
+ - '!group_unique_name'
+ - '!file_owner_at_allow'
diff --git a/products/al2023/transforms/constants.xslt b/products/al2023/transforms/constants.xslt
new file mode 100644
index 00000000000..9f9b9807141
--- /dev/null
+++ b/products/al2023/transforms/constants.xslt
@@ -0,0 +1,12 @@
+
+
+
+
+Amazon Linux 2023
+AL 2023
+al2023
+
+https://www.cisecurity.org/benchmark/amazon_linux/
+
+
+
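Review bot: The description in products/al2023/profiles/cis.profile states that the profile includes "Amazon Linux 9 CIS Benchmarks™" content, which reads as residue from the RHEL 9 profile it was copied from and describes a benchmark that does not exist; cis_server_l1.profile carries the same sentence. The three `'!...'` entries under `selections` also come with no explanation, so a reader cannot tell whether file_ownership_home_directories, group_unique_name and file_owner_at_allow are dropped because the rules misbehave on this platform or because the benchmark does not require them, and an unexplained exclusion from `cis_al2023:all:l2_server` is exactly the kind of gap that later silently widens. A one-line comment above each exclusion naming the reason, along the lines of `# excluded: <reason — TODO confirm>`, would make the deviation reviewable in both profiles.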
diff --git a/products/al2023/transforms/table-style.xslt b/products/al2023/transforms/table-style.xslt
new file mode 100644
index 00000000000..8b6caeab8cd
--- /dev/null
+++ b/products/al2023/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/products/al2023/transforms/xccdf2table-cce.xslt b/products/al2023/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000000..f156a669566
--- /dev/null
+++ b/products/al2023/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/shared/checks/oval/installed_OS_is_al2023.xml b/shared/checks/oval/installed_OS_is_al2023.xml
new file mode 100644
index 00000000000..4c77e1f6d9c
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_al2023.xml
@@ -0,0 +1,34 @@
+
+
+
+ Amazon Linux 2023
+
+ multi_platform_all
+
+
+ The operating system installed on the system is Amazon Linux 2023
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/al
+
+
+
+
+
+
+ /etc/al
+ ^2023.[0-9]+$
+ 1
+
+
+
diff --git a/ssg/constants.py b/ssg/constants.py
index 14c6cb5d5f3..b1b2c98b4c2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -60,6 +60,7 @@
 'sle12', 'sle15',
 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204',
 'uos20',
+ 'al2023',
 ]
 JINJA_MACROS_DIRECTORY = os.path.abspath(os.path.join(os.path.dirname(os.path.dirname(
@@ -229,7 +230,8 @@
 "Ubuntu 22.04": "ubuntu2204",
 "UnionTech OS Server 20": "uos20",
 "OpenEmbedded": "openembedded",
- "Not Applicable" : "example"
+ "Not Applicable" : "example",
+ "Amazon Linux 2023": "al2023"
 }
@@ -281,7 +283,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", "openeuler", "opensuse", "sle", "ol", "ocp", "rhcos",
- "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+ "example", "eks", "alinux", "uos", "anolis", "openembedded", "al"]
 MULTI_PLATFORM_MAPPING = {
 "multi_platform_alinux": ["alinux2", "alinux3"],
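Review bot: The version pattern `^2023.[0-9]+$` in shared/checks/oval/installed_OS_is_al2023.xml leaves the `.` unescaped, so it accepts any character between the year and the digit run; `^2023\.[0-9]+$` is presumably what is intended. Because both anchors are present, the pattern also only matches a line that ends immediately after those digits, so it is worth confirming against a real line of the file the object reads — rendered here as `/etc/al`, which should be checked against the platform's actual release file — that the applicability check can ever evaluate true. This hunk is shown with its XML element markup stripped, so the object and state structure around these values cannot be confirmed from this view.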
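Review bot: Appending `"al"` to MULTI_PLATFORM_LIST introduces a family name that is a prefix of the existing `"alinux"` entry, and the `multi_platform_al` key added to MULTI_PLATFORM_MAPPING in the next hunk is likewise a prefix of `multi_platform_alinux`. If any consumer of these tables resolves a platform string with a startswith-style comparison rather than an exact key lookup, al2023 content could be applied to Alinux or vice versa; confirm the lookups are exact, or pick a family name that cannot collide. The `'al': 'Amazon Linux'` entry in the last hunk of this file inherits the same concern.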
@@ -301,6 +303,7 @@
 "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
 "multi_platform_uos": ["uos20"],
 "multi_platform_openembedded": ["openembedded"],
+ "multi_platform_al": ["al2023"],
 }
 RHEL_CENTOS_CPE_MAPPING = {
@@ -472,6 +475,7 @@
 'ocp': 'Red Hat OpenShift Container Platform',
 'rhcos': 'Red Hat Enterprise Linux CoreOS',
 'eks': 'Amazon Elastic Kubernetes Service',
+ 'al': 'Amazon Linux',
 'openembedded': 'OpenEmbedded',
 }
From 4a7d1feb1956ad5df54a6c41fdb6b90376a1f3da Mon Sep 17 00:00:00 2001
From: Mirco Santori
Date: Thu, 2 May 2024 21:15:55 +0200
Subject: [PATCH 02/28] Add al2023 to gate_fedora.yml - fix a merge conflict
---
.github/workflows/gate_fedora.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml
index 452722f3e24..085805d6f8a 100644
--- a/.github/workflows/gate_fedora.yml
+++ b/.github/workflows/gate_fedora.yml
@@ -47,7 +47,9 @@ jobs:
 rhel10 \
 rhv4 \
 uos20 \
- ocp4
+ ocp4 \
+ uos20 \
+ al2023
 env:
 ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
 - name: Test
From 6c57fedc0666bd103f85c96fc1acdacf56393d6b Mon Sep 17 00:00:00 2001
From: hipponix
Date: Fri, 3 May 2024 13:37:32 +0000
Subject: [PATCH 03/28] Fix al2023 faling test on CPE validation
---
products/al2023/product.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/al2023/product.yml b/products/al2023/product.yml
index e432c7430d1..d2e027af210 100644
--- a/products/al2023/product.yml
+++ b/products/al2023/product.yml
@@ -31,7 +31,7 @@ faillock_path: "/var/log/faillock"
 cpes_root: "../../shared/applicability"
 cpes:
 - al2023:
- name: "cpe:2.3:o:amazon:linux_2023:-:*:*:*:*:*:*:*"
+ name: "cpe:/o:amazon:linux:2023"
 title: "Amazon Linux 2023"
 check_id: installed_OS_is_al2023
From c5172c2c60ffa3b138e56807dc4c742779479116 Mon Sep 17 00:00:00 2001
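Review bot: The added lines in .github/workflows/gate_fedora.yml put `uos20 \` into the build_product argument list a second time — the unchanged context three lines above already lists `uos20 \` — so the job now builds uos20 twice and only `ocp4 \` plus `al2023` was the intended change. Drop the added `uos20 \` line so the argument list matches the other gate jobs.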
From: hipponix
Date: Fri, 3 May 2024 18:27:25 +0000
Subject: [PATCH 04/28] Build al2023 on centos, sle and fedora
---
.github/workflows/gate.yaml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 482c477ca01..9fe40cf9c74 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -22,7 +22,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Build
 run: |-
- ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives
+ ./build_product rhel7 rhel8 rhel9 rhel10 al2023 --derivatives
 env:
 ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
 - name: Test
@@ -54,7 +54,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 - name: Build
+<<<<<<< HEAD
 run: ./build_product sle12 sle15
+=======
+ run: ./build_product alinux2 alinux3 chromium fedora firefox rhcos4 rhel7 rhel8 rhel9 al2023 sle12 sle15 ubuntu2004 ubuntu2204 uos20
+>>>>>>> 2626c779d7 (Build al2023 on centos, sle and fedora)
 - name: Test
 run: ctest -j2 --output-on-failure -E unique-stigids
 working-directory: ./build
@@ -168,7 +172,11 @@ jobs:
 rhel7 \
 rhel8 \
 rhel9 \
+<<<<<<< HEAD
 rhel10 \
+=======
+ al2023 \
+>>>>>>> 2626c779d7 (Build al2023 on centos, sle and fedora)
 uos20 \
 ocp4
 env:
From 762edc89560d3ee8003b3e6887d9b57dadce5204 Mon Sep 17 00:00:00 2001
From: hipponix
Date: Fri, 3 May 2024 19:16:12 +0000
Subject: [PATCH 05/28] Build al2023 sle and fedora
---
.github/workflows/gate.yaml | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 9fe40cf9c74..197098c1827 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
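Review bot: The second and third hunks of this patch commit unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 2626c779d7 (Build al2023 on centos, sle and fedora)`) into .github/workflows/gate.yaml, which leaves the workflow file as invalid YAML at this commit. The following patch in the series removes them again, so squashing the two would keep the history bisectable and avoid a revision at which the gate workflow cannot be parsed at all.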
@@ -54,11 +54,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Build -<<<<<<< HEAD run: ./build_product sle12 sle15 -======= - run: ./build_product alinux2 alinux3 chromium fedora firefox rhcos4 rhel7 rhel8 rhel9 al2023 sle12 sle15 ubuntu2004 ubuntu2204 uos20 ->>>>>>> 2626c779d7 (Build al2023 on centos, sle and fedora) - name: Test run: ctest -j2 --output-on-failure -E unique-stigids working-directory: ./build @@ -172,13 +168,10 @@ jobs: rhel7 \ rhel8 \ rhel9 \ -<<<<<<< HEAD rhel10 \ -======= - al2023 \ ->>>>>>> 2626c779d7 (Build al2023 on centos, sle and fedora) uos20 \ - ocp4 + ocp4 \ + al2023 env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test From 578e9d89db9d58db3a5cd0fb69e0bf7a96dfd718 Mon Sep 17 00:00:00 2001 From: hipponix Date: Wed, 15 May 2024 17:02:44 +0000 Subject: [PATCH 06/28] Fix os version check/name on AL2023 --- controls/cis_al2023.yml | 80 ------------------- products/al2023/product.yml | 10 +-- shared/checks/oval/installed_OS_is_al2023.xml | 43 ++++++---- 3 files changed, 27 insertions(+), 106 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index ea9d9f392af..3907246bf17 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -510,86 +510,6 @@ controls: rules: - package_gdm_removed - - id: 1.8.2 - title: Ensure GDM login banner is configured (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - login_banner_text=cis_banners - - - id: 1.8.3 - title: Ensure GDM disable-user-list option is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_user_list - - - id: 1.8.4 - title: Ensure GDM screen locks when the user is idle (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds - - - id: 1.8.5 - title: Ensure GDM screen locks cannot be overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_session_idle_user_locks - - dconf_gnome_screensaver_user_locks - - - id: 1.8.6 - title: Ensure GDM automatic mounting of removable media is disabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.7 - title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.8 - title: Ensure GDM autorun-never is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.9 - title: Ensure GDM autorun-never is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.10 - title: Ensure XDMCP is not enabled (Automated) - levels: - - l1_server - status: automated - rules: - - gnome_gdm_disable_xdmcp - - id: 1.9 title: Ensure updates, patches, and additional security software are installed (Manual) 
levels: diff --git a/products/al2023/product.yml b/products/al2023/product.yml index d2e027af210..961fd3368f7 100644 --- a/products/al2023/product.yml +++ b/products/al2023/product.yml @@ -2,12 +2,6 @@ product: al2023 full_name: Amazon Linux 2023 type: platform -families: - - rhel - - rhel-like - -major_version_ordinal: 2023 - benchmark_id: AL-2023 benchmark_root: "../../linux_os/guide" components_root: "../../components" @@ -24,14 +18,12 @@ groups: sshd_distributed_config: "true" -dconf_gdm_dir: "distro.d" - faillock_path: "/var/log/faillock" cpes_root: "../../shared/applicability" cpes: - al2023: - name: "cpe:/o:amazon:linux:2023" + name: "cpe:/o:amazon:amazon_linux:2023" title: "Amazon Linux 2023" check_id: installed_OS_is_al2023 diff --git a/shared/checks/oval/installed_OS_is_al2023.xml b/shared/checks/oval/installed_OS_is_al2023.xml index 4c77e1f6d9c..0755643adbe 100644 --- a/shared/checks/oval/installed_OS_is_al2023.xml +++ b/shared/checks/oval/installed_OS_is_al2023.xml @@ -1,34 +1,43 @@ - + Amazon Linux 2023 multi_platform_all - + The operating system installed on the system is Amazon Linux 2023 - + - - + + - - - - - /etc/al - - - - + + + + + + /etc/os-release + ^ID=\"(\w+)\"$ + 1 + + + amzn + + + + - - /etc/al - ^2023.[0-9]+$ + + /etc/os-release + ^VERSION_ID=\"(\w+)\"$ 1 + + 2023 + From 58ad915f3822a662e78756313711d4f9ca2106d5 Mon Sep 17 00:00:00 2001 
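Review bot: The product.yml hunk drops `families: [rhel, rhel-like]` and `major_version_ordinal: 2023` with no note on why. If shared templates and Jinja macros in this project branch on a product's `families` (I cannot see their usages from this hunk), AL2023 will stop matching every `rhel-like` conditional even though it is packaged and configured like a RHEL derivative, which changes which remediation and check variants it receives. If the removal is deliberate, add a comment next to `type: platform` such as `# families intentionally omitted: AL2023 is not handled as rhel-like by shared templates`; otherwise keep the list. Worth confirming against how `families` is consumed before merging.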
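Review bot: The new os-release patterns in installed_OS_is_al2023.xml, `^ID=\"(\w+)\"$` and `^VERSION_ID=\"(\w+)\"$`, only match when the values are double-quoted; os-release permits unquoted values (`ID=amzn`), and a non-match makes the applicability check resolve to not-applicable, which silently skips every AL2023 rule instead of failing visibly. Making the quotes optional, `^ID=\"?(\w+)\"?$` and `^VERSION_ID=\"?(\w+)\"?$`, keeps the exact comparison against `amzn` and `2023` while tolerating either spelling. The `\w+` capture for VERSION_ID also cannot match a dotted value, which seems intended for the `2023` major version but deserves a short XML comment saying so. The element markup was stripped in this rendering, so I am reading only the text content of the check.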
From: hipponix Date: Sun, 19 May 2024 16:37:41 +0000 Subject: [PATCH 07/28] Complete al2023 setup (add components, controls, linux_os) --- components/rpm.yml | 1 + controls/cis_al2023.yml | 1407 ++++++++--------- .../ansible/shared.yml | 38 + .../bash/shared.sh | 20 + .../oval/shared.xml | 37 + .../ensure_amazon_gpgkey_installed/rule.yml | 49 + .../tests/key_installed.pass.sh | 5 + .../tests/missing_key.fail.sh | 12 + 8 files changed, 830 insertions(+), 739 deletions(-) create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/rule.yml create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh create mode 100644 linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh diff --git a/components/rpm.yml b/components/rpm.yml index 2b00bd90874..f32f248ad7c 100644 --- a/components/rpm.yml +++ b/components/rpm.yml @@ -17,6 +17,7 @@ rules: - ensure_oracle_gpgkey_installed - ensure_package_repositories_are_configured - ensure_redhat_gpgkey_installed +- ensure_amazon_gpgkey_installed - ensure_suse_gpgkey_installed - package_dnf-automatic_installed - package_gnome_software_installed diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 3907246bf17..9e9f09070cd 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
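Review bot: The new `ensure_amazon_gpgkey_installed` entry is inserted between `ensure_redhat_gpgkey_installed` and `ensure_suse_gpgkey_installed`, breaking the alphabetical order the surrounding component list keeps; it belongs above `ensure_oracle_gpgkey_installed`. The rule's OVAL check and bash remediation are created by this patch but fall outside this hunk, so I cannot verify them here; for a vendor-key rule the check should pin the key's fingerprint or the packaged key file rather than only require that some `gpg-pubkey` package exists, otherwise a foreign key imported into the rpmdb would satisfy it.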
@@ -13,42 +13,62 @@ reference_type: cis product: al2023 controls: - - id: reload_dconf_db - title: Reload Dconf database + + - id: 1.1.1.1 + title: Ensure mounting of squashfs filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.2 + title: Ensure mounting of udf filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_udf_disabled + + - id: 1.1.1.3 + title: Ensure mounting of cramfs filesystems is disabled (Automated) levels: - l1_server - notes: <- - This is a helper rule to reload Dconf database correctly. status: automated rules: - - dconf_db_up_to_date + - kernel_module_cramfs_disabled - - id: enable_authselect - title: Enable Authselect + - id: 1.1.1.4 + title: Ensure mounting of freevxfs filesystems is disabled (Automated) levels: - l1_server - notes: <- - We need this in all CIS versions, but the policy doesn't have any section where this would fit better. status: automated rules: - - var_authselect_profile=sssd - - enable_authselect + - kernel_module_freevxfs_disabled - - id: 1.1.1.1 - title: Ensure mounting of squashfs filesystems is disabled (Automated) + - id: 1.1.1.5 + title: Ensure mounting of jffs2 filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_squashfs_disabled + - kernel_module_jffs2_disabled - - id: 1.1.1.2 - title: Ensure mounting of udf filesystems is disabled (Automated) + - id: 1.1.1.6 + title: Ensure mounting of hfs filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_udf_disabled + - kernel_module_hfs_disabled + + - id: 1.1.1.7 + title: Ensure mounting of hfsplus filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_hfsplus_disabled - id: 1.1.2.1 title: Ensure /tmp is a separate partition (Automated) 
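Review bot: This hunk deletes the `enable_authselect` helper control (with `var_authselect_profile=sssd`) together with the comment saying it is needed in every CIS version, yet the remaining controls in this file still map faillock and pwquality requirements to `account_password_pam_faillock_*` and `accounts_password_pam_*` rules, which on an authselect-managed PAM stack only take effect once a profile is selected. If AL2023 ships authselect the helper was load-bearing and should stay (dropping `reload_dconf_db` is fine once the GDM controls are gone); if it does not, record that in a `notes:` entry on 4.4.1 so nobody re-adds it. Separately, 1.1.1.1 and 1.1.1.2 move to `l2_server` while the sibling filesystem-module controls stay at `l1_server`, which is worth a one-line note if the benchmark genuinely differs per module.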
@@ -259,20 +279,20 @@ controls: - mount_option_dev_shm_nosuid - id: 1.1.9 - title: Disable USB Storage (Automated) + title: Ensure usb-storage is disabled (Automated) levels: - l1_server status: automated rules: - kernel_module_usb-storage_disabled - #- id: 1.2.1 - #title: Ensure GPG keys are configured (Manual) - #levels: - #- l1_server - #status: manual - #related_rules: - #- ensure_amazon_gpgkey_installed + - id: 1.2.1 + title: Ensure GPG keys are configured (Manual) + levels: + - l1_server + status: manual + related_rules: + - ensure_amazon_gpgkey_installed - id: 1.2.2 title: Ensure gpgcheck is globally activated (Automated) @@ -291,7 +311,7 @@ controls: - id: 1.2.4 title: Ensure repo_gpgcheck is globally activated (Manual) levels: - - l1_server + - l2_server status: manual - id: 1.3.1 @@ -322,24 +342,10 @@ controls: - aide_use_fips_hashes - id: 1.4.1 - title: Ensure bootloader password is set (Automated) - levels: - - l1_server - status: automated - notes: <- - RHEL9 unified the paths for grub2 files. - rules: - - grub2_password - related_rules: - - grub2_uefi_password - - - id: 1.4.2 title: Ensure permissions on bootloader config are configured (Automated) levels: - l1_server status: automated - notes: <- - RHEL9 unified the paths for grub2 files. rules: - file_groupowner_grub2_cfg - file_owner_grub2_cfg 
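Review bot: The hunk removes the bootloader-password control (`grub2_password` / `grub2_uefi_password`) outright and renumbers bootloader permissions to 1.4.1, leaving no record of why. Omitting it is defensible for a cloud image without an interactive console, but if the AL2023 benchmark does list it, the profile silently under-covers; either keep the control with `status: not applicable` and a `notes:` line such as `AL2023 targets EC2 instances without a local console; a bootloader password is not part of the benchmark`, or confirm the benchmark omits it and say so. The same justification is missing for 1.2.4 moving from `l1_server` to `l2_server`.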
@@ -356,28 +362,36 @@ controls: - file_permissions_efi_user_cfg - id: 1.5.1 - title: Ensure core dump storage is disabled (Automated) + title: Ensure address space layout randomization (ASLR) is enabled (Automated) levels: - l1_server status: automated rules: - - coredump_disable_storage + - sysctl_kernel_randomize_va_space - id: 1.5.2 - title: Ensure core dump backtraces are disabled (Automated) + title: Ensure ptrace_scope is restricted (Automated) levels: - l1_server status: automated rules: - - coredump_disable_backtraces + - sysctl_kernel_yama_ptrace_scope - id: 1.5.3 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + title: Ensure core dump storage is disabled (Automated) levels: - l1_server status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_storage + + - id: 1.5.4 + title: Ensure core dump backtraces are disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_backtraces - id: 1.6.1.1 title: Ensure SELinux is installed (Automated) @@ -502,15 +516,7 @@ controls: - file_owner_etc_issue_net - file_permissions_etc_issue_net - - id: 1.8.1 - title: Ensure GNOME Display Manager is removed (Automated) - levels: - - l2_server - status: automated - rules: - - package_gdm_removed - - - id: 1.9 + - id: 1.8 title: Ensure updates, patches, and additional security software are installed (Manual) levels: - l1_server @@ -518,7 +524,7 @@ controls: related_rules: - security_patches_up_to_date - - id: "1.10" + - id: "1.9" title: Ensure system-wide crypto policy is not legacy (Automated) levels: - l1_server @@ -555,7 +561,7 @@ controls: - package_xorg-x11-server-common_removed - id: 2.2.2 - title: Ensure Avahi Server is not installed (Automated) + title: Ensure avahi is not installed (Automated) levels: - l1_server status: automated 
@@ -565,7 +571,7 @@ controls: - service_avahi-daemon_disabled - id: 2.2.3 - title: Ensure CUPS is not installed (Automated) + title: Ensure a print server is not installed (Automated) levels: - l1_server status: automated @@ -591,7 +597,7 @@ controls: - package_bind_removed - id: 2.2.6 - title: Ensure VSFTP Server is not installed (Automated) + title: Ensure ftp Server is not installed (Automated) levels: - l1_server status: automated @@ -606,8 +612,8 @@ controls: rules: - package_tftp-server_removed - - id: 2.2.8 - title: Ensure a web server is not installed (Automated) +# - id: 2.2.8 +# title: Ensure a web server is not installed (Automated) levels: - l1_server status: automated @@ -640,13 +646,13 @@ controls: rules: - package_squid_removed - - id: 2.2.12 - title: Ensure net-snmp is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_net-snmp_removed +# - id: 2.2.12 +# title: Ensure net-snmp is not installed or the snmpd service is not enabled (Automated) +# levels: +# - l1_server +# status: automated +# rules: +# - TODO - id: 2.2.13 title: Ensure telnet-server is not installed (Automated) @@ -683,7 +689,6 @@ controls: - service_nfs_disabled related_rules: - package_nfs-utils_removed - # The nfs-utils package is required for systems with GUI or by some libvirt packages - id: 2.2.17 title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) @@ -722,14 +727,6 @@ controls: - package_openldap-clients_removed - id: 2.3.3 - title: Ensure TFTP client is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_tftp_removed - - - id: 2.3.4 title: Ensure FTP client is not installed (Automated) levels: - l1_server @@ -738,7 +735,7 @@ controls: - package_ftp_removed - id: 2.4 - title: Ensure nonessential services are removed or masked (Manual) + title: Ensure nonessential services listening on the system are removed or masked (Manual) levels: - l1_server status: manual 
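Review bot: Control 2.2.8 is only half commented out: `# - id: 2.2.8` and `# title: ...` are disabled, but the following `levels:`, `status: automated` and `rules:` lines remain live at the control's indentation. YAML then attaches them to the preceding 2.2.7 (tftp-server) mapping as duplicate keys; with a last-wins loader 2.2.7's `rules:` is silently replaced by the web-server rules and `package_tftp-server_removed` drops out of the profile, and a strict loader would fail the build. Either comment out the whole block, as was done for 2.2.12, or leave it live. The commented 2.2.12 block should also not carry a `- TODO` placeholder; replace it with a `notes:` line naming the missing net-snmp rule.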
@@ -750,14 +747,30 @@ controls: status: manual - id: 3.1.2 - title: Ensure wireless interfaces are disabled (Automated) + title: Ensure DCCP is disabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - wireless_disable_interfaces + - kernel_module_dccp_disabled - id: 3.1.3 + title: Ensure SCTP is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_sctp_disabled + + - id: 3.1.4 + title: Ensure RDS is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_rds_disabled + + - id: 3.1.5 title: Ensure TIPC is disabled (Automated) levels: - l2_server @@ -888,7 +901,7 @@ controls: - id: 3.4.1.1 title: Ensure nftables is installed (Automated) levels: - - l1_server + - l2_server status: automated rules: - package_nftables_installed @@ -896,7 +909,7 @@ controls: - id: 3.4.1.2 title: Ensure a single firewall configuration utility is in use (Automated) levels: - - l1_server + - l2_server status: automated rules: - service_firewalld_enabled @@ -906,7 +919,7 @@ controls: - id: 3.4.2.1 title: Ensure firewalld default zone is set (Automated) levels: - - l1_server + - l2_server status: automated rules: - set_firewalld_default_zone @@ -914,13 +927,8 @@ controls: - id: 3.4.2.2 title: Ensure at least one nftables table exists (Automated) levels: - - l1_server + - l2_server status: supported - notes: - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. rules: - set_nftables_table - var_nftables_family=inet 
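Review bot: The hunks for 3.4.1.1 through 3.4.2.2 move every host-firewall control from `l1_server` to `l2_server`, leaving the Level 1 server profile with no firewall requirement at all, and at the same time delete the `notes:` on 3.4.2.2 that explained why `status: supported` is used with `set_nftables_table` on a firewalld-managed system. If the AL2023 benchmark really classifies firewalling as Level 2, state that in a `notes:` entry on 3.4.1.1; if not, revert the level change. The explanation on 3.4.2.2 should stay, reworded for AL2023 — e.g. `firewalld is the supported frontend and creates the inet table itself; the OVAL check cannot cover this, an SCE is available` — since the rule and variable choice only make sense with it.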
@@ -929,12 +937,8 @@ controls: - id: 3.4.2.3 title: Ensure nftables base chains exist (Automated) levels: - - l1_server + - l2_server status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. related_rules: - set_nftables_base_chain - var_nftables_table=firewalld @@ -948,7 +952,7 @@ controls: - id: 3.4.2.4 title: Ensure host based firewall loopback traffic is configured (Automated) levels: - - l1_server + - l2_server status: automated rules: - firewalld_loopback_traffic_trusted @@ -957,7 +961,7 @@ controls: - id: 3.4.2.5 title: Ensure firewalld drops unnecessary services and ports (Manual) levels: - - l1_server + - l2_server status: manual related_rules: - configure_firewalld_ports 
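Review bot: 3.4.2.3 keeps `var_nftables_table=firewalld` and `set_nftables_base_chain` under `related_rules` but deletes the note saying the base chains are created by firewalld itself; without it a reader cannot tell why a firewalld-named table is hard-coded or why the control is `status: supported` rather than `automated`. Restore a one-line `notes:` such as `firewalld creates the inet firewalld table and its base chains; nftables must not be configured directly while firewalld is active`. The level changes on 3.4.2.4 and 3.4.2.5 continue the l1-to-l2 move from the preceding hunks and need the same justification.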
@@ -965,1008 +969,989 @@ controls: - id: 3.4.2.6 title: Ensure nftables established connections are configured (Manual) levels: - - l1_server + - l2_server status: manual - id: 3.4.2.7 title: Ensure nftables default deny firewall policy (Automated) levels: - - l1_server + - l2_server status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. related_rules: - nftables_ensure_default_deny_policy - - id: 4.1.1.1 - title: Ensure auditd is installed (Automated) + - id: 4.1.1 + title: Ensure cron daemon is installed and enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - package_audit_installed + - service_crond_enabled - - id: 4.1.1.2 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + - id: 4.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_argument + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 4.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly - - id: 4.1.1.3 - title: Ensure audit_backlog_limit is sufficient (Automated) + - id: 4.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_backlog_limit_argument + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily - - id: 4.1.1.4 - title: Ensure auditd service is enabled (Automated) + - id: 4.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - 
service_auditd_enabled + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly - - id: 4.1.2.1 - title: Ensure audit log storage size is configured (Automated) + - id: 4.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly - - id: 4.1.2.2 - title: Ensure audit logs are not automatically deleted (Automated) + - id: 4.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d - - id: 4.1.2.3 - title: Ensure system is disabled when audit logs are full (Automated) + - id: 4.1.8 + title: Ensure cron is restricted to authorized users (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_space_left_action - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=halt - - var_auditd_space_left_action=email + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow - - id: 4.1.3.1 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 4.1.9 + title: Ensure at is restricted to authorized users (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_sysadmin_actions + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow - - id: 4.1.3.2 - title: Ensure actions as another user are always 
logged (Automated) + - id: 4.2.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_suid_auid_privilege_function + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config - - id: 4.1.3.3 - title: Ensure events that modify the sudo log file are collected (Automated) + - id: 4.2.2 + title: Ensure permissions on SSH private host key files are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_sudo_log_events + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key - - id: 4.1.3.4 - title: Ensure events that modify date and time information are collected (Automated) + - id: 4.2.3 + title: Ensure permissions on SSH public host key files are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key - - id: 4.1.3.5 - title: Ensure events that modify the system's network environment are collected (Automated) + - id: 4.2.4 + title: Ensure SSH access is limited (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_networkconfig_modification - - audit_rules_networkconfig_modification_network_scripts + - sshd_limit_user_access - - id: 4.1.3.6 - title: Ensure use of privileged commands is collected (Automated) + - id: 4.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_privileged_commands + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info - - id: 4.1.3.7 - title: Ensure unsuccessful file access attempts are 
collected (Automated) + - id: 4.2.6 + title: Ensure SSH PAM is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate + - sshd_enable_pam - - id: 4.1.3.8 - title: Ensure events that modify user/group information are collected (Automated) + - id: 4.2.7 + title: Ensure SSH root login is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow + - sshd_disable_root_login - - id: 4.1.3.9 - title: Ensure discretionary access control permission modification events are collected (Automated) + - id: 4.2.8 + title: Ensure SSH HostbasedAuthentication is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - disable_host_auth - - id: 4.1.3.10 - title: Ensure successful file system mounts are collected (Automated) + - id: 4.2.9 + title: Ensure SSH PermitEmptyPasswords is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - 
audit_rules_media_export + - sshd_disable_empty_passwords - - id: 4.1.3.11 - title: Ensure session initiation information is collected (Automated) + - id: 4.2.10 + title: Ensure SSH PermitUserEnvironment is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_session_events + - sshd_do_not_permit_user_env - - id: 4.1.3.12 - title: Ensure login and logout events are collected (Automated) + - id: 4.2.11 + title: Ensure SSH IgnoreRhosts is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - var_accounts_passwords_pam_faillock_dir=run + - sshd_disable_rhosts - - id: 4.1.3.13 - title: Ensure file deletion events by users are collected (Automated) + - id: 4.2.12 + title: Ensure SSH X11 forwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + - sshd_disable_x11_forwarding - - id: 4.1.3.14 - title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + - id: 4.2.13 + title: Ensure SSH AllowTcpForwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share + - sshd_disable_tcp_forwarding - - id: 4.1.3.15 - title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) + - id: 4.2.14 + title: Ensure system-wide crypto policy is not over-ridden (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_execution_chcon + - configure_ssh_crypto_policy - - id: 4.1.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + - id: 4.2.15 + title: Ensure SSH warning banner is 
configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_execution_setfacl + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner - - id: 4.1.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + - id: 4.2.16 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_execution_chacl + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries - - id: 4.1.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + - id: 4.2.17 + title: Ensure SSH MaxStartups is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_privileged_commands_usermod + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 - - id: 4.1.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 4.2.18 + title: Ensure SSH MaxSessions is set to 10 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_kernel_module_loading_create - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_query - - audit_rules_privileged_commands_kmod + - sshd_set_max_sessions + - var_sshd_max_sessions=10 - - id: 4.1.3.20 - title: Ensure the audit configuration is immutable (Automated) + - id: 4.2.19 + title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_immutable - - - id: 4.1.3.21 - title: Ensure the running and on disk configuration is the same (Manual) - levels: - - l2_server - status: manual + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 - - id: 4.1.4.1 - title: Ensure audit log files are 
mode 0640 or less permissive (Automated) + - id: 4.2.20 + title: Ensure SSH Idle Timeout Interval is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_var_log_audit + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 - - id: 4.1.4.2 - title: Ensure only authorized users own audit log files (Automated) + - id: 4.3.1 + title: Ensure sudo is installed (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_var_log_audit_stig + - package_sudo_installed - - id: 4.1.4.3 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 4.3.2 + title: Ensure sudo commands use pty (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_group_ownership_var_log_audit + - sudo_add_use_pty - - id: 4.1.4.4 - title: Ensure the audit log directory is 0750 or more restrictive (Automated) + - id: 4.3.3 + title: Ensure sudo log file exists (Automated) levels: - - l2_server + - l1_server status: automated rules: - - directory_permissions_var_log_audit + - sudo_custom_logfile - - id: 4.1.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) + - id: 4.3.4 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_audit_configuration + - sudo_require_reauthentication - - id: 4.1.4.6 - title: Ensure audit configuration files are owned by root (Automated) + - id: 4.3.5 + title: Ensure sudo authentication timeout is configured correctly (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_audit_configuration + - sudo_require_reauthentication - - id: 4.1.4.7 - title: Ensure audit configuration files belong to group root (Automated) + - id: 4.3.6 + title: Ensure access to the su command is 
restricted (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. rules: - - file_groupownership_audit_configuration + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty - - id: 4.1.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) + - id: 4.4.1 + title: Ensure custom authselect profile is used (Manual) levels: - - l2_server - status: automated + - l1_server + status: manual rules: - - file_permissions_audit_binaries + - no_empty_passwords - - id: 4.1.4.9 - title: Ensure audit tools are owned by root (Automated) + - id: 4.4.2 + title: Ensure authselect includes with-faillock (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.5.2. rules: - - file_ownership_audit_binaries + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth - - id: 4.1.4.10 - title: Ensure audit tools belong to group root (Automated) + - id: 4.5.1 + title: Ensure password creation requirements are configured (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so + module. However, the pam_pwquality.so module, by default, is always the first module from in + the PAM password stack. Therefore, the option is useless and not necessary. It was already + proposed to update the requirement in the next CIS version. 
rules: - - file_groupownership_audit_binaries + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 - - id: 4.2.1.1 - title: Ensure rsyslog is installed (Automated) + - id: 4.5.2 + title: Ensure lockout for failed password attempts is configured (Automated) levels: - l1_server status: automated rules: - - package_rsyslog_installed + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 4.2.1.2 - title: Ensure rsyslog Service is enabled (Automated) + - id: 4.5.3 + title: Ensure password reuse is limited (Automated) levels: - l1_server status: automated rules: - - service_rsyslog_enabled + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 - - id: 4.2.1.3 - title: Ensure journald is configured to send logs to rsyslog (Automated) + - id: 4.5.4 + title: Ensure password hashing algorithm is SHA-512 (Automated) levels: - l1_server status: automated rules: - - journald_forward_to_syslog + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 - - id: 4.2.1.4 - title: Ensure rsyslog default file permissions configured (Automated) + - id: 4.6.1.1 + title: Ensure password expiration is 365 days or less (Automated) levels: - l1_server status: automated rules: - - rsyslog_filecreatemode - - - id: 4.2.1.5 - title: Ensure logging is configured (Manual) - levels: - - l1_server - status: manual + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing - - id: 4.2.1.6 - title: Ensure 
rsyslog is configured to send logs to a remote log host (Manual) + - id: 4.6.1.2 + title: Ensure minimum days between password changes is configured (Automated) levels: - l1_server status: automated - related_rules: - - rsyslog_remote_loghost + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing - - id: 4.2.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) + - id: 4.6.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) levels: - l1_server status: automated rules: - - rsyslog_nolisten - - - id: 4.2.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) - levels: - - l1_server - status: manual + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing - - id: 4.2.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) + - id: 4.6.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) levels: - l1_server - status: manual + status: automated + rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - accounts_set_post_pw_existing - - id: 4.2.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) + - id: 4.6.1.5 + title: Ensure all users last password change date is in the past (Automated) levels: - l1_server - status: manual + status: automated + rules: + - accounts_password_last_change_is_in_past - - id: 4.2.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) + - id: 4.6.2 + title: Ensure system accounts are secured (Automated) levels: - l1_server status: automated rules: - - socket_systemd-journal-remote_disabled + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts - - id: 4.2.2.2 - title: Ensure journald service is enabled (Automated) + - id: 4.6.3 + title: Ensure default user shell 
timeout is 900 seconds or less (Automated) levels: - l1_server status: automated rules: - - service_systemd-journald_enabled + - accounts_tmout + - var_accounts_tmout=15_min - - id: 4.2.2.3 - title: Ensure journald is configured to compress large log files (Automated) + - id: 4.6.4 + title: Ensure default group for the root account is GID 0 (Automated) levels: - l1_server status: automated rules: - - journald_compress + - accounts_root_gid_zero - - id: 4.2.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) + - id: 4.6.5 + title: Ensure default user umask is 027 or more restrictive (Automated) levels: - l1_server status: automated rules: - - journald_storage + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 - - id: 4.2.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) + - id: 4.6.6 + title: Ensure root password is set (Automated) levels: - l1_server - status: manual + status: automated + rules: + - ensure_root_password_configured + - no_empty_passwords_etc_shadow - - id: 4.2.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) + - id: 5.1.1.1 + title: Ensure rsyslog is installed (Automated) levels: - l1_server - status: manual + status: automated + rules: + - package_rsyslog_installed - - id: 4.2.2.7 - title: Ensure journald default file permissions configured (Manual) + - id: 5.1.1.2 + title: Ensure rsyslog Service is enabled (Automated) levels: - l1_server - status: manual + status: automated + rules: + - service_rsyslog_enabled - - id: 4.2.3 - title: Ensure all logfiles have appropriate permissions and ownership (Automated) + - id: 5.1.1.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) levels: - l1_server status: automated rules: - - rsyslog_files_groupownership - - rsyslog_files_ownership - - rsyslog_files_permissions + - journald_forward_to_syslog - - id: 4.3 - 
title: Ensure logrotate is configured (Manual) + - id: 5.1.1.4 + title: Ensure rsyslog default file permissions configured (Automated) + levels: + - l1_server + status: automated + rules: + - rsyslog_filecreatemode + + - id: 5.1.1.5 + title: Ensure logging is configured (Manual) levels: - l1_server status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled - - id: 5.1.1 - title: Ensure cron daemon is enabled (Automated) + - id: 5.1.1.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) levels: - l1_server status: automated - rules: - - service_crond_enabled + related_rules: + - rsyslog_remote_loghost - - id: 5.1.2 - title: Ensure permissions on /etc/crontab are configured (Automated) + - id: 5.1.1.7 + title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - file_groupowner_crontab - - file_owner_crontab - - file_permissions_crontab + - rsyslog_nolisten - - id: 5.1.3 - title: Ensure permissions on /etc/cron.hourly are configured (Automated) + - id: 5.1.2.1.1 + title: Ensure systemd-journal-remote is installed (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_hourly - - file_owner_cron_hourly - - file_permissions_cron_hourly + status: manual - - id: 5.1.4 - title: Ensure permissions on /etc/cron.daily are configured (Automated) + - id: 5.1.2.1.2 + title: Ensure systemd-journal-remote is configured (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_daily - - file_owner_cron_daily - - file_permissions_cron_daily + status: manual - - id: 5.1.5 - title: Ensure permissions on /etc/cron.weekly are configured (Automated) + - id: 5.1.2.1.3 + title: Ensure systemd-journal-remote is enabled (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_weekly - - file_owner_cron_weekly - - file_permissions_cron_weekly + 
status: manual - - id: 5.1.6 - title: Ensure permissions on /etc/cron.monthly are configured (Automated) + - id: 5.1.2.1.4 + title: Ensure journald is not configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - file_groupowner_cron_monthly - - file_owner_cron_monthly - - file_permissions_cron_monthly + - socket_systemd-journal-remote_disabled - - id: 5.1.7 - title: Ensure permissions on /etc/cron.d are configured (Automated) + - id: 5.1.2.2 + title: Ensure journald service is enabled (Automated) levels: - l1_server status: automated rules: - - file_groupowner_cron_d - - file_owner_cron_d - - file_permissions_cron_d + - service_systemd-journald_enabled - - id: 5.1.8 - title: Ensure cron is restricted to authorized users (Automated) + - id: 5.1.2.3 + title: Ensure journald is configured to compress large log files (Automated) levels: - l1_server status: automated rules: - - file_cron_deny_not_exist - - file_cron_allow_exists - - file_groupowner_cron_allow - - file_owner_cron_allow - - file_permissions_cron_allow + - journald_compress - - id: 5.1.9 - title: Ensure at is restricted to authorized users (Automated) + - id: 5.1.2.4 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) levels: - l1_server status: automated rules: - - file_at_deny_not_exist - - file_groupowner_at_allow - - file_owner_at_allow - - file_permissions_at_allow + - journald_storage - - id: 5.2.1 - title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + - id: 5.1.2.5 + title: Ensure journald is not configured to send logs to rsyslog (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_sshd_config - - file_owner_sshd_config - - file_permissions_sshd_config + status: manual - - id: 5.2.2 - title: Ensure permissions on SSH private host key files are configured (Automated) + - id: 5.1.2.6 + title: Ensure journald log rotation is configured per site policy (Manual) 
levels: - l1_server - status: automated - rules: - - file_permissions_sshd_private_key - - file_ownership_sshd_private_key - - file_groupownership_sshd_private_key + status: manual - - id: 5.2.3 - title: Ensure permissions on SSH public host key files are configured (Automated) + - id: 5.1.2.7 + title: Ensure journald default file permissions configured (Manual) levels: - l1_server - status: automated - rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - - file_groupownership_sshd_pub_key + status: manual - - id: 5.2.4 - title: Ensure SSH access is limited (Automated) + - id: 5.1.3 + title: Ensure all logfiles have appropriate permissions and ownership (Automated) levels: - l1_server status: automated rules: - - sshd_limit_user_access + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions - - id: 5.2.5 - title: Ensure SSH LogLevel is appropriate (Automated) + - id: 5.2.1.1 + title: Ensure auditd is installed (Automated) levels: - - l1_server + - l2_server status: automated - # The CIS benchmark is not opinionated about which loglevel is selected - # here. Here, this profile uses VERBOSE by default, as it allows for - # the capture of login and logout activity as well as key fingerprints. 
rules: - - sshd_set_loglevel_verbose - related_rules: - - sshd_set_loglevel_info + - package_audit_installed - - id: 5.2.6 - title: Ensure SSH PAM is enabled (Automated) + - id: 5.2.1.2 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_pam + - grub2_audit_argument - - id: 5.2.7 - title: Ensure SSH root login is disabled (Automated) + - id: 5.2.1.3 + title: Ensure audit_backlog_limit is sufficient (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_root_login + - grub2_audit_backlog_limit_argument - - id: 5.2.8 - title: Ensure SSH HostbasedAuthentication is disabled (Automated) + - id: 5.2.1.4 + title: Ensure auditd service is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - disable_host_auth + - service_auditd_enabled - - id: 5.2.9 - title: Ensure SSH PermitEmptyPasswords is disabled (Automated) + - id: 5.2.2.1 + title: Ensure audit log storage size is configured (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_empty_passwords + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 - - id: 5.2.10 - title: Ensure SSH PermitUserEnvironment is disabled (Automated) + - id: 5.2.2.2 + title: Ensure audit logs are not automatically deleted (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_do_not_permit_user_env + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs - - id: 5.2.11 - title: Ensure SSH IgnoreRhosts is enabled (Automated) + - id: 5.2.2.3 + title: Ensure system is disabled when audit logs are full (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_rhosts + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + - 
var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=halt + - var_auditd_space_left_action=email - - id: 5.2.12 - title: Ensure SSH X11 forwarding is disabled (Automated) + - id: 5.2.3.1 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) levels: - l2_server status: automated rules: - - sshd_disable_x11_forwarding + - audit_rules_sysadmin_actions - - id: 5.2.13 - title: Ensure SSH AllowTcpForwarding is disabled (Automated) + - id: 5.2.3.2 + title: Ensure actions as another user are always logged (Automated) levels: - l2_server status: automated rules: - - sshd_disable_tcp_forwarding + - audit_rules_suid_auid_privilege_function - - id: 5.2.14 - title: Ensure system-wide crypto policy is not over-ridden (Automated) + - id: 5.2.3.3 + title: Ensure events that modify the sudo log file are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - configure_ssh_crypto_policy + - audit_sudo_log_events - - id: 5.2.15 - title: Ensure SSH warning banner is configured (Automated) + - id: 5.2.3.4 + title: Ensure events that modify date and time information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_warning_banner_net - related_rules: - - sshd_enable_warning_banner + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime - - id: 5.2.16 - title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + - id: 5.2.3.5 + title: Ensure events that modify the system's network environment are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification_network_scripts - - id: 5.2.17 - title: Ensure SSH MaxStartups is configured (Automated) + - id: 5.2.3.6 + title: Ensure 
use of privileged commands is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 + - audit_rules_privileged_commands - - id: 5.2.18 - title: Ensure SSH MaxSessions is set to 10 or less (Automated) + - id: 5.2.3.7 + title: Ensure unsuccessful file access attempts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_max_sessions - - var_sshd_max_sessions=10 + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate - - id: 5.2.19 - title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + - id: 5.2.3.8 + title: Ensure events that modify user/group information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_login_grace_time - - var_sshd_set_login_grace_time=60 + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow - - id: 5.2.20 - title: Ensure SSH Idle Timeout Interval is configured (Automated) + - id: 5.2.3.9 + title: Ensure discretionary access control permission modification events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_idle_timeout_value=15_minutes - - sshd_set_idle_timeout - - sshd_set_keepalive - - var_sshd_set_keepalive=1 + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - 
audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr - - id: 5.3.1 - title: Ensure sudo is installed (Automated) + - id: 5.2.3.10 + title: Ensure successful file system mounts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - package_sudo_installed + - audit_rules_media_export - - id: 5.3.2 - title: Ensure sudo commands use pty (Automated) + - id: 5.2.3.11 + title: Ensure session initiation information is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_add_use_pty + - audit_rules_session_events - - id: 5.3.3 - title: Ensure sudo log file exists (Automated) + - id: 5.2.3.12 + title: Ensure login and logout events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_custom_logfile + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - - id: 5.3.4 - title: Ensure users must provide password for escalation (Automated) + - id: 5.2.3.13 + title: Ensure file deletion events by users are collected (Automated) levels: - l2_server status: automated rules: - - sudo_require_authentication + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat - - id: 5.3.5 - title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + - id: 5.2.3.14 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - - id: 5.3.6 - title: Ensure 
sudo authentication timeout is configured correctly (Automated) + - id: 5.2.3.15 + title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - audit_rules_execution_chcon - - id: 5.3.7 - title: Ensure access to the su command is restricted (Automated) + - id: 5.2.3.16 + title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - Members of "wheel" or GID 0 groups are checked by default if the group option is not set for - pam_wheel.so module. The recommendation states the group should be empty to reinforce the - use of "sudo" for privileged access. Therefore, members of these groups should be manually - checked or a different group should be informed. rules: - - var_pam_wheel_group_for_su=cis - - use_pam_wheel_group_for_su - - ensure_pam_wheel_group_empty + - audit_rules_execution_setfacl - - id: 5.4.1 - title: Ensure custom authselect profile is used (Manual) + - id: 5.2.3.17 + title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) levels: - - l1_server - status: manual + - l2_server + status: automated rules: - - no_empty_passwords + - audit_rules_execution_chacl - - id: 5.4.2 - title: Ensure authselect includes with-faillock (Automated) + - id: 5.2.3.18 + title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - This requirement is also indirectly satisfied by the requirement 5.5.2. 
rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth + - audit_rules_privileged_commands_usermod - - id: 5.5.1 - title: Ensure password creation requirements are configured (Automated) + - id: 5.2.3.19 + title: Ensure kernel module loading, unloading and modification is collected (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so - module. However, the pam_pwquality.so module, by default, is always the first module from in - the PAM password stack. Therefore, the option is useless and not necessary. It was already - proposed to update the requirement in the next CIS version. rules: - - accounts_password_pam_minclass - - accounts_password_pam_minlen - - accounts_password_pam_retry - - var_password_pam_minclass=4 - - var_password_pam_minlen=14 + - audit_rules_kernel_module_loading_create + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_query + - audit_rules_privileged_commands_kmod - - id: 5.5.2 - title: Ensure lockout for failed password attempts is configured (Automated) + - id: 5.2.3.20 + title: Ensure the audit configuration is immutable (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 + - audit_rules_immutable - - id: 5.5.3 - title: Ensure password reuse is limited (Automated) + - id: 5.2.3.21 + title: Ensure the running and on disk configuration is the same (Manual) levels: - - l1_server - status: automated - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. 
- See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=5 + - l2_server + status: manual - - id: 5.5.4 - title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) + - id: 5.2.4.1 + title: Ensure audit log files are mode 0640 or less permissive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 + - file_permissions_var_log_audit - - id: 5.6.1.1 - title: Ensure password expiration is 365 days or less (Automated) + - id: 5.2.4.2 + title: Ensure only authorized users own audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=365 - - accounts_password_set_max_life_existing + - file_ownership_var_log_audit_stig - - id: 5.6.1.2 - title: Ensure minimum days between password changes is configured (Automated) + - id: 5.2.4.3 + title: Ensure only authorized groups are assigned ownership of audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=1 - - accounts_password_set_min_life_existing + - file_group_ownership_var_log_audit - - id: 5.6.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 5.2.4.4 + title: Ensure the audit log directory is 0750 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - 
accounts_password_set_warn_age_existing + - directory_permissions_var_log_audit - - id: 5.6.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 5.2.4.5 + title: Ensure audit configuration files are 640 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=30 - - accounts_set_post_pw_existing + - file_permissions_audit_configuration - - id: 5.6.1.5 - title: Ensure all users last password change date is in the past (Automated) + - id: 5.2.4.6 + title: Ensure audit configuration files are owned by root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_password_last_change_is_in_past + - file_ownership_audit_configuration - - id: 5.6.2 - title: Ensure system accounts are secured (Automated) + - id: 5.2.4.7 + title: Ensure audit configuration files belong to group root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts + - file_groupownership_audit_configuration - - id: 5.6.3 - title: Ensure default user shell timeout is 900 seconds or less (Automated) + - id: 5.2.4.8 + title: Ensure audit tools are 755 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_tmout - - var_accounts_tmout=15_min + - file_permissions_audit_binaries - - id: 5.6.4 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 5.2.4.9 + title: Ensure audit tools are owned by root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_root_gid_zero + - file_ownership_audit_binaries - - id: 5.6.5 - title: Ensure default user umask is 027 or more restrictive (Automated) + - id: 5.2.4.10 + title: Ensure audit tools belong to group root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - 
accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 + - file_groupownership_audit_binaries - - id: 5.6.6 - title: Ensure root password is set (Automated) + - id: 5.3 + title: Ensure logrotate is configured (Manual) levels: - l1_server - status: automated - rules: - - ensure_root_password_configured - - no_empty_passwords_etc_shadow + status: manual + related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled - id: 6.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) 
@@ -2049,62 +2034,39 @@ controls: - file_permissions_backup_etc_gshadow - id: 6.1.9 - title: Ensure no world writable files exist (Automated) + title: Audit system file permissions (Manual) levels: - - l1_server - status: automated - rules: - - file_permissions_unauthorized_world_writable + - l2_server + status: manual + related_rules: + - rpm_verify_permissions + - rpm_verify_ownership - id: 6.1.10 - title: Ensure no unowned files or directories exist (Automated) + title: Ensure world writable files and directories are secured (Automated) levels: - l1_server - status: automated rules: - - no_files_unowned_by_user + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits - id: 6.1.11 - title: Ensure no ungrouped files or directories exist (Automated) + title: Ensure no unowned or ungrouped files or directories exist (Automated) levels: - l1_server status: automated rules: + - no_files_unowned_by_user - file_permissions_ungroupowned - id: 6.1.12 - title: Ensure sticky bit is set on all world-writable directories (Automated) + title: Ensure SUID and SGID files are reviewed (Manual) levels: - l1_server - status: automated rules: - - dir_perms_world_writable_sticky_bits - - - id: 6.1.13 - title: Audit SUID executables (Manual) - levels: - - l1_server - status: manual - related_rules: - file_permissions_unauthorized_suid - - - id: 6.1.14 - title: Audit SGID executables (Manual) - levels: - - l1_server - status: manual - related_rules: - file_permissions_unauthorized_sgid - - id: 6.1.15 - title: Audit system file permissions (Manual) - levels: - - l2_server - status: manual - related_rules: - - rpm_verify_permissions - - rpm_verify_ownership - - id: 6.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: 
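Review bot: Controls 6.1.10 and 6.1.12 lose their `status:` line in this hunk — the old `status: automated` is removed under each and nothing is put back — so both end up with no status at all, which the control loader presumably reports as unset/pending rather than automated. 6.1.12 is retitled `(Manual)` yet keeps `file_permissions_unauthorized_suid` and `file_permissions_unauthorized_sgid` under `rules:`, whereas 6.1.9 in the same hunk models a manual control with `status: manual` and `related_rules:`. I would add `status: automated` to 6.1.10, and give 6.1.12 `status: manual` with its two rules moved under `related_rules:` to match 6.1.9.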
@@ -2179,59 +2141,26 @@ controls: - accounts_no_uid_except_zero - id: 6.2.10 - title: Ensure local interactive user home directories exist (Automated) + title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server status: automated rules: - accounts_user_interactive_home_directory_exists - - - id: 6.2.11 - title: Ensure local interactive users own their home directories (Automated) - levels: - - l1_server - status: automated - rules: - file_ownership_home_directories - - file_groupownership_home_directories - - - id: 6.2.12 - title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - levels: - - l1_server - status: automated - rules: - file_permissions_home_directories - - id: 6.2.13 - title: Ensure no local interactive user has .netrc files (Automated) - levels: - - l1_server - status: automated - rules: - - no_netrc_files - - - id: 6.2.14 - title: Ensure no local interactive user has .forward files (Automated) + - id: 6.2.11 + title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server - status: automated + status: partial rules: + - accounts_user_dot_group_ownership + - accounts_user_dot_user_ownership + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles - no_forward_files - - - id: 6.2.15 - title: Ensure no local interactive user has .rhosts files (Automated) - levels: - - l1_server - status: automated - notes: The rule also removes /etc/hosts.equiv - rules: - no_rsh_trust_files + - accounts_users_netrc_file_permissions - - id: 6.2.16 - title: Ensure local interactive user dot files are not group or world writable (Automated) - levels: - - l1_server - status: automated - rules: - - accounts_user_dot_no_world_writable_programs 
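Review bot: The line `notes: The rule also removes /etc/hosts.equiv` is dropped together with the old 6.2.15 control, but `no_rsh_trust_files` — the rule that note describes — is kept as a context line under the new 6.2.11, so the remediation's side effect on /etc/hosts.equiv is no longer documented anywhere in the profile. Carry it over to 6.2.11, e.g. `notes: |-` followed by `The no_rsh_trust_files rule also removes /etc/hosts.equiv.` 6.2.11 is also the only control here marked `status: partial`; a one-line note saying which part of the recommendation is not covered would spare the next reviewer from re-deriving it.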
diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml new file mode 100644 index 00000000000..2c142109f95 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml @@ -0,0 +1,38 @@ +# platform = multi_platform_al +# reboot = false +# strategy = restrict +# complexity = medium +# disruption = medium +- name: "Read permission of GPG key directory" + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: no + +# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well. + +- name: Read signatures in GPG key + # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 + command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" + changed_when: False + register: gpg_fingerprints + check_mode: no + +- name: Set Fact - Installed GPG Fingerprints + set_fact: + gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" + +- name: Set Fact - Valid fingerprints + set_fact: + gpg_valid_fingerprints: + - "{{{ release_key_fingerprint }}}" + +- name: Import Amazon GPG key + rpm_key: + state: present + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 + when: + - gpg_key_directory_permission.stat.mode <= '0755' + - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 + - gpg_installed_fingerprints | length > 0 + - ansible_distribution == "Amazon" and ansible_distribution_version == "2023" diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh new file mode 100644 index 00000000000..bf03f3c3f96 --- /dev/null 
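Review bot: The import gate in the `Import Amazon GPG key` task depends entirely on `release_key_fingerprint` being defined for this product — if the template renders it empty, `difference(gpg_valid_fingerprints)` rejects every real fingerprint and the `rpm_key` task never runs, which fails closed but silently. This commit's products/al2023/product.yml is outside my view, and the later "Add aws fingerprint" patch in this series touching the same file suggests the value may not exist yet at this commit; confirm the build of this commit alone renders the variable. The literal key path `/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023` also appears twice (the `command:` and `key:` lines); hoisting it into a single `vars:` entry, as the bash sibling does with `AMAZON_RELEASE_KEY`, keeps the two from drifting. The comment `# It should fail if it doesn't find any fingerprints in file` sits between tasks with nothing it refers to; move it next to the `gpg_installed_fingerprints | length > 0` condition it explains.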
+++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh @@ -0,0 +1,20 @@ +# platform = multi_platform_al + +# Location of the key we would like to import (once it's integrity verified) +readonly AMAZON_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" + +RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$AMAZON_RELEASE_KEY")") + +# Verify /etc/pki/rpm-gpg directory permissions are safe +if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] +then + # If they are safe, try to obtain fingerprints from the key file + # (to ensure there won't be e.g. CRC error). + readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$AMAZON_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) + GPG_RESULT=$? + # No CRC error, safe to proceed + if [ "${GPG_RESULT}" -eq "0" ] + then + rpm --import "${AMAZON_RELEASE_KEY}" + fi +fi diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml new file mode 100644 index 00000000000..a403cc8ccb7 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/oval/shared.xml @@ -0,0 +1,37 @@ +{{% if pkg_version %}} +{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}} + + + {{{ oval_metadata("The Amazon release packages are required to be installed.") }}} + + + + + + + + + + + + + gpg-pubkey + + + + + + + + + + + {{{ pkg_release }}} + {{{ pkg_version }}} + + + +{{% endif %}} diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/rule.yml new file mode 100644 index 00000000000..316cfb26571 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/rule.yml 
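Review bot: `GPG_RESULT=$?` after the `readarray -t GPG_OUT < <(gpg … | cut -d ":" -f 10)` line records readarray's exit status, not gpg's, so the "No CRC error" guard is effectively always true and the key is imported whenever the directory mode passes. The fingerprint captured into GPG_OUT is never compared with the expected release key either, whereas the Ansible remediation in this same commit gates `rpm_key` on `release_key_fingerprint`. A later patch in this series ("Add aws fingerprint …") touches this file and is outside my view; if it does not already add the comparison, I would run gpg on its own so its status is observed, then import only when the primary fingerprint matches the product value.
```shell
# … unchanged: AMAZON_RELEASE_KEY, RPM_GPG_DIR_PERMS and the directory permission check …
    # Run gpg by itself so "$?" reflects gpg rather than readarray.
    GPG_OUT=$(gpg --show-keys --with-fingerprint --with-colons "$AMAZON_RELEASE_KEY")
    GPG_RESULT=$?
    if [ "${GPG_RESULT}" -eq "0" ]
    then
        # Primary key fingerprint: field 10 of the "fpr" record following "pub".
        GPG_FPR=$(printf '%s\n' "$GPG_OUT" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
        # Import only a key whose fingerprint matches the product's expected release key.
        if [ "${GPG_FPR}" = "{{{ release_key_fingerprint }}}" ]
        then
            rpm --import "${AMAZON_RELEASE_KEY}"
        fi
    fi
# … unchanged: closing fi of the permission check …
```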
@@ -0,0 +1,49 @@ +documentation_complete: true + + +title: 'Ensure Amazon GPG Key Installed' + +description: |- + To ensure the system can cryptographically verify base software packages + come from Amazon (and to connect to the Amazon Network to receive them), + the Amazon GPG key must properly be installed. To install the Amazon GPG + key, run: +
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
+ +rationale: |- + Changes to software components can have significant effects on the overall + security of the operating system. This requirement ensures the software has + not been tampered with and that it has been provided by a trusted vendor. + The Amazon GPG key is necessary to cryptographically verify packages are + from Amazon. + +severity: high + +references: + cis-csc: 11,2,3,9 + cjis: 5.10.4.1 + cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02 + cui: 3.4.8 + disa: CCI-001749 + hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i) + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4 + isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6' + iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 + nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,CIP-007-3 R5.1 + nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a) + nist-csf: PR.DS-6,PR.DS-8,PR.IP-1 + ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 + pcidss: Req-6.2 + srg: SRG-OS-000366-GPOS-00153 + +ocil_clause: 'the Amazon GPG Key is not installed' + +ocil: |- + To ensure that the GPG key is installed, run: +
$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
+ The command should return the string below: +
Amazon Linux  public key
+ +fixtext: |- + Install {{{ full_name }}} GPG key. Run the following command: + $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh new file mode 100644 index 00000000000..dc7b063860b --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/key_installed.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# +# platform = Amazon Linux 2023 + +rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh new file mode 100644 index 00000000000..32a39a04487 --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/tests/missing_key.fail.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# + +# remove all available keys + +KEYS=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n') + +if [ $? = 0 ]; then + for KEY in $KEYS; do + rpm -e $KEY + done +fi From 3d60664b81cbd80b0811f31dde0d39a28823b8c3 Mon Sep 17 00:00:00 2001 From: hipponix Date: Sun, 19 May 2024 20:29:14 +0000 Subject: [PATCH 08/28] Add aws fingerprint and fix ensure_amazon_gpgkey_installed --- .../updating/ensure_amazon_gpgkey_installed/bash/shared.sh | 5 +++++ products/al2023/product.yml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh index bf03f3c3f96..d4d302e3b04 100644 --- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/bash/shared.sh 
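Review bot: The OCIL procedure only looks for the summary string `Amazon Linux  public key` in the output of `rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey`, which any imported key can carry; since the remediation pins `release_key_fingerprint`, the manual check should have the auditor compare the key id as well, e.g. `$ rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n'` and confirm a line whose version equals the last 8 hex digits (lower-case) of `{{{ release_key_fingerprint }}}`. The description's parenthetical "(and to connect to the Amazon Network to receive them)" reads as a leftover from the Red Hat rule this was adapted from; drop it or reword it to refer to the Amazon Linux package repositories. The double space in `Amazon Linux  public key` also looks accidental — verify the exact summary string on a 2023 instance before it is used as the pass criterion.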
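Review bot: `missing_key.fail.sh` has no `# platform =` header while its sibling `key_installed.pass.sh` is scoped with `# platform = Amazon Linux 2023`; without it the scenario is picked up wherever the rule is built, and it removes every `gpg-pubkey` package on the test system. Add `# platform = Amazon Linux 2023` under the shebang so both scenarios are scoped the same way.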
@@ -1,4 +1,6 @@ # platform = multi_platform_al +# The fingerprint below are retrieved from the offical amazon linux 2023 machine +readonly AMAZON_RELEASE_FINGERPRINT="{{{ release_key_fingerprint }}}" # Location of the key we would like to import (once it's integrity verified) readonly AMAZON_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" @@ -15,6 +17,9 @@ then # No CRC error, safe to proceed if [ "${GPG_RESULT}" -eq "0" ] then + echo "${GPG_OUT[*]}" | grep -vE "${AMAZON_RELEASE_FINGERPRINT}" || { + # If $AMAZON_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it rpm --import "${AMAZON_RELEASE_KEY}" + } fi fi diff --git a/products/al2023/product.yml b/products/al2023/product.yml index 961fd3368f7..a06078a09fb 100644 --- a/products/al2023/product.yml +++ b/products/al2023/product.yml @@ -20,6 +20,8 @@ sshd_distributed_config: "true" faillock_path: "/var/log/faillock" +release_key_fingerprint: "B21C50FA44A99720EAA72F7FE951904AD832C631" + cpes_root: "../../shared/applicability" cpes: - al2023: @@ -34,3 +36,4 @@ reference_uris: cis: 'https://www.cisecurity.org/benchmark/amazon_linux/' journald_conf_dir_path: /etc/systemd/journald.conf.d + From ff39928da8473535729348a8887a3fc0a0e59bc0 Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Tue, 21 May 2024 16:09:57 +0200 Subject: [PATCH 09/28] fix a typo in cis.profile --- products/al2023/profiles/cis.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis.profile index 52db9fb2cb4..039dfd9f1ec 100644 --- a/products/al2023/profiles/cis.profile +++ b/products/al2023/profiles/cis.profile @@ -15,7 +15,7 @@ description: |- 2023 Benchmark™, v1.0.0, released 2023-06-26. This profile includes Center for Internet Security® - Amazon Linux 9 CIS Benchmarks™ content. + Amazon Linux 2023 CIS Benchmarks™ content. selections: - cis_al2023:all:l2_server 
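Review bot: `echo "${GPG_OUT[*]}"` joins every fingerprint found in the key file onto one space-separated line, so `grep -vE "${AMAZON_RELEASE_FINGERPRINT}"` only asks whether the expected fingerprint appears somewhere on that line; a file carrying the genuine key plus a second, unknown key still passes and `rpm --import` installs both, which is exactly the case the new comment says is excluded. Emit one fingerprint per line and match whole lines literally: `printf '%s\n' "${GPG_OUT[@]}" | grep -qvxF "${AMAZON_RELEASE_FINGERPRINT}" || {` (an empty array yields one blank line, which is non-matching and therefore still blocks the import). The comment in the first hunk says the fingerprint was "retrieved from the offical amazon linux 2023 machine"; for a trust anchor it is worth recording instead that it was cross-checked against Amazon's published key material, since a value copied from a running instance only reproduces whatever that instance already trusted.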
From 472659cfbbb946efa745a14c2ad04c2f0bd682bd Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Tue, 21 May 2024 16:11:12 +0200 Subject: [PATCH 10/28] fix a typo in cis_server_l1.profile --- products/al2023/profiles/cis_server_l1.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile index 83f56d01fa9..9bc38700b84 100644 --- a/products/al2023/profiles/cis_server_l1.profile +++ b/products/al2023/profiles/cis_server_l1.profile @@ -15,7 +15,7 @@ description: |- 2023 Benchmark™, v1.0.0, released 2023-06-26. This profile includes Center for Internet Security® - Amazon Linux 9 CIS Benchmarks™ content. + Amazon Linux 2023 CIS Benchmarks™ content. selections: - cis_al2023:all:l1_server From 170ae4ff4f71d3bdfbdf7d2aecce1b9c449318fc Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 30 May 2024 14:44:51 +0200 Subject: [PATCH 11/28] Update linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml thanks Co-authored-by: Matthew Burket --- .../updating/ensure_amazon_gpgkey_installed/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml index 2c142109f95..8cd3c497f9c 100644 --- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml @@ -23,7 +23,7 @@ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" - name: Set Fact - Valid fingerprints - set_fact: + ansible.builtin.set_fact: gpg_valid_fingerprints: - "{{{ release_key_fingerprint }}}" From 443589226b6712574f55c6dd430f79e943b0e366 Mon Sep 17 00:00:00 2001 
From: Mirco Santori Date: Thu, 30 May 2024 14:45:06 +0200 Subject: [PATCH 12/28] Update linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml thanks Co-authored-by: Matthew Burket --- .../updating/ensure_amazon_gpgkey_installed/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml index 8cd3c497f9c..991f94d059e 100644 --- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml @@ -28,7 +28,7 @@ - "{{{ release_key_fingerprint }}}" - name: Import Amazon GPG key - rpm_key: + ansible.builtin.rpm_key: state: present key: /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 when: From 32686e46445b31de7de580837ccf0af814ddf95d Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 30 May 2024 14:45:48 +0200 Subject: [PATCH 13/28] Update linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml thanks Co-authored-by: Matthew Burket --- .../updating/ensure_amazon_gpgkey_installed/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml index 991f94d059e..4b729c83482 100644 --- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml 
@@ -19,7 +19,7 @@ check_mode: no - name: Set Fact - Installed GPG Fingerprints - set_fact: + ansible.builtin.set_fact: gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" - name: Set Fact - Valid fingerprints From 73a1121168b6894e463023dca273c0155348e975 Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 30 May 2024 14:46:14 +0200 Subject: [PATCH 14/28] Update linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml thanks Co-authored-by: Matthew Burket --- .../updating/ensure_amazon_gpgkey_installed/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml index 4b729c83482..13707433283 100644 --- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml @@ -4,7 +4,7 @@ # complexity = medium # disruption = medium - name: "Read permission of GPG key directory" - stat: + ansible.builtin.stat: path: /etc/pki/rpm-gpg/ register: gpg_key_directory_permission check_mode: no From f362c435f9dd2c741cc3657c1f1342a8a557333a Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 30 May 2024 14:47:01 +0200 Subject: [PATCH 15/28] Update linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml thanks Co-authored-by: Matthew Burket --- .../updating/ensure_amazon_gpgkey_installed/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml index 13707433283..aba0effec26 100644 
--- a/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_amazon_gpgkey_installed/ansible/shared.yml @@ -13,7 +13,7 @@ - name: Read signatures in GPG key # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 - command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" + ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" changed_when: False register: gpg_fingerprints check_mode: no From 067ac60fb0c10860145658ec5a25b96297f37045 Mon Sep 17 00:00:00 2001 From: hipponix Date: Fri, 31 May 2024 09:45:33 +0000 Subject: [PATCH 16/28] remove not needed controls from cis profiles - fix chronyd conf by pointing to aws servers --- build/.gitkeep | 0 controls/cis_al2023.yml | 2 +- products/al2023/profiles/cis.profile | 3 --- products/al2023/profiles/cis_server_l1.profile | 3 --- 4 files changed, 1 insertion(+), 7 deletions(-) delete mode 100644 build/.gitkeep diff --git a/build/.gitkeep b/build/.gitkeep deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 9e9f09070cd..acbccf81a14 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -550,7 +550,7 @@ controls: rules: - chronyd_specify_remote_server - chronyd_run_as_chrony_user - - var_multiple_time_servers=rhel + - var_multiple_time_servers=amazon - id: 2.2.1 title: Ensure xorg-x11-server-common is not installed (Automated) diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis.profile index 039dfd9f1ec..10bd27080c0 100644 --- a/products/al2023/profiles/cis.profile +++ b/products/al2023/profiles/cis.profile @@ -19,6 +19,3 @@ description: |- selections: - cis_al2023:all:l2_server - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' 
diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile index 9bc38700b84..f9e9e4879d7 100644 --- a/products/al2023/profiles/cis_server_l1.profile +++ b/products/al2023/profiles/cis_server_l1.profile @@ -19,6 +19,3 @@ description: |- selections: - cis_al2023:all:l1_server - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' From 668b8295b95aa0b8c9102958e0da88602955fd16 Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 2 May 2024 17:34:12 +0200 Subject: [PATCH 17/28] Add AL2023 product --- controls/cis_al2023.yml | 1461 +++++++++-------- shared/checks/oval/installed_OS_is_al2023.xml | 2 +- 2 files changed, 807 insertions(+), 656 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index acbccf81a14..4057b8815b7 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -13,62 +13,42 @@ reference_type: cis product: al2023 controls: - - - id: 1.1.1.1 - title: Ensure mounting of squashfs filesystems is disabled (Automated) - levels: - - l2_server - status: automated - rules: - - kernel_module_squashfs_disabled - - - id: 1.1.1.2 - title: Ensure mounting of udf filesystems is disabled (Automated) - levels: - - l2_server - status: automated - rules: - - kernel_module_udf_disabled - - - id: 1.1.1.3 - title: Ensure mounting of cramfs filesystems is disabled (Automated) - levels: - - l1_server - status: automated - rules: - - kernel_module_cramfs_disabled - - - id: 1.1.1.4 - title: Ensure mounting of freevxfs filesystems is disabled (Automated) + - id: reload_dconf_db + title: Reload Dconf database levels: - l1_server + notes: <- + This is a helper rule to reload Dconf database correctly. status: automated rules: - - kernel_module_freevxfs_disabled + - dconf_db_up_to_date - - id: 1.1.1.5 - title: Ensure mounting of jffs2 filesystems is disabled (Automated) + - id: enable_authselect + title: Enable Authselect levels: - l1_server + notes: <- + We need this in all CIS versions, but the policy doesn't have any section where this would fit better. status: automated rules: - - kernel_module_jffs2_disabled + - var_authselect_profile=sssd + - enable_authselect - - id: 1.1.1.6 - title: Ensure mounting of hfs filesystems is disabled (Automated) + - id: 1.1.1.1 + title: Ensure mounting of squashfs filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_hfs_disabled + - kernel_module_squashfs_disabled - - id: 1.1.1.7 - title: Ensure mounting of hfsplus filesystems is disabled (Automated) + - id: 1.1.1.2 + title: Ensure mounting of udf filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_hfsplus_disabled + - kernel_module_udf_disabled - id: 1.1.2.1 title: Ensure /tmp is a separate partition (Automated) 
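Review bot: `notes: <-` on the new `reload_dconf_db` and `enable_authselect` entries is not a YAML block-scalar indicator (`|-` and `>-` are); depending on how the continuation line is indented this either fails to parse or silently yields the string `<- This is a helper rule …`. Later entries in this same file use `notes: |-`, so these should read `notes: |-` too. The level and rule changes in this hunk (squashfs/udf moved to `l1_server`, cramfs/freevxfs/jffs2/hfs/hfsplus dropped) cannot be verified here against the CIS Amazon Linux 2023 benchmark; a `notes:` line citing the benchmark section would help future reviewers.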
@@ -311,7 +291,7 @@ controls: - id: 1.2.4 title: Ensure repo_gpgcheck is globally activated (Manual) levels: - - l2_server + - l1_server status: manual - id: 1.3.1 @@ -342,10 +322,24 @@ controls: - aide_use_fips_hashes - id: 1.4.1 + title: Ensure bootloader password is set (Automated) + levels: + - l1_server + status: automated + notes: <- + RHEL9 unified the paths for grub2 files. + rules: + - grub2_password + related_rules: + - grub2_uefi_password + + - id: 1.4.2 title: Ensure permissions on bootloader config are configured (Automated) levels: - l1_server status: automated + notes: <- + RHEL9 unified the paths for grub2 files. rules: - file_groupowner_grub2_cfg - file_owner_grub2_cfg @@ -362,36 +356,28 @@ controls: - file_permissions_efi_user_cfg - id: 1.5.1 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + title: Ensure core dump storage is disabled (Automated) levels: - l1_server status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_storage - id: 1.5.2 - title: Ensure ptrace_scope is restricted (Automated) + title: Ensure core dump backtraces are disabled (Automated) levels: - l1_server status: automated rules: - - sysctl_kernel_yama_ptrace_scope + - coredump_disable_backtraces - id: 1.5.3 - title: Ensure core dump storage is disabled (Automated) - levels: - - l1_server - status: automated - rules: - - coredump_disable_storage - - - id: 1.5.4 - title: Ensure core dump backtraces are disabled (Automated) + title: Ensure address space layout randomization (ASLR) is enabled (Automated) levels: - l1_server status: automated rules: - - coredump_disable_backtraces + - sysctl_kernel_randomize_va_space - id: 1.6.1.1 title: Ensure SELinux is installed (Automated) 
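Review bot: Both `notes:` entries added for 1.4.1 and 1.4.2 read `RHEL9 unified the paths for grub2 files.` inside a file declaring `product: al2023`, which tells a maintainer nothing about Amazon Linux 2023; the note should state which grub2 config paths AL2023 uses and why `grub2_password` is selected with `grub2_uefi_password` as a related rule. They also use `notes: <-`, which is not a block-scalar indicator; use `notes: |-` as the later entries in this file do.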
@@ -516,7 +502,95 @@ controls: - file_owner_etc_issue_net - file_permissions_etc_issue_net - - id: 1.8 + - id: 1.8.1 + title: Ensure GNOME Display Manager is removed (Automated) + levels: + - l2_server + status: automated + rules: + - package_gdm_removed + + - id: 1.8.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - login_banner_text=cis_banners + + - id: 1.8.3 + title: Ensure GDM disable-user-list option is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_user_list + + - id: 1.8.4 + title: Ensure GDM screen locks when the user is idle (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + + - id: 1.8.5 + title: Ensure GDM screen locks cannot be overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_session_idle_user_locks + - dconf_gnome_screensaver_user_locks + + - id: 1.8.6 + title: Ensure GDM automatic mounting of removable media is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.7 + title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.8 + title: Ensure GDM autorun-never is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.9 + title: Ensure GDM autorun-never is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.10 + title: Ensure XDMCP is not 
enabled (Automated) + levels: + - l1_server + status: automated + rules: + - gnome_gdm_disable_xdmcp + + - id: 1.9 title: Ensure updates, patches, and additional security software are installed (Manual) levels: - l1_server @@ -524,7 +598,7 @@ controls: related_rules: - security_patches_up_to_date - - id: "1.9" + - id: "1.10" title: Ensure system-wide crypto policy is not legacy (Automated) levels: - l1_server @@ -561,7 +635,7 @@ controls: - package_xorg-x11-server-common_removed - id: 2.2.2 - title: Ensure avahi is not installed (Automated) + title: Ensure Avahi Server is not installed (Automated) levels: - l1_server status: automated @@ -571,7 +645,7 @@ controls: - service_avahi-daemon_disabled - id: 2.2.3 - title: Ensure a print server is not installed (Automated) + title: Ensure CUPS is not installed (Automated) levels: - l1_server status: automated @@ -597,7 +671,7 @@ controls: - package_bind_removed - id: 2.2.6 - title: Ensure ftp Server is not installed (Automated) + title: Ensure VSFTP Server is not installed (Automated) levels: - l1_server status: automated @@ -612,8 +686,8 @@ controls: rules: - package_tftp-server_removed -# - id: 2.2.8 -# title: Ensure a web server is not installed (Automated) + - id: 2.2.8 + title: Ensure a web server is not installed (Automated) levels: - l1_server status: automated @@ -646,13 +720,13 @@ controls: rules: - package_squid_removed -# - id: 2.2.12 -# title: Ensure net-snmp is not installed or the snmpd service is not enabled (Automated) -# levels: -# - l1_server -# status: automated -# rules: -# - TODO + - id: 2.2.12 + title: Ensure net-snmp is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_net-snmp_removed - id: 2.2.13 title: Ensure telnet-server is not installed (Automated) 
@@ -727,6 +801,14 @@ controls: - package_openldap-clients_removed - id: 2.3.3 + title: Ensure TFTP client is not installed (Automated) + levels: + - l1_server + status: automated + rules: + - package_tftp_removed + + - id: 2.3.4 title: Ensure FTP client is not installed (Automated) levels: - l1_server @@ -735,7 +817,7 @@ controls: - package_ftp_removed - id: 2.4 - title: Ensure nonessential services listening on the system are removed or masked (Manual) + title: Ensure nonessential services are removed or masked (Manual) levels: - l1_server status: manual @@ -747,30 +829,14 @@ controls: status: manual - id: 3.1.2 - title: Ensure DCCP is disabled (Automated) + title: Ensure wireless interfaces are disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - kernel_module_dccp_disabled + - wireless_disable_interfaces - id: 3.1.3 - title: Ensure SCTP is disabled (Automated) - levels: - - l2_server - status: automated - rules: - - kernel_module_sctp_disabled - - - id: 3.1.4 - title: Ensure RDS is disabled (Automated) - levels: - - l2_server - status: automated - rules: - - kernel_module_rds_disabled - - - id: 3.1.5 title: Ensure TIPC is disabled (Automated) levels: - l2_server @@ -901,7 +967,7 @@ controls: - id: 3.4.1.1 title: Ensure nftables is installed (Automated) levels: - - l2_server + - l1_server status: automated rules: - package_nftables_installed @@ -909,7 +975,7 @@ controls: - id: 3.4.1.2 title: Ensure a single firewall configuration utility is in use (Automated) levels: - - l2_server + - l1_server status: automated rules: - service_firewalld_enabled @@ -919,7 +985,7 @@ controls: - id: 3.4.2.1 title: Ensure firewalld default zone is set (Automated) levels: - - l2_server + - l1_server status: automated rules: - set_firewalld_default_zone 
@@ -927,8 +993,13 @@ controls: - id: 3.4.2.2 title: Ensure at least one nftables table exists (Automated) levels: - - l2_server + - l1_server status: supported + notes: + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. firewalld uses the inet firewalld that is created when firewalld is installed. + The OVAL check cannot be automated but an SCE is availble. rules: - set_nftables_table - var_nftables_family=inet @@ -937,8 +1008,12 @@ controls: - id: 3.4.2.3 title: Ensure nftables base chains exist (Automated) levels: - - l2_server + - l1_server status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. When using firewalld the base chains are installed by default. related_rules: - set_nftables_base_chain - var_nftables_table=firewalld @@ -952,7 +1027,7 @@ controls: - id: 3.4.2.4 title: Ensure host based firewall loopback traffic is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - firewalld_loopback_traffic_trusted @@ -961,7 +1036,7 @@ controls: - id: 3.4.2.5 title: Ensure firewalld drops unnecessary services and ports (Manual) levels: - - l2_server + - l1_server status: manual related_rules: - configure_firewalld_ports 
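Review bot: The `notes:` added for 3.4.2.2 and 3.4.2.3 describe "RHEL systems" in a control file whose `product: al2023`; if the text was carried over from the RHEL9 controls it should be reworded for Amazon Linux 2023 and, more importantly, confirmed to hold there, because keeping these controls `supported` rather than `automated` rests on firewalld being the shipped firewall front-end. The first note also spells `availble`, and "firewalld uses the inet firewalld that is created" appears to be missing a word (presumably "inet firewalld table"). The 3.4.2.2 `notes:` is a plain multi-line scalar while 3.4.2.3 uses `|-`; using `notes: |-` for both keeps the file consistent.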
@@ -969,989 +1044,1008 @@ controls: - id: 3.4.2.6 title: Ensure nftables established connections are configured (Manual) levels: - - l2_server + - l1_server status: manual - id: 3.4.2.7 title: Ensure nftables default deny firewall policy (Automated) levels: - - l2_server + - l1_server status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. related_rules: - nftables_ensure_default_deny_policy - - id: 4.1.1 - title: Ensure cron daemon is installed and enabled (Automated) + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) levels: - - l1_server + - l2_server status: automated rules: - - service_crond_enabled + - package_audit_installed - - id: 4.1.2 - title: Ensure permissions on /etc/crontab are configured (Automated) + - id: 4.1.1.2 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_crontab - - file_owner_crontab - - file_permissions_crontab - - - id: 4.1.3 - title: Ensure permissions on /etc/cron.hourly are configured (Automated) + - grub2_audit_argument + + - id: 4.1.1.3 + title: Ensure audit_backlog_limit is sufficient (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_cron_hourly - - file_owner_cron_hourly - - file_permissions_cron_hourly + - grub2_audit_backlog_limit_argument - - id: 4.1.4 - title: Ensure permissions on /etc/cron.daily are configured (Automated) + - id: 4.1.1.4 + title: Ensure auditd service is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_cron_daily - - file_owner_cron_daily - - file_permissions_cron_daily + - service_auditd_enabled - - id: 4.1.5 - title: Ensure permissions on /etc/cron.weekly are configured (Automated) + - id: 4.1.2.1 + title: Ensure audit log 
storage size is configured (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_cron_weekly - - file_owner_cron_weekly - - file_permissions_cron_weekly + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 - - id: 4.1.6 - title: Ensure permissions on /etc/cron.monthly are configured (Automated) + - id: 4.1.2.2 + title: Ensure audit logs are not automatically deleted (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_cron_monthly - - file_owner_cron_monthly - - file_permissions_cron_monthly + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs - - id: 4.1.7 - title: Ensure permissions on /etc/cron.d are configured (Automated) + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_cron_d - - file_owner_cron_d - - file_permissions_cron_d + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=halt + - var_auditd_space_left_action=email - - id: 4.1.8 - title: Ensure cron is restricted to authorized users (Automated) + - id: 4.1.3.1 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_cron_deny_not_exist - - file_cron_allow_exists - - file_groupowner_cron_allow - - file_owner_cron_allow - - file_permissions_cron_allow + - audit_rules_sysadmin_actions - - id: 4.1.9 - title: Ensure at is restricted to authorized users (Automated) + - id: 4.1.3.2 + title: Ensure actions as another user are always logged (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_at_deny_not_exist - - file_groupowner_at_allow - - file_owner_at_allow - - 
file_permissions_at_allow + - audit_rules_suid_auid_privilege_function - - id: 4.2.1 - title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + - id: 4.1.3.3 + title: Ensure events that modify the sudo log file are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_groupowner_sshd_config - - file_owner_sshd_config - - file_permissions_sshd_config + - audit_sudo_log_events - - id: 4.2.2 - title: Ensure permissions on SSH private host key files are configured (Automated) + - id: 4.1.3.4 + title: Ensure events that modify date and time information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_permissions_sshd_private_key - - file_ownership_sshd_private_key - - file_groupownership_sshd_private_key + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime - - id: 4.2.3 - title: Ensure permissions on SSH public host key files are configured (Automated) + - id: 4.1.3.5 + title: Ensure events that modify the system's network environment are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - - file_groupownership_sshd_pub_key + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification_network_scripts - - id: 4.2.4 - title: Ensure SSH access is limited (Automated) + - id: 4.1.3.6 + title: Ensure use of privileged commands is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_limit_user_access + - audit_rules_privileged_commands - - id: 4.2.5 - title: Ensure SSH LogLevel is appropriate (Automated) + - id: 4.1.3.7 + title: Ensure unsuccessful file access attempts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_loglevel_verbose - related_rules: - - 
sshd_set_loglevel_info + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate - - id: 4.2.6 - title: Ensure SSH PAM is enabled (Automated) + - id: 4.1.3.8 + title: Ensure events that modify user/group information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_pam + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow - - id: 4.2.7 - title: Ensure SSH root login is disabled (Automated) + - id: 4.1.3.9 + title: Ensure discretionary access control permission modification events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_root_login + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr - - id: 4.2.8 - title: Ensure SSH HostbasedAuthentication is disabled (Automated) + - id: 4.1.3.10 + title: Ensure successful file system mounts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - disable_host_auth + - audit_rules_media_export - - id: 4.2.9 - title: Ensure SSH PermitEmptyPasswords is disabled (Automated) + - id: 4.1.3.11 + title: Ensure session 
initiation information is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_empty_passwords + - audit_rules_session_events - - id: 4.2.10 - title: Ensure SSH PermitUserEnvironment is disabled (Automated) + - id: 4.1.3.12 + title: Ensure login and logout events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_do_not_permit_user_env + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run - - id: 4.2.11 - title: Ensure SSH IgnoreRhosts is enabled (Automated) + - id: 4.1.3.13 + title: Ensure file deletion events by users are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_rhosts + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat - - id: 4.2.12 - title: Ensure SSH X11 forwarding is disabled (Automated) + - id: 4.1.3.14 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - l2_server status: automated rules: - - sshd_disable_x11_forwarding + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - - id: 4.2.13 - title: Ensure SSH AllowTcpForwarding is disabled (Automated) + - id: 4.1.3.15 + title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) levels: - l2_server status: automated rules: - - sshd_disable_tcp_forwarding + - audit_rules_execution_chcon - - id: 4.2.14 - title: Ensure system-wide crypto policy is not over-ridden (Automated) + - id: 4.1.3.16 + title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) levels: - - l1_server + - l2_server status: automated rules: - - configure_ssh_crypto_policy + - audit_rules_execution_setfacl - - id: 4.2.15 - title: Ensure 
SSH warning banner is configured (Automated) + - id: 4.1.3.17 + title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_warning_banner_net - related_rules: - - sshd_enable_warning_banner + - audit_rules_execution_chacl - - id: 4.2.16 - title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + - id: 4.1.3.18 + title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries + - audit_rules_privileged_commands_usermod - - id: 4.2.17 - title: Ensure SSH MaxStartups is configured (Automated) + - id: 4.1.3.19 + title: Ensure kernel module loading, unloading and modification is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 + - audit_rules_kernel_module_loading_create + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_query + - audit_rules_privileged_commands_kmod - - id: 4.2.18 - title: Ensure SSH MaxSessions is set to 10 or less (Automated) + - id: 4.1.3.20 + title: Ensure the audit configuration is immutable (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_max_sessions - - var_sshd_max_sessions=10 + - audit_rules_immutable - - id: 4.2.19 - title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + - id: 4.1.3.21 + title: Ensure the running and on disk configuration is the same (Manual) levels: - - l1_server + - l2_server + status: manual + + - id: 4.1.4.1 + title: Ensure audit log files are mode 0640 or less permissive (Automated) + levels: + - l2_server status: automated rules: - - sshd_set_login_grace_time - - 
var_sshd_set_login_grace_time=60 + - file_permissions_var_log_audit - - id: 4.2.20 - title: Ensure SSH Idle Timeout Interval is configured (Automated) + - id: 4.1.4.2 + title: Ensure only authorized users own audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_idle_timeout_value=15_minutes - - sshd_set_idle_timeout - - sshd_set_keepalive - - var_sshd_set_keepalive=1 + - file_ownership_var_log_audit_stig - - id: 4.3.1 - title: Ensure sudo is installed (Automated) + - id: 4.1.4.3 + title: Ensure only authorized groups are assigned ownership of audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - package_sudo_installed + - file_group_ownership_var_log_audit - - id: 4.3.2 - title: Ensure sudo commands use pty (Automated) + - id: 4.1.4.4 + title: Ensure the audit log directory is 0750 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_add_use_pty + - directory_permissions_var_log_audit - - id: 4.3.3 - title: Ensure sudo log file exists (Automated) + - id: 4.1.4.5 + title: Ensure audit configuration files are 640 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_custom_logfile + - file_permissions_audit_configuration - - id: 4.3.4 - title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + - id: 4.1.4.6 + title: Ensure audit configuration files are owned by root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - file_ownership_audit_configuration - - id: 4.3.5 - title: Ensure sudo authentication timeout is configured correctly (Automated) + - id: 4.1.4.7 + title: Ensure audit configuration files belong to group root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - file_groupownership_audit_configuration - - id: 4.3.6 - title: 
Ensure access to the su command is restricted (Automated) + - id: 4.1.4.8 + title: Ensure audit tools are 755 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - Members of "wheel" or GID 0 groups are checked by default if the group option is not set for - pam_wheel.so module. The recommendation states the group should be empty to reinforce the - use of "sudo" for privileged access. Therefore, members of these groups should be manually - checked or a different group should be informed. rules: - - var_pam_wheel_group_for_su=cis - - use_pam_wheel_group_for_su - - ensure_pam_wheel_group_empty + - file_permissions_audit_binaries - - id: 4.4.1 - title: Ensure custom authselect profile is used (Manual) + - id: 4.1.4.9 + title: Ensure audit tools are owned by root (Automated) levels: - - l1_server - status: manual + - l2_server + status: automated rules: - - no_empty_passwords + - file_ownership_audit_binaries - - id: 4.4.2 - title: Ensure authselect includes with-faillock (Automated) + - id: 4.1.4.10 + title: Ensure audit tools belong to group root (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - This requirement is also indirectly satisfied by the requirement 5.5.2. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth + - file_groupownership_audit_binaries - - id: 4.5.1 - title: Ensure password creation requirements are configured (Automated) + - id: 4.2.1.1 + title: Ensure rsyslog is installed (Automated) levels: - l1_server status: automated - notes: |- - The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so - module. However, the pam_pwquality.so module, by default, is always the first module from in - the PAM password stack. Therefore, the option is useless and not necessary. It was already - proposed to update the requirement in the next CIS version. 
rules: - - accounts_password_pam_minclass - - accounts_password_pam_minlen - - accounts_password_pam_retry - - var_password_pam_minclass=4 - - var_password_pam_minlen=14 + - package_rsyslog_installed - - id: 4.5.2 - title: Ensure lockout for failed password attempts is configured (Automated) + - id: 4.2.1.2 + title: Ensure rsyslog Service is enabled (Automated) levels: - l1_server status: automated rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 + - service_rsyslog_enabled - - id: 4.5.3 - title: Ensure password reuse is limited (Automated) + - id: 4.2.1.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) levels: - l1_server status: automated rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=5 + - journald_forward_to_syslog - - id: 4.5.4 - title: Ensure password hashing algorithm is SHA-512 (Automated) + - id: 4.2.1.4 + title: Ensure rsyslog default file permissions configured (Automated) levels: - l1_server status: automated rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 + - rsyslog_filecreatemode - - id: 4.6.1.1 - title: Ensure password expiration is 365 days or less (Automated) + - id: 4.2.1.5 + title: Ensure logging is configured (Manual) levels: - l1_server - status: automated - rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=365 - - accounts_password_set_max_life_existing + status: manual - - id: 4.6.1.2 - title: Ensure minimum days between password changes is configured (Automated) + - id: 4.2.1.6 + title: Ensure rsyslog is configured to send logs 
to a remote log host (Manual) levels: - l1_server status: automated - rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=1 - - accounts_password_set_min_life_existing + related_rules: + - rsyslog_remote_loghost - - id: 4.6.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 4.2.1.7 + title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - accounts_password_set_warn_age_existing + - rsyslog_nolisten - - id: 4.6.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 4.2.2.1.1 + title: Ensure systemd-journal-remote is installed (Manual) levels: - l1_server - status: automated - rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=30 - - accounts_set_post_pw_existing + status: manual - - id: 4.6.1.5 - title: Ensure all users last password change date is in the past (Automated) + - id: 4.2.2.1.2 + title: Ensure systemd-journal-remote is configured (Manual) levels: - l1_server - status: automated - rules: - - accounts_password_last_change_is_in_past + status: manual - - id: 4.6.2 - title: Ensure system accounts are secured (Automated) + - id: 4.2.2.1.3 + title: Ensure systemd-journal-remote is enabled (Manual) levels: - l1_server - status: automated - rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts + status: manual - - id: 4.6.3 - title: Ensure default user shell timeout is 900 seconds or less (Automated) + - id: 4.2.2.1.4 + title: Ensure journald is not configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - accounts_tmout - - var_accounts_tmout=15_min + - socket_systemd-journal-remote_disabled - - id: 4.6.4 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 
4.2.2.2 + title: Ensure journald service is enabled (Automated) levels: - l1_server status: automated rules: - - accounts_root_gid_zero + - service_systemd-journald_enabled - - id: 4.6.5 - title: Ensure default user umask is 027 or more restrictive (Automated) + - id: 4.2.2.3 + title: Ensure journald is configured to compress large log files (Automated) levels: - l1_server status: automated rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 + - journald_compress - - id: 4.6.6 - title: Ensure root password is set (Automated) + - id: 4.2.2.4 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) levels: - l1_server status: automated rules: - - ensure_root_password_configured - - no_empty_passwords_etc_shadow + - journald_storage - - id: 5.1.1.1 - title: Ensure rsyslog is installed (Automated) + - id: 4.2.2.5 + title: Ensure journald is not configured to send logs to rsyslog (Manual) levels: - l1_server - status: automated - rules: - - package_rsyslog_installed + status: manual - - id: 5.1.1.2 - title: Ensure rsyslog Service is enabled (Automated) + - id: 4.2.2.6 + title: Ensure journald log rotation is configured per site policy (Manual) levels: - l1_server - status: automated - rules: - - service_rsyslog_enabled + status: manual - - id: 5.1.1.3 - title: Ensure journald is configured to send logs to rsyslog (Automated) + - id: 4.2.2.7 + title: Ensure journald default file permissions configured (Manual) levels: - l1_server - status: automated - rules: - - journald_forward_to_syslog + status: manual - - id: 5.1.1.4 - title: Ensure rsyslog default file permissions configured (Automated) + - id: 4.2.3 + title: Ensure all logfiles have appropriate permissions and ownership (Automated) levels: - l1_server status: automated rules: - - rsyslog_filecreatemode + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions - - id: 
5.1.1.5 - title: Ensure logging is configured (Manual) + - id: 4.3 + title: Ensure logrotate is configured (Manual) levels: - l1_server status: manual + related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled - - id: 5.1.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + - id: 5.1.1 + title: Ensure cron daemon is enabled (Automated) levels: - l1_server status: automated - related_rules: - - rsyslog_remote_loghost + rules: + - service_crond_enabled - - id: 5.1.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) + - id: 5.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) levels: - l1_server status: automated rules: - - rsyslog_nolisten + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab - - id: 5.1.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) + - id: 5.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly - - id: 5.1.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) + - id: 5.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily - - id: 5.1.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) + - id: 5.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly - - id: 5.1.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) + - id: 5.1.6 + title: Ensure 
permissions on /etc/cron.monthly are configured (Automated) levels: - l1_server status: automated rules: - - socket_systemd-journal-remote_disabled + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly - - id: 5.1.2.2 - title: Ensure journald service is enabled (Automated) + - id: 5.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) levels: - l1_server status: automated rules: - - service_systemd-journald_enabled + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d - - id: 5.1.2.3 - title: Ensure journald is configured to compress large log files (Automated) + - id: 5.1.8 + title: Ensure cron is restricted to authorized users (Automated) levels: - l1_server status: automated rules: - - journald_compress + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow - - id: 5.1.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) + - id: 5.1.9 + title: Ensure at is restricted to authorized users (Automated) levels: - l1_server status: automated rules: - - journald_storage + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow - - id: 5.1.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) + - id: 5.2.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config - - id: 5.1.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) + - id: 5.2.2 + title: Ensure permissions on SSH private host key files are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - 
file_groupownership_sshd_private_key - - id: 5.1.2.7 - title: Ensure journald default file permissions configured (Manual) + - id: 5.2.3 + title: Ensure permissions on SSH public host key files are configured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key - - id: 5.1.3 - title: Ensure all logfiles have appropriate permissions and ownership (Automated) + - id: 5.2.4 + title: Ensure SSH access is limited (Automated) levels: - l1_server status: automated rules: - - rsyslog_files_groupownership - - rsyslog_files_ownership - - rsyslog_files_permissions + - sshd_limit_user_access - - id: 5.2.1.1 - title: Ensure auditd is installed (Automated) + - id: 5.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) levels: - - l2_server + - l1_server status: automated + # The CIS benchmark is not opinionated about which loglevel is selected + # here. Here, this profile uses VERBOSE by default, as it allows for + # the capture of login and logout activity as well as key fingerprints. 
rules: - - package_audit_installed + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info - - id: 5.2.1.2 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + - id: 5.2.6 + title: Ensure SSH PAM is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_argument + - sshd_enable_pam - - id: 5.2.1.3 - title: Ensure audit_backlog_limit is sufficient (Automated) + - id: 5.2.7 + title: Ensure SSH root login is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_backlog_limit_argument + - sshd_disable_root_login - - id: 5.2.1.4 - title: Ensure auditd service is enabled (Automated) + - id: 5.2.8 + title: Ensure SSH HostbasedAuthentication is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - service_auditd_enabled + - disable_host_auth - - id: 5.2.2.1 - title: Ensure audit log storage size is configured (Automated) + - id: 5.2.9 + title: Ensure SSH PermitEmptyPasswords is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 + - sshd_disable_empty_passwords - - id: 5.2.2.2 - title: Ensure audit logs are not automatically deleted (Automated) + - id: 5.2.10 + title: Ensure SSH PermitUserEnvironment is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs + - sshd_do_not_permit_user_env - - id: 5.2.2.3 - title: Ensure system is disabled when audit logs are full (Automated) + - id: 5.2.11 + title: Ensure SSH IgnoreRhosts is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_space_left_action - - var_auditd_action_mail_acct=root - - 
var_auditd_admin_space_left_action=halt - - var_auditd_space_left_action=email + - sshd_disable_rhosts - - id: 5.2.3.1 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 5.2.12 + title: Ensure SSH X11 forwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_sysadmin_actions + - sshd_disable_x11_forwarding - - id: 5.2.3.2 - title: Ensure actions as another user are always logged (Automated) + - id: 5.2.13 + title: Ensure SSH AllowTcpForwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_suid_auid_privilege_function + - sshd_disable_tcp_forwarding - - id: 5.2.3.3 - title: Ensure events that modify the sudo log file are collected (Automated) + - id: 5.2.14 + title: Ensure system-wide crypto policy is not over-ridden (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_sudo_log_events + - configure_ssh_crypto_policy - - id: 5.2.3.4 - title: Ensure events that modify date and time information are collected (Automated) + - id: 5.2.15 + title: Ensure SSH warning banner is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner - - id: 5.2.3.5 - title: Ensure events that modify the system's network environment are collected (Automated) + - id: 5.2.16 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_networkconfig_modification - - audit_rules_networkconfig_modification_network_scripts + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries - - id: 5.2.3.6 - title: Ensure use of privileged commands is collected (Automated) + - id: 5.2.17 + title: Ensure SSH 
MaxStartups is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_privileged_commands + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 - - id: 5.2.3.7 - title: Ensure unsuccessful file access attempts are collected (Automated) + - id: 5.2.18 + title: Ensure SSH MaxSessions is set to 10 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate + - sshd_set_max_sessions + - var_sshd_max_sessions=10 - - id: 5.2.3.8 - title: Ensure events that modify user/group information are collected (Automated) + - id: 5.2.19 + title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 - - id: 5.2.3.9 - title: Ensure discretionary access control permission modification events are collected (Automated) + - id: 5.2.20 + title: Ensure SSH Idle Timeout Interval is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - 
audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 - - id: 5.2.3.10 - title: Ensure successful file system mounts are collected (Automated) + - id: 5.3.1 + title: Ensure sudo is installed (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_media_export + - package_sudo_installed - - id: 5.2.3.11 - title: Ensure session initiation information is collected (Automated) + - id: 5.3.2 + title: Ensure sudo commands use pty (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_session_events + - sudo_add_use_pty - - id: 5.2.3.12 - title: Ensure login and logout events are collected (Automated) + - id: 5.3.3 + title: Ensure sudo log file exists (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - var_accounts_passwords_pam_faillock_dir=run + - sudo_custom_logfile - - id: 5.2.3.13 - title: Ensure file deletion events by users are collected (Automated) + - id: 5.3.4 + title: Ensure users must provide password for escalation (Automated) levels: - l2_server status: automated rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + - sudo_require_authentication - - id: 5.2.3.14 - title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + - id: 5.3.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share + - sudo_require_reauthentication - - id: 5.2.3.15 - title: Ensure 
successful and unsuccessful attempts to use the chcon command are recorded (Automated) + - id: 5.3.6 + title: Ensure sudo authentication timeout is configured correctly (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_execution_chcon + - sudo_require_reauthentication - - id: 5.2.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + - id: 5.3.7 + title: Ensure access to the su command is restricted (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. rules: - - audit_rules_execution_setfacl + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty - - id: 5.2.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + - id: 5.4.1 + title: Ensure custom authselect profile is used (Manual) levels: - - l2_server - status: automated + - l1_server + status: manual rules: - - audit_rules_execution_chacl + - no_empty_passwords - - id: 5.2.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + - id: 5.4.2 + title: Ensure authselect includes with-faillock (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.5.2. 
rules: - - audit_rules_privileged_commands_usermod + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth - - id: 5.2.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 5.5.1 + title: Ensure password creation requirements are configured (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so + module. However, the pam_pwquality.so module, by default, is always the first module from in + the PAM password stack. Therefore, the option is useless and not necessary. It was already + proposed to update the requirement in the next CIS version. rules: - - audit_rules_kernel_module_loading_create - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_query - - audit_rules_privileged_commands_kmod + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 - - id: 5.2.3.20 - title: Ensure the audit configuration is immutable (Automated) + - id: 5.5.2 + title: Ensure lockout for failed password attempts is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_immutable + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 5.2.3.21 - title: Ensure the running and on disk configuration is the same (Manual) + - id: 5.5.3 + title: Ensure password reuse is limited (Automated) levels: - - l2_server - status: manual + - l1_server + status: automated + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy 
interpretation. + See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 - - id: 5.2.4.1 - title: Ensure audit log files are mode 0640 or less permissive (Automated) + - id: 5.5.4 + title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_var_log_audit + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 - - id: 5.2.4.2 - title: Ensure only authorized users own audit log files (Automated) + - id: 5.6.1.1 + title: Ensure password expiration is 365 days or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_var_log_audit_stig + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing - - id: 5.2.4.3 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 5.6.1.2 + title: Ensure minimum days between password changes is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_group_ownership_var_log_audit + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing - - id: 5.2.4.4 - title: Ensure the audit log directory is 0750 or more restrictive (Automated) + - id: 5.6.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) levels: - - l2_server + - l1_server status: automated rules: - - directory_permissions_var_log_audit + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + 
- accounts_password_set_warn_age_existing - - id: 5.2.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) + - id: 5.6.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_audit_configuration + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - accounts_set_post_pw_existing - - id: 5.2.4.6 - title: Ensure audit configuration files are owned by root (Automated) + - id: 5.6.1.5 + title: Ensure all users last password change date is in the past (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_audit_configuration + - accounts_password_last_change_is_in_past - - id: 5.2.4.7 - title: Ensure audit configuration files belong to group root (Automated) + - id: 5.6.2 + title: Ensure system accounts are secured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_groupownership_audit_configuration + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts - - id: 5.2.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) + - id: 5.6.3 + title: Ensure default user shell timeout is 900 seconds or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_audit_binaries + - accounts_tmout + - var_accounts_tmout=15_min - - id: 5.2.4.9 - title: Ensure audit tools are owned by root (Automated) + - id: 5.6.4 + title: Ensure default group for the root account is GID 0 (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_audit_binaries + - accounts_root_gid_zero - - id: 5.2.4.10 - title: Ensure audit tools belong to group root (Automated) + - id: 5.6.5 + title: Ensure default user umask is 027 or more restrictive (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_groupownership_audit_binaries + - 
accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 - - id: 5.3 - title: Ensure logrotate is configured (Manual) + - id: 5.6.6 + title: Ensure root password is set (Automated) levels: - l1_server - status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled + status: automated + rules: + - ensure_root_password_configured + - no_empty_passwords_etc_shadow - id: 6.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) 
@@ -2034,39 +2128,62 @@ controls: - file_permissions_backup_etc_gshadow - id: 6.1.9 - title: Audit system file permissions (Manual) + title: Ensure no world writable files exist (Automated) levels: - - l2_server - status: manual - related_rules: - - rpm_verify_permissions - - rpm_verify_ownership + - l1_server + status: automated + rules: + - file_permissions_unauthorized_world_writable - id: 6.1.10 - title: Ensure world writable files and directories are secured (Automated) + title: Ensure no unowned files or directories exist (Automated) levels: - l1_server + status: automated rules: - - file_permissions_unauthorized_world_writable - - dir_perms_world_writable_sticky_bits + - no_files_unowned_by_user - id: 6.1.11 - title: Ensure no unowned or ungrouped files or directories exist (Automated) + title: Ensure no ungrouped files or directories exist (Automated) levels: - l1_server status: automated rules: - - no_files_unowned_by_user - file_permissions_ungroupowned - id: 6.1.12 - title: Ensure SUID and SGID files are reviewed (Manual) + title: Ensure sticky bit is set on all world-writable directories (Automated) levels: - l1_server + status: automated rules: + - dir_perms_world_writable_sticky_bits + + - id: 6.1.13 + title: Audit SUID executables (Manual) + levels: + - l1_server + status: manual + related_rules: - file_permissions_unauthorized_suid + + - id: 6.1.14 + title: Audit SGID executables (Manual) + levels: + - l1_server + status: manual + related_rules: - file_permissions_unauthorized_sgid + - id: 6.1.15 + title: Audit system file permissions (Manual) + levels: + - l2_server + status: manual + related_rules: + - rpm_verify_permissions + - rpm_verify_ownership + - id: 6.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: 
@@ -2141,26 +2258,60 @@ controls: - accounts_no_uid_except_zero - id: 6.2.10 - title: Ensure local interactive user home directories are configured (Automated) + title: Ensure local interactive user home directories exist (Automated) levels: - l1_server status: automated rules: - accounts_user_interactive_home_directory_exists + + - id: 6.2.11 + title: Ensure local interactive users own their home directories (Automated) + levels: + - l1_server + status: automated + rules: - file_ownership_home_directories + - file_groupownership_home_directories + + - id: 6.2.12 + title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) + levels: + - l1_server + status: automated + rules: - file_permissions_home_directories - - id: 6.2.11 - title: Ensure local interactive user dot files access is configured (Automated) + - id: 6.2.13 + title: Ensure no local interactive user has .netrc files (Automated) levels: - l1_server - status: partial + status: automated + rules: + - no_netrc_files + + - id: 6.2.14 + title: Ensure no local interactive user has .forward files (Automated) + levels: + - l1_server + status: automated rules: - - accounts_user_dot_group_ownership - - accounts_user_dot_user_ownership - - file_permission_user_init_files - - var_user_initialization_files_regex=all_dotfiles - no_forward_files + + - id: 6.2.15 + title: Ensure no local interactive user has .rhosts files (Automated) + levels: + - l1_server + status: automated + notes: The rule also removes /etc/hosts.equiv + rules: - no_rsh_trust_files - - accounts_users_netrc_file_permissions + + - id: 6.2.16 + title: Ensure local interactive user dot files are not group or world writable (Automated) + levels: + - l1_server + status: automated + rules: + - accounts_user_dot_no_world_writable_programs diff --git a/shared/checks/oval/installed_OS_is_al2023.xml b/shared/checks/oval/installed_OS_is_al2023.xml index 0755643adbe..37a605f7578 100644 
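Review bot: Control 6.2.16 ("dot files are not group or world writable") is backed only by `accounts_user_dot_no_world_writable_programs`, whose name suggests it covers the world-writable case, while the removed 6.2.11 also carried `file_permission_user_init_files` with `var_user_initialization_files_regex=all_dotfiles` and the two `accounts_user_dot_*_ownership` rules, none of which reappear in the new 6.2.11–6.2.16 set. If that single rule does not check group-writable dot files, keep `- file_permission_user_init_files` and `- var_user_initialization_files_regex=all_dotfiles` under 6.2.16; if it does, a `notes:` line saying that it covers both cases would stop the next reader from re-adding them.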
--- a/shared/checks/oval/installed_OS_is_al2023.xml +++ b/shared/checks/oval/installed_OS_is_al2023.xml @@ -1,5 +1,5 @@ - + Amazon Linux 2023 From 7ff54a770cc4aa66d754dd31ffdf503a02b079d6 Mon Sep 17 00:00:00 2001 From: hipponix Date: Wed, 15 May 2024 17:02:44 +0000 Subject: [PATCH 18/28] Fix os version check/name on AL2023 --- controls/cis_al2023.yml | 80 ------------------- shared/checks/oval/installed_OS_is_al2023.xml | 2 +- 2 files changed, 1 insertion(+), 81 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 4057b8815b7..1e487a7a6c6 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -510,86 +510,6 @@ controls: rules: - package_gdm_removed - - id: 1.8.2 - title: Ensure GDM login banner is configured (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - login_banner_text=cis_banners - - - id: 1.8.3 - title: Ensure GDM disable-user-list option is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_user_list - - - id: 1.8.4 - title: Ensure GDM screen locks when the user is idle (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds - - - id: 1.8.5 - title: Ensure GDM screen locks cannot be overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_session_idle_user_locks - - dconf_gnome_screensaver_user_locks - - - id: 1.8.6 - title: Ensure GDM automatic mounting of removable media is disabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.7 - title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.8 - title: Ensure GDM autorun-never is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.9 - title: Ensure GDM autorun-never is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.10 - title: Ensure XDMCP is not enabled (Automated) - levels: - - l1_server - status: automated - rules: - - gnome_gdm_disable_xdmcp - - id: 1.9 title: Ensure updates, patches, and additional security software are installed (Manual) 
levels: diff --git a/shared/checks/oval/installed_OS_is_al2023.xml b/shared/checks/oval/installed_OS_is_al2023.xml index 37a605f7578..0755643adbe 100644 --- a/shared/checks/oval/installed_OS_is_al2023.xml +++ b/shared/checks/oval/installed_OS_is_al2023.xml @@ -1,5 +1,5 @@ - + Amazon Linux 2023 From f59006fb093cc8693f48abb7c77d20cfe27be999 Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Tue, 4 Jun 2024 12:27:52 +0200 Subject: [PATCH 19/28] fix conflicts --- controls/cis_al2023.yml | 81 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 1e487a7a6c6..e8f4405bd7f 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
@@ -510,6 +510,86 @@ controls: rules: - package_gdm_removed + - id: 1.8.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - login_banner_text=cis_banners + + - id: 1.8.3 + title: Ensure GDM disable-user-list option is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_user_list + + - id: 1.8.4 + title: Ensure GDM screen locks when the user is idle (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + + - id: 1.8.5 + title: Ensure GDM screen locks cannot be overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_session_idle_user_locks + - dconf_gnome_screensaver_user_locks + + - id: 1.8.6 + title: Ensure GDM automatic mounting of removable media is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.7 + title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + + - id: 1.8.8 + title: Ensure GDM autorun-never is enabled (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.9 + title: Ensure GDM autorun-never is not overridden (Automated) + levels: + - l1_server + status: automated + rules: + - dconf_gnome_disable_autorun + + - id: 1.8.10 + title: Ensure XDMCP is not enabled (Automated) + levels: + - l1_server + status: automated + rules: + - gnome_gdm_disable_xdmcp + - id: 1.9 title: Ensure updates, patches, and additional security software are installed (Manual) 
levels: @@ -683,6 +763,7 @@ controls: - service_nfs_disabled related_rules: - package_nfs-utils_removed + # The nfs-utils package is required for systems with GUI or by some libvirt packages - id: 2.2.17 title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) From 2f2fe799a84c142c3a42eb244e546b10dfd37009 Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Mon, 3 Jun 2024 14:24:26 +0200 Subject: [PATCH 20/28] Revert "remove not needed controls from cis profiles - fix chronyd conf by pointing to aws servers" This reverts commit e745325648f56fa2b74c04352549790d4deb38a9. --- build/.gitkeep | 0 controls/cis_al2023.yml | 2 +- products/al2023/profiles/cis.profile | 3 +++ products/al2023/profiles/cis_server_l1.profile | 3 +++ 4 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 build/.gitkeep diff --git a/build/.gitkeep b/build/.gitkeep new file mode 100644 index 00000000000..e69de29bb2d diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index e8f4405bd7f..d87b3fd596f 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -624,7 +624,7 @@ controls: rules: - chronyd_specify_remote_server - chronyd_run_as_chrony_user - - var_multiple_time_servers=amazon + - var_multiple_time_servers=rhel - id: 2.2.1 title: Ensure xorg-x11-server-common is not installed (Automated) diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis.profile index 10bd27080c0..039dfd9f1ec 100644 --- a/products/al2023/profiles/cis.profile +++ b/products/al2023/profiles/cis.profile @@ -19,3 +19,6 @@ description: |- selections: - cis_al2023:all:l2_server + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile index f9e9e4879d7..9bc38700b84 100644 --- a/products/al2023/profiles/cis_server_l1.profile +++ b/products/al2023/profiles/cis_server_l1.profile 
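Review bot: Controls 1.8.7 and 1.8.9 ("… is not overridden") list exactly the same rules as 1.8.6 and 1.8.8 (`dconf_gnome_disable_automount`, `dconf_gnome_disable_automount_open`, `dconf_gnome_disable_autorun`), so the "not overridden" requirement is satisfied only if those dconf rules also install the matching lock entries, which this file cannot show. A line such as `notes: The dconf rules listed also lock the keys, which satisfies the "not overridden" requirement.` on 1.8.7 and 1.8.9 would record that assumption; if the rules do not lock, separate lock rules are needed. This hunk re-adds the block that PATCH 18 of this series removed, so the two commits could be squashed.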
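Review bot: The three exclusions added to `products/al2023/profiles/cis.profile` (`'!file_ownership_home_directories'`, `'!group_unique_name'`, `'!file_owner_at_allow'`) carry no rationale, and the same lines are added to `cis_server_l1.profile` in the next hunk. Each one switches off a check the `cis_al2023` controls otherwise select (`file_ownership_home_directories` is listed under 6.2.11 in PATCH 01), so a comment above them stating why they fail or do not apply on AL2023 would keep them from being silently re-enabled, or left in place after the underlying problem is fixed. PATCH 23 of this series removes them again, so the series would be simpler with this hunk dropped.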
@@ -19,3 +19,6 @@ description: |- selections: - cis_al2023:all:l1_server + - '!file_ownership_home_directories' + - '!group_unique_name' + - '!file_owner_at_allow' From 33d926c6763eae5fb44e01d21cd5b675874115bb Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Wed, 12 Jun 2024 11:53:43 +0200 Subject: [PATCH 21/28] Fix indentation/sorting issues --- .github/workflows/gate.yaml | 4 ++-- .github/workflows/gate_fedora.yml | 7 +++---- CMakeLists.txt | 6 +++--- build_product | 2 +- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 197098c1827..88e377579c2 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -157,6 +157,7 @@ jobs: - name: Build run: |- ./build_product \ + al2023 \ alinux2 \ alinux3 \ anolis23 \ @@ -164,14 +165,13 @@ jobs: chromium \ fedora \ firefox \ + ocp4 \ rhcos4 \ rhel7 \ rhel8 \ rhel9 \ rhel10 \ uos20 \ - ocp4 \ - al2023 env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index 085805d6f8a..fe727f47b7c 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml @@ -25,6 +25,7 @@ jobs: - name: Build run: |- ./build_product -j2 \ + al2023 \ alinux2 \ alinux3 \ anolis23 \ @@ -35,6 +36,7 @@ jobs: fedora \ firefox \ macos1015 \ + ocp4 \ ol7 \ ol8 \ ol9 \ @@ -46,10 +48,7 @@ jobs: rhel9 \ rhel10 \ rhv4 \ - uos20 \ - ocp4 \ - uos20 \ - al2023 + uos20 env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test diff --git a/CMakeLists.txt b/CMakeLists.txt index 4d0d01abefc..60f206be39f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -371,6 +371,9 @@ add_custom_target(render-policies) ssg_build_man_page() +if(SSG_PRODUCT_AL2023) + add_subdirectory("products/al2023" "al2023") +endif() if(SSG_PRODUCT_ALINUX2) add_subdirectory("products/alinux2" "alinux2") endif() @@ -468,9 +471,6 @@ endif() if(SSG_PRODUCT_UOS20) add_subdirectory("products/uos20" "uos20") endif() -if(SSG_PRODUCT_AL2023) - add_subdirectory("products/al2023" "al2023") -endif() if(SSG_PRODUCT_OPENEMBEDDED) add_subdirectory("products/openembedded" "openembedded") endif() diff --git a/build_product b/build_product index a43fa92ae08..9d6ad89ec01 100755 --- a/build_product +++ b/build_product @@ -345,6 +345,7 @@ set_explict_build_targets() { # Get this using # grep 'option(SSG_PRODUCT' CMakeLists.txt | sed -e 's/option(SSG_PRODUCT_\(\w\+\).*/\1/' all_cmake_products=( + AL2023 ALINUX2 ALINUX3 ANOLIS8 @@ -378,7 +379,6 @@ all_cmake_products=( MACOS1015 OPENEMBEDDED OPENEULER2203 - AL2023 ) DEFAULT_OVAL_MAJOR_VERSION=5 From b376bf786ffe4e75cd803de037bd1578e33e41fc Mon Sep 17 00:00:00 2001 From: Mirco Santori Date: Thu, 13 Jun 2024 17:38:15 +0200 Subject: [PATCH 22/28] bring cis_al2023.yml back --- controls/cis_al2023.yml | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index d87b3fd596f..33b2c05222f 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -326,8 +326,6 @@ controls: levels: - l1_server status: automated - notes: <- - RHEL9 unified the paths for grub2 files. rules: - grub2_password related_rules: @@ -338,8 +336,6 @@ controls: levels: - l1_server status: automated - notes: <- - RHEL9 unified the paths for grub2 files. rules: - file_groupowner_grub2_cfg - file_owner_grub2_cfg @@ -624,7 +620,7 @@ controls: rules: - chronyd_specify_remote_server - chronyd_run_as_chrony_user - - var_multiple_time_servers=rhel + - var_multiple_time_servers=amazon - id: 2.2.1 title: Ensure xorg-x11-server-common is not installed (Automated) 
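Review bot: `- var_multiple_time_servers=amazon` at @@ -624 selects an option that, as far as this series shows, is only added to `var_multiple_time_servers.var` in PATCH 23, so a build of the tree at this commit would resolve the variable to an option that does not yet exist. Moving the `.var` additions into this commit (or squashing the two) keeps every commit in the series buildable and bisectable.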
@@ -763,7 +759,6 @@ controls: - service_nfs_disabled related_rules: - package_nfs-utils_removed - # The nfs-utils package is required for systems with GUI or by some libvirt packages - id: 2.2.17 title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) @@ -996,11 +991,6 @@ controls: levels: - l1_server status: supported - notes: - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. rules: - set_nftables_table - var_nftables_family=inet @@ -1011,10 +1001,6 @@ controls: levels: - l1_server status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. related_rules: - set_nftables_base_chain - var_nftables_table=firewalld @@ -1053,10 +1039,6 @@ controls: levels: - l1_server status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. related_rules: - nftables_ensure_default_deny_policy @@ -1681,9 +1663,6 @@ controls: levels: - l1_server status: automated - # The CIS benchmark is not opinionated about which loglevel is selected - # here. Here, this profile uses VERBOSE by default, as it allows for - # the capture of login and logout activity as well as key fingerprints. rules: - sshd_set_loglevel_verbose related_rules: @@ -2315,4 +2294,3 @@ controls: status: automated rules: - accounts_user_dot_no_world_writable_programs - From d20eb657493e2e1865437f801ea72f7f998246d1 Mon Sep 17 00:00:00 2001 
From: hipponix Date: Mon, 17 Jun 2024 09:30:36 +0000 Subject: [PATCH 23/28] fix and test on al2023 / add minor changes --- build/.gitkeep | 0 linux_os/guide/services/ntp/group.yml | 2 ++ linux_os/guide/services/ntp/var_multiple_time_pools.var | 1 + linux_os/guide/services/ntp/var_multiple_time_servers.var | 1 + .../updating/security_patches_up_to_date/ansible/shared.yml | 2 +- products/al2023/product.yml | 1 - products/al2023/profiles/cis_server_l1.profile | 3 --- .../al2023/profiles/{cis.profile => cis_server_l2.profile} | 3 --- ssg/constants.py | 4 ++-- tests/unit/ssg-module/test_utils.py | 2 +- 10 files changed, 8 insertions(+), 11 deletions(-) delete mode 100644 build/.gitkeep rename products/al2023/profiles/{cis.profile => cis_server_l2.profile} (85%) diff --git a/build/.gitkeep b/build/.gitkeep deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml index 5424a119d9e..a79cab0e8a9 100644 --- a/linux_os/guide/services/ntp/group.yml +++ b/linux_os/guide/services/ntp/group.yml @@ -67,6 +67,8 @@ description: |- {{{ weblink(link="https://wiki.debian.org/NTP") }}} {{% elif "alinux" in product %}} {{{ weblink(link="https://www.alibabacloud.com/help/en/elastic-compute-service/latest/alibaba-cloud-ntp-server") }}} + {{% elif "al2023" in product %}} + {{{ weblink(link="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html") }}} {{% else %}} {{{ weblink(link="https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/") }}} {{% endif %}} diff --git a/linux_os/guide/services/ntp/var_multiple_time_pools.var b/linux_os/guide/services/ntp/var_multiple_time_pools.var index 4feea20e630..3a432c23369 100644 --- a/linux_os/guide/services/ntp/var_multiple_time_pools.var +++ b/linux_os/guide/services/ntp/var_multiple_time_pools.var 
@@ -15,3 +15,4 @@ options: ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org" alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com" + amazon: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var index fb3ce1c2122..ce1729eadfc 100644 --- a/linux_os/guide/services/ntp/var_multiple_time_servers.var +++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var @@ -17,3 +17,4 @@ options: ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" suse: "0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org" alinux: "0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com" + amazon: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml index 0b90decc65f..cf355e336fe 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_alinux,multi_platform_anolis,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_uos +# platform = multi_platform_al2023,multi_platform_alinux,multi_platform_anolis,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_uos # reboot = true # strategy = patch # complexity = low diff --git a/products/al2023/product.yml b/products/al2023/product.yml index a06078a09fb..32cf5501a2e 100644 --- a/products/al2023/product.yml 
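Review bot: The new `amazon` option is a verbatim copy of the rhel pool (`0.rhel.pool.ntp.org` … `3.rhel.pool.ntp.org`), and the same values are added to `var_multiple_time_servers.var` in the next hunk, while the `group.yml` hunk in this commit points AL2023 readers at the AWS time-configuration documentation. If the intent is for AL2023 hosts to use the Amazon time service that documentation describes, the option should carry that endpoint rather than the public Red Hat pool; if reusing the rhel pool is deliberate, a comment above the line such as `# amazon: rhel pool reused on purpose (see the AWS link in group.yml)` would record it.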
+++ b/products/al2023/product.yml @@ -36,4 +36,3 @@ reference_uris: cis: 'https://www.cisecurity.org/benchmark/amazon_linux/' journald_conf_dir_path: /etc/systemd/journald.conf.d - diff --git a/products/al2023/profiles/cis_server_l1.profile b/products/al2023/profiles/cis_server_l1.profile index 9bc38700b84..f9e9e4879d7 100644 --- a/products/al2023/profiles/cis_server_l1.profile +++ b/products/al2023/profiles/cis_server_l1.profile @@ -19,6 +19,3 @@ description: |- selections: - cis_al2023:all:l1_server - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' diff --git a/products/al2023/profiles/cis.profile b/products/al2023/profiles/cis_server_l2.profile similarity index 85% rename from products/al2023/profiles/cis.profile rename to products/al2023/profiles/cis_server_l2.profile index 039dfd9f1ec..10bd27080c0 100644 --- a/products/al2023/profiles/cis.profile +++ b/products/al2023/profiles/cis_server_l2.profile @@ -19,6 +19,3 @@ description: |- selections: - cis_al2023:all:l2_server - - '!file_ownership_home_directories' - - '!group_unique_name' - - '!file_owner_at_allow' diff --git a/ssg/constants.py b/ssg/constants.py index b1b2c98b4c2..0030370a93d 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -42,6 +42,7 @@ 'alinux3', 'anolis8', 'anolis23', + 'al2023', 'chromium', 'debian10', 'debian11', 'debian12', 'example', @@ -60,7 +61,6 @@ 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204', 'uos20', - 'al2023', ] JINJA_MACROS_DIRECTORY = os.path.abspath(os.path.join(os.path.dirname(os.path.dirname( @@ -201,6 +201,7 @@ "Alibaba Cloud Linux 3": "alinux3", "Anolis OS 8": "anolis8", "Anolis OS 23": "anolis23", + "Amazon Linux 2023": "al2023", "Chromium": "chromium", "Debian 10": "debian10", "Debian 11": "debian11", @@ -231,7 +232,6 @@ "UnionTech OS Server 20": "uos20", "OpenEmbedded": "openembedded", "Not Applicable" : "example", - "Amazon Linux 2023": "al2023" } 
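Review bot: `'al2023'` is inserted after `'anolis23'` at @@ -42 and `"Amazon Linux 2023"` after `"Anolis OS 23"` at @@ -201, which breaks the alphabetical order both lists otherwise follow (`al2023` sorts before `alinux2`, `Amazon` before `Anolis`); PATCH 21 of this series moved `AL2023` to the top of `all_cmake_products` in `build_product` for the same reason. Moving each entry one position up keeps `ssg/constants.py` consistent with that ordering. Both list literals begin outside the hunk.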
diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py index 02315463eff..962eb5b4839 100644 --- a/tests/unit/ssg-module/test_utils.py +++ b/tests/unit/ssg-module/test_utils.py @@ -12,7 +12,7 @@ def test_is_applicable(): assert not utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7') assert not utils.is_applicable('ol7', 'rhel7') - assert not utils.is_applicable('alinux2,alinux3,anolis8,anolis23,fedora,debian10,debian11,uos20', + assert not utils.is_applicable('al2023,alinux2,alinux3,anolis8,anolis23,fedora,debian10,debian11,uos20', 'rhel7') From 2a4605862234d47d487b2289750453eee87a903b Mon Sep 17 00:00:00 2001 From: hipponix Date: Tue, 18 Jun 2024 10:54:02 +0000 Subject: [PATCH 24/28] Replace cis_al2023.yml with a previous version - Rename CIS 2 profile file - Add build/.gitkeep back - Remove AL2023 from building derivates --- .github/workflows/gate.yaml | 2 +- build/.gitkeep | 0 controls/cis_al2023.yml | 1426 ++++++++--------- .../{cis_server_l2.profile => cis.profile} | 0 4 files changed, 649 insertions(+), 779 deletions(-) create mode 100644 build/.gitkeep rename products/al2023/profiles/{cis_server_l2.profile => cis.profile} (100%) diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index 88e377579c2..bb7aba96fdb 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -22,7 +22,7 @@ jobs: uses: actions/checkout@v3 - name: Build run: |- - ./build_product rhel7 rhel8 rhel9 rhel10 al2023 --derivatives + ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test diff --git a/build/.gitkeep b/build/.gitkeep new file mode 100644 index 00000000000..e69de29bb2d diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 33b2c05222f..889390728f0 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml 
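Review bot: The amended assertion only shows that `al2023` in a platform list is not applicable to `rhel7`; nothing in the test confirms that `al2023` content is recognised as applicable to its own product, which is the case the new product relies on (this commit's `shared.yml` hunk declares `multi_platform_al2023`). A positive check alongside it, e.g. `assert utils.is_applicable('al2023', 'al2023')` and, if the alias is known to the constants this test sees, `assert utils.is_applicable('multi_platform_al2023', 'al2023')`, would cover that. `test_is_applicable` starts outside the hunk.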
@@ -13,42 +13,62 @@ reference_type: cis product: al2023 controls: - - id: reload_dconf_db - title: Reload Dconf database + + - id: 1.1.1.1 + title: Ensure mounting of squashfs filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.2 + title: Ensure mounting of udf filesystems is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_udf_disabled + + - id: 1.1.1.3 + title: Ensure mounting of cramfs filesystems is disabled (Automated) levels: - l1_server - notes: <- - This is a helper rule to reload Dconf database correctly. status: automated rules: - - dconf_db_up_to_date + - kernel_module_cramfs_disabled - - id: enable_authselect - title: Enable Authselect + - id: 1.1.1.4 + title: Ensure mounting of freevxfs filesystems is disabled (Automated) levels: - l1_server - notes: <- - We need this in all CIS versions, but the policy doesn't have any section where this would fit better. status: automated rules: - - var_authselect_profile=sssd - - enable_authselect + - kernel_module_freevxfs_disabled - - id: 1.1.1.1 - title: Ensure mounting of squashfs filesystems is disabled (Automated) + - id: 1.1.1.5 + title: Ensure mounting of jffs2 filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_squashfs_disabled + - kernel_module_jffs2_disabled - - id: 1.1.1.2 - title: Ensure mounting of udf filesystems is disabled (Automated) + - id: 1.1.1.6 + title: Ensure mounting of hfs filesystems is disabled (Automated) levels: - l1_server status: automated rules: - - kernel_module_udf_disabled + - kernel_module_hfs_disabled + + - id: 1.1.1.7 + title: Ensure mounting of hfsplus filesystems is disabled (Automated) + levels: + - l1_server + status: automated + rules: + - kernel_module_hfsplus_disabled - id: 1.1.2.1 title: Ensure /tmp is a separate partition (Automated) 
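Review bot: The `enable_authselect` helper control (`var_authselect_profile=sssd`, `enable_authselect`) and `reload_dconf_db` are dropped from the top of `controls:` without a replacement, so any remaining control whose rules write PAM or dconf configuration through those mechanisms (not visible in this hunk) loses its prerequisite. If the helpers are unnecessary on AL2023, a short `notes:` entry on the first PAM control saying so would make the omission deliberate rather than accidental; otherwise the two helper controls should stay. The hunk also moves 1.1.1.1 and 1.1.1.2 (squashfs, udf) from `l1_server` to `l2_server` while adding cramfs/freevxfs/jffs2/hfs/hfsplus at `l1_server`, which is worth a line in the commit message since the L1 profile's filesystem coverage changes.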
@@ -291,7 +311,7 @@ controls: - id: 1.2.4 title: Ensure repo_gpgcheck is globally activated (Manual) levels: - - l1_server + - l2_server status: manual - id: 1.3.1 @@ -322,16 +342,6 @@ controls: - aide_use_fips_hashes - id: 1.4.1 - title: Ensure bootloader password is set (Automated) - levels: - - l1_server - status: automated - rules: - - grub2_password - related_rules: - - grub2_uefi_password - - - id: 1.4.2 title: Ensure permissions on bootloader config are configured (Automated) levels: - l1_server @@ -352,28 +362,36 @@ controls: - file_permissions_efi_user_cfg - id: 1.5.1 - title: Ensure core dump storage is disabled (Automated) + title: Ensure address space layout randomization (ASLR) is enabled (Automated) levels: - l1_server status: automated rules: - - coredump_disable_storage + - sysctl_kernel_randomize_va_space - id: 1.5.2 - title: Ensure core dump backtraces are disabled (Automated) + title: Ensure ptrace_scope is restricted (Automated) levels: - l1_server status: automated rules: - - coredump_disable_backtraces + - sysctl_kernel_yama_ptrace_scope - id: 1.5.3 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + title: Ensure core dump storage is disabled (Automated) levels: - l1_server status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_storage + + - id: 1.5.4 + title: Ensure core dump backtraces are disabled (Automated) + levels: + - l1_server + status: automated + rules: + - coredump_disable_backtraces - id: 1.6.1.1 title: Ensure SELinux is installed (Automated) 
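Review bot: Control 1.4.1 "Ensure bootloader password is set" (`grub2_password`, related `grub2_uefi_password`) is removed at @@ -322 and 1.4.2 is renumbered over it, so the profile no longer selects any bootloader-password check; the same commit also lowers 1.2.4 `repo_gpgcheck` from `l1_server` to `l2_server` at @@ -291. If this follows the AL2023 benchmark (for example because cloud instances expose no boot console), a line such as `notes: The benchmark has no bootloader password control for AL2023.` on the remaining 1.4.1 would record it; if not, the control should be kept.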
@@ -498,95 +516,7 @@ controls: - file_owner_etc_issue_net - file_permissions_etc_issue_net - - id: 1.8.1 - title: Ensure GNOME Display Manager is removed (Automated) - levels: - - l2_server - status: automated - rules: - - package_gdm_removed - - - id: 1.8.2 - title: Ensure GDM login banner is configured (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - login_banner_text=cis_banners - - - id: 1.8.3 - title: Ensure GDM disable-user-list option is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_user_list - - - id: 1.8.4 - title: Ensure GDM screen locks when the user is idle (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds - - - id: 1.8.5 - title: Ensure GDM screen locks cannot be overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_session_idle_user_locks - - dconf_gnome_screensaver_user_locks - - - id: 1.8.6 - title: Ensure GDM automatic mounting of removable media is disabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.7 - title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.8 - title: Ensure GDM autorun-never is enabled (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.9 - title: Ensure GDM autorun-never is not overridden (Automated) - levels: - - l1_server - status: automated - rules: - - dconf_gnome_disable_autorun - - - id: 1.8.10 - title: Ensure XDMCP is not enabled 
(Automated) - levels: - - l1_server - status: automated - rules: - - gnome_gdm_disable_xdmcp - - - id: 1.9 + - id: 1.8 title: Ensure updates, patches, and additional security software are installed (Manual) levels: - l1_server @@ -594,7 +524,7 @@ controls: related_rules: - security_patches_up_to_date - - id: "1.10" + - id: "1.9" title: Ensure system-wide crypto policy is not legacy (Automated) levels: - l1_server @@ -631,7 +561,7 @@ controls: - package_xorg-x11-server-common_removed - id: 2.2.2 - title: Ensure Avahi Server is not installed (Automated) + title: Ensure avahi is not installed (Automated) levels: - l1_server status: automated @@ -641,7 +571,7 @@ controls: - service_avahi-daemon_disabled - id: 2.2.3 - title: Ensure CUPS is not installed (Automated) + title: Ensure a print server is not installed (Automated) levels: - l1_server status: automated @@ -667,7 +597,7 @@ controls: - package_bind_removed - id: 2.2.6 - title: Ensure VSFTP Server is not installed (Automated) + title: Ensure ftp Server is not installed (Automated) levels: - l1_server status: automated @@ -717,12 +647,13 @@ controls: - package_squid_removed - id: 2.2.12 - title: Ensure net-snmp is not installed (Automated) + title: Ensure net-snmp is not installed or the snmpd service is not enabled (Automated) levels: - l1_server status: automated rules: - package_net-snmp_removed + - service_snmpd_disabled - id: 2.2.13 title: Ensure telnet-server is not installed (Automated) @@ -797,14 +728,6 @@ controls: - package_openldap-clients_removed - id: 2.3.3 - title: Ensure TFTP client is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_tftp_removed - - - id: 2.3.4 title: Ensure FTP client is not installed (Automated) levels: - l1_server 
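Review bot: Control 2.2.12 is retitled "not installed or the snmpd service is not enabled" but lists both `package_net-snmp_removed` and the new `service_snmpd_disabled` under `rules:`, so the profile enforces both halves of an "or" requirement. The file's existing pattern for this shape (2.2.16 keeps `service_nfs_disabled` under `rules:` and `package_nfs-utils_removed` under `related_rules:`, next to the similarly worded 2.2.17) suggests `- package_net-snmp_removed` should move to `related_rules:` here, leaving `- service_snmpd_disabled` as the enforced rule.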
@@ -813,7 +736,7 @@ controls: - package_ftp_removed - id: 2.4 - title: Ensure nonessential services are removed or masked (Manual) + title: Ensure nonessential services listening on the system are removed or masked (Manual) levels: - l1_server status: manual @@ -825,14 +748,30 @@ controls: status: manual - id: 3.1.2 - title: Ensure wireless interfaces are disabled (Automated) + title: Ensure DCCP is disabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - wireless_disable_interfaces + - kernel_module_dccp_disabled - id: 3.1.3 + title: Ensure SCTP is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_sctp_disabled + + - id: 3.1.4 + title: Ensure RDS is disabled (Automated) + levels: + - l2_server + status: automated + rules: + - kernel_module_rds_disabled + + - id: 3.1.5 title: Ensure TIPC is disabled (Automated) levels: - l2_server @@ -963,7 +902,7 @@ controls: - id: 3.4.1.1 title: Ensure nftables is installed (Automated) levels: - - l1_server + - l2_server status: automated rules: - package_nftables_installed @@ -971,7 +910,7 @@ controls: - id: 3.4.1.2 title: Ensure a single firewall configuration utility is in use (Automated) levels: - - l1_server + - l2_server status: automated rules: - service_firewalld_enabled @@ -981,7 +920,7 @@ controls: - id: 3.4.2.1 title: Ensure firewalld default zone is set (Automated) levels: - - l1_server + - l2_server status: automated rules: - set_firewalld_default_zone @@ -989,7 +928,7 @@ controls: - id: 3.4.2.2 title: Ensure at least one nftables table exists (Automated) levels: - - l1_server + - l2_server status: supported rules: - set_nftables_table @@ -999,7 +938,7 @@ controls: - id: 3.4.2.3 title: Ensure nftables base chains exist (Automated) levels: - - l1_server + - l2_server status: supported related_rules: - set_nftables_base_chain 
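Review bot: Every firewall control in 3.4.1 and 3.4.2 moves from `l1_server` to `l2_server` in the hunks from @@ -963 onward (continuing at @@ -1014 and @@ -1023 in the next hunks), so the `cis_server_l1` profile (`cis_al2023:all:l1_server`) ends up with no host-firewall selection at all; in the same commit 3.1.2 drops `wireless_disable_interfaces` in favour of DCCP/SCTP/RDS module controls. If this mirrors the AL2023 benchmark that is fine, but it is a large reduction in L1 coverage that the commit message ("Replace cis_al2023.yml with a previous version") does not mention; a one-line `notes:` on 3.4.1.1 naming the benchmark version the levels were taken from would make it traceable.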
@@ -1014,7 +953,7 @@ controls: - id: 3.4.2.4 title: Ensure host based firewall loopback traffic is configured (Automated) levels: - - l1_server + - l2_server status: automated rules: - firewalld_loopback_traffic_trusted @@ -1023,7 +962,7 @@ controls: - id: 3.4.2.5 title: Ensure firewalld drops unnecessary services and ports (Manual) levels: - - l1_server + - l2_server status: manual related_rules: - configure_firewalld_ports 
@@ -1031,1001 +970,989 @@ controls: - id: 3.4.2.6 title: Ensure nftables established connections are configured (Manual) levels: - - l1_server + - l2_server status: manual - id: 3.4.2.7 title: Ensure nftables default deny firewall policy (Automated) levels: - - l1_server + - l2_server status: supported related_rules: - nftables_ensure_default_deny_policy - - id: 4.1.1.1 - title: Ensure auditd is installed (Automated) + - id: 4.1.1 + title: Ensure cron daemon is installed and enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - package_audit_installed + - service_crond_enabled - - id: 4.1.1.2 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + - id: 4.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_argument - - - id: 4.1.1.3 - title: Ensure audit_backlog_limit is sufficient (Automated) + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 4.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - grub2_audit_backlog_limit_argument + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly - - id: 4.1.1.4 - title: Ensure auditd service is enabled (Automated) + - id: 4.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - service_auditd_enabled + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily - - id: 4.1.2.1 - title: Ensure audit log storage size is configured (Automated) + - id: 4.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 + - 
file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly - - id: 4.1.2.2 - title: Ensure audit logs are not automatically deleted (Automated) + - id: 4.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly - - id: 4.1.2.3 - title: Ensure system is disabled when audit logs are full (Automated) + - id: 4.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - auditd_data_retention_action_mail_acct - - auditd_data_retention_admin_space_left_action - - auditd_data_retention_space_left_action - - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=halt - - var_auditd_space_left_action=email + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d - - id: 4.1.3.1 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 4.1.8 + title: Ensure cron is restricted to authorized users (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_sysadmin_actions + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow - - id: 4.1.3.2 - title: Ensure actions as another user are always logged (Automated) + - id: 4.1.9 + title: Ensure at is restricted to authorized users (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_suid_auid_privilege_function + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow - - id: 4.1.3.3 - title: Ensure events that modify the sudo log file are collected (Automated) + - id: 4.2.1 + 
title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_sudo_log_events + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config - - id: 4.1.3.4 - title: Ensure events that modify date and time information are collected (Automated) + - id: 4.2.2 + title: Ensure permissions on SSH private host key files are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key - - id: 4.1.3.5 - title: Ensure events that modify the system's network environment are collected (Automated) + - id: 4.2.3 + title: Ensure permissions on SSH public host key files are configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_networkconfig_modification - - audit_rules_networkconfig_modification_network_scripts + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key - - id: 4.1.3.6 - title: Ensure use of privileged commands is collected (Automated) + - id: 4.2.4 + title: Ensure SSH access is limited (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_privileged_commands + - sshd_limit_user_access - - id: 4.1.3.7 - title: Ensure unsuccessful file access attempts are collected (Automated) + - id: 4.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - 
audit_rules_unsuccessful_file_modification_truncate + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info - - id: 4.1.3.8 - title: Ensure events that modify user/group information are collected (Automated) + - id: 4.2.6 + title: Ensure SSH PAM is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow + - sshd_enable_pam - - id: 4.1.3.9 - title: Ensure discretionary access control permission modification events are collected (Automated) + - id: 4.2.7 + title: Ensure SSH root login is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - sshd_disable_root_login - - id: 4.1.3.10 - title: Ensure successful file system mounts are collected (Automated) + - id: 4.2.8 + title: Ensure SSH HostbasedAuthentication is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_media_export + - disable_host_auth - - id: 4.1.3.11 - title: Ensure session initiation information is collected (Automated) + - id: 4.2.9 + title: Ensure SSH PermitEmptyPasswords is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_session_events + - sshd_disable_empty_passwords - 
- id: 4.1.3.12 - title: Ensure login and logout events are collected (Automated) + - id: 4.2.10 + title: Ensure SSH PermitUserEnvironment is disabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - var_accounts_passwords_pam_faillock_dir=run + - sshd_do_not_permit_user_env - - id: 4.1.3.13 - title: Ensure file deletion events by users are collected (Automated) + - id: 4.2.11 + title: Ensure SSH IgnoreRhosts is enabled (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + - sshd_disable_rhosts - - id: 4.1.3.14 - title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + - id: 4.2.12 + title: Ensure SSH X11 forwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share + - sshd_disable_x11_forwarding - - id: 4.1.3.15 - title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) + - id: 4.2.13 + title: Ensure SSH AllowTcpForwarding is disabled (Automated) levels: - l2_server status: automated rules: - - audit_rules_execution_chcon + - sshd_disable_tcp_forwarding - - id: 4.1.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + - id: 4.2.14 + title: Ensure system-wide crypto policy is not over-ridden (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_execution_setfacl + - configure_ssh_crypto_policy - - id: 4.1.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + - id: 4.2.15 + title: Ensure SSH warning banner is configured (Automated) levels: - - 
l2_server + - l1_server status: automated rules: - - audit_rules_execution_chacl + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner - - id: 4.1.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + - id: 4.2.16 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_privileged_commands_usermod + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries - - id: 4.1.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 4.2.17 + title: Ensure SSH MaxStartups is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_kernel_module_loading_create - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_kernel_module_loading_query - - audit_rules_privileged_commands_kmod + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 - - id: 4.1.3.20 - title: Ensure the audit configuration is immutable (Automated) + - id: 4.2.18 + title: Ensure SSH MaxSessions is set to 10 or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - audit_rules_immutable - - - id: 4.1.3.21 - title: Ensure the running and on disk configuration is the same (Manual) - levels: - - l2_server - status: manual + - sshd_set_max_sessions + - var_sshd_max_sessions=10 - - id: 4.1.4.1 - title: Ensure audit log files are mode 0640 or less permissive (Automated) + - id: 4.2.19 + title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_var_log_audit + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 - - id: 4.1.4.2 - title: Ensure only authorized users own audit log files (Automated) + - id: 4.2.20 + title: 
Ensure SSH Idle Timeout Interval is configured (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_var_log_audit_stig + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 - - id: 4.1.4.3 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 4.3.1 + title: Ensure sudo is installed (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_group_ownership_var_log_audit + - package_sudo_installed - - id: 4.1.4.4 - title: Ensure the audit log directory is 0750 or more restrictive (Automated) + - id: 4.3.2 + title: Ensure sudo commands use pty (Automated) levels: - - l2_server + - l1_server status: automated rules: - - directory_permissions_var_log_audit + - sudo_add_use_pty - - id: 4.1.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) + - id: 4.3.3 + title: Ensure sudo log file exists (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_permissions_audit_configuration + - sudo_custom_logfile - - id: 4.1.4.6 - title: Ensure audit configuration files are owned by root (Automated) + - id: 4.3.4 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_ownership_audit_configuration + - sudo_require_reauthentication - - id: 4.1.4.7 - title: Ensure audit configuration files belong to group root (Automated) + - id: 4.3.5 + title: Ensure sudo authentication timeout is configured correctly (Automated) levels: - - l2_server + - l1_server status: automated rules: - - file_groupownership_audit_configuration + - sudo_require_reauthentication - - id: 4.1.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) + - id: 4.3.6 + title: Ensure access to the su command is restricted (Automated) levels: - - l2_server + - l1_server 
status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. rules: - - file_permissions_audit_binaries + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty - - id: 4.1.4.9 - title: Ensure audit tools are owned by root (Automated) + - id: 4.4.1 + title: Ensure custom authselect profile is used (Manual) levels: - - l2_server - status: automated + - l1_server + status: manual rules: - - file_ownership_audit_binaries + - no_empty_passwords - - id: 4.1.4.10 - title: Ensure audit tools belong to group root (Automated) + - id: 4.4.2 + title: Ensure authselect includes with-faillock (Automated) levels: - - l2_server + - l1_server status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.5.2. rules: - - file_groupownership_audit_binaries + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth - - id: 4.2.1.1 - title: Ensure rsyslog is installed (Automated) + - id: 4.5.1 + title: Ensure password creation requirements are configured (Automated) levels: - l1_server status: automated + notes: |- + The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so + module. However, the pam_pwquality.so module, by default, is always the first module from in + the PAM password stack. Therefore, the option is useless and not necessary. It was already + proposed to update the requirement in the next CIS version. 
rules: - - package_rsyslog_installed + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 - - id: 4.2.1.2 - title: Ensure rsyslog Service is enabled (Automated) + - id: 4.5.2 + title: Ensure lockout for failed password attempts is configured (Automated) levels: - l1_server status: automated rules: - - service_rsyslog_enabled + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 4.2.1.3 - title: Ensure journald is configured to send logs to rsyslog (Automated) + - id: 4.5.3 + title: Ensure password reuse is limited (Automated) levels: - l1_server status: automated rules: - - journald_forward_to_syslog + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 - - id: 4.2.1.4 - title: Ensure rsyslog default file permissions configured (Automated) + - id: 4.5.4 + title: Ensure password hashing algorithm is SHA-512 (Automated) levels: - l1_server status: automated rules: - - rsyslog_filecreatemode + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 - - id: 4.2.1.5 - title: Ensure logging is configured (Manual) + - id: 4.6.1.1 + title: Ensure password expiration is 365 days or less (Automated) levels: - l1_server - status: manual + status: automated + rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing - - id: 4.2.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + - id: 4.6.1.2 + title: Ensure minimum days between password 
changes is configured (Automated) levels: - l1_server status: automated - related_rules: - - rsyslog_remote_loghost + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing - - id: 4.2.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) + - id: 4.6.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) levels: - l1_server status: automated rules: - - rsyslog_nolisten + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing - - id: 4.2.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) + - id: 4.6.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) levels: - l1_server - status: manual + status: automated + rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + - accounts_set_post_pw_existing - - id: 4.2.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) + - id: 4.6.1.5 + title: Ensure all users last password change date is in the past (Automated) levels: - l1_server - status: manual + status: automated + rules: + - accounts_password_last_change_is_in_past - - id: 4.2.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) + - id: 4.6.2 + title: Ensure system accounts are secured (Automated) levels: - l1_server - status: manual + status: automated + rules: + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts - - id: 4.2.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) + - id: 4.6.3 + title: Ensure default user shell timeout is 900 seconds or less (Automated) levels: - l1_server status: automated rules: - - socket_systemd-journal-remote_disabled + - accounts_tmout + - var_accounts_tmout=15_min - - id: 4.2.2.2 - title: Ensure journald service is enabled (Automated) + - id: 4.6.4 + 
title: Ensure default group for the root account is GID 0 (Automated) levels: - l1_server status: automated rules: - - service_systemd-journald_enabled + - accounts_root_gid_zero - - id: 4.2.2.3 - title: Ensure journald is configured to compress large log files (Automated) + - id: 4.6.5 + title: Ensure default user umask is 027 or more restrictive (Automated) levels: - l1_server status: automated rules: - - journald_compress + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 - - id: 4.2.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) + - id: 4.6.6 + title: Ensure root password is set (Automated) levels: - l1_server status: automated rules: - - journald_storage + - ensure_root_password_configured + - no_empty_passwords_etc_shadow - - id: 4.2.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) + - id: 5.1.1.1 + title: Ensure rsyslog is installed (Automated) levels: - l1_server - status: manual + status: automated + rules: + - package_rsyslog_installed - - id: 4.2.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) + - id: 5.1.1.2 + title: Ensure rsyslog Service is enabled (Automated) levels: - l1_server - status: manual + status: automated + rules: + - service_rsyslog_enabled - - id: 4.2.2.7 - title: Ensure journald default file permissions configured (Manual) + - id: 5.1.1.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) levels: - l1_server - status: manual + status: automated + rules: + - journald_forward_to_syslog - - id: 4.2.3 - title: Ensure all logfiles have appropriate permissions and ownership (Automated) + - id: 5.1.1.4 + title: Ensure rsyslog default file permissions configured (Automated) levels: - l1_server status: automated rules: - - rsyslog_files_groupownership - - rsyslog_files_ownership - - rsyslog_files_permissions + - rsyslog_filecreatemode - - 
id: 4.3 - title: Ensure logrotate is configured (Manual) + - id: 5.1.1.5 + title: Ensure logging is configured (Manual) levels: - l1_server status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled - - id: 5.1.1 - title: Ensure cron daemon is enabled (Automated) + - id: 5.1.1.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) levels: - l1_server status: automated - rules: - - service_crond_enabled + related_rules: + - rsyslog_remote_loghost - - id: 5.1.2 - title: Ensure permissions on /etc/crontab are configured (Automated) + - id: 5.1.1.7 + title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - file_groupowner_crontab - - file_owner_crontab - - file_permissions_crontab + - rsyslog_nolisten - - id: 5.1.3 - title: Ensure permissions on /etc/cron.hourly are configured (Automated) + - id: 5.1.2.1.1 + title: Ensure systemd-journal-remote is installed (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_hourly - - file_owner_cron_hourly - - file_permissions_cron_hourly + status: manual - - id: 5.1.4 - title: Ensure permissions on /etc/cron.daily are configured (Automated) + - id: 5.1.2.1.2 + title: Ensure systemd-journal-remote is configured (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_daily - - file_owner_cron_daily - - file_permissions_cron_daily + status: manual - - id: 5.1.5 - title: Ensure permissions on /etc/cron.weekly are configured (Automated) + - id: 5.1.2.1.3 + title: Ensure systemd-journal-remote is enabled (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_cron_weekly - - file_owner_cron_weekly - - file_permissions_cron_weekly + status: manual - - id: 5.1.6 - title: Ensure permissions on /etc/cron.monthly are configured (Automated) + - id: 5.1.2.1.4 + title: Ensure journald is not 
configured to recieve logs from a remote client (Automated) levels: - l1_server status: automated rules: - - file_groupowner_cron_monthly - - file_owner_cron_monthly - - file_permissions_cron_monthly + - socket_systemd-journal-remote_disabled - - id: 5.1.7 - title: Ensure permissions on /etc/cron.d are configured (Automated) + - id: 5.1.2.2 + title: Ensure journald service is enabled (Automated) levels: - l1_server status: automated rules: - - file_groupowner_cron_d - - file_owner_cron_d - - file_permissions_cron_d + - service_systemd-journald_enabled - - id: 5.1.8 - title: Ensure cron is restricted to authorized users (Automated) + - id: 5.1.2.3 + title: Ensure journald is configured to compress large log files (Automated) levels: - l1_server status: automated rules: - - file_cron_deny_not_exist - - file_cron_allow_exists - - file_groupowner_cron_allow - - file_owner_cron_allow - - file_permissions_cron_allow + - journald_compress - - id: 5.1.9 - title: Ensure at is restricted to authorized users (Automated) + - id: 5.1.2.4 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) levels: - l1_server status: automated rules: - - file_at_deny_not_exist - - file_groupowner_at_allow - - file_owner_at_allow - - file_permissions_at_allow + - journald_storage - - id: 5.2.1 - title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + - id: 5.1.2.5 + title: Ensure journald is not configured to send logs to rsyslog (Manual) levels: - l1_server - status: automated - rules: - - file_groupowner_sshd_config - - file_owner_sshd_config - - file_permissions_sshd_config + status: manual - - id: 5.2.2 - title: Ensure permissions on SSH private host key files are configured (Automated) + - id: 5.1.2.6 + title: Ensure journald log rotation is configured per site policy (Manual) levels: - l1_server - status: automated - rules: - - file_permissions_sshd_private_key - - file_ownership_sshd_private_key - - 
file_groupownership_sshd_private_key + status: manual - - id: 5.2.3 - title: Ensure permissions on SSH public host key files are configured (Automated) + - id: 5.1.2.7 + title: Ensure journald default file permissions configured (Manual) levels: - l1_server - status: automated - rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - - file_groupownership_sshd_pub_key + status: manual - - id: 5.2.4 - title: Ensure SSH access is limited (Automated) + - id: 5.1.3 + title: Ensure all logfiles have appropriate permissions and ownership (Automated) levels: - l1_server status: automated rules: - - sshd_limit_user_access + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions - - id: 5.2.5 - title: Ensure SSH LogLevel is appropriate (Automated) + - id: 5.2.1.1 + title: Ensure auditd is installed (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_loglevel_verbose - related_rules: - - sshd_set_loglevel_info + - package_audit_installed - - id: 5.2.6 - title: Ensure SSH PAM is enabled (Automated) + - id: 5.2.1.2 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_pam + - grub2_audit_argument - - id: 5.2.7 - title: Ensure SSH root login is disabled (Automated) + - id: 5.2.1.3 + title: Ensure audit_backlog_limit is sufficient (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_root_login + - grub2_audit_backlog_limit_argument - - id: 5.2.8 - title: Ensure SSH HostbasedAuthentication is disabled (Automated) + - id: 5.2.1.4 + title: Ensure auditd service is enabled (Automated) levels: - - l1_server + - l2_server status: automated rules: - - disable_host_auth + - service_auditd_enabled - - id: 5.2.9 - title: Ensure SSH PermitEmptyPasswords is disabled (Automated) + - id: 5.2.2.1 + title: Ensure audit log storage size is configured (Automated) 
levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_empty_passwords + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 - - id: 5.2.10 - title: Ensure SSH PermitUserEnvironment is disabled (Automated) + - id: 5.2.2.2 + title: Ensure audit logs are not automatically deleted (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_do_not_permit_user_env + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs - - id: 5.2.11 - title: Ensure SSH IgnoreRhosts is enabled (Automated) + - id: 5.2.2.3 + title: Ensure system is disabled when audit logs are full (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_disable_rhosts + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=halt + - var_auditd_space_left_action=email - - id: 5.2.12 - title: Ensure SSH X11 forwarding is disabled (Automated) + - id: 5.2.3.1 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) levels: - l2_server status: automated rules: - - sshd_disable_x11_forwarding + - audit_rules_sysadmin_actions - - id: 5.2.13 - title: Ensure SSH AllowTcpForwarding is disabled (Automated) + - id: 5.2.3.2 + title: Ensure actions as another user are always logged (Automated) levels: - l2_server status: automated rules: - - sshd_disable_tcp_forwarding + - audit_rules_suid_auid_privilege_function - - id: 5.2.14 - title: Ensure system-wide crypto policy is not over-ridden (Automated) + - id: 5.2.3.3 + title: Ensure events that modify the sudo log file are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - configure_ssh_crypto_policy + - audit_sudo_log_events - - id: 5.2.15 - title: Ensure SSH warning banner is configured (Automated) + - id: 5.2.3.4 + title: Ensure 
events that modify date and time information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_enable_warning_banner_net - related_rules: - - sshd_enable_warning_banner + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime - - id: 5.2.16 - title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + - id: 5.2.3.5 + title: Ensure events that modify the system's network environment are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification_network_scripts - - id: 5.2.17 - title: Ensure SSH MaxStartups is configured (Automated) + - id: 5.2.3.6 + title: Ensure use of privileged commands is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 + - audit_rules_privileged_commands - - id: 5.2.18 - title: Ensure SSH MaxSessions is set to 10 or less (Automated) + - id: 5.2.3.7 + title: Ensure unsuccessful file access attempts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_max_sessions - - var_sshd_max_sessions=10 + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate - - id: 5.2.19 - title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + - id: 5.2.3.8 + title: Ensure events that modify user/group information are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_set_login_grace_time - - var_sshd_set_login_grace_time=60 + - 
audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow - - id: 5.2.20 - title: Ensure SSH Idle Timeout Interval is configured (Automated) + - id: 5.2.3.9 + title: Ensure discretionary access control permission modification events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sshd_idle_timeout_value=15_minutes - - sshd_set_idle_timeout - - sshd_set_keepalive - - var_sshd_set_keepalive=1 + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr - - id: 5.3.1 - title: Ensure sudo is installed (Automated) + - id: 5.2.3.10 + title: Ensure successful file system mounts are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - package_sudo_installed + - audit_rules_media_export - - id: 5.3.2 - title: Ensure sudo commands use pty (Automated) + - id: 5.2.3.11 + title: Ensure session initiation information is collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_add_use_pty + - audit_rules_session_events - - id: 5.3.3 - title: Ensure sudo log file exists (Automated) + - id: 5.2.3.12 + title: Ensure login and logout events are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_custom_logfile + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - 
var_accounts_passwords_pam_faillock_dir=run - - id: 5.3.4 - title: Ensure users must provide password for escalation (Automated) + - id: 5.2.3.13 + title: Ensure file deletion events by users are collected (Automated) levels: - l2_server status: automated rules: - - sudo_require_authentication + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat - - id: 5.3.5 - title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + - id: 5.2.3.14 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - - id: 5.3.6 - title: Ensure sudo authentication timeout is configured correctly (Automated) + - id: 5.2.3.15 + title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) levels: - - l1_server + - l2_server status: automated rules: - - sudo_require_reauthentication + - audit_rules_execution_chcon - - id: 5.3.7 - title: Ensure access to the su command is restricted (Automated) + - id: 5.2.3.16 + title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - Members of "wheel" or GID 0 groups are checked by default if the group option is not set for - pam_wheel.so module. The recommendation states the group should be empty to reinforce the - use of "sudo" for privileged access. Therefore, members of these groups should be manually - checked or a different group should be informed. 
rules: - - var_pam_wheel_group_for_su=cis - - use_pam_wheel_group_for_su - - ensure_pam_wheel_group_empty + - audit_rules_execution_setfacl - - id: 5.4.1 - title: Ensure custom authselect profile is used (Manual) + - id: 5.2.3.17 + title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) levels: - - l1_server - status: manual + - l2_server + status: automated rules: - - no_empty_passwords + - audit_rules_execution_chacl - - id: 5.4.2 - title: Ensure authselect includes with-faillock (Automated) + - id: 5.2.3.18 + title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - This requirement is also indirectly satisfied by the requirement 5.5.2. rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth + - audit_rules_privileged_commands_usermod - - id: 5.5.1 - title: Ensure password creation requirements are configured (Automated) + - id: 5.2.3.19 + title: Ensure kernel module loading, unloading and modification is collected (Automated) levels: - - l1_server + - l2_server status: automated - notes: |- - The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so - module. However, the pam_pwquality.so module, by default, is always the first module from in - the PAM password stack. Therefore, the option is useless and not necessary. It was already - proposed to update the requirement in the next CIS version. 
rules: - - accounts_password_pam_minclass - - accounts_password_pam_minlen - - accounts_password_pam_retry - - var_password_pam_minclass=4 - - var_password_pam_minlen=14 + - audit_rules_kernel_module_loading_create + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_query + - audit_rules_privileged_commands_kmod - - id: 5.5.2 - title: Ensure lockout for failed password attempts is configured (Automated) + - id: 5.2.3.20 + title: Ensure the audit configuration is immutable (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 + - audit_rules_immutable - - id: 5.5.3 - title: Ensure password reuse is limited (Automated) + - id: 5.2.3.21 + title: Ensure the running and on disk configuration is the same (Manual) levels: - - l1_server - status: automated - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. 
- See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=5 + - l2_server + status: manual - - id: 5.5.4 - title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) + - id: 5.2.4.1 + title: Ensure audit log files are mode 0640 or less permissive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 + - file_permissions_var_log_audit - - id: 5.6.1.1 - title: Ensure password expiration is 365 days or less (Automated) + - id: 5.2.4.2 + title: Ensure only authorized users own audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=365 - - accounts_password_set_max_life_existing + - file_ownership_var_log_audit_stig - - id: 5.6.1.2 - title: Ensure minimum days between password changes is configured (Automated) + - id: 5.2.4.3 + title: Ensure only authorized groups are assigned ownership of audit log files (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=1 - - accounts_password_set_min_life_existing + - file_group_ownership_var_log_audit - - id: 5.6.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 5.2.4.4 + title: Ensure the audit log directory is 0750 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - 
accounts_password_set_warn_age_existing + - directory_permissions_var_log_audit - - id: 5.6.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 5.2.4.5 + title: Ensure audit configuration files are 640 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=30 - - accounts_set_post_pw_existing + - file_permissions_audit_configuration - - id: 5.6.1.5 - title: Ensure all users last password change date is in the past (Automated) + - id: 5.2.4.6 + title: Ensure audit configuration files are owned by root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_password_last_change_is_in_past + - file_ownership_audit_configuration - - id: 5.6.2 - title: Ensure system accounts are secured (Automated) + - id: 5.2.4.7 + title: Ensure audit configuration files belong to group root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts + - file_groupownership_audit_configuration - - id: 5.6.3 - title: Ensure default user shell timeout is 900 seconds or less (Automated) + - id: 5.2.4.8 + title: Ensure audit tools are 755 or more restrictive (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_tmout - - var_accounts_tmout=15_min + - file_permissions_audit_binaries - - id: 5.6.4 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 5.2.4.9 + title: Ensure audit tools are owned by root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - accounts_root_gid_zero + - file_ownership_audit_binaries - - id: 5.6.5 - title: Ensure default user umask is 027 or more restrictive (Automated) + - id: 5.2.4.10 + title: Ensure audit tools belong to group root (Automated) levels: - - l1_server + - l2_server status: automated rules: - - 
accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 + - file_groupownership_audit_binaries - - id: 5.6.6 - title: Ensure root password is set (Automated) + - id: 5.3 + title: Ensure logrotate is configured (Manual) levels: - l1_server - status: automated - rules: - - ensure_root_password_configured - - no_empty_passwords_etc_shadow + status: manual + related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled - id: 6.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) 
@@ -2108,62 +2035,39 @@ controls: - file_permissions_backup_etc_gshadow - id: 6.1.9 - title: Ensure no world writable files exist (Automated) + title: Audit system file permissions (Manual) levels: - - l1_server - status: automated - rules: - - file_permissions_unauthorized_world_writable + - l2_server + status: manual + related_rules: + - rpm_verify_permissions + - rpm_verify_ownership - id: 6.1.10 - title: Ensure no unowned files or directories exist (Automated) + title: Ensure world writable files and directories are secured (Automated) levels: - l1_server - status: automated rules: - - no_files_unowned_by_user + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits - id: 6.1.11 - title: Ensure no ungrouped files or directories exist (Automated) + title: Ensure no unowned or ungrouped files or directories exist (Automated) levels: - l1_server status: automated rules: + - no_files_unowned_by_user - file_permissions_ungroupowned - id: 6.1.12 - title: Ensure sticky bit is set on all world-writable directories (Automated) + title: Ensure SUID and SGID files are reviewed (Manual) levels: - l1_server - status: automated rules: - - dir_perms_world_writable_sticky_bits - - - id: 6.1.13 - title: Audit SUID executables (Manual) - levels: - - l1_server - status: manual - related_rules: - file_permissions_unauthorized_suid - - - id: 6.1.14 - title: Audit SGID executables (Manual) - levels: - - l1_server - status: manual - related_rules: - file_permissions_unauthorized_sgid - - id: 6.1.15 - title: Audit system file permissions (Manual) - levels: - - l2_server - status: manual - related_rules: - - rpm_verify_permissions - - rpm_verify_ownership - - id: 6.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: 
@@ -2238,59 +2142,25 @@ controls: - accounts_no_uid_except_zero - id: 6.2.10 - title: Ensure local interactive user home directories exist (Automated) + title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server status: automated rules: - accounts_user_interactive_home_directory_exists - - - id: 6.2.11 - title: Ensure local interactive users own their home directories (Automated) - levels: - - l1_server - status: automated - rules: - file_ownership_home_directories - - file_groupownership_home_directories - - - id: 6.2.12 - title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - levels: - - l1_server - status: automated - rules: - file_permissions_home_directories - - id: 6.2.13 - title: Ensure no local interactive user has .netrc files (Automated) - levels: - - l1_server - status: automated - rules: - - no_netrc_files - - - id: 6.2.14 - title: Ensure no local interactive user has .forward files (Automated) + - id: 6.2.11 + title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server - status: automated + status: partial rules: + - accounts_user_dot_group_ownership + - accounts_user_dot_user_ownership + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles - no_forward_files - - - id: 6.2.15 - title: Ensure no local interactive user has .rhosts files (Automated) - levels: - - l1_server - status: automated - notes: The rule also removes /etc/hosts.equiv - rules: - no_rsh_trust_files - - - id: 6.2.16 - title: Ensure local interactive user dot files are not group or world writable (Automated) - levels: - - l1_server - status: automated - rules: - - accounts_user_dot_no_world_writable_programs + - accounts_users_netrc_file_permissions 
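Review bot: The new 6.2.11 is marked `status: partial` but carries no `notes:` entry saying which part of the recommendation the listed rules leave uncovered, which is the convention this file follows elsewhere for explained deviations (the `notes: |-` blocks removed from 5.3.7 and 5.5.1 in the preceding hunk are examples). Presumably the gap is that `no_netrc_files` is replaced by `accounts_users_netrc_file_permissions`, so .netrc files are only permission-checked rather than prohibited, and `accounts_user_dot_no_world_writable_programs` is dropped in favour of `file_permission_user_init_files`, but that is inference from the rule names; please state the actual reason in a `notes: |-` block directly under `status: partial`. The hunk ends on `accounts_users_netrc_file_permissions`, so whether the control already continues with such a block is not visible here.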
diff --git a/products/al2023/profiles/cis_server_l2.profile b/products/al2023/profiles/cis.profile similarity index 100% rename from products/al2023/profiles/cis_server_l2.profile rename to products/al2023/profiles/cis.profile From d0055a5ac3066604e0b3ff4ea99bf58a96f47271 Mon Sep 17 00:00:00 2001 From: hipponix Date: Tue, 18 Jun 2024 14:09:26 +0000 Subject: [PATCH 25/28] fix syntaxt and CIS content errors --- controls/cis_al2023.yml | 62 ++++++++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 889390728f0..75448389ad9 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -13,7 +13,6 @@ reference_type: cis product: al2023 controls: - - id: 1.1.1.1 title: Ensure mounting of squashfs filesystems is disabled (Automated) levels: @@ -581,7 +580,7 @@ controls: - service_cups_disabled - id: 2.2.4 - title: Ensure DHCP Server is not installed (Automated) + title: Ensure a dhcp server is not installed (Automated) levels: - l1_server status: automated @@ -589,7 +588,7 @@ controls: - package_dhcp_removed - id: 2.2.5 - title: Ensure DNS Server is not installed (Automated) + title: Ensure a dns server is not installed (Automated) levels: - l1_server status: automated @@ -597,7 +596,7 @@ controls: - package_bind_removed - id: 2.2.6 - title: Ensure ftp Server is not installed (Automated) + title: Ensure a ftp server is not installed (Automated) levels: - l1_server status: automated @@ -605,7 +604,7 @@ controls: - package_vsftpd_removed - id: 2.2.7 - title: Ensure TFTP Server is not installed (Automated) + title: Ensure a tftp server is not installed (Automated) levels: - l1_server status: automated @@ -998,7 +997,7 @@ controls: - file_groupowner_crontab - file_owner_crontab - file_permissions_crontab - + - id: 4.1.3 title: Ensure permissions on /etc/cron.hourly are configured (Automated) levels: 
@@ -1317,8 +1316,6 @@ controls: levels: - l1_server status: automated - notes: |- - This requirement is also indirectly satisfied by the requirement 5.5.2. rules: - account_password_pam_faillock_password_auth - account_password_pam_faillock_system_auth @@ -1476,10 +1473,10 @@ controls: - package_rsyslog_installed - id: 5.1.1.2 - title: Ensure rsyslog Service is enabled (Automated) + title: Ensure rsyslog service is enabled (Manual) levels: - l1_server - status: automated + status: manual rules: - service_rsyslog_enabled @@ -1492,7 +1489,7 @@ controls: - journald_forward_to_syslog - id: 5.1.1.4 - title: Ensure rsyslog default file permissions configured (Automated) + title: Ensure rsyslog default file permissions are configured (Automated) levels: - l1_server status: automated @@ -1510,7 +1507,7 @@ controls: levels: - l1_server status: automated - related_rules: + rules: - rsyslog_remote_loghost - id: 5.1.1.7 @@ -1522,19 +1519,19 @@ controls: - rsyslog_nolisten - id: 5.1.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) + title: Ensure systemd-journal-remote is installed (Manual) levels: - l1_server status: manual - id: 5.1.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) + title: Ensure systemd-journal-remote is configured (Manual) levels: - l1_server status: manual - id: 5.1.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) + title: Ensure systemd-journal-remote is enabled (Manual) levels: - l1_server status: manual @@ -1838,7 +1835,7 @@ controls: - audit_rules_privileged_commands_usermod - id: 5.2.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + title: Ensure kernel module loading unloading and modification is collected (Automated) levels: - l2_server status: automated 
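Review bot: In the `@@ -1510` hunk, moving `rsyslog_remote_loghost` from `related_rules:` to `rules:` under 5.1.1.6 makes it a selected rule of the profile, so scans and remediations now act on it while the control itself says nothing about the remote destination; if I recall the rule's definition correctly, it takes the target host from the `rsyslog_remote_loghost_address` variable, which no `var_...` line here pins. A short `notes:` entry, e.g. `notes: |-` followed by `The remote log host is taken from rsyslog_remote_loghost_address and must be tailored per site.`, would tell consumers of the profile what they are expected to override before applying it. The control's `status: automated` on the context lines is consistent with the change and needs no edit.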
@@ -1965,6 +1962,16 @@ controls: - file_permissions_etc_passwd - id: 6.1.2 + title: Ensure permissions on /etc/passwd are configured (Automated) + levels: + - l1_server + status: automated + rules: + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + + - id: 6.1.3 title: Ensure permissions on /etc/passwd- are configured (Automated) levels: - l1_server @@ -1974,7 +1981,7 @@ controls: - file_owner_backup_etc_passwd - file_permissions_backup_etc_passwd - - id: 6.1.3 + - id: 6.1.4 title: Ensure permissions on /etc/group are configured (Automated) levels: - l1_server @@ -1984,7 +1991,7 @@ controls: - file_owner_etc_group - file_permissions_etc_group - - id: 6.1.4 + - id: 6.1.5 title: Ensure permissions on /etc/group- are configured (Automated) levels: - l1_server @@ -1994,7 +2001,7 @@ controls: - file_owner_backup_etc_group - file_permissions_backup_etc_group - - id: 6.1.5 + - id: 6.1.6 title: Ensure permissions on /etc/shadow are configured (Automated) levels: - l1_server @@ -2004,7 +2011,7 @@ controls: - file_groupowner_etc_shadow - file_permissions_etc_shadow - - id: 6.1.6 + - id: 6.1.7 title: Ensure permissions on /etc/shadow- are configured (Automated) levels: - l1_server @@ -2014,7 +2021,7 @@ controls: - file_owner_backup_etc_shadow - file_permissions_backup_etc_shadow - - id: 6.1.7 + - id: 6.1.8 title: Ensure permissions on /etc/gshadow are configured (Automated) levels: - l1_server @@ -2024,7 +2031,7 @@ controls: - file_owner_etc_gshadow - file_permissions_etc_gshadow - - id: 6.1.8 + - id: 6.1.9 title: Ensure permissions on /etc/gshadow- are configured (Automated) levels: - l1_server @@ -2034,7 +2041,7 @@ controls: - file_owner_backup_etc_gshadow - file_permissions_backup_etc_gshadow - - id: 6.1.9 + - id: 6.1.10 title: Audit system file permissions (Manual) levels: - l2_server 
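Review bot: The control inserted at `@@ -1965` as `- id: 6.1.2` repeats 6.1.1 verbatim — the same title `Ensure permissions on /etc/passwd are configured (Automated)` and the same three rules ending in `file_permissions_etc_passwd`, which is the context line directly above the insertion — and the remaining hunks of this commit (`@@ -1974` through `@@ -2034` here, continuing with `@@ -2043` and `@@ -2060` on the next line) shift every later id in section 6.1 by one to make room for it. Unless the benchmark genuinely lists /etc/passwd twice, this looks like a copied block rather than a missing recommendation, and the renumbering moves `Audit system file permissions` to 6.1.10 and `Ensure SUID and SGID files are reviewed` to 6.1.13 on the strength of that duplicate. Please either drop the duplicate block and revert the id shift, or give 6.1.2 the title and rules of the recommendation it is meant to represent, and in either case cross-check the final 6.1.x numbering against the benchmark before the series is merged.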
@@ -2043,15 +2050,16 @@ controls: - rpm_verify_permissions - rpm_verify_ownership - - id: 6.1.10 + - id: 6.1.11 title: Ensure world writable files and directories are secured (Automated) + status: automated levels: - l1_server rules: - file_permissions_unauthorized_world_writable - dir_perms_world_writable_sticky_bits - - id: 6.1.11 + - id: 6.1.12 title: Ensure no unowned or ungrouped files or directories exist (Automated) levels: - l1_server @@ -2060,10 +2068,11 @@ controls: - no_files_unowned_by_user - file_permissions_ungroupowned - - id: 6.1.12 + - id: 6.1.13 title: Ensure SUID and SGID files are reviewed (Manual) levels: - l1_server + status: manual rules: - file_permissions_unauthorized_suid - file_permissions_unauthorized_sgid @@ -2150,6 +2159,7 @@ controls: - accounts_user_interactive_home_directory_exists - file_ownership_home_directories - file_permissions_home_directories + - file_groupownership_home_directories - id: 6.2.11 title: Ensure local interactive user dot files access is configured (Automated) From 3532dd8e178e2e6e95385dac0c80eef137d03aab Mon Sep 17 00:00:00 2001 From: hipponix Date: Tue, 18 Jun 2024 18:35:28 +0000 Subject: [PATCH 26/28] address additional syntax settings --- controls/cis_al2023.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 75448389ad9..45b52e0d9cd 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -596,7 +596,7 @@ controls: - package_bind_removed - id: 2.2.6 - title: Ensure a ftp server is not installed (Automated) + title: Ensure an ftp server is not installed (Automated) levels: - l1_server status: automated @@ -1503,7 +1503,7 @@ controls: status: manual - id: 5.1.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) levels: - l1_server status: automated 
@@ -1705,7 +1705,7 @@ controls: - audit_rules_networkconfig_modification_network_scripts - id: 5.2.3.6 - title: Ensure use of privileged commands is collected (Automated) + title: Ensure use of privileged commands are collected (Automated) levels: - l2_server status: automated @@ -2052,9 +2052,9 @@ controls: - id: 6.1.11 title: Ensure world writable files and directories are secured (Automated) - status: automated levels: - l1_server + status: automated rules: - file_permissions_unauthorized_world_writable - dir_perms_world_writable_sticky_bits From 5892000e6f9db4cc16929c22d97c128a49beda14 Mon Sep 17 00:00:00 2001 From: hipponix Date: Thu, 20 Jun 2024 10:41:11 +0000 Subject: [PATCH 27/28] Fix typos --- controls/cis_al2023.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 45b52e0d9cd..9a67aafaf9a 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -1477,7 +1477,7 @@ controls: levels: - l1_server status: manual - rules: + related_rules: - service_rsyslog_enabled - id: 5.1.1.3 @@ -1511,7 +1511,7 @@ controls: - rsyslog_remote_loghost - id: 5.1.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) + title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) levels: - l1_server status: automated @@ -1537,7 +1537,7 @@ controls: status: manual - id: 5.1.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) + title: Ensure journald is not configured to receive logs from a remote client (Automated) levels: - l1_server status: automated From 1324b12e4fa3d3f32422583d7e013db8bd46441b Mon Sep 17 00:00:00 2001 From: hipponix Date: Tue, 25 Jun 2024 11:29:52 +0000 Subject: [PATCH 28/28] fix cis_al2023.yml and its manual settings --- controls/cis_al2023.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 9a67aafaf9a..0f06a25f490 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -1308,7 +1308,7 @@ controls: levels: - l1_server status: manual - rules: + related_rules: - no_empty_passwords - id: 4.4.2 @@ -2073,7 +2073,7 @@ controls: levels: - l1_server status: manual - rules: + related_rules: - file_permissions_unauthorized_suid - file_permissions_unauthorized_sgid