From fd73d848cf74559c6c2ae7720f518fbd53455968 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 11 Jun 2024 10:24:32 +0200
Subject: [PATCH 01/61] CIS RHEL9 v2.0.0 - 1.1.1 Configure Filesystem Kernel Modules
---
 controls/cis_rhel9.yml | 67 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index b6dfc5736ab..9d675e8aff2 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -41,23 +41,84 @@ controls:
 - enable_authselect
 - id: 1.1.1.1
- title: Ensure mounting of squashfs filesystems is disabled (Automated)
+ title: Ensure cramfs kernel module is not available (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - kernel_module_squashfs_disabled
+ - kernel_module_cramfs_disabled
 - id: 1.1.1.2
- title: Ensure mounting of udf filesystems is disabled (Automated)
+ title: Ensure freevxfs kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_freevxfs_disabled
+
+ - id: 1.1.1.3
+ title: Ensure hfs kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_hfs_disabled
+
+ - id: 1.1.1.4
+ title: Ensure hfsplus kernel module is not available (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
+ rules:
+ - kernel_module_hfsplus_disabled
+
+ - id: 1.1.1.5
+ title: Ensure jffs2 kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_jffs2_disabled
+
+ - id: 1.1.1.6
+ title: Ensure squashfs kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_squashfs_disabled
+
+ - id: 1.1.1.7
+ title: Ensure udf kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
 rules:
 - kernel_module_udf_disabled
+ - id: 1.1.1.8
+ title: Ensure usb-storage kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_usb-storage_disabled
+
+ - id: 1.1.1.9
+ title: Ensure unused filesystems kernel modules are not available (Manual)
+ levels:
+ - l1_server
+ - l2_workstation
+ status: manual
+
 - id: 1.1.2.1
 title: Ensure /tmp is a separate partition (Automated)
 levels:
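Review bot: Control 1.1.1.9 (`Ensure unused filesystems kernel modules are not available (Manual)`) is added with neither `rules`, `related_rules` nor a `notes` entry, so a reader has no indication of how this gap is meant to be closed, whereas the other manual controls in this file carry `related_rules` or an explanation. The `kernel_module_*_disabled` rules visible here only cover the modules enumerated in 1.1.1.1–1.1.1.8, so I would add `notes: |-` with a line such as `Which additional filesystem modules are unused is site-specific; review the loaded/loadable modules and extend the kernel_module_*_disabled selection locally.` (I cannot see from this diff whether the project has a generic rule for this, hence the hedge). The 1.1.1.8 usb-storage mapping reuses the rule the old 1.1.9 selected, so that check is not lost.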
From 2bde1a11974a4e8c506b7222d78fc90bf612af5c Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:28:44 +0200 Subject: [PATCH 02/61] CIS RHEL9 v2.0.0 - 1.1.2.1 Configure /tmp --- controls/cis_rhel9.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 9d675e8aff2..2fe1b708b78 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -119,7 +119,7 @@ controls: - l2_workstation status: manual - - id: 1.1.2.1 + - id: 1.1.2.1.1 title: Ensure /tmp is a separate partition (Automated) levels: - l1_server @@ -128,7 +128,7 @@ controls: rules: - partition_for_tmp - - id: 1.1.2.2 + - id: 1.1.2.1.2 title: Ensure nodev option set on /tmp partition (Automated) levels: - l1_server @@ -137,23 +137,23 @@ controls: rules: - mount_option_tmp_nodev - - id: 1.1.2.3 - title: Ensure noexec option set on /tmp partition (Automated) + - id: 1.1.2.1.3 + title: Ensure nosuid option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_noexec + - mount_option_tmp_nosuid - - id: 1.1.2.4 - title: Ensure nosuid option set on /tmp partition (Automated) + - id: 1.1.2.1.4 + title: Ensure noexec option set on /tmp partition (Automated) levels: - l1_server - l1_workstation status: automated rules: - - mount_option_tmp_nosuid + - mount_option_tmp_noexec - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) From 58a830e9c14e05edf67b993c31858bc1693df8fd Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:31:10 +0200 Subject: [PATCH 03/61] CIS RHEL9 v2.0.0 - 1.1.2.2 Configure /dev/shm --- controls/cis_rhel9.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 2fe1b708b78..ce727cd95d6 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -155,6 +155,42 @@ controls: rules: - mount_option_tmp_noexec + - id: 1.1.2.2.1 + title: Ensure /dev/shm is a separate partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - partition_for_dev_shm + + - id: 1.1.2.2.2 + title: Ensure nodev option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_dev_shm_nodev + + - id: 1.1.2.2.3 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_dev_shm_nosuid + + - id: 1.1.2.2.4 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_dev_shm_noexec + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From 8b56a08903b9b6cb9d0ab8d6729c2328e1ca8b25 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:34:22 +0200 Subject: [PATCH 04/61] CIS RHEL9 v2.0.0 - 1.1.2.3 Configure /home --- controls/cis_rhel9.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index ce727cd95d6..9cef17f72ff 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -191,6 +191,33 @@ controls: rules: - mount_option_dev_shm_noexec + - id: 1.1.2.3.1 + title: Ensure separate partition exists for /home (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_home + + - id: 1.1.2.3.2 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_home_nodev + + - id: 1.1.2.3.3 + title: Ensure nosuid option set on /home partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_home_nosuid + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From b583f317389ca9a030436d76b4a6246ee1ebfe71 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:37:05 +0200 Subject: [PATCH 05/61] CIS RHEL9 v2.0.0 - 1.1.2.4 Configure /var --- controls/cis_rhel9.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 9cef17f72ff..da0e234454d 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -218,6 +218,33 @@ controls: rules: - mount_option_home_nosuid + - id: 1.1.2.4.1 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_var + + - id: 1.1.2.4.2 + title: Ensure nodev option set on /var partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_nodev + + - id: 1.1.2.4.3 + title: Ensure nosuid option set on /var partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_nosuid + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From a9aadf3662f6b70c6c02d250b33c4cbab55cf8d8 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:39:46 +0200 Subject: [PATCH 06/61] CIS RHEL9 v2.0.0 - 1.1.2.5 Configure /var/tmp --- controls/cis_rhel9.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index da0e234454d..511128a7509 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -245,6 +245,42 @@ controls: rules: - mount_option_var_nosuid + - id: 1.1.2.5.1 + title: Ensure separate partition exists for /var/tmp (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_var_tmp + + - id: 1.1.2.5.2 + title: Ensure nodev option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_tmp_nodev + + - id: 1.1.2.5.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_tmp_nosuid + + - id: 1.1.2.5.4 + title: Ensure noexec option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_tmp_noexec + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From 6ea5e047f60baff9293d6bc72e26736003f95017 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:52:34 +0200 Subject: [PATCH 07/61] CIS RHEL9 v2.0.0 - 1.1.2.6 Configure /var/log --- controls/cis_rhel9.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 511128a7509..4df3a128d3b 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -281,6 +281,42 @@ controls: rules: - mount_option_var_tmp_noexec + - id: 1.1.2.6.1 + title: Ensure separate partition exists for /var/log (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_var_log + + - id: 1.1.2.6.2 + title: Ensure nodev option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_nodev + + - id: 1.1.2.6.3 + title: Ensure nosuid option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_nosuid + + - id: 1.1.2.6.4 + title: Ensure noexec option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_noexec + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From 00314f76e52f4bb2c802d070a0984e2a1ed7e045 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:54:23 +0200 Subject: [PATCH 08/61] CIS RHEL9 v2.0.0 - 1.1.2.7 Configure /var/log/audit --- controls/cis_rhel9.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 4df3a128d3b..e1fe673f3c3 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -317,6 +317,42 @@ controls: rules: - mount_option_var_log_noexec + - id: 1.1.2.7.1 + title: Ensure separate partition exists for /var/log/audit (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - partition_for_var_log_audit + + - id: 1.1.2.7.2 + title: Ensure nodev option set on /var/log/audit partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_audit_nodev + + - id: 1.1.2.7.3 + title: Ensure nosuid option set on /var/log/audit partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_audit_nosuid + + - id: 1.1.2.7.4 + title: Ensure noexec option set on /var/log/audit partition (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - mount_option_var_log_audit_noexec + - id: 1.1.3.1 title: Ensure separate partition exists for /var (Automated) levels: From 2e318fed3dca203ad1c65d30c85babb2b65bdbff Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 10:57:04 +0200 Subject: [PATCH 09/61] CIS RHEL9 v2.0.0 - 1.1 Cleanup --- controls/cis_rhel9.yml | 207 ----------------------------------------- 1 file changed, 207 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index e1fe673f3c3..617e8c5cce1 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -353,213 +353,6 @@ controls: rules: - mount_option_var_log_audit_noexec - - id: 1.1.3.1 - title: Ensure separate partition exists for /var (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var - - - id: 1.1.3.2 - title: Ensure nodev option set on /var partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_nodev - - - id: 1.1.3.3 - title: Ensure nosuid option set on /var partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_nosuid - - - id: 1.1.4.1 - title: Ensure separate partition exists for /var/tmp (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_tmp - - - id: 1.1.4.2 - title: Ensure noexec option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_noexec - - - id: 1.1.4.3 - title: Ensure nosuid option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_nosuid - - - id: 1.1.4.4 - title: Ensure nodev option set on /var/tmp partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_tmp_nodev - - - id: 1.1.5.1 - title: Ensure separate partition exists for /var/log (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_log - - - id: 1.1.5.2 - title: Ensure nodev option set on /var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_nodev - - - id: 1.1.5.3 - title: Ensure noexec option set on /var/log partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_noexec - - - id: 1.1.5.4 - title: Ensure nosuid option set on /var/log partition 
(Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_nosuid - - - id: 1.1.6.1 - title: Ensure separate partition exists for /var/log/audit (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_var_log_audit - - - id: 1.1.6.2 - title: Ensure noexec option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_noexec - - - id: 1.1.6.3 - title: Ensure nodev option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_nodev - - - id: 1.1.6.4 - title: Ensure nosuid option set on /var/log/audit partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_var_log_audit_nosuid - - - id: 1.1.7.1 - title: Ensure separate partition exists for /home (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - partition_for_home - - - id: 1.1.7.2 - title: Ensure nodev option set on /home partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_home_nodev - - - id: 1.1.7.3 - title: Ensure nosuid option set on /home partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_home_nosuid - - - id: 1.1.8.1 - title: Ensure /dev/shm is a separate partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - partition_for_dev_shm - - - id: 1.1.8.2 - title: Ensure nodev option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_dev_shm_nodev - - - id: 1.1.8.3 - title: Ensure noexec option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - 
mount_option_dev_shm_noexec - - - id: 1.1.8.4 - title: Ensure nosuid option set on /dev/shm partition (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - mount_option_dev_shm_nosuid - - - id: 1.1.9 - title: Disable USB Storage (Automated) - levels: - - l1_server - - l2_workstation - status: automated - rules: - - kernel_module_usb-storage_disabled - - id: 1.2.1 title: Ensure GPG keys are configured (Manual) levels: From 5a45d4102b3fba5de6ae0ff1ea6eec5565300b99 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 11:02:28 +0200 Subject: [PATCH 10/61] CIS RHEL9 v2.0.0 - 1.2.1 Configure Package Repositories --- controls/cis_rhel9.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 617e8c5cce1..e536c0486a4 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -353,7 +353,7 @@ controls: rules: - mount_option_var_log_audit_noexec - - id: 1.2.1 + - id: 1.2.1.1 title: Ensure GPG keys are configured (Manual) levels: - l1_server @@ -362,7 +362,7 @@ controls: related_rules: - ensure_redhat_gpgkey_installed - - id: 1.2.2 + - id: 1.2.1.2 title: Ensure gpgcheck is globally activated (Automated) levels: - l1_server @@ -371,15 +371,15 @@ controls: rules: - ensure_gpgcheck_globally_activated - - id: 1.2.3 - title: Ensure package manager repositories are configured (Manual) + - id: 1.2.1.3 + title: Ensure repo_gpgcheck is globally activated (Manual) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: manual - - id: 1.2.4 - title: Ensure repo_gpgcheck is globally activated (Manual) + - id: 1.2.1.4 + title: Ensure package manager repositories are configured (Manual) levels: - l1_server - l1_workstation From 51d5ad29d2208e0f4b63557d974d004d3fb7dedb Mon Sep 17 00:00:00 2001 
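Review bot: 1.2.1.3 `Ensure repo_gpgcheck is globally activated` is recorded as `status: manual` with no rule, note or related rule, although `repo_gpgcheck` in the package manager's global configuration is a setting that can be checked the same way 1.2.1.2 checks `gpgcheck`. Package signature checking alone does not cover repository metadata, so leaving this unmapped means a mirror that serves altered or stale metadata is not caught by the profile; if the project already has a rule for the setting it should be listed under `rules`, and otherwise `status: pending` with a `notes:` line such as `A rule checking repo_gpgcheck=1 in the global dnf configuration is needed.` would match how other gaps in this series are recorded. The move to l2 and the id swap with 1.2.1.4 look like the v2.0.0 renumbering and are not the concern.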
From: Marcus Burghardt Date: Tue, 11 Jun 2024 11:04:36 +0200 Subject: [PATCH 11/61] CIS RHEL9 v2.0.0 - 1.2.2 Configure Package Updates --- controls/cis_rhel9.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index e536c0486a4..4e7c8cc693e 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -385,6 +385,15 @@ controls: - l1_workstation status: manual + - id: 1.2.2.1 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - security_patches_up_to_date + - id: 1.3.1 title: Ensure AIDE is installed (Automated) levels: @@ -711,15 +720,6 @@ controls: rules: - gnome_gdm_disable_xdmcp - - id: 1.9 - title: Ensure updates, patches, and additional security software are installed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - security_patches_up_to_date - - id: "1.10" title: Ensure system-wide crypto policy is not legacy (Automated) levels: From 759345015d0b5097a2707646dcf2651e51b807fa Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 11:10:47 +0200 Subject: [PATCH 12/61] CIS RHEL9 v2.0.0 - 1.3.1 Configure SELinux --- controls/cis_rhel9.yml | 146 ++++++++++++++++++++--------------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 4e7c8cc693e..fb59798c917 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -394,6 +394,79 @@ controls:
 related_rules:
 - security_patches_up_to_date
+ - id: 1.3.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.3.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - grub2_enable_selinux
+
+ - id: 1.3.1.3
+ title: Ensure SELinux policy is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ - id: 1.3.1.4
+ title: Ensure the SELinux mode is not disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - selinux_not_disabled
+
+ - id: 1.3.1.5
+ title: Ensure the SELinux mode is enforcing (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ - id: 1.3.1.6
+ title: Ensure no unconfined services exist (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+ related_rules:
+ - selinux_confinement_of_daemons
+
+ - id: 1.3.1.7
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_mcstrans_removed
+
+ - id: 1.3.1.8
+ title: Ensure SETroubleshoot is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_setroubleshoot_removed
+
 - id: 1.3.1
 title: Ensure AIDE is installed (Automated)
 levels:
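Review bot: 1.3.1.6 `Ensure no unconfined services exist` demotes `selinux_confinement_of_daemons` from `rules` to `related_rules`, moves the control from l1 to l2 and sets `status: manual`, which removes an SELinux check that the old 1.6.1.6 (deleted in the next hunk) enforced automatically at level 1. The new title says the benchmark now classifies the control as Manual, but nothing in the hunk or the commit message explains why the existing rule is no longer considered an adequate implementation, and the next maintainer will be tempted to revert it. I would add `notes: |-` with a line like `Benchmark audit is a manual review of unconfined processes; selinux_confinement_of_daemons is kept as guidance only.` (or whatever the actual reason is). The rest of the hunk is a straight 1.6.1.x to 1.3.1.x renumbering with unchanged rule mappings.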
@@ -487,79 +560,6 @@ controls: rules: - sysctl_kernel_randomize_va_space - - id: 1.6.1.1 - title: Ensure SELinux is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_libselinux_installed - - - id: 1.6.1.2 - title: Ensure SELinux is not disabled in bootloader configuration (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - grub2_enable_selinux - - - id: 1.6.1.3 - title: Ensure SELinux policy is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - var_selinux_policy_name=targeted - - selinux_policytype - - - id: 1.6.1.4 - title: Ensure the SELinux mode is not disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - selinux_not_disabled - - - id: 1.6.1.5 - title: Ensure the SELinux mode is enforcing (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - var_selinux_state=enforcing - - selinux_state - - - id: 1.6.1.6 - title: Ensure no unconfined services exist (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - selinux_confinement_of_daemons - - - id: 1.6.1.7 - title: Ensure SETroubleshoot is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_setroubleshoot_removed - - - id: 1.6.1.8 - title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_mcstrans_removed - - id: 1.7.1 title: Ensure message of the day is configured properly (Automated) levels: From 56f9f318ebe707a126086c891f8038d992a83660 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 11:22:11 +0200 Subject: [PATCH 13/61] CIS RHEL9 v2.0.0 - 1.4 Configure Bootloader --- controls/cis_rhel9.yml | 65 +++++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 32 deletions(-) 
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index fb59798c917..df0bdc42a0a 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -467,36 +467,6 @@ controls:
 rules:
 - package_setroubleshoot_removed
- - id: 1.3.1
- title: Ensure AIDE is installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_aide_installed
- - aide_build_database
-
- - id: 1.3.2
- title: Ensure filesystem integrity is regularly checked (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - aide_periodic_cron_checking
-
- - id: 1.3.3
- title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - aide_check_audit_tools
- related_rules:
- - aide_use_fips_hashes
-
 - id: 1.4.1
 title: Ensure bootloader password is set (Automated)
 levels:
@@ -511,13 +481,14 @@ controls:
 - grub2_uefi_password
 - id: 1.4.2
- title: Ensure permissions on bootloader config are configured (Automated)
+ title: Ensure access to bootloader config is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- status: automated
+ status: pending
 notes: <-
 RHEL9 unified the paths for grub2 files.
+ This requirement demands a deeper review of the rules.
 rules:
 - file_groupowner_grub2_cfg
 - file_owner_grub2_cfg
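Review bot: 1.4.2 is switched to `status: pending` but keeps its full `rules` list (`file_groupowner_grub2_cfg`, `file_owner_grub2_cfg` and the remaining grub2/efi permission rules that continue past this hunk), and the added note `This requirement demands a deeper review of the rules.` does not say which rule or path is in doubt. If the controls loader still selects rules from a pending control, the profile behaves exactly as before and the status is metadata only; if it does not, the bootloader config ownership/permission checks silently drop out of the L1 profiles — I cannot tell which from this diff, so the note should say which holds and what concretely needs review, e.g. `The grub2 files now share one path on BIOS and UEFI; confirm the efi-specific rules do not fail or skip on BIOS installs.`. The 1.4.2 entry's rules list continues beyond the end of the hunk.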
@@ -2325,6 +2296,36 @@ controls:
 - ensure_root_password_configured
 - no_empty_passwords_etc_shadow
+ - id: 1.3.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_aide_installed
+ - aide_build_database
+
+ - id: 1.3.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - aide_periodic_cron_checking
+
+ - id: 1.3.3
+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - aide_check_audit_tools
+ related_rules:
+ - aide_use_fips_hashes
+
 - id: 6.1.1
 title: Ensure permissions on /etc/passwd are configured (Automated)
 levels:
From 2f75821e2fd25380767803ddd579607e893c5e18 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 11 Jun 2024 12:21:34 +0200
Subject: [PATCH 14/61] CIS RHEL9 v2.0.0 - 1.5 Configure Additional Process Hardening
---
 controls/cis_rhel9.yml | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index df0bdc42a0a..be0ce55448f 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -505,15 +505,26 @@ controls:
 - file_permissions_efi_user_cfg
 - id: 1.5.1
- title: Ensure core dump storage is disabled (Automated)
+ title: Ensure address space layout randomization is enabled (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
+ notes: |-
+ Address Space Layout Randomization (ASLR)
 rules:
- - coredump_disable_storage
+ - sysctl_kernel_randomize_va_space
 - id: 1.5.2
+ title: Ensure ptrace_scope is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+
+ - id: 1.5.3
 title: Ensure core dump backtraces are disabled (Automated)
 levels:
 - l1_server
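Review bot: The three AIDE controls are parked just before 6.1.1 but keep their old ids `1.3.1`, `1.3.2`, `1.3.3`, while the previous patch introduced `1.3.1.1`–`1.3.1.8` for SELinux; in this state `1.3.1` reads both as the SELinux parent and as the AIDE control, and anything that groups controls by id prefix files AIDE under SELinux. The destination suggests they are meant to become 6.1.x in a later commit of the series; doing the renumber here, or adding `notes: |-` with `Placeholder position; renumbered to the v2.0.0 id in a later commit.`, keeps each commit self-consistent for bisecting. The enclosing `controls:` list runs past both ends of the hunk.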
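Review bot: 1.5.2 selects `sysctl_kernel_yama_ptrace_scope` without pinning a value, whereas the SELinux controls in this series set the selection variable on the line above the rule; the benchmark control is met by `kernel.yama.ptrace_scope` of 1 or higher, so confirm the rule's default value satisfies that and, if the rule exposes a variable, pin it here the same way so the intended value is visible in the control file. Separately, the new `notes: |-` on 1.5.1 holds only `Address Space Layout Randomization (ASLR)`, which is the acronym dropped from the title rather than a note; either remove it or make it a sentence, e.g. `ASLR; the benchmark title was shortened in v2.0.0.`. The 1.5.3 entry continues past the end of the hunk.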
@@ -522,14 +533,14 @@ controls: rules: - coredump_disable_backtraces - - id: 1.5.3 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + - id: 1.5.4 + title: Ensure core dump storage is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_kernel_randomize_va_space + - coredump_disable_storage - id: 1.7.1 title: Ensure message of the day is configured properly (Automated) From 96ceda9a6770549a04726537f15b193d22720ec2 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 11 Jun 2024 12:32:43 +0200 Subject: [PATCH 15/61] CIS RHEL9 v2.0.0 - 1.6 Configure system wide crypto policy --- controls/cis_rhel9.yml | 68 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index be0ce55448f..145531accf3 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -542,6 +542,74 @@ controls:
 rules:
 - coredump_disable_storage
+ - id: 1.6.1
+ title: Ensure system wide crypto policy is not set to legacy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_nosha1
+
+ - id: 1.6.2
+ title: Ensure system wide crypto policy is not set in sshd configuration (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - configure_ssh_crypto_policy
+
+ - id: 1.6.3
+ title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ This requirement is already satisfied by 1.6.1.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.4
+ title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure a module disabling weak MACs in
+ /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.5
+ title: Ensure system wide crypto policy disables cbc for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ It is necessary a new rule to ensure a module disabling CBC in
+ /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+ related_rules:
+ - configure_crypto_policy
+
+ - id: 1.6.6
+ title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 1.6.7
+ title: Ensure system wide crypto policy disables EtM for ssh (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
 - id: 1.7.1
 title: Ensure message of the day is configured properly (Automated)
 levels:
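Review bot: 1.6.6 and 1.6.7 are titled `(Automated)` yet mapped as `status: manual` with no rule, note or related rule, while the equally unimplemented 1.6.4/1.6.5 are `status: pending` with a note naming the missing rule — the inconsistency hides two gaps from anyone filtering this file for pending work. Disabling chacha20-poly1305 and EtM MACs for SSH is presumably the benchmark's response to the SSH prefix-truncation attack (CVE-2023-48795), so leaving them unmapped means the L1 profiles do not mitigate it; I would set both to `status: pending` with `notes: |-` along the lines of `Needs a crypto-policies module under /etc/crypto-policies/policies/modules/ removing chacha20-poly1305@openssh.com from the SSH cipher list.` and the EtM equivalent. The 1.6.4/1.6.5 note text `It is necessary a new rule to ensure a module disabling ...` reads awkwardly; `A new rule is needed that installs a module under /etc/crypto-policies/policies/modules/ disabling ...` says the same thing clearly. Note also that 1.6.1 pins `default_nosha1` for a control that only requires "not legacy"; the 1.6.3 note shows this is deliberate, but a one-line note on 1.6.1 itself would save sites that still need SHA-1 interop from being surprised.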
From e7958a25a98682c95938e532566a9e56bab0bd53 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 10:22:01 +0200 Subject: [PATCH 16/61] CIS RHEL9 v2.0.0 - 1.7 Configure Command Line Warning Banners --- controls/cis_rhel9.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 145531accf3..ea549b74f32 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -641,7 +641,7 @@ controls: - remote_login_banner_text=cis_banners - id: 1.7.4 - title: Ensure permissions on /etc/motd are configured (Automated) + title: Ensure access to /etc/motd is configured (Automated) levels: - l1_server - l1_workstation @@ -652,7 +652,7 @@ controls: - file_permissions_etc_motd - id: 1.7.5 - title: Ensure permissions on /etc/issue are configured (Automated) + title: Ensure access to /etc/issue is configured (Automated) levels: - l1_server - l1_workstation @@ -663,7 +663,7 @@ controls: - file_permissions_etc_issue - id: 1.7.6 - title: Ensure permissions on /etc/issue.net are configured (Automated) + title: Ensure access to /etc/issue.net is configured (Automated) levels: - l1_server - l1_workstation From 05e8b2652e267abb39a483b3c1f7dda10427f2c7 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 10:27:21 +0200 Subject: [PATCH 17/61] CIS RHEL9 v2.0.0 - 1.8 Configure GNOME Display Manager --- controls/cis_rhel9.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index ea549b74f32..ca0ac0d534f 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -727,7 +727,7 @@ controls: title: Ensure GDM automatic mounting of removable media is disabled (Automated) levels: - l1_server - - l1_workstation + - l2_workstation status: automated rules: - dconf_gnome_disable_automount 
@@ -737,7 +737,7 @@ controls: title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) levels: - l1_server - - l1_workstation + - l2_workstation status: automated rules: - dconf_gnome_disable_automount From 606ef8d30557c85f8027c7632b78dd840ebb605b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 10:28:52 +0200 Subject: [PATCH 18/61] CIS RHEL9 v2.0.0 - 1 - Initial Setup - Cleanup --- controls/cis_rhel9.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index ca0ac0d534f..51b71cb89cc 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -770,17 +770,6 @@ controls: rules: - gnome_gdm_disable_xdmcp - - id: "1.10" - title: Ensure system-wide crypto policy is not legacy (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: The selected crypto-policy cannot be legacy - rules: - - configure_crypto_policy - - var_system_crypto_policy=default_policy - - id: 2.1.1 title: Ensure time synchronization is in use (Automated) levels: From 7faea818291b24aa68c3857de8336d16a1dbf202 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 10:52:56 +0200 Subject: [PATCH 19/61] CIS RHEL9 v2.0.0 - 2.1 Configure Server Services --- controls/cis_rhel9.yml | 223 +++++++++++++++++++++++++++-------------- 1 file changed, 147 insertions(+), 76 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 51b71cb89cc..4bc8377a755 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -771,199 +771,270 @@ controls: - gnome_gdm_disable_xdmcp - id: 2.1.1 - title: Ensure time synchronization is in use (Automated) + title: Ensure autofs services are not in use (Automated) levels: - l1_server - - l1_workstation + - l2_workstation status: automated - related_rules: - - package_chrony_installed + rules: + - service_autofs_disabled - id: 2.1.2 - title: Ensure chrony is configured (Automated) + title: Ensure avahi daemon services are not in use (Automated) levels: - l1_server - - l1_workstation + - l2_workstation status: automated rules: - - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - - var_multiple_time_servers=rhel + - package_avahi_removed + related_rules: + - service_avahi-daemon_disabled - - id: 2.2.1 - title: Ensure xorg-x11-server-common is not installed (Automated) + - id: 2.1.3 + title: Ensure dhcp server services are not in use (Automated) levels: - - l2_server + - l1_server + - l1_workstation status: automated rules: - - package_xorg-x11-server-common_removed + - package_dhcp_removed + related_rules: + - service_dhcpd_disabled - - id: 2.2.2 - title: Ensure Avahi Server is not installed (Automated) + - id: 2.1.4 + title: Ensure dns server services are not in use (Automated) levels: - l1_server - - l2_workstation + - l1_workstation status: automated rules: - - package_avahi_removed + - package_bind_removed related_rules: - - service_avahi-daemon_disabled + - service_named_disabled - - id: 2.2.3 - title: Ensure CUPS is not installed (Automated) + - id: 2.1.5 + title: Ensure dnsmasq services are not in use (Automated) levels: - l1_server + - l1_workstation status: automated rules: - - package_cups_removed - related_rules: - - service_cups_disabled + - package_dnsmasq_removed - - id: 2.2.4 - title: Ensure DHCP Server is not installed (Automated) + - id: 2.1.6 + title: Ensure samba file server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_dhcp_removed + - 
package_samba_removed + related_rules: + - service_smb_disabled - - id: 2.2.5 - title: Ensure DNS Server is not installed (Automated) + - id: 2.1.7 + title: Ensure ftp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_bind_removed + - package_vsftpd_removed + related_rules: + - service_vsftpd_disabled - - id: 2.2.6 - title: Ensure VSFTP Server is not installed (Automated) + - id: 2.1.8 + title: Ensure message access server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_vsftpd_removed + - package_dovecot_removed + - package_cyrus-imapd_removed + related_rules: + - service_dovecot_disabled + # new rule would be nice to disable cyrus-imapd service - - id: 2.2.7 - title: Ensure TFTP Server is not installed (Automated) + - id: 2.1.9 + title: Ensure network file system services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the + nfs-utils package. 
rules: - - package_tftp-server_removed + - service_nfs_disabled + related_rules: + - package_nfs-utils_removed - - id: 2.2.8 - title: Ensure a web server is not installed (Automated) + - id: 2.1.10 + title: Ensure nis server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_httpd_removed - - package_nginx_removed + - package_ypserv_removed + related_rules: + - service_ypserv_disabled - - id: 2.2.9 - title: Ensure IMAP and POP3 server is not installed (Automated) + - id: 2.1.11 + title: Ensure print server services are not in use (Automated) levels: - l1_server - - l1_workstation status: automated rules: - - package_dovecot_removed - - package_cyrus-imapd_removed + - package_cups_removed + related_rules: + - service_cups_disabled - - id: 2.2.10 - title: Ensure Samba is not installed (Automated) + - id: 2.1.12 + title: Ensure rpcbind services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils + package used for The Network File System (NFS), are dependent on the rpcbind package. 
rules: - - package_samba_removed + - service_rpcbind_disabled + related_rules: + - package_rpcbind_removed - - id: 2.2.11 - title: Ensure HTTP Proxy Server is not installed (Automated) + - id: 2.1.13 + title: Ensure rsync services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_squid_removed + - package_rsync_removed + related_rules: + - service_rsyncd_disabled - - id: 2.2.12 - title: Ensure net-snmp is not installed (Automated) + - id: 2.1.14 + title: Ensure snmp services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - package_net-snmp_removed + related_rules: + - service_snmpd_disabled - - id: 2.2.13 - title: Ensure telnet-server is not installed (Automated) + - id: 2.1.15 + title: Ensure telnet server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - package_telnet-server_removed + related_rules: + - service_telnet_disabled - - id: 2.2.14 - title: Ensure dnsmasq is not installed (Automated) + - id: 2.1.16 + title: Ensure tftp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_dnsmasq_removed + - package_tftp-server_removed + related_rules: + - service_tftp_disabled - - id: 2.2.15 - title: Ensure mail transfer agent is configured for local-only mode (Automated) + - id: 2.1.17 + title: Ensure web proxy server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - postfix_network_listening_disabled - - var_postfix_inet_interfaces=loopback-only - - has_nonlocal_mta + - package_squid_removed + related_rules: + - service_squid_disabled - - id: 2.2.16 - title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) + - id: 2.1.18 + title: Ensure web server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_nfs_disabled + - 
package_httpd_removed + - package_nginx_removed related_rules: - - package_nfs-utils_removed - # The nfs-utils package is required for systems with GUI or by some libvirt packages + - service_httpd_disabled + # rule would be nice to disable nginx service - - id: 2.2.17 - title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) + - id: 2.1.19 + title: Ensure xinetd services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_rpcbind_disabled + - package_xinetd_removed related_rules: - - package_rpcbind_removed + - service_xinetd_disabled + + - id: 2.1.20 + title: Ensure X window server services are not in use (Automated) + levels: + - l2_server + status: automated + notes: |- + The rule also configures correct run level to prevent unbootable system. + rules: + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target - - id: 2.2.18 - title: Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated) + - id: 2.1.21 + title: Ensure mail transfer agents are configured for local-only mode (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + The rule has_nonlocal_mta currently checks for services listening only on port 25, + but the policy checks also for ports 465 and 587 rules: - - package_rsync_removed + - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only + - has_nonlocal_mta + + - id: 2.1.22 + title: Ensure only approved services are listening on a network interface (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 2.1.1 + title: Ensure time synchronization is in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated related_rules: - - service_rsyncd_disabled + - package_chrony_installed + + - id: 2.1.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - 
chronyd_specify_remote_server + - chronyd_run_as_chrony_user + - var_multiple_time_servers=rhel - id: 2.3.1 title: Ensure telnet client is not installed (Automated) From 1a77e1d25a772555d6ab3d29f0be6cfc2c8263be Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 10:56:52 +0200 Subject: [PATCH 20/61] CIS RHEL9 v2.0.0 - 2.2 Configure Client Services --- controls/cis_rhel9.yml | 49 +++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 4bc8377a755..c41f011a157 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1016,27 +1016,34 @@ controls: - l1_workstation status: manual - - id: 2.1.1 - title: Ensure time synchronization is in use (Automated) + - id: 2.2.1 + title: Ensure ftp client is not installed (Automated) levels: - l1_server - l1_workstation status: automated - related_rules: - - package_chrony_installed + rules: + - package_ftp_removed - - id: 2.1.2 - title: Ensure chrony is configured (Automated) + - id: 2.2.2 + title: Ensure ldap client is not installed (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - package_openldap-clients_removed + + - id: 2.2.3 + title: Ensure nis client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - - var_multiple_time_servers=rhel + - package_ypbind_removed - - id: 2.3.1 + - id: 2.2.4 title: Ensure telnet client is not installed (Automated) levels: - l1_server 
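Review bot: After this hunk the file holds two controls with `id: 2.1.1` and two with `id: 2.1.2` (the new autofs/avahi entries at the top and the time-synchronization entries re-added at the bottom). If the control loader keys controls by id, one entry silently shadows the other at this commit; the `@@ -1016` and `@@ -1045` hunks of the following 'Configure Client Services' commit carry the same clash, and the `@@ -1216` hunk of 'Configure Network Kernel Modules' repeats it for `3.2.1`/`3.2.2` by leaving the old IP-forwarding and packet-redirect ids next to the new kernel-module ones. Since later commits renumber them to `2.3.1`/`2.3.2` and `3.3.1`/`3.3.2`, the fix is to apply those ids in the same commit that introduces the duplicates, so every intermediate commit is loadable. Separately, `2.1.5` (dnsmasq) removes the package but, unlike its neighbours `2.1.3`, `2.1.4` and `2.1.6`, lists no related service rule; if no such rule exists yet, a comment like the one under `2.1.8` would record the gap.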
@@ -1045,32 +1052,34 @@ controls: rules: - package_telnet_removed - - id: 2.3.2 - title: Ensure LDAP client is not installed (Automated) + - id: 2.2.5 + title: Ensure tftp client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_openldap-clients_removed + - package_tftp_removed - - id: 2.3.3 - title: Ensure TFTP client is not installed (Automated) + - id: 2.1.1 + title: Ensure time synchronization is in use (Automated) levels: - l1_server - l1_workstation status: automated - rules: - - package_tftp_removed + related_rules: + - package_chrony_installed - - id: 2.3.4 - title: Ensure FTP client is not installed (Automated) + - id: 2.1.2 + title: Ensure chrony is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_ftp_removed + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + - var_multiple_time_servers=rhel - id: 2.4 title: Ensure nonessential services are removed or masked (Manual) From a5dc7d17fc835383100dd3fb3e1458848af7c249 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:12:17 +0200 Subject: [PATCH 21/61] CIS RHEL9 v2.0.0 - 2.3 Configure Time Synchronization --- controls/cis_rhel9.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index c41f011a157..0800f30cb1e 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1061,7 +1061,7 @@ controls: rules: - package_tftp_removed - - id: 2.1.1 + - id: 2.3.1 title: Ensure time synchronization is in use (Automated) levels: - l1_server @@ -1070,7 +1070,7 @@ controls: related_rules: - package_chrony_installed - - id: 2.1.2 + - id: 2.3.2 title: Ensure chrony is configured (Automated) levels: - l1_server 
@@ -1078,9 +1078,17 @@ controls: status: automated rules: - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - var_multiple_time_servers=rhel + - id: 2.3.3 + title: Ensure chrony is not run as the root user (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - chronyd_run_as_chrony_user + - id: 2.4 title: Ensure nonessential services are removed or masked (Manual) levels: From bece9c020fe436c0a5f3754434d17542b35a5d9b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:22:16 +0200 Subject: [PATCH 22/61] CIS RHEL9 v2.0.0 - 2.4.1 Configure cron Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 174 +++++++++++++++++++++-------------------- 1 file changed, 88 insertions(+), 86 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 0800f30cb1e..c15e6d9b384 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -1089,6 +1089,94 @@ controls: rules: - chronyd_run_as_chrony_user + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - service_crond_enabled + + - id: 2.4.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 2.4.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - id: 2.4.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - id: 2.4.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - id: 2.4.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - id: 2.4.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + + - id: 2.4.1.8 + title: Ensure crontab is restricted to authorized users (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + 
- file_owner_cron_allow + - file_permissions_cron_allow + - id: 2.4 title: Ensure nonessential services are removed or masked (Manual) levels: 
@@ -1899,93 +1987,7 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.1.1 - title: Ensure cron daemon is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_crond_enabled - - - id: 5.1.2 - title: Ensure permissions on /etc/crontab are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_crontab - - file_owner_crontab - - file_permissions_crontab - - id: 5.1.3 - title: Ensure permissions on /etc/cron.hourly are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_cron_hourly - - file_owner_cron_hourly - - file_permissions_cron_hourly - - - id: 5.1.4 - title: Ensure permissions on /etc/cron.daily are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_cron_daily - - file_owner_cron_daily - - file_permissions_cron_daily - - - id: 5.1.5 - title: Ensure permissions on /etc/cron.weekly are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_cron_weekly - - file_owner_cron_weekly - - file_permissions_cron_weekly - - - id: 5.1.6 - title: Ensure permissions on /etc/cron.monthly are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_cron_monthly - - file_owner_cron_monthly - - file_permissions_cron_monthly - - - id: 5.1.7 - title: Ensure permissions on /etc/cron.d are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_cron_d - - file_owner_cron_d - - file_permissions_cron_d - - - id: 5.1.8 - title: Ensure cron is restricted to authorized users (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_cron_deny_not_exist - - file_cron_allow_exists - - file_groupowner_cron_allow - - 
file_owner_cron_allow - - file_permissions_cron_allow - id: 5.1.9 title: Ensure at is restricted to authorized users (Automated) From 2f6b328909198e44e8dc3caeb9e2e5ed2ac7a5f6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:25:42 +0200 Subject: [PATCH 23/61] CIS RHEL9 v2.0.0 - 2.4.2 Configure at Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index c15e6d9b384..1e2dfe950b3 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1177,6 +1177,21 @@ controls: - file_owner_cron_allow - file_permissions_cron_allow + - id: 2.4.2.1 + title: Ensure at is restricted to authorized users (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + It is necessary to create a rule to ensure the existence of at.allow. + file_cron_allow_exists can be used as reference for a new templated rule. + rules: + - file_at_deny_not_exist + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + - id: 2.4 title: Ensure nonessential services are removed or masked (Manual) levels: @@ -1987,20 +2002,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - - - id: 5.1.9 - title: Ensure at is restricted to authorized users (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_at_deny_not_exist - - file_groupowner_at_allow - - file_owner_at_allow - - file_permissions_at_allow - - id: 5.2.1 title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: From 692578b1428364f924d34cf326c0f5834697aded Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:27:46 +0200 Subject: [PATCH 24/61] CIS RHEL9 v2.0.0 - 2 - Services - Cleanup Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 1e2dfe950b3..828aa3210bb 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1192,13 +1192,6 @@ controls: - file_owner_at_allow - file_permissions_at_allow - - id: 2.4 - title: Ensure nonessential services are removed or masked (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - id: 3.1.1 title: Ensure IPv6 status is identified (Manual) levels: From 6d27cdcecd9ed29ecf2c6a7baffa4b362bcfb597 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:34:51 +0200 Subject: [PATCH 25/61] CIS RHEL9 v2.0.0 - 3.1 Configure Network Devices Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 828aa3210bb..1d493e57ee5 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1208,13 +1208,13 @@ controls: - wireless_disable_interfaces - id: 3.1.3 - title: Ensure TIPC is disabled (Automated) + title: Ensure bluetooth services are not in use (Automated) levels: - - l2_server + - l1_server - l2_workstation status: automated rules: - - kernel_module_tipc_disabled + - service_bluetooth_disabled - id: 3.2.1 title: Ensure IP forwarding is disabled (Automated) From d176b4fc65f10de34a8a95a09267ab8b1eb34a6d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:37:17 +0200 Subject: [PATCH 26/61] CIS RHEL9 v2.0.0 - 3.2 Configure Network Kernel Modules Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 1d493e57ee5..feae67cfc7b 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -1216,6 +1216,42 @@ controls: rules: - service_bluetooth_disabled + - id: 3.2.1 + title: Ensure dccp kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_dccp_disabled + + - id: 3.2.2 + title: Ensure tipc kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_tipc_disabled + + - id: 3.2.3 + title: Ensure rds kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_rds_disabled + + - id: 3.2.4 + title: Ensure sctp kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_sctp_disabled + - id: 3.2.1 title: Ensure IP forwarding is disabled (Automated) levels: From 3c0d43da860f7a3caa2a9d6bd43d6c3528e5ba19 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:45:11 +0200 Subject: [PATCH 27/61] CIS RHEL9 v2.0.0 - 3.3 Configure Network Kernel Parameters Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 90 +++++++++++++++++++++--------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index feae67cfc7b..b520f7efc1e 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1252,7 +1252,7 @@ controls: rules: - kernel_module_sctp_disabled - - id: 3.2.1 + - id: 3.3.1 title: Ensure IP forwarding is disabled (Automated) levels: - l1_server @@ -1263,7 +1263,7 @@ controls: - sysctl_net_ipv6_conf_all_forwarding - sysctl_net_ipv6_conf_all_forwarding_value=disabled - - id: 3.2.2 + - id: 3.3.2 title: Ensure packet redirect sending is disabled (Automated) levels: - l1_server 
@@ -1273,24 +1273,28 @@ controls: - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_conf_default_send_redirects - - id: 3.3.1 - title: Ensure source routed packets are not accepted (Automated) + - id: 3.3.3 + title: Ensure bogus icmp responses are ignored (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - - id: 3.3.2 - title: Ensure ICMP redirects are not accepted (Automated) + - id: 3.3.4 + title: Ensure broadcast icmp requests are ignored (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + + - id: 3.3.5 + title: Ensure icmp redirects are not accepted (Automated) levels: - l1_server - l1_workstation @@ -1305,8 +1309,8 @@ controls: - sysctl_net_ipv6_conf_default_accept_redirects - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - - id: 3.3.3 - title: Ensure secure ICMP redirects are not accepted (Automated) + - id: 3.3.6 + title: Ensure secure icmp redirects are not accepted (Automated) levels: - l1_server - l1_workstation 
@@ -1317,52 +1321,48 @@ controls: - sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - - id: 3.3.4 - title: Ensure suspicious packets are logged (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_all_log_martians_value=enabled - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_conf_default_log_martians_value=enabled - - - id: 3.3.5 - title: Ensure broadcast ICMP requests are ignored (Automated) + - id: 3.3.7 + title: Ensure reverse path filtering is enabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - - id: 3.3.6 - title: Ensure bogus ICMP responses are ignored (Automated) + - id: 3.3.8 + title: Ensure source routed packets are not accepted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - - id: 3.3.7 - title: Ensure Reverse Path Filtering is enabled (Automated) + - id: 3.3.9 + title: Ensure suspicious packets are logged (Automated) levels: - l1_server - 
l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_all_rp_filter_value=enabled - - sysctl_net_ipv4_conf_default_rp_filter - - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled - - id: 3.3.8 - title: Ensure TCP SYN Cookies is enabled (Automated) + - id: 3.3.10 + title: Ensure tcp syn cookies is enabled (Automated) levels: - l1_server - l1_workstation @@ -1371,7 +1371,7 @@ controls: - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_tcp_syncookies_value=enabled - - id: 3.3.9 + - id: 3.3.11 title: Ensure IPv6 router advertisements are not accepted (Automated) levels: - l1_server From 6b57fbb951fb9683488e92df5132334fdcf7545a Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:47:16 +0200 Subject: [PATCH 28/61] CIS RHEL9 v2.0.0 - 4.1 Configure a firewall utility Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index b520f7efc1e..1b399f963b9 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1383,7 +1383,7 @@ controls: - sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - - id: 3.4.1.1 + - id: 4.1.1 title: Ensure nftables is installed (Automated) levels: - l1_server @@ -1392,7 +1392,7 @@ controls: rules: - package_nftables_installed - - id: 3.4.1.2 + - id: 4.1.2 title: Ensure a single firewall configuration utility is in use (Automated) levels: - l1_server From 2feb1e313f0fce439b5b831f3153111a7e996076 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:51:23 +0200 Subject: [PATCH 29/61] CIS RHEL9 v2.0.0 - 4.2 Configure FirewallD 
Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 1b399f963b9..93ab801c938 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1403,6 +1403,25 @@ controls: - package_firewalld_installed - service_nftables_disabled + - id: 4.2.1 + title: Ensure firewalld drops unnecessary services and ports (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - configure_firewalld_ports + + - id: 4.2.2 + title: Ensure firewalld loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - firewalld_loopback_traffic_trusted + - firewalld_loopback_traffic_restricted + - id: 3.4.2.1 title: Ensure firewalld default zone is set (Automated) levels: @@ -1448,25 +1467,6 @@ controls: - var_nftables_base_chain_priorities=chain_priorities - var_nftables_base_chain_policies=chain_policies - - id: 3.4.2.4 - title: Ensure host based firewall loopback traffic is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - firewalld_loopback_traffic_trusted - - firewalld_loopback_traffic_restricted - - - id: 3.4.2.5 - title: Ensure firewalld drops unnecessary services and ports (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - configure_firewalld_ports - - id: 3.4.2.6 title: Ensure nftables established connections are configured (Manual) levels: From a1a70dc28e5d14627978269af365adfa1e8fdf9e Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:57:43 +0200 Subject: [PATCH 30/61] CIS RHEL9 v2.0.0 - 4.3 Configure NFTables Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 71 +++++++++++++++++++++++++----------------- 1 file changed, 43 insertions(+), 28 deletions(-) 
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 93ab801c938..90c364d7da1 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1422,32 +1422,7 @@ controls: - firewalld_loopback_traffic_trusted - firewalld_loopback_traffic_restricted - - id: 3.4.2.1 - title: Ensure firewalld default zone is set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_firewalld_default_zone - - - id: 3.4.2.2 - title: Ensure at least one nftables table exists (Automated) - levels: - - l1_server - - l1_workstation - status: supported - notes: - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. - rules: - - set_nftables_table - - var_nftables_family=inet - - var_nftables_table=firewalld - - - id: 3.4.2.3 + - id: 4.3.1 title: Ensure nftables base chains exist (Automated) levels: - l1_server @@ -1467,14 +1442,14 @@ controls: - var_nftables_base_chain_priorities=chain_priorities - var_nftables_base_chain_policies=chain_policies - - id: 3.4.2.6 + - id: 4.3.2 title: Ensure nftables established connections are configured (Manual) levels: - l1_server - l1_workstation status: manual - - id: 3.4.2.7 + - id: 4.3.3 title: Ensure nftables default deny firewall policy (Automated) levels: - l1_server 
@@ -1487,6 +1462,46 @@ controls: related_rules: - nftables_ensure_default_deny_policy + - id: 4.3.4 + title: Ensure nftables loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. + related_rules: + - set_nftables_loopback_traffic + + - id: 3.4.2.1 + title: Ensure firewalld default zone is set (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - set_firewalld_default_zone + + - id: 3.4.2.2 + title: Ensure at least one nftables table exists (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. firewalld uses the inet firewalld that is created when firewalld is installed. + The OVAL check cannot be automated but an SCE is availble. + rules: + - set_nftables_table + - var_nftables_family=inet + - var_nftables_table=firewalld + + + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: From 83adb132b2599f32b36ed59756995b8aeaea76fe Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 14:59:14 +0200 Subject: [PATCH 31/61] CIS RHEL9 v2.0.0 - 4 Host Based Firewall - Cleanup Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 90c364d7da1..d13995c5c86 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
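Review bot: The second half of this hunk re-adds `3.4.2.1` and `3.4.2.2` below the new `4.3.4` instead of dropping them, even though they no longer carry a v2.0.0 id and the very next commit in the series deletes them again; moving them here also leaves two consecutive blank lines before `4.1.1.1`. Dropping the two stanzas in this hunk would keep the commit self-contained. If they are meant to survive as a reference, the moved `notes:` of `3.4.2.2` should be a block scalar as `4.3.4` uses (`notes: |-`) rather than a plain multi-line scalar that folds into one line, and the 'availble' typo fixed on the way. The new `4.3.4` entry has `status: supported` with only a `related_rules:` list; if that status is expected to carry `rules:`, either the key or the status should change — worth confirming against the controls schema.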
@@ -1475,33 +1475,6 @@ controls: related_rules: - set_nftables_loopback_traffic - - id: 3.4.2.1 - title: Ensure firewalld default zone is set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_firewalld_default_zone - - - id: 3.4.2.2 - title: Ensure at least one nftables table exists (Automated) - levels: - - l1_server - - l1_workstation - status: supported - notes: - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. - rules: - - set_nftables_table - - var_nftables_family=inet - - var_nftables_table=firewalld - - - - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: From 01c0a74cb096aedbc41236ac5a138b23691da287 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 15:38:40 +0200 Subject: [PATCH 32/61] CIS RHEL9 v2.0.0 - 5.1 Configure SSH Server Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 438 ++++++++++-------- .../services/ssh/sshd_approved_ciphers.var | 1 + .../guide/services/ssh/sshd_strong_kex.var | 1 + .../guide/services/ssh/sshd_strong_macs.var | 1 + 4 files changed, 243 insertions(+), 198 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index d13995c5c86..465df673f7f 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -1475,6 +1475,246 @@ controls: related_rules: - set_nftables_loopback_traffic + - id: 5.1.1 + title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + + - id: 5.1.2 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_permissions_sshd_private_key + - file_ownership_sshd_private_key + - file_groupownership_sshd_private_key + + - id: 5.1.3 + title: Ensure permissions on SSH public host key files are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key + + - id: 5.1.4 + title: Ensure sshd Ciphers are configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Introduced in CIS RHEL9 v2.0.0 + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. + rules: + - sshd_use_approved_ciphers + - sshd_approved_ciphers=cis_rhel9 + + - id: 5.1.5 + title: Ensure sshd KexAlgorithms is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. + rules: + - sshd_use_strong_kex + - sshd_strong_kex=cis_rhel9 + + - id: 5.1.6 + title: Ensure sshd MACs are configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + The status was automated but we need to double check the approach used in this rule. + Therefore I moved it to pending until deeper investigation. 
+ rules: + - sshd_use_strong_macs + - sshd_strong_macs=cis_rhel9 + + - id: 5.1.7 + title: Ensure sshd access is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_limit_user_access + + - id: 5.1.8 + title: Ensure sshd Banner is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner + + - id: 5.1.9 + title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The requirement gives an example of 45 seconds, but is flexible about the values. It is only + necessary to ensure there is a timeout configured in alignment to the site policy. + rules: + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 + + - id: 5.1.10 + title: Ensure sshd DisableForwarding is enabled (Automated) + levels: + - l2_server + - l1_workstation + status: pending + notes: |- + New templated rule is necessary for "disableforwarding" option. 
+ related_rules: + - sshd_disable_tcp_forwarding + - sshd_disable_x11_forwarding + + - id: 5.1.11 + title: Ensure sshd GSSAPIAuthentication is disabled (Automated) + levels: + - l2_server + - l1_workstation + status: automated + notes: |- + Introduced in CIS RHEL9 v2.0.0 + rules: + - sshd_disable_gssapi_auth + + - id: 5.1.12 + title: Ensure sshd HostbasedAuthentication is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - disable_host_auth + + - id: 5.1.13 + title: Ensure sshd IgnoreRhosts is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_rhosts + + - id: 5.1.14 + title: Ensure sshd LoginGraceTime is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + + - id: 5.1.15 + title: Ensure sshd LogLevel is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The CIS benchmark is not opinionated about which loglevel is selected here. Here, this + profile uses VERBOSE by default, as it allows for the capture of login and logout activity + as well as key fingerprints. 
+ rules: + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info + + - id: 5.1.16 + title: Ensure sshd MaxAuthTries is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + - id: 5.1.17 + title: Ensure sshd MaxStartups is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + + - id: 5.1.18 + title: Ensure sshd MaxSessions is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + + - id: 5.1.19 + title: Ensure sshd PermitEmptyPasswords is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_empty_passwords + + - id: 5.1.20 + title: Ensure sshd PermitRootLogin is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_disable_root_login + + - id: 5.1.21 + title: Ensure sshd PermitUserEnvironment is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_do_not_permit_user_env + + - id: 5.1.22 + title: Ensure sshd UsePAM is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sshd_enable_pam + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
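Review bot: Nothing in the new 5.1 block takes over `configure_ssh_crypto_policy` from the removed 5.2.14, and the `cis_rhel9` cipher/KEX/MAC lists this commit adds use OpenSSH's subtractive `-alg,…` form, which only prunes whatever default set the system-wide crypto policy currently yields. An sshd configuration that sidesteps the crypto-policy include therefore goes unchecked unless that rule is selected by the crypto-policy section of the v2.0.0 layout; if that is where it moved, a `related_rules:` pointer on 5.1.4 would make the dependency visible. Separately, 5.1.10 is `pending` with `sshd_disable_tcp_forwarding` and `sshd_disable_x11_forwarding` only as related rules; both are automated today and could stay under `rules:` as an interim check, with a note that `DisableForwarding` also covers agent and stream-local forwarding, which the two legacy rules do not.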
@@ -2019,205 +2259,7 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.2.1 - title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_groupowner_sshd_config - - file_owner_sshd_config - - file_permissions_sshd_config - - - id: 5.2.2 - title: Ensure permissions on SSH private host key files are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_permissions_sshd_private_key - - file_ownership_sshd_private_key - - file_groupownership_sshd_private_key - - - id: 5.2.3 - title: Ensure permissions on SSH public host key files are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - - file_groupownership_sshd_pub_key - - - id: 5.2.4 - title: Ensure SSH access is limited (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_limit_user_access - - - id: 5.2.5 - title: Ensure SSH LogLevel is appropriate (Automated) - levels: - - l1_server - - l1_workstation - status: automated - # The CIS benchmark is not opinionated about which loglevel is selected - # here. Here, this profile uses VERBOSE by default, as it allows for - # the capture of login and logout activity as well as key fingerprints. 
- rules: - - sshd_set_loglevel_verbose - related_rules: - - sshd_set_loglevel_info - - - id: 5.2.6 - title: Ensure SSH PAM is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_enable_pam - - - id: 5.2.7 - title: Ensure SSH root login is disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_disable_root_login - - id: 5.2.8 - title: Ensure SSH HostbasedAuthentication is disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - disable_host_auth - - - id: 5.2.9 - title: Ensure SSH PermitEmptyPasswords is disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_disable_empty_passwords - - - id: 5.2.10 - title: Ensure SSH PermitUserEnvironment is disabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_do_not_permit_user_env - - - id: 5.2.11 - title: Ensure SSH IgnoreRhosts is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_disable_rhosts - - - id: 5.2.12 - title: Ensure SSH X11 forwarding is disabled (Automated) - levels: - - l2_server - - l1_workstation - status: automated - rules: - - sshd_disable_x11_forwarding - - - id: 5.2.13 - title: Ensure SSH AllowTcpForwarding is disabled (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - sshd_disable_tcp_forwarding - - - id: 5.2.14 - title: Ensure system-wide crypto policy is not over-ridden (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - configure_ssh_crypto_policy - - - id: 5.2.15 - title: Ensure SSH warning banner is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_enable_warning_banner_net - related_rules: - - sshd_enable_warning_banner - - - id: 5.2.16 - title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) 
- levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries - - - id: 5.2.17 - title: Ensure SSH MaxStartups is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 - - - id: 5.2.18 - title: Ensure SSH MaxSessions is set to 10 or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_set_max_sessions - - var_sshd_max_sessions=10 - - - id: 5.2.19 - title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_set_login_grace_time - - var_sshd_set_login_grace_time=60 - - - id: 5.2.20 - title: Ensure SSH Idle Timeout Interval is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_idle_timeout_value=15_minutes - - sshd_set_idle_timeout - - sshd_set_keepalive - - var_sshd_set_keepalive=1 - id: 5.3.1 title: Ensure sudo is installed (Automated) diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var index 2cad2423cd1..0f5ef88db44 100644 --- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var 
@@ -17,6 +17,7 @@ options:
 default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_rhel7: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+ cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_sle15: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 cis_ubuntu: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var
index f281a491620..ac25c735a77 100644
--- a/linux_os/guide/services/ssh/sshd_strong_kex.var
+++ b/linux_os/guide/services/ssh/sshd_strong_kex.var
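Review bot: The `cis_rhel9` value is a byte-for-byte copy of `cis_rhel8`, so it excludes only the CBC ciphers and 3DES; worth checking against the v2.0.0 text before 5.1.4 leaves `pending`, since recent benchmark revisions have been adding `chacha20-poly1305@openssh.com` to the weak list after the Terrapin prefix-truncation attack (CVE-2023-48795). Note also that the leading `-` makes this a subtractive list: sshd removes these names from its current default set, which on RHEL 9 is shaped by the system-wide crypto policy, so the effective cipher set is only as strong as that policy. A comment above the new entry such as `# subtractive list (removes from the crypto-policy default set); mirrors cis_rhel8` would help the next maintainer.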
@@ -15,6 +15,7 @@ options:
 pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 cis_rhel8: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+ cis_rhel9: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 cis_ubuntu2004: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var
index 1caca07a64c..824888a7e99 100644
--- a/linux_os/guide/services/ssh/sshd_strong_macs.var
+++ b/linux_os/guide/services/ssh/sshd_strong_macs.var
@@ -14,6 +14,7 @@ options:
 default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
 cis_rhel7: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
+ cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
From c9c0d30ae5acc056359988423510fe6fd04db379 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Thu, 13 Jun 2024 15:43:18 +0200
Subject: [PATCH 33/61] CIS RHEL9 v2.0.0 - 5.2 Configure privilege escalation
Signed-off-by: Marcus Burghardt
---
 controls/cis_rhel9.yml | 142 ++++++++++++++++++++---------------------
 1 file changed, 70 insertions(+), 72 deletions(-)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 465df673f7f..7dc1bfa1e76 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -1715,6 +1715,76 @@ controls: rules: - sshd_enable_pam + - id: 5.2.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_sudo_installed + + - id: 5.2.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_add_use_pty + + - id: 5.2.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_custom_logfile + + - id: 5.2.4 + title: Ensure users must provide password for escalation (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - sudo_require_authentication + + - id: 5.2.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.2.6 + title: Ensure sudo authentication timeout is configured correctly (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_require_reauthentication + + - id: 5.2.7 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. + rules: + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
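Review bot: 5.2.5 and 5.2.6 select the same single rule, `sudo_require_reauthentication`, so 5.2.6 ("authentication timeout is configured correctly") is only covered if that rule also bounds `timestamp_timeout`, which this hunk does not show. If the rule takes a timeout variable, pin it next to the rule the way the neighbouring controls pin theirs; otherwise mark 5.2.6 `partial` with a note, because a `timestamp_timeout` above the benchmark ceiling (or a negative value, which keeps the cached credential until reboot) would pass silently. The 5.2.7 note reads better as `Members of the "wheel" group, or of GID 0, are accepted by default when pam_wheel.so has no group option; the recommendation wants that group empty so that sudo is the only privileged path.`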
@@ -2259,78 +2329,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - - - id: 5.3.1 - title: Ensure sudo is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_sudo_installed - - - id: 5.3.2 - title: Ensure sudo commands use pty (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sudo_add_use_pty - - - id: 5.3.3 - title: Ensure sudo log file exists (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sudo_custom_logfile - - - id: 5.3.4 - title: Ensure users must provide password for escalation (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - sudo_require_authentication - - - id: 5.3.5 - title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sudo_require_reauthentication - - - id: 5.3.6 - title: Ensure sudo authentication timeout is configured correctly (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - sudo_require_reauthentication - - - id: 5.3.7 - title: Ensure access to the su command is restricted (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - Members of "wheel" or GID 0 groups are checked by default if the group option is not set for - pam_wheel.so module. The recommendation states the group should be empty to reinforce the - use of "sudo" for privileged access. Therefore, members of these groups should be manually - checked or a different group should be informed. - rules: - - var_pam_wheel_group_for_su=cis - - use_pam_wheel_group_for_su - - ensure_pam_wheel_group_empty - - id: 5.4.1 title: Ensure custom authselect profile is used (Manual) levels: From 325e8b7fcc4b3aa1e0ae4054f790b93571fb8e34 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Thu, 13 Jun 2024 15:49:27 +0200 Subject: [PATCH 34/61] CIS RHEL9 v2.0.0 - 5.3.1 Configure PAM software packages Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 7dc1bfa1e76..07cacd922ee 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1785,6 +1785,35 @@ controls: - use_pam_wheel_group_for_su - ensure_pam_wheel_group_empty + - id: 5.3.1.1 + title: Ensure latest version of pam is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure PAM package is updated. + + - id: 5.3.1.2 + title: Ensure latest version of authselect is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure authselect package is updated. + + - id: 5.3.1.3 + title: Ensure latest version of libpwquality is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure libpwquality package is updated. + rules: + - package_pam_pwquality_installed + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: From 11cce126898a98bc8fdea3d9bd9d51ef67bcb1ee Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 16:02:53 +0200 Subject: [PATCH 35/61] CIS RHEL9 v2.0.0 - 5.3.2 Configure authselect Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 85 +++++++++++++++++++++++++++++++----------- 1 file changed, 64 insertions(+), 21 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 07cacd922ee..88bf0c136e9 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
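Review bot: 5.3.1.3 is `status: pending` yet selects `package_pam_pwquality_installed` under `rules:`, while its two siblings are `pending` with no rule; either the status should say that an install check is already enforced (5.3.2.1 later in this series uses `partial` for exactly that situation) or the rule belongs under `related_rules:` until a version check exists. The three notes also read awkwardly: `It is necessary a new rule to ensure PAM package is updated.` should be `A new rule is needed to verify the pam package is at the latest available version.` (and likewise for authselect and libpwquality). A "latest version" check needs repository metadata at scan time, so the eventual note should say which baseline the rule will compare against.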
@@ -1814,6 +1814,70 @@ controls: rules: - package_pam_pwquality_installed + - id: 5.3.2.1 + title: Ensure active authselect profile includes pam modules (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + This requirement is hard to be automated without any specific requirement. The policy even + states that provided commands are examples, other custom settings might be in place and the + settings might be different depending on site policies. The other rules will already make + sure there is a correct autheselect profile regardless of the existing settings. It is + necessary to better discuss with CIS Community. + related_rules: + - no_empty_passwords + + - id: 5.3.2.2 + title: Ensure pam_faillock module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.3.3.1. + rules: + - account_password_pam_faillock_password_auth + - account_password_pam_faillock_system_auth + + - id: 5.3.2.3 + title: Ensure pam_pwquality module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is also indirectly satisfied by the requirement 5.3.3.2. + related_rules: + - package_pam_pwquality_installed + + - id: 5.3.2.4 + title: Ensure pam_pwhistory module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The module is properly enabled by the rules mentioned in related_rules. + Requirements in 5.3.3.3 use these rules. + related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + + - id: 5.3.2.5 + title: Ensure pam_unix module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + This module is always present by default. It is necessary to investigate if a new rule to + check its existence needs to be created. 
But so far the rule no_empty_passwords, used in + 5.3.3.4 can ensure this requirement is attended. + related_rules: + - no_empty_passwords + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2358,27 +2422,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.4.1 - title: Ensure custom authselect profile is used (Manual) - levels: - - l1_server - - l1_workstation - status: manual - rules: - - no_empty_passwords - - - id: 5.4.2 - title: Ensure authselect includes with-faillock (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - This requirement is also indirectly satisfied by the requirement 5.5.2. - rules: - - account_password_pam_faillock_password_auth - - account_password_pam_faillock_system_auth - - id: 5.5.1 title: Ensure password creation requirements are configured (Automated) levels: From 01d68fe7ed2559afbdfae7e15a19c6108363f237 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 16:07:39 +0200 Subject: [PATCH 36/61] CIS RHEL9 v2.0.0 - 5.3.3.1 Configure pam_faillock module Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 45 +++++++++++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 88bf0c136e9..5fda5d60b49 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
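Review bot: 5.3.2.3 is `status: automated` with only `package_pam_pwquality_installed` as a related rule, but an installed package does not show that `pam_pwquality.so` is wired into the active authselect profile, which is what the title asks for; 5.3.2.2 selects the faillock rules directly, and 5.3.2.4 at least names the pwhistory rules that 5.3.3.3.1 selects. If the claim is that the 5.3.3.2.x pwquality rules enforce module presence as a side effect, say so in the note and name one of them so the `automated` status is auditable; otherwise `partial`, as in 5.3.2.1 and 5.3.2.5, fits better. Also in the 5.3.2.1 note: `autheselect` → `authselect` and `hard to be automated` → `hard to automate`.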
@@ -1878,6 +1878,39 @@ controls: related_rules: - no_empty_passwords + - id: 5.3.3.1.1 + title: Ensure password failed attempts lockout is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=5 + + - id: 5.3.3.1.2 + title: Ensure password unlock time is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The policy also accepts value 0, which means the locked accounts should be manually unlocked + by an administrator. However, it also mentions that using value 0 can facilitate a DoS + attack to legitimate users. + rules: + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 + + - id: 5.3.3.1.3 + title: Ensure password failed attempts lockout includes root account (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_deny_root + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2440,18 +2473,6 @@ controls: - var_password_pam_minclass=4 - var_password_pam_minlen=14 - - id: 5.5.2 - title: Ensure lockout for failed password attempts is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 5.5.3 title: Ensure password reuse is limited (Automated) levels: From 7469a3f55be1ce760406e8336f6d71c2a3f8e95a Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 16:15:36 +0200 Subject: [PATCH 37/61] CIS RHEL9 v2.0.0 - 5.3.3.2 Configure pam_pwquality module Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 97 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 79 insertions(+), 18 deletions(-) 
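Review bot: The DoS caveat written on 5.3.3.1.2 applies with more force to 5.3.3.1.3, which this hunk adds without a note: once root is subject to the lockout, a credential-guessing run against root locks the account for the full `unlock_time`, and with `unlock_time = 0` it stays locked until an administrator intervenes — self-inflicted lock-out on a host where root is the recovery account. Suggest a note on 5.3.3.1.3 such as `Root lockout honours the unlock_time from 5.3.3.1.2; keep that value finite or make sure a separate recovery path (console, break-glass account) exists before enabling this L2 control.` The change of `deny` from 3 to 5 is not called out anywhere; a one-line note that it follows the v2.0.0 value would help anyone diffing against v1.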
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 5fda5d60b49..912ff09448e 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -1911,6 +1911,85 @@ controls: rules: - accounts_passwords_pam_faillock_deny_root + - id: 5.3.3.2.1 + title: Ensure password number of changed characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_difok + - var_password_pam_difok=2 + + - id: 5.3.3.2.2 + title: Ensure password length is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_minlen + - var_password_pam_minlen=14 + + - id: 5.3.3.2.3 + title: Ensure password complexity is configured (Manual) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is expected to be manual. However, in previous versions of the policy + it was already automated the configuration of "minclass" option. This posture was kept for + RHEL 9 in this new version. Rules related to other options are informed in related_rules. + In short, minclass=4 alone can achieve the same result achieved by the combination of the + other 4 options mentioned in the policy. + rules: + - accounts_password_pam_minclass + - var_password_pam_minclass=4 + related_rules: + - accounts_password_pam_dcredit + - accounts_password_pam_lcredit + - accounts_password_pam_ocredit + - accounts_password_pam_ucredit + + - id: 5.3.3.2.4 + title: Ensure password same consecutive characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_maxrepeat + - var_password_pam_maxrepeat=3 + + - id: 5.3.3.2.5 + title: Ensure password maximum sequential characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: planned + notes: |- + A new templated rule and variable are necessary for the maxsequence option. 
+ + - id: 5.3.3.2.6 + title: Ensure password dictionary check is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_dictcheck + - var_password_pam_dictcheck=1 + + - id: 5.3.3.2.7 + title: Ensure password quality is enforced for the root user (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_enforce_root + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2455,24 +2534,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.5.1 - title: Ensure password creation requirements are configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - The Benchmark mentions that the try_first_pass option should be included in pam_pwquality.so - module. However, the pam_pwquality.so module, by default, is always the first module from in - the PAM password stack. Therefore, the option is useless and not necessary. It was already - proposed to update the requirement in the next CIS version. - rules: - - accounts_password_pam_minclass - - accounts_password_pam_minlen - - accounts_password_pam_retry - - var_password_pam_minclass=4 - - var_password_pam_minlen=14 - - id: 5.5.3 title: Ensure password reuse is limited (Automated) levels: From 833a60247896243bf03ca82a6a90a2a6c174159f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 16:23:55 +0200 Subject: [PATCH 38/61] CIS RHEL9 v2.0.0 - 5.3.3.3 Configure pam_pwhistory module Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 58 ++++++++++++++++++++++++++++++------------ 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 912ff09448e..0483d54b610 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
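Review bot: The removed 5.5.1 selected `accounts_password_pam_retry`, and nothing in the new 5.3.3.2.x block selects it, so the `retry` bound on pam_pwquality is silently dropped by this commit; if v2.0.0 still expects `retry` to be set, re-add the rule under the control that owns it, otherwise record in a note that the requirement was dropped so the omission reads as intentional. The 5.3.3.2.3 note justifies `minclass=4` as equivalent to the four credit options, which only holds when each credit is `-1` (at least one character of every class); spelling that out, e.g. `minclass=4 is equivalent to dcredit/ucredit/ocredit/lcredit all set to -1`, would pre-empt site-policy confusion when the related credit rules are used instead. Its title still carries `(Manual)` while `status` is `automated`; the note explains why, but the mismatch is worth a word in the note itself.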
@@ -1990,6 +1990,48 @@ controls: rules: - accounts_password_pam_enforce_root + - id: 5.3.3.3.1 + title: Ensure password history remember is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure + retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry + can be used. + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=24 + related_rules: + - accounts_password_pam_retry + + - id: 5.3.3.3.2 + title: Ensure password history is enforced for the root user (Automated) + levels: + - l1_server + - l1_workstation + status: planned + notes: |- + A new rule needs to be created to check and remediate the enforce_for_root option in + /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. + + - id: 5.3.3.3.3 + title: Ensure pam_pwhistory includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + In RHEL 9 pam_pwhistory is enabled via authselect feature, as required in 5.3.2.4. The + feature automatically set "use_authok" option. In any case, we don't have a rule to check + this option specifically. + related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
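Review bot: The 5.3.3.3.3 note spells the option `use_authok`; the pam_pwhistory option is `use_authtok`, and since this note is the only documentation of why the control is `partial`, the typo will mislead whoever writes the missing rule. Suggested wording: `In RHEL 9 pam_pwhistory is enabled through the authselect feature required by 5.3.2.4, which sets use_authtok automatically; no rule checks the option explicitly yet.` The 5.3.3.3.1 note also needs `If come in the future` → `If such a requirement is added`, and `remember` moving from 5 to 24 deserves a one-line mention that it follows the v2.0.0 value.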
@@ -2534,22 +2576,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.5.3 - title: Ensure password reuse is limited (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. - See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=5 - - id: 5.5.4 title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) levels: From ddd87594c41a625a83b3c1bd09d334bd56a8977c Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 13 Jun 2024 16:33:53 +0200 Subject: [PATCH 39/61] CIS RHEL9 v2.0.0 - 5.3.3.4 Configure pam_unix module Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 59 +++++++++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 12 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 0483d54b610..02a7805f2d9 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2032,6 +2032,53 @@ controls: - accounts_password_pam_pwhistory_remember_password_auth - accounts_password_pam_pwhistory_remember_system_auth + - id: 5.3.3.4.1 + title: Ensure pam_unix does not include nullok (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The rule more specifically used in this requirement also satify the requirement 5.3.2.5. + rules: + - no_empty_passwords + + - id: 5.3.3.4.2 + title: Ensure pam_unix does not include remember (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not + recommened by this policy. Instead, it should be used remember option of pam_pwhistory + module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + A new rule needs to be created to remove the remember option from pam_unix module. + + - id: 5.3.3.4.3 + title: Ensure pam_unix includes a strong password hashing algorithm (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4 + rules: + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + + - id: 5.3.3.4.4 + title: Ensure pam_unix includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + In RHEL 9 pam_unix is enabled by default in all authselect profiles already with the + use_authtok option set. In any case, we don't have a rule to check this option specifically, + like in 5.3.3.3.3. + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
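Review bot: 5.3.3.4.3 selects `set_password_hashing_algorithm_systemauth` and `set_password_hashing_algorithm_passwordauth` without any hashing-algorithm variable, whereas the removed 5.5.4 (deleted in this same patch) carried `var_password_hashing_algorithm=SHA512` next to those same rules, so after this commit the variable is no longer selected anywhere visible in the file. If the two PAM rules are parameterized by that variable (or a PAM-specific sibling), the control no longer pins the algorithm on its own and a consumer gets the rule default; either re-add the variable selection here or state in `notes:` that the PAM rules hard-code the algorithm. The notes also need `satisfy` for `satify`, `recommended` for `recommened`, and `the remember option of the pam_pwhistory module should be used instead` for `it should be used remember option of pam_pwhistory module`.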
@@ -2576,18 +2623,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.5.4 - title: Ensure password hashing algorithm is SHA-512 or yescrypt (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 - - id: 5.6.1.1 title: Ensure password expiration is 365 days or less (Automated) levels: From 17e9763f2881bc109a6491f23a0f56c5cd99bba9 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 09:25:33 +0200 Subject: [PATCH 40/61] CIS RHEL9 v2.0.0 - 5.4.1 Configure shadow password suite parameters Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 117 ++++++++++++++++++++++------------------- 1 file changed, 64 insertions(+), 53 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 02a7805f2d9..2b8a69fe8ae 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2079,6 +2079,70 @@ controls: use_authtok option set. In any case, we don't have a rule to check this option specifically, like in 5.3.3.3.3. + - id: 5.4.1.1 + title: Ensure password expiration is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing + + - id: 5.4.1.2 + title: Ensure minimum password days is configured (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=1 + - accounts_password_set_min_life_existing + + - id: 5.4.1.3 + title: Ensure password expiration warning days is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing + + - id: 5.4.1.4 + title: Ensure strong password hashing algorithm is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + + - id: 5.4.1.5 + title: Ensure inactive password lock is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - account_disable_post_pw_expiration + - accounts_set_post_pw_existing + - var_account_disable_post_pw_expiration=45 + + - id: 5.4.1.6 + title: Ensure all users last password change date is in the past (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_last_change_is_in_past + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
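Review bot: 5.4.1.2 moves minimum password days from l1 (the removed 5.6.1.2) to l2, and 5.4.1.5 relaxes `var_account_disable_post_pw_expiration` from 30 to 45, but neither change is recorded in a `notes:` block. If both follow the v2.0.0 Benchmark text that is fine, but a profile consumer comparing against the previous mapping will see an unexplained weakening of the L1 profile; a one-line note such as `Level and threshold follow CIS RHEL9 v2.0.0; the previous mapping required 30 days at L1.` on 5.4.1.5 (and a matching one on 5.4.1.2) would make the change auditable.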
@@ -2623,59 +2687,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.6.1.1 - title: Ensure password expiration is 365 days or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=365 - - accounts_password_set_max_life_existing - - - id: 5.6.1.2 - title: Ensure minimum days between password changes is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=1 - - accounts_password_set_min_life_existing - - - id: 5.6.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 - - accounts_password_set_warn_age_existing - - - id: 5.6.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=30 - - accounts_set_post_pw_existing - - - id: 5.6.1.5 - title: Ensure all users last password change date is in the past (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_password_last_change_is_in_past - - id: 5.6.2 title: Ensure system accounts are secured (Automated) levels: From e88c32a58ab4a48fbb7195c30fe7aa6bce14cc3b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 09:57:08 +0200 Subject: [PATCH 41/61] CIS RHEL9 v2.0.0 - 5.4.2 Configure root and system accounts and environment Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 121 ++++++++++++++++++++++++++++------------- 1 file changed, 82 insertions(+), 39 deletions(-) 
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 2b8a69fe8ae..cd9e8e6cc1f 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2143,6 +2143,88 @@ controls: rules: - accounts_password_last_change_is_in_past + - id: 5.4.2.1 + title: Ensure root is the only UID 0 account (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_no_uid_except_zero + + - id: 5.4.2.2 + title: Ensure root is the only GID 0 account (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + Introduced in CIS RHEL9 v2.0.0. + The rule confirms the primary group for root, but doesn't check if any other user are also + using GID 0. New rule is necessary. + There is assessment but no automated remediation for this rule and this sounds reasonable. + rules: + - accounts_root_gid_zero + + - id: 5.4.2.3 + title: Ensure group root is the only GID 0 group (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Introduced in CIS RHEL9 v2.0.0. + New rule is necessary. + + - id: 5.4.2.4 + title: Ensure root account access is controlled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - ensure_root_password_configured + + - id: 5.4.2.5 + title: Ensure root path integrity (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_root_path_dirs_no_write + - root_path_no_dot + + - id: 5.4.2.6 + title: Ensure root user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have + to be created. It can be based on accounts_umask_interactive_users. 
+ + - id: 5.4.2.7 + title: Ensure system accounts do not have a valid login shell (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts + + - id: 5.4.2.8 + title: Ensure accounts without a valid login shell are locked (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Introduced in CIS RHEL9 v2.0.0. + New rule is necessary. + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2687,16 +2769,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.6.2 - title: Ensure system accounts are secured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts - - id: 5.6.3 title: Ensure default user shell timeout is 900 seconds or less (Automated) levels: @@ -2728,16 +2800,6 @@ controls: - accounts_umask_etc_profile - var_accounts_user_umask=027 - - id: 5.6.6 - title: Ensure root password is set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - ensure_root_password_configured - - no_empty_passwords_etc_shadow - - id: 1.3.1 title: Ensure AIDE is installed (Automated) levels: @@ -2983,25 +3045,6 @@ controls: rules: - group_unique_name - - id: 6.2.8 - title: Ensure root PATH Integrity (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_path_dirs_no_write - - root_path_no_dot - - - id: 6.2.9 - title: Ensure root is the only UID 0 account (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_no_uid_except_zero - - id: 6.2.10 title: Ensure local interactive user home directories exist (Automated) levels: From ef0c90f9249819708b1e6b1e5bc483b365289016 Mon Sep 17 00:00:00 2001 
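Review bot: `no_empty_passwords_etc_shadow`, which the removed 5.6.6 selected alongside `ensure_root_password_configured`, is not carried into 5.4.2.4 or any other control in this hunk, so unless it is re-homed in a hunk outside this chunk the profile stops checking /etc/shadow for empty password fields. That check is independent of the PAM `nullok` check in 5.3.3.4.1 — without `nullok` pam_unix refuses the login, but an empty hash in /etc/shadow is still a misconfiguration worth flagging — so adding `- no_empty_passwords_etc_shadow` under the 5.4.2.4 `rules:` (or under 5.3.3.4.1) would preserve it. Separately, the 5.4.2.2 note should read `doesn't check whether any other user is also using GID 0`.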
From: Marcus Burghardt Date: Fri, 14 Jun 2024 10:04:23 +0200 Subject: [PATCH 42/61] CIS RHEL9 v2.0.0 - 5.4.3 Configure user default environment Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 64 +++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index cd9e8e6cc1f..c815c095e6a 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2159,7 +2159,6 @@ controls: - l1_workstation status: partial notes: |- - Introduced in CIS RHEL9 v2.0.0. The rule confirms the primary group for root, but doesn't check if any other user are also using GID 0. New rule is necessary. There is assessment but no automated remediation for this rule and this sounds reasonable. @@ -2225,6 +2224,38 @@ controls: Introduced in CIS RHEL9 v2.0.0. New rule is necessary. + - id: 5.4.3.1 + title: Ensure nologin is not listed in /etc/shells (Automated) + levels: + - l2_server + - l2_workstation + status: pending + notes: |- + It is necessary to create a new rule to check and remove nologin from /etc/shells. + The no_tmux_in_shells rule can be used as referece. + + - id: 5.4.3.2 + title: Ensure default user shell timeout is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_tmout + - var_accounts_tmout=15_min + + - id: 5.4.3.3 + title: Ensure default user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
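Review bot: The 5.4.3.1 note has a typo (`referece`) and, since the control is `pending` with no rule, that note is the only pointer the implementer has, so it should read `The no_tmux_in_shells rule can be used as reference.` A wording-only change inside the `notes:` block.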
@@ -2769,37 +2800,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 5.6.3 - title: Ensure default user shell timeout is 900 seconds or less (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_tmout - - var_accounts_tmout=15_min - - - id: 5.6.4 - title: Ensure default group for the root account is GID 0 (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_gid_zero - - - id: 5.6.5 - title: Ensure default user umask is 027 or more restrictive (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - var_accounts_user_umask=027 - - id: 1.3.1 title: Ensure AIDE is installed (Automated) levels: From 4d88d52f66104ef0de9e4f8a0175f8d8cf5603af Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 10:10:57 +0200 Subject: [PATCH 43/61] CIS RHEL9 v2.0.0 - 6.1 Configure Integrity Checking Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 60 +++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index c815c095e6a..f44562004d1 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2256,6 +2256,36 @@ controls: - accounts_umask_etc_profile - var_accounts_user_umask=027 + - id: 6.1.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_aide_installed + - aide_build_database + + - id: 6.1.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - aide_periodic_cron_checking + + - id: 6.1.3 + title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - aide_check_audit_tools + related_rules: + - aide_use_fips_hashes + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2800,36 +2830,6 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 1.3.1 - title: Ensure AIDE is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_aide_installed - - aide_build_database - - - id: 1.3.2 - title: Ensure filesystem integrity is regularly checked (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_periodic_cron_checking - - - id: 1.3.3 - title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_check_audit_tools - related_rules: - - aide_use_fips_hashes - - id: 6.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) levels: From 258eb019c81b01031d1b26697fa33ded40ef120b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 10:21:43 +0200 Subject: [PATCH 44/61] CIS RHEL9 v2.0.0 - 6.2.1 Configure systemd-journald service Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 62 ++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 30 deletions(-) 
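Review bot: After this hunk the file carries two controls with `id: 6.1.1` — the new `Ensure AIDE is installed` and the pre-existing `Ensure permissions on /etc/passwd are configured`, which is still present as a context line in the deletion hunk below — and very likely the same collision for 6.1.2 and 6.1.3. Duplicate control ids in one control file are at best rejected by the build and at worst silently resolved to a single entry, so the old 6.1.x section should be renumbered in the same commit (or the AIDE section introduced only after that renumbering) so that no intermediate commit in the series is ambiguous.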
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index f44562004d1..4889d15da90 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2286,6 +2286,38 @@ controls: related_rules: - aide_use_fips_hashes + - id: 6.2.1.1 + title: Ensure journald service is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - service_systemd-journald_enabled + + - id: 6.2.1.2 + title: Ensure journald log file access is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.2.1.3 + title: Ensure journald log file rotation is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.2.1.4 + title: Ensure only one logging system is in use (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary to create a new rule to check the status of journald and rsyslog. + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2705,13 +2737,6 @@ controls: rules: - rsyslog_filecreatemode - - id: 4.2.1.5 - title: Ensure logging is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - id: 4.2.1.6 title: Ensure rsyslog is configured to send logs to a remote log host (Manual) levels: @@ -2760,15 +2785,6 @@ controls: rules: - socket_systemd-journal-remote_disabled - - id: 4.2.2.2 - title: Ensure journald service is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_systemd-journald_enabled - - id: 4.2.2.3 title: Ensure journald is configured to compress large log files (Automated) levels: 
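Review bot: The 6.2.1.4 note (`check the status of journald and rsyslog`) does not say which logging system this profile intends to be the single one in use, yet at this point the file still automates both `service_systemd-journald_enabled` (6.2.1.1) and the rsyslog controls 4.2.1.1/4.2.1.2 (moved by a later patch in the series). That decision is what makes 6.2.1.4 automatable, so record it here if it is the intent, e.g. `This profile keeps rsyslog as the logging system and forwards journald to it; a rule is needed to check that no second collector (e.g. systemd-journal-upload) is active alongside it.` Also, 6.2.1.1 is titled `enabled and active` but its only rule is `service_systemd-journald_enabled`; confirm the service template also asserts the active state, otherwise note the gap.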
@@ -2794,20 +2810,6 @@ controls: - l1_workstation status: manual - - id: 4.2.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 4.2.2.7 - title: Ensure journald default file permissions configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - id: 4.2.3 title: Ensure all logfiles have appropriate permissions and ownership (Automated) levels: From c932e112f84cc1fa71c7df17650f79c8a1e74c62 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 10:33:24 +0200 Subject: [PATCH 45/61] CIS RHEL9 v2.0.0 - 6.2.2.1 Configure systemd-journal-remote Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 65 +++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 4889d15da90..dbd67725b68 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2318,6 +2318,41 @@ controls: notes: |- It is necessary to create a new rule to check the status of journald and rsyslog. + - id: 6.2.2.1.1 + title: Ensure systemd-journal-remote is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_systemd-journal-remote_installed + + - id: 6.2.2.1.2 + title: Ensure systemd-journal-upload authentication is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.2.2.1.3 + title: Ensure systemd-journal-upload is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Introduced in CIS RHEL9 v2.0.0. + New templated rule is necessary. + + - id: 6.2.2.1.4 + title: Ensure systemd-journal-remote service is not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - socket_systemd-journal-remote_disabled + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
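Review bot: 6.2.2.1.4 is titled `systemd-journal-remote service is not in use` but its only rule is `socket_systemd-journal-remote_disabled`, which by its name covers the socket unit; the package that 6.2.2.1.1 now requires also ships `systemd-journal-remote.service`, which can be started directly without the socket. If the rule really only handles the socket, a service rule — or a `notes:` entry such as `The socket rule alone does not disable systemd-journal-remote.service; a service rule is needed.` — is required for the control to match its title. The removed 4.2.2.1.4 had the same single rule, so this is a pre-existing gap rather than one introduced here, but the rename to "service is not in use" makes it more visible.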
@@ -2755,36 +2790,6 @@ controls: rules: - rsyslog_nolisten - - id: 4.2.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 4.2.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 4.2.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 4.2.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - socket_systemd-journal-remote_disabled - - id: 4.2.2.3 title: Ensure journald is configured to compress large log files (Automated) levels: From eb51b88b6d3c5803ecf854283d2bc37a288493e7 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 10:48:09 +0200 Subject: [PATCH 46/61] CIS RHEL9 v2.0.0 - 6.2.2 Configure journald Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 47 ++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index dbd67725b68..b2bf0648359 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2353,6 +2353,35 @@ controls: rules: - socket_systemd-journal-remote_disabled + - id: 6.2.2.2 + title: Ensure journald ForwardToSyslog is disabled (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + This rule conflicts with 6.2.3.3. More investigation is needed to properly solve this. + related_rules: + - journald_forward_to_syslog + + - id: 6.2.2.3 + title: Ensure journald Compress is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - journald_compress + + - id: 6.2.2.4 + title: Ensure journald Storage is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - journald_storage + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: @@ -2790,24 +2819,6 @@ controls: rules: - rsyslog_nolisten - - id: 4.2.2.3 - title: Ensure journald is configured to compress large log files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_compress - - - id: 4.2.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_storage - - id: 4.2.2.5 title: Ensure journald is not configured to send logs to rsyslog (Manual) levels: From c995a575763246cdcfec1915f1f228fc62d46cb6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 11:00:12 +0200 Subject: [PATCH 47/61] CIS RHEL9 v2.0.0 - 6.2.3 Configure rsyslog Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 166 ++++++++++++++++++++--------------------- 1 file changed, 83 insertions(+), 83 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index b2bf0648359..edc6096e02b 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
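Review bot: 6.2.2.2 is left `pending` with a note that it conflicts with 6.2.3.3, but 6.2.3.3 does not exist at this commit (it is added by the next patch; the conflicting control here is still 4.2.1.3), and the note does not say how the conflict is to be resolved. The Benchmark presumably treats 6.2.2 (journald) and 6.2.3 (rsyslog) as alternative logging designs, so the control file should state the branch this profile implements and mark the other branch's mutually exclusive controls accordingly, e.g. `notes: |- This profile implements the rsyslog design (journald forwards to rsyslog), so ForwardToSyslog must stay enabled and this control is intentionally not applied.` A `pending` status reads as unfinished work rather than a deliberate design choice.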
@@ -2382,6 +2382,89 @@ controls: rules: - journald_storage + - id: 6.2.3.1 + title: Ensure rsyslog is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_rsyslog_installed + + - id: 6.2.3.2 + title: Ensure rsyslog service is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - service_rsyslog_enabled + + - id: 6.2.3.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - journald_forward_to_syslog + + - id: 6.2.3.4 + title: Ensure rsyslog log file creation mode is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - rsyslog_filecreatemode + + - id: 6.2.3.5 + title: Ensure rsyslog logging is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.2.3.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - rsyslog_remote_loghost + + - id: 6.2.3.7 + title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - rsyslog_nolisten + + - id: 6.2.3.8 + title: Ensure rsyslog logrotate is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled + + - id: 4.2.3 + title: Ensure all logfiles have appropriate permissions and ownership (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - rsyslog_files_groupownership + - rsyslog_files_ownership + - rsyslog_files_permissions + - id: 4.1.1.1 title: Ensure auditd is installed (Automated) levels: 
@@ -2765,89 +2848,6 @@ controls: rules: - file_groupownership_audit_binaries - - id: 4.2.1.1 - title: Ensure rsyslog is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_rsyslog_installed - - - id: 4.2.1.2 - title: Ensure rsyslog Service is enabled (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_rsyslog_enabled - - - id: 4.2.1.3 - title: Ensure journald is configured to send logs to rsyslog (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - journald_forward_to_syslog - - - id: 4.2.1.4 - title: Ensure rsyslog default file permissions configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_filecreatemode - - - id: 4.2.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) - levels: - - l1_server - - l1_workstation - status: automated - related_rules: - - rsyslog_remote_loghost - - - id: 4.2.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_nolisten - - - id: 4.2.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 4.2.3 - title: Ensure all logfiles have appropriate permissions and ownership (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - rsyslog_files_groupownership - - rsyslog_files_ownership - - rsyslog_files_permissions - - - id: 4.3 - title: Ensure logrotate is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled - - id: 6.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) levels: 
From 287d417ef5d4d3f06d0995e5b23385685a39f283 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 11:01:55 +0200 Subject: [PATCH 48/61] CIS RHEL9 v2.0.0 - 6.2.4 Configure Logfiles Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index edc6096e02b..1dc8d57562f 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2454,8 +2454,8 @@ controls: - package_logrotate_installed - timer_logrotate_enabled - - id: 4.2.3 - title: Ensure all logfiles have appropriate permissions and ownership (Automated) + - id: 6.2.4.1 + title: Ensure access to all logfiles has been configured (Automated) levels: - l1_server - l1_workstation From f55d0d3a87ee0e5147c1b99f039f5d56dd26a418 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 11:05:11 +0200 Subject: [PATCH 49/61] CIS RHEL9 v2.0.0 - 6.3.1 Configure auditd Service Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 1dc8d57562f..782e80f4e82 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2465,16 +2465,17 @@ controls: - rsyslog_files_ownership - rsyslog_files_permissions - - id: 4.1.1.1 - title: Ensure auditd is installed (Automated) + - id: 6.3.1.1 + title: Ensure auditd packages are installed (Automated) levels: - l2_server - l2_workstation status: automated rules: - package_audit_installed + - package_audit-libs_installed - - id: 4.1.1.2 + - id: 6.3.1.2 title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - l2_server @@ -2483,7 +2484,7 @@ controls: rules: - grub2_audit_argument - - id: 4.1.1.3 + - id: 6.3.1.3 title: Ensure audit_backlog_limit is sufficient (Automated) levels: - l2_server 
@@ -2492,8 +2493,8 @@ controls: rules: - grub2_audit_backlog_limit_argument - - id: 4.1.1.4 - title: Ensure auditd service is enabled (Automated) + - id: 6.3.1.4 + title: Ensure auditd service is enabled and active (Automated) levels: - l2_server - l2_workstation From 25aaf5235e03c675149ae7a5ecfae13f38542850 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 11:16:02 +0200 Subject: [PATCH 50/61] CIS RHEL9 v2.0.0 - 6.3.2 Configure Data Retention Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 22 ++++++++++++++----- .../var_auditd_admin_space_left_action.var | 1 + .../var_auditd_disk_error_action.var | 1 + .../var_auditd_disk_full_action.var | 1 + .../var_auditd_space_left_action.var | 1 + 5 files changed, 21 insertions(+), 5 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 782e80f4e82..596ff1580d2 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2502,7 +2502,7 @@ controls: rules: - service_auditd_enabled - - id: 4.1.2.1 + - id: 6.3.2.1 title: Ensure audit log storage size is configured (Automated) levels: - l2_server @@ -2512,7 +2512,7 @@ controls: - auditd_data_retention_max_log_file - var_auditd_max_log_file=6 - - id: 4.1.2.2 + - id: 6.3.2.2 title: Ensure audit logs are not automatically deleted (Automated) levels: - l2_server 
@@ -2522,19 +2522,31 @@ controls: - auditd_data_retention_max_log_file_action - var_auditd_max_log_file_action=keep_logs - - id: 4.1.2.3 + - id: 6.3.2.3 title: Ensure system is disabled when audit logs are full (Automated) levels: - l2_server - l2_workstation status: automated + rules: + - auditd_data_disk_error_action + - auditd_data_disk_full_action + - var_auditd_disk_error_action=cis_rhel9 + - var_auditd_disk_full_action=cis_rhel9 + + - id: 6.3.2.4 + title: Ensure system warns when audit logs are low on space (Automated) + levels: + - l2_server + - l2_workstation + status: automated rules: - auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action - auditd_data_retention_space_left_action - var_auditd_action_mail_acct=root - - var_auditd_admin_space_left_action=halt - - var_auditd_space_left_action=email + - var_auditd_admin_space_left_action=cis_rhel9 + - var_auditd_space_left_action=cis_rhel9 - id: 4.1.3.1 title: Ensure changes to system administration scope (sudoers) is collected (Automated) diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var index 1f7a6968a02..fd60e0ce24b 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var @@ -20,3 +20,4 @@ options: ignore: ignore cis_rhel7: single|halt cis_rhel8: single|halt + cis_rhel9: single|halt diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var index 5a20593197a..200609182d4 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var 
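Review bot: The new selectors `var_auditd_disk_error_action=cis_rhel9`, `var_auditd_disk_full_action=cis_rhel9`, `var_auditd_admin_space_left_action=cis_rhel9` and `var_auditd_space_left_action=cis_rhel9` all point at alternation options (`halt|single`, `syslog|single|halt`, `email|exec|single|halt`) added in the four `.var` hunks of this commit, replacing the previous concrete values `halt` and `email`. That is fine for a check that treats the option as a pattern, but a remediation that writes the option verbatim would produce e.g. `disk_full_action = halt|single`, which is not a valid auditd.conf value; confirm the Bash and Ansible fixes for these rules reduce the alternation to one action. A short `notes:` on 6.3.2.3 stating which concrete action the remediation applies would make the intent explicit to the next reader.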
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var @@ -23,3 +23,4 @@ options: rhel8: syslog|single|halt cis_rhel7: syslog|single|halt cis_rhel8: syslog|single|halt + cis_rhel9: syslog|single|halt diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var index a911ab727b0..5d6f1f423cc 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var @@ -24,3 +24,4 @@ options: rhel8: syslog|single|halt cis_rhel7: halt|single cis_rhel8: syslog|single|halt + cis_rhel9: halt|single diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var index 84ccf94caa2..87a744d6e8f 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var @@ -20,3 +20,4 @@ options: ignore: ignore cis_rhel7: email|exec|single|halt cis_rhel8: email|exec|single|halt + cis_rhel9: email|exec|single|halt From 5f8587fd913cf111e0859ccad4504745b309e11d Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 11:38:15 +0200 Subject: [PATCH 51/61] CIS RHEL9 v2.0.0 - 6.3.3 Configure auditd Rules Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 65 +++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 596ff1580d2..9f6f7725140 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
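Review bot: In var_auditd_disk_full_action.var the new `cis_rhel9: halt|single` is narrower than the adjacent `cis_rhel8: syslog|single|halt` and mirrors `cis_rhel7: halt|single`, while the parallel disk_error_action hunk keeps `syslog` for all three releases. Presumably this follows the v2.0.0 wording of 6.3.2.3 ("system is disabled when audit logs are full"), where `syslog` would not disable anything, but three adjacent lines that differ in this way invite a future "harmonisation" edit. A comment above the new line recording the reason, e.g. `# CIS RHEL 9 v2.0.0 only accepts actions that disable the system here`, would protect the narrower value.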
@@ -2548,7 +2548,7 @@ controls: - var_auditd_admin_space_left_action=cis_rhel9 - var_auditd_space_left_action=cis_rhel9 - - id: 4.1.3.1 + - id: 6.3.3.1 title: Ensure changes to system administration scope (sudoers) is collected (Automated) levels: - l2_server @@ -2557,7 +2557,7 @@ controls: rules: - audit_rules_sysadmin_actions - - id: 4.1.3.2 + - id: 6.3.3.2 title: Ensure actions as another user are always logged (Automated) levels: - l2_server @@ -2566,7 +2566,7 @@ controls: rules: - audit_rules_suid_auid_privilege_function - - id: 4.1.3.3 + - id: 6.3.3.3 title: Ensure events that modify the sudo log file are collected (Automated) levels: - l2_server @@ -2575,7 +2575,7 @@ controls: rules: - audit_sudo_log_events - - id: 4.1.3.4 + - id: 6.3.3.4 title: Ensure events that modify date and time information are collected (Automated) levels: - l2_server @@ -2585,21 +2585,24 @@ controls: - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_clock_settime - - audit_rules_time_stime - audit_rules_time_watch_localtime + related_rules: + - audit_rules_time_stime - - id: 4.1.3.5 + - id: 6.3.3.5 title: Ensure events that modify the system's network environment are collected (Automated) levels: - l2_server - l2_workstation - status: automated + status: partial + notes: |- + These rules are not covering "/etc/hostname" and "/etc/NetworkManager/". rules: - audit_rules_networkconfig_modification - audit_rules_networkconfig_modification_network_scripts - - id: 4.1.3.6 - title: Ensure use of privileged commands is collected (Automated) + - id: 6.3.3.6 + title: Ensure use of privileged commands are collected (Automated) levels: - l2_server - l2_workstation @@ -2607,7 +2610,7 @@ controls: rules: - audit_rules_privileged_commands - - id: 4.1.3.7 + - id: 6.3.3.7 title: Ensure unsuccessful file access attempts are collected (Automated) levels: - l2_server 
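Review bot: In 6.3.3.4, `audit_rules_time_stime` is moved from `rules:` to `related_rules:` without a `notes:` entry explaining the demotion, so the control quietly loses an automated check and a reader of the control file cannot tell why. Presumably the reason is that the `stime` syscall is not available on the 64-bit architectures RHEL 9 targets; if so, add `notes: |-` / `audit_rules_time_stime is related only: the stime syscall is not available on RHEL 9 architectures.` (confirm the reason before committing the wording). The same undocumented demotion appears in 7.2.8 in a later commit of this series, where `file_groupownership_home_directories` moves to `related_rules` with no explanation.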
@@ -2620,12 +2623,14 @@ controls: - audit_rules_unsuccessful_file_modification_openat - audit_rules_unsuccessful_file_modification_truncate - - id: 4.1.3.8 + - id: 6.3.3.8 title: Ensure events that modify user/group information are collected (Automated) levels: - l2_server - l2_workstation - status: automated + status: partial + notes: |- + Missing rules to check "/etc/nsswitch.conf", "/etc/pam.conf" and "/etc/pam.d" rules: - audit_rules_usergroup_modification_group - audit_rules_usergroup_modification_gshadow @@ -2633,7 +2638,7 @@ controls: - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow - - id: 4.1.3.9 + - id: 6.3.3.9 title: Ensure discretionary access control permission modification events are collected (Automated) levels: - l2_server @@ -2654,7 +2659,7 @@ controls: - audit_rules_dac_modification_removexattr - audit_rules_dac_modification_setxattr - - id: 4.1.3.10 + - id: 6.3.3.10 title: Ensure successful file system mounts are collected (Automated) levels: - l2_server @@ -2663,7 +2668,7 @@ controls: rules: - audit_rules_media_export - - id: 4.1.3.11 + - id: 6.3.3.11 title: Ensure session initiation information is collected (Automated) levels: - l2_server @@ -2672,7 +2677,7 @@ controls: rules: - audit_rules_session_events - - id: 4.1.3.12 + - id: 6.3.3.12 title: Ensure login and logout events are collected (Automated) levels: - l2_server @@ -2683,7 +2688,7 @@ controls: - audit_rules_login_events_lastlog - var_accounts_passwords_pam_faillock_dir=run - - id: 4.1.3.13 + - id: 6.3.3.13 title: Ensure file deletion events by users are collected (Automated) levels: - l2_server @@ -2695,7 +2700,7 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - - id: 4.1.3.14 + - id: 6.3.3.14 title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - l2_server 
@@ -2705,8 +2710,8 @@ controls: - audit_rules_mac_modification - audit_rules_mac_modification_usr_share - - id: 4.1.3.15 - title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) + - id: 6.3.3.15 + title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated) levels: - l2_server - l2_workstation @@ -2714,8 +2719,8 @@ controls: rules: - audit_rules_execution_chcon - - id: 4.1.3.16 - title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) + - id: 6.3.3.16 + title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated) levels: - l2_server - l2_workstation @@ -2723,8 +2728,8 @@ controls: rules: - audit_rules_execution_setfacl - - id: 4.1.3.17 - title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) + - id: 6.3.3.17 + title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated) levels: - l2_server - l2_workstation @@ -2732,8 +2737,8 @@ controls: rules: - audit_rules_execution_chacl - - id: 4.1.3.18 - title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) + - id: 6.3.3.18 + title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated) levels: - l2_server - l2_workstation @@ -2741,8 +2746,8 @@ controls: rules: - audit_rules_privileged_commands_usermod - - id: 4.1.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 6.3.3.19 + title: Ensure kernel module loading unloading and modification is collected (Automated) levels: - l2_server - l2_workstation @@ -2755,7 +2760,7 @@ controls: - audit_rules_kernel_module_loading_query - audit_rules_privileged_commands_kmod - - id: 4.1.3.20 + - id: 6.3.3.20 title: Ensure the audit configuration is immutable (Automated) levels: - l2_server 
@@ -2764,7 +2769,7 @@ controls: rules: - audit_rules_immutable - - id: 4.1.3.21 + - id: 6.3.3.21 title: Ensure the running and on disk configuration is the same (Manual) levels: - l2_server From 94901a7220f2fd5ac37cc0798d319de4b396d981 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 12:02:29 +0200 Subject: [PATCH 52/61] CIS RHEL9 v2.0.0 - 6.3.4 Configure auditd File Access Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 48 +++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 9f6f7725140..d4b66b3b945 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml 
@@ -2776,44 +2776,44 @@ controls: - l2_workstation status: manual - - id: 4.1.4.1 - title: Ensure audit log files are mode 0640 or less permissive (Automated) + - id: 6.3.4.1 + title: Ensure the audit log file directory mode is configured (Automated) levels: - l2_server - l2_workstation status: automated rules: - - file_permissions_var_log_audit + - directory_permissions_var_log_audit - - id: 4.1.4.2 - title: Ensure only authorized users own audit log files (Automated) + - id: 6.3.4.2 + title: Ensure audit log files mode is configured (Automated) levels: - l2_server - l2_workstation status: automated rules: - - file_ownership_var_log_audit_stig + - file_permissions_var_log_audit - - id: 4.1.4.3 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 6.3.4.3 + title: Ensure audit log files owner is configured (Automated) levels: - l2_server - l2_workstation status: automated rules: - - file_group_ownership_var_log_audit + - file_ownership_var_log_audit_stig - - id: 4.1.4.4 - title: Ensure the audit log directory is 0750 or more restrictive (Automated) + - id: 6.3.4.4 + title: Ensure audit log files group owner is configured (Automated) levels: - l2_server - l2_workstation status: automated rules: - - directory_permissions_var_log_audit + - file_group_ownership_var_log_audit - - id: 4.1.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) + - id: 6.3.4.5 + title: Ensure audit configuration files mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2821,8 +2821,8 @@ controls: rules: - file_permissions_audit_configuration - - id: 4.1.4.6 - title: Ensure audit configuration files are owned by root (Automated) + - id: 6.3.4.6 + title: Ensure audit configuration files owner is configured (Automated) levels: - l2_server - l2_workstation 
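Review bot: The four `/var/log/audit` controls are remapped so that 6.3.4.3 (`Ensure audit log files owner is configured`) selects `file_ownership_var_log_audit_stig`, while every sibling in this group selects a plain, non-suffixed variant (`directory_permissions_var_log_audit`, `file_permissions_var_log_audit`, `file_group_ownership_var_log_audit`). The `_stig` suffix signals a DISA-specific expectation, so either confirm that its required owner is exactly what 6.3.4.3 asks for and record that in a `notes:` line, or select the non-STIG ownership rule if one exists. The new titles also drop the explicit modes the old ones carried (0640, 0750, 640, 755), so the selected rules are now the only place where the expected values live; worth checking that each rule enforces the mode the v2.0.0 control specifies rather than a looser one.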
@@ -2830,8 +2830,8 @@ controls: rules: - file_ownership_audit_configuration - - id: 4.1.4.7 - title: Ensure audit configuration files belong to group root (Automated) + - id: 6.3.4.7 + title: Ensure audit configuration files group owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2839,8 +2839,8 @@ controls: rules: - file_groupownership_audit_configuration - - id: 4.1.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) + - id: 6.3.4.8 + title: Ensure audit tools mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2848,8 +2848,8 @@ controls: rules: - file_permissions_audit_binaries - - id: 4.1.4.9 - title: Ensure audit tools are owned by root (Automated) + - id: 6.3.4.9 + title: Ensure audit tools owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2857,8 +2857,8 @@ controls: rules: - file_ownership_audit_binaries - - id: 4.1.4.10 - title: Ensure audit tools belong to group root (Automated) + - id: 6.3.4.10 + title: Ensure audit tools group owner is configured (Automated) levels: - l2_server - l2_workstation From 58ca799f5a3f240b508d3777fff9dbbdbef4906f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 12:14:17 +0200 Subject: [PATCH 53/61] CIS RHEL9 v2.0.0 - 7.1 System File Permissions Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 80 ++++++++++++++++++++---------------------- 1 file changed, 39 insertions(+), 41 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index d4b66b3b945..f658d153f2f 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2866,7 +2866,7 @@ controls: rules: - file_groupownership_audit_binaries - - id: 6.1.1 + - id: 7.1.1 title: Ensure permissions on /etc/passwd are configured (Automated) levels: - l1_server 
@@ -2877,7 +2877,7 @@ controls: - file_owner_etc_passwd - file_permissions_etc_passwd - - id: 6.1.2 + - id: 7.1.2 title: Ensure permissions on /etc/passwd- are configured (Automated) levels: - l1_server @@ -2888,7 +2888,7 @@ controls: - file_owner_backup_etc_passwd - file_permissions_backup_etc_passwd - - id: 6.1.3 + - id: 7.1.3 title: Ensure permissions on /etc/group are configured (Automated) levels: - l1_server @@ -2899,7 +2899,7 @@ controls: - file_owner_etc_group - file_permissions_etc_group - - id: 6.1.4 + - id: 7.1.4 title: Ensure permissions on /etc/group- are configured (Automated) levels: - l1_server @@ -2910,7 +2910,7 @@ controls: - file_owner_backup_etc_group - file_permissions_backup_etc_group - - id: 6.1.5 + - id: 7.1.5 title: Ensure permissions on /etc/shadow are configured (Automated) levels: - l1_server @@ -2921,7 +2921,7 @@ controls: - file_groupowner_etc_shadow - file_permissions_etc_shadow - - id: 6.1.6 + - id: 7.1.6 title: Ensure permissions on /etc/shadow- are configured (Automated) levels: - l1_server @@ -2932,7 +2932,7 @@ controls: - file_owner_backup_etc_shadow - file_permissions_backup_etc_shadow - - id: 6.1.7 + - id: 7.1.7 title: Ensure permissions on /etc/gshadow are configured (Automated) levels: - l1_server @@ -2943,7 +2943,7 @@ controls: - file_owner_etc_gshadow - file_permissions_etc_gshadow - - id: 6.1.8 + - id: 7.1.8 title: Ensure permissions on /etc/gshadow- are configured (Automated) levels: - l1_server 
@@ -2954,61 +2954,59 @@ controls: - file_owner_backup_etc_gshadow - file_permissions_backup_etc_gshadow - - id: 6.1.9 - title: Ensure no world writable files exist (Automated) + - id: 7.1.9 + title: Ensure permissions on /etc/shells are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_unauthorized_world_writable + - file_groupowner_etc_shells + - file_owner_etc_shells + - file_permissions_etc_shells - - id: 6.1.10 - title: Ensure no unowned files or directories exist (Automated) + - id: 7.1.10 + title: Ensure permissions on /etc/security/opasswd are configured (Automated) levels: - - l1_server - - l1_workstation - status: automated + - l1_server + - l1_workstation + status: partial rules: - - no_files_unowned_by_user + # TODO: We need another rule that checks /etc/security/opasswd.old + - file_etc_security_opasswd - - id: 6.1.11 - title: Ensure no ungrouped files or directories exist (Automated) + - id: 7.1.11 + title: Ensure world writable files and directories are secured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_ungroupowned + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits - - id: 6.1.12 - title: Ensure sticky bit is set on all world-writable directories (Automated) + - id: 7.1.12 + title: Ensure no files or directories without an owner and a group exist (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial rules: - - dir_perms_world_writable_sticky_bits + # TODO: add rules for unowned/ungrouped directories + - no_files_unowned_by_user + - file_permissions_ungroupowned - - id: 6.1.13 - title: Audit SUID executables (Manual) + - id: 7.1.13 + title: Ensure SUID and SGID files are reviewed (Manual) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: manual related_rules: - 
file_permissions_unauthorized_suid - - - id: 6.1.14 - title: Audit SGID executables (Manual) - levels: - - l1_server - - l1_workstation - status: manual - related_rules: - file_permissions_unauthorized_sgid - - id: 6.1.15 + - id: 7.1.14 title: Audit system file permissions (Manual) levels: - l2_server From e45c939dfe3f142b916cc04838b9fac6862005a8 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 12:35:09 +0200 Subject: [PATCH 54/61] CIS RHEL9 v2.0.0 - 7.2 Local User and Group Settings Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 80 +++++++++++++----------------------------- 1 file changed, 24 insertions(+), 56 deletions(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index f658d153f2f..51b2146206e 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -3016,7 +3016,7 @@ controls: - rpm_verify_permissions - rpm_verify_ownership - - id: 6.2.1 + - id: 7.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: - l1_server @@ -3025,7 +3025,7 @@ controls: rules: - accounts_password_all_shadowed - - id: 6.2.2 + - id: 7.2.2 title: Ensure /etc/shadow password fields are not empty (Automated) levels: - l1_server @@ -3034,7 +3034,7 @@ controls: rules: - no_empty_passwords_etc_shadow - - id: 6.2.3 + - id: 7.2.3 title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) levels: - l1_server @@ -3043,7 +3043,7 @@ controls: rules: - gid_passwd_group_same - - id: 6.2.4 + - id: 7.2.4 title: Ensure no duplicate UIDs exist (Automated) levels: - l1_server @@ -3052,7 +3052,7 @@ controls: rules: - account_unique_id - - id: 6.2.5 + - id: 7.2.5 title: Ensure no duplicate GIDs exist (Automated) levels: - l1_server @@ -3061,7 +3061,7 @@ controls: rules: - group_unique_id - - id: 6.2.6 + - id: 7.2.6 title: Ensure no duplicate user names exist (Automated) levels: - l1_server 
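Review bot: The `levels:` entries of 7.1.9, 7.1.10, 7.1.11 and 7.1.13 are removed and re-added with identical text, which reads as a re-indentation of the sequence items, while 7.1.12 keeps its original lines; either the `controls:` list mixed two sequence-indentation styles before this change or it does now, and yamllint's `indentation` check (`indent-sequences`) should be run so the whole file uses one style. The two `# TODO` comments placed inside `rules:` (7.1.10 and 7.1.12) do explain `status: partial`, but `notes:` is the key used for exactly that purpose in 6.3.3.5 and 6.3.3.8 and is what downstream tooling reads; e.g. `notes: |-` / `Missing a rule to check /etc/security/opasswd.old.` on 7.1.10, keeping the TODO if developers grep for it. The hunk's last control, 7.1.14, continues past the end of the hunk.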
@@ -3070,7 +3070,7 @@ controls: rules: - account_unique_name - - id: 6.2.7 + - id: 7.2.7 title: Ensure no duplicate group names exist (Automated) levels: - l1_server 
@@ -3079,67 +3079,35 @@ controls: rules: - group_unique_name - - id: 6.2.10 - title: Ensure local interactive user home directories exist (Automated) + - id: 7.2.8 + title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - accounts_user_interactive_home_directory_exists - - - id: 6.2.11 - title: Ensure local interactive users own their home directories (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_ownership_home_directories - - file_groupownership_home_directories - - - id: 6.2.12 - title: Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_permissions_home_directories + related_rules: + - file_groupownership_home_directories - - id: 6.2.13 - title: Ensure no local interactive user has .netrc files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_netrc_files - - - id: 6.2.14 - title: Ensure no local interactive user has .forward files (Automated) + - id: 7.2.9 + title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server - l1_workstation - status: automated + notes: |- + Missing a rule to check that .bash_history is mode 0600 or more restrictive. 
+ status: partial rules: + - accounts_user_dot_group_ownership + - accounts_user_dot_user_ownership + - accounts_user_dot_no_world_writable_programs + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles - no_forward_files - - - id: 6.2.15 - title: Ensure no local interactive user has .rhosts files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: The rule also removes /etc/hosts.equiv - rules: + - no_netrc_files - no_rsh_trust_files - - - id: 6.2.16 - title: Ensure local interactive user dot files are not group or world writable (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_user_dot_no_world_writable_programs + related_rules: + - accounts_users_netrc_file_permissions From e04b264068a035053dc39e2fb87c7347a688d05f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 12:36:02 +0200 Subject: [PATCH 55/61] CIS RHEL9 v2.0.0 - Update version in control file Signed-off-by: Marcus Burghardt --- controls/cis_rhel9.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 51b2146206e..428f7ea60b4 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -2,7 +2,7 @@ policy: 'CIS Benchmark for Red Hat Enterprise Linux 9' title: 'CIS Benchmark for Red Hat Enterprise Linux 9' id: cis_rhel9 -version: '1.0.0' +version: '2.0.0' source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux levels: - id: l1_server From b2469febca36750b621425b814673513ec096a8e Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 13:05:48 +0200 Subject: [PATCH 56/61] Include CCEs in rules selected by CIS RHEL9 v2.0.0 
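Review bot: The 6.2.15 note `The rule also removes /etc/hosts.equiv` is deleted together with that control, yet `no_rsh_trust_files`, the rule the note described, is still selected under 7.2.9, so the remediation side-effect is no longer documented anywhere in the control file. Carry it into the new notes: `notes: |-` / `Missing a rule to check that .bash_history is mode 0600 or more restrictive.` / `The no_rsh_trust_files rule also removes /etc/hosts.equiv.`. As a point of style, 7.2.9 places `notes:` before `status:`, whereas every other control in this file puts `status:` first; matching that order makes the controls easier to scan.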
Signed-off-by: Marcus Burghardt --- .../auditing/package_audit-libs_installed/rule.yml | 1 + .../ssh/ssh_server/sshd_use_approved_ciphers/rule.yml | 1 + .../ssh/ssh_server/sshd_use_strong_kex/rule.yml | 1 + .../ssh/ssh_server/sshd_use_strong_macs/rule.yml | 1 + .../var_account_disable_post_pw_expiration.var | 1 + .../package_systemd-journal-remote_installed/rule.yml | 1 + .../service_bluetooth_disabled/rule.yml | 1 + .../file_etc_security_opasswd/rule.yml | 1 + .../mounting/kernel_module_freevxfs_disabled/rule.yml | 1 + .../mounting/kernel_module_hfs_disabled/rule.yml | 1 + .../mounting/kernel_module_hfsplus_disabled/rule.yml | 1 + .../mounting/kernel_module_jffs2_disabled/rule.yml | 1 + shared/references/cce-redhat-avail.txt | 11 ----------- 13 files changed, 12 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml index ca6080f5fee..2cfa1377ba7 100644 --- a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml @@ -17,6 +17,7 @@ severity: medium identifiers: cce@rhel7: CCE-86531-1 + cce@rhel9: CCE-86772-1 cce@sle12: CCE-92320-1 cce@sle15: CCE-92478-7 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index 2801ac8511f..3ca461e2451 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -48,6 +48,7 @@ severity: medium identifiers: cce@rhel7: CCE-27295-5 cce@rhel8: CCE-81032-5 + cce@rhel9: CCE-86767-1 cce@sle12: CCE-83181-8 cce@sle15: CCE-91337-6 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml index a2ffc8f02e1..4b00f39ee86 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml @@ -20,6 +20,7 @@ severity: medium identifiers: cce@rhel7: CCE-86090-8 cce@rhel8: CCE-86518-8 + cce@rhel9: CCE-86768-9 cce@sle12: CCE-92339-1 cce@sle15: CCE-92626-1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml index 761fae58ed4..a4621f128b3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@rhel7: CCE-82364-1 cce@rhel8: CCE-86504-8 + cce@rhel9: CCE-86769-7 cce@sle12: CCE-92280-7 cce@sle15: CCE-91396-2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var index ba64dbd5b17..4b3214d3f8f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/var_account_disable_post_pw_expiration.var @@ -14,6 +14,7 @@ options: 30: 30 35: 35 40: 40 + 45: 45 60: 60 90: 90 default: 35 diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml index 8c0e0261d8d..8d2eea0384e 100644 --- a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml +++ b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml 
@@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-87415-6 cce@rhel8: CCE-86467-8 + cce@rhel9: CCE-86760-6 references: cis@ubuntu2204: 4.2.1.1.1 diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml index 4906a306f9f..b3766b3e23a 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-27328-4 cce@rhel8: CCE-87231-7 + cce@rhel9: CCE-86761-4 references: cis-csc: 11,12,14,15,3,8,9 diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml index b802e10bd23..3faae884ca3 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel7: CCE-87198-8 cce@rhel8: CCE-86140-1 + cce@rhel9: CCE-86762-2 cce@sle12: CCE-83172-7 cce@sle15: CCE-85572-6 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml index 56e0f968ef9..0fea3e1753b 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled/rule.yml 
@@ -17,6 +17,7 @@ identifiers: cce@rhcos4: CCE-82713-9 cce@rhel7: CCE-80138-1 cce@rhel8: CCE-86615-2 + cce@rhel9: CCE-86763-0 references: cis-csc: 11,14,3,9 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml index b6ff25b1321..388928502c9 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhcos4: CCE-82714-7 cce@rhel7: CCE-80140-7 cce@rhel8: CCE-86616-0 + cce@rhel9: CCE-86764-8 references: cis-csc: 11,14,3,9 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml index 81b1147ad0f..885b14f7400 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhcos4: CCE-82715-4 cce@rhel7: CCE-80141-5 cce@rhel8: CCE-86617-8 + cce@rhel9: CCE-86765-5 references: cis-csc: 11,14,3,9 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml index 34874bb7e2a..2b8c615acd8 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhcos4: CCE-82716-2 cce@rhel7: CCE-80139-9 cce@rhel8: CCE-86618-6 + cce@rhel9: CCE-86766-3 references: cis-csc: 11,14,3,9 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 5d824cd05cb..ec28fda4495 100644 --- a/shared/references/cce-redhat-avail.txt 
+++ b/shared/references/cce-redhat-avail.txt @@ -247,17 +247,6 @@ CCE-86750-7 CCE-86751-5 CCE-86752-3 CCE-86753-1 -CCE-86760-6 -CCE-86761-4 -CCE-86762-2 -CCE-86763-0 -CCE-86764-8 -CCE-86765-5 -CCE-86766-3 -CCE-86767-1 -CCE-86768-9 -CCE-86769-7 -CCE-86772-1 CCE-86773-9 CCE-86774-7 CCE-86775-4 From 53b28bfbd7cfaeb5cefc834b359f7c8d50f7dfae Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 14 Jun 2024 15:59:51 +0200 Subject: [PATCH 57/61] Update references for profile stability tests CIS RHEL9 v2.0.0 --- .../data/profile_stability/rhel9/cis.profile | 735 +++++++++--------- .../rhel9/cis_server_l1.profile | 555 ++++++------- .../rhel9/cis_workstation_l1.profile | 545 ++++++------- .../rhel9/cis_workstation_l2.profile | 726 ++++++++--------- 4 files changed, 1334 insertions(+), 1227 deletions(-) diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile index d0eecd81138..c3899b0d991 100644 --- a/tests/data/profile_stability/rhel9/cis.profile +++ b/tests/data/profile_stability/rhel9/cis.profile 
@@ -12,424 +12,460 @@ metadata:
 - yuumasato
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 selections:
-- sysctl_net_ipv4_conf_all_accept_redirects
-- auditd_data_retention_max_log_file
-- audit_rules_session_events
-- sysctl_net_ipv6_conf_all_accept_redirects
-- audit_rules_login_events_lastlog
-- file_owner_cron_daily
-- ensure_root_password_configured
-- file_owner_backup_etc_shadow
-- package_setroubleshoot_removed
-- audit_rules_dac_modification_lsetxattr
-- audit_rules_networkconfig_modification
-- audit_rules_networkconfig_modification_network_scripts
-- sysctl_net_ipv4_conf_default_log_martians
-- audit_rules_unsuccessful_file_modification_truncate
-- auditd_data_retention_space_left_action
-- audit_sudo_log_events
-- grub2_audit_backlog_limit_argument
-- audit_rules_file_deletion_events_unlinkat
-- file_permissions_home_directories
-- file_permissions_crontab
-- audit_rules_kernel_module_loading_finit
-- sudo_require_reauthentication
-- file_cron_deny_not_exist
-- accounts_no_uid_except_zero
-- disable_host_auth
-- package_tftp-server_removed
-- file_groupowner_backup_etc_gshadow
+- account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
 - account_unique_id
-- file_groupowner_etc_motd
-- grub2_password
+- account_unique_name
 - accounts_maximum_age_login_defs
-- file_owner_etc_group
-- audit_rules_execution_setfacl
-- service_crond_enabled
-- file_permissions_backup_etc_gshadow
-- file_owner_crontab
-- sysctl_net_ipv4_tcp_syncookies
-- file_owner_etc_issue_net
-- sshd_set_keepalive
-- set_firewalld_default_zone
+- accounts_minimum_age_login_defs
+- accounts_no_uid_except_zero
+- accounts_password_all_shadowed
+- accounts_password_last_change_is_in_past
+- accounts_password_pam_dictcheck
+- accounts_password_pam_difok
+- accounts_password_pam_enforce_root
+- accounts_password_pam_maxrepeat
+- accounts_password_pam_minclass
+- accounts_password_pam_minlen
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_set_max_life_existing
+- accounts_password_set_min_life_existing
+- accounts_password_set_warn_age_existing
+- accounts_password_warn_age_login_defs
+- accounts_passwords_pam_faillock_deny
+- accounts_passwords_pam_faillock_deny_root
+- accounts_passwords_pam_faillock_unlock_time
+- accounts_root_gid_zero
+- accounts_root_path_dirs_no_write
+- accounts_set_post_pw_existing
+- accounts_tmout
 - accounts_umask_etc_bashrc
-- mount_option_var_log_audit_nodev
-- service_auditd_enabled
-- file_permissions_grub2_cfg
+- accounts_umask_etc_login_defs
+- accounts_umask_etc_profile
+- accounts_user_dot_group_ownership
+- accounts_user_dot_no_world_writable_programs
+- accounts_user_dot_user_ownership
+- accounts_user_interactive_home_directory_exists
+- aide_build_database
+- aide_check_audit_tools
+- aide_periodic_cron_checking
+- audit_rules_dac_modification_chmod
+- audit_rules_dac_modification_chown
+- audit_rules_dac_modification_fchmod
+- audit_rules_dac_modification_fchmodat
+- audit_rules_dac_modification_fchown
+- audit_rules_dac_modification_fchownat
+- audit_rules_dac_modification_fremovexattr
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_dac_modification_lchown
+- audit_rules_dac_modification_lremovexattr
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chacl
+- audit_rules_execution_chcon
+- audit_rules_execution_setfacl
+- audit_rules_file_deletion_events_rename
+- audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_unlink
+- audit_rules_file_deletion_events_unlinkat
+- audit_rules_immutable
+- audit_rules_kernel_module_loading_create
 - audit_rules_kernel_module_loading_delete
-- dconf_gnome_screensaver_user_locks
-- no_empty_passwords
+- audit_rules_kernel_module_loading_finit
+- audit_rules_kernel_module_loading_init
+- audit_rules_kernel_module_loading_query
+- audit_rules_login_events_faillock
+- audit_rules_login_events_lastlog
+- audit_rules_mac_modification
+- audit_rules_mac_modification_usr_share
+- audit_rules_media_export
+- audit_rules_networkconfig_modification
+- audit_rules_networkconfig_modification_network_scripts
+- audit_rules_privileged_commands
+- audit_rules_privileged_commands_kmod
+- audit_rules_privileged_commands_usermod
+- audit_rules_session_events
+- audit_rules_suid_auid_privilege_function
+- audit_rules_sysadmin_actions
 - audit_rules_time_adjtimex
-- accounts_password_pam_minlen
-- audit_rules_dac_modification_fchmodat
-- grub2_audit_argument
-- sysctl_net_ipv4_conf_all_secure_redirects
-- file_groupowner_sshd_config
 - audit_rules_time_clock_settime
-- dir_perms_world_writable_sticky_bits
-- mount_option_var_log_audit_nosuid
-- kernel_module_squashfs_disabled
-- accounts_user_dot_no_world_writable_programs
-- sshd_set_max_auth_tries
-- package_telnet-server_removed
 - audit_rules_time_settimeofday
-- file_groupownership_home_directories
-- sysctl_net_ipv6_conf_default_accept_source_route
-- audit_rules_dac_modification_fsetxattr
-- package_cyrus-imapd_removed
-- file_permissions_sshd_config
-- no_netrc_files
-- audit_rules_immutable
-- mount_option_dev_shm_nodev
-- package_cups_removed
-- file_permissions_cron_monthly
-- dconf_gnome_login_banner_text
-- chronyd_specify_remote_server
-- sysctl_net_ipv4_conf_default_send_redirects
-- file_permissions_backup_etc_group
-- audit_rules_dac_modification_fchownat
-- kernel_module_usb-storage_disabled
-- mount_option_tmp_nodev
+- audit_rules_time_watch_localtime
+- audit_rules_unsuccessful_file_modification_creat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- audit_rules_unsuccessful_file_modification_open
+- audit_rules_unsuccessful_file_modification_openat
+- audit_rules_unsuccessful_file_modification_truncate
+- audit_rules_usergroup_modification_group
 - audit_rules_usergroup_modification_gshadow
-- gid_passwd_group_same
-- sysctl_net_ipv6_conf_default_accept_redirects
-- set_password_hashing_algorithm_passwordauth
-- dconf_gnome_session_idle_user_locks
-- sudo_require_authentication
-- accounts_password_set_min_life_existing
-- kernel_module_tipc_disabled
-- dconf_gnome_banner_enabled
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_groupowner_cron_d
 - audit_rules_usergroup_modification_opasswd
-- audit_rules_mac_modification_usr_share
-- accounts_passwords_pam_faillock_unlock_time
-- file_owner_grub2_cfg
-- audit_rules_kernel_module_loading_query
-- no_shelllogin_for_systemaccounts
-- file_owner_cron_allow
-- dconf_gnome_screensaver_idle_delay
-- directory_permissions_var_log_audit
-- package_samba_removed
-- sshd_set_loglevel_verbose
-- audit_rules_time_stime
-- accounts_user_interactive_home_directory_exists
-- accounts_tmout
-- file_groupowner_backup_etc_shadow
-- file_owner_etc_passwd
-- mount_option_var_tmp_nodev
-- partition_for_home
-- audit_rules_file_deletion_events_rename
-- package_rsync_removed
-- accounts_password_pam_retry
-- chronyd_run_as_chrony_user
-- file_permissions_cron_weekly
-- file_permissions_etc_group
-- file_permissions_ungroupowned
-- aide_build_database
-- accounts_password_all_shadowed
-- set_nftables_table
-- file_permissions_etc_motd
-- set_password_hashing_algorithm_logindefs
-- mount_option_tmp_nosuid
-- package_xorg-x11-server-common_removed
-- service_firewalld_enabled
-- rsyslog_nolisten
-- accounts_password_pam_pwhistory_remember_password_auth
-- package_net-snmp_removed
-- coredump_disable_backtraces
-- partition_for_dev_shm
+- audit_rules_usergroup_modification_passwd
+- audit_rules_usergroup_modification_shadow
+- audit_sudo_log_events
+- auditd_data_disk_error_action
+- auditd_data_disk_full_action
+- auditd_data_retention_action_mail_acct
 - auditd_data_retention_admin_space_left_action
+- auditd_data_retention_max_log_file
+- auditd_data_retention_max_log_file_action
+- auditd_data_retention_space_left_action
+- banner_etc_issue
+- banner_etc_issue_net
+- banner_etc_motd
+- chronyd_run_as_chrony_user
+- chronyd_specify_remote_server
+- configure_crypto_policy
 - configure_ssh_crypto_policy
+- coredump_disable_backtraces
+- coredump_disable_storage
+- dconf_db_up_to_date
+- dconf_gnome_banner_enabled
+- dconf_gnome_disable_automount
+- dconf_gnome_disable_automount_open
+- dconf_gnome_disable_autorun
+- dconf_gnome_disable_user_list
+- dconf_gnome_login_banner_text
+- dconf_gnome_screensaver_idle_delay
+- dconf_gnome_screensaver_lock_delay
+- dconf_gnome_screensaver_user_locks
+- dconf_gnome_session_idle_user_locks
+- dir_perms_world_writable_sticky_bits
+- directory_permissions_var_log_audit
+- disable_host_auth
+- enable_authselect
+- ensure_gpgcheck_globally_activated
 - ensure_pam_wheel_group_empty
-- package_vsftpd_removed
-- auditd_data_retention_max_log_file_action
-- sshd_disable_x11_forwarding
-- sshd_enable_pam
-- audit_rules_kernel_module_loading_init
-- audit_rules_time_watch_localtime
-- package_dnsmasq_removed
-- sshd_enable_warning_banner_net
-- file_permissions_sshd_pub_key
-- file_permissions_cron_allow
-- file_owner_etc_motd
-- rsyslog_filecreatemode
-- file_owner_cron_d
-- audit_rules_unsuccessful_file_modification_open
-- accounts_umask_etc_login_defs
-- mount_option_home_nodev
-- mount_option_dev_shm_noexec
-- audit_rules_usergroup_modification_group
-- audit_rules_dac_modification_removexattr
-- audit_rules_dac_modification_setxattr
-- journald_forward_to_syslog
-- audit_rules_execution_chcon
-- audit_rules_dac_modification_lremovexattr
-- package_ftp_removed
-- accounts_password_last_change_is_in_past
-- sysctl_net_ipv4_conf_default_rp_filter
-- sysctl_net_ipv4_conf_all_log_martians
+- ensure_root_password_configured
+- file_at_deny_not_exist
+- file_cron_allow_exists
+- file_cron_deny_not_exist
+- file_etc_security_opasswd
+- file_group_ownership_var_log_audit
+- file_groupowner_at_allow
+- file_groupowner_backup_etc_group
+- file_groupowner_backup_etc_gshadow
+- file_groupowner_backup_etc_passwd
+- file_groupowner_backup_etc_shadow
+- file_groupowner_cron_allow
+- file_groupowner_cron_d
+- file_groupowner_cron_daily
+- file_groupowner_cron_hourly
+- file_groupowner_cron_monthly
+- file_groupowner_cron_weekly
+- file_groupowner_crontab
 - file_groupowner_etc_group
-- package_libselinux_installed
-- file_owner_cron_weekly
-- mount_option_var_nosuid
-- file_owner_etc_shadow
-- account_unique_name
-- sshd_set_idle_timeout
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- audit_rules_dac_modification_chown
-- has_nonlocal_mta
-- accounts_password_warn_age_login_defs
-- mount_option_var_log_nosuid
-- file_groupowner_etc_shadow
-- file_permissions_cron_hourly
-- coredump_disable_storage
-- auditd_data_retention_action_mail_acct
 - file_groupowner_etc_gshadow
-- audit_rules_unsuccessful_file_modification_ftruncate
-- no_rsh_trust_files
-- rsyslog_files_permissions
-- account_password_pam_faillock_system_auth
-- mount_option_var_tmp_noexec
-- mount_option_var_nodev
-- audit_rules_privileged_commands_kmod
-- audit_rules_sysadmin_actions
 - file_groupowner_etc_issue
+- file_groupowner_etc_issue_net
+- file_groupowner_etc_motd
+- file_groupowner_etc_passwd
+- file_groupowner_etc_shadow
+- file_groupowner_etc_shells
+- file_groupowner_grub2_cfg
+- file_groupowner_sshd_config
+- file_groupowner_user_cfg
+- file_groupownership_audit_binaries
+- file_groupownership_audit_configuration
+- file_groupownership_sshd_private_key
+- file_groupownership_sshd_pub_key
 - file_owner_backup_etc_group
-- file_permissions_cron_daily
-- file_groupowner_backup_etc_passwd
-- set_password_hashing_algorithm_systemauth
-- sshd_set_max_sessions
-- journald_compress
-- package_sudo_installed
+- file_owner_backup_etc_gshadow
 - file_owner_backup_etc_passwd
-- audit_rules_login_events_faillock
-- file_groupowner_etc_passwd
-- package_firewalld_installed
-- file_permissions_unauthorized_world_writable
-- sysctl_net_ipv4_conf_all_accept_source_route
-- audit_rules_dac_modification_fchown
-- file_at_deny_not_exist
-- mount_option_home_nosuid
-- file_permissions_var_log_audit
-- mount_option_dev_shm_nosuid
+- file_owner_backup_etc_shadow
+- file_owner_cron_allow
+- file_owner_cron_d
+- file_owner_cron_daily
+- file_owner_cron_hourly
+- file_owner_cron_monthly
+- file_owner_cron_weekly
+- file_owner_crontab
+- file_owner_etc_group
+- file_owner_etc_gshadow
+- file_owner_etc_issue
+- file_owner_etc_issue_net
+- file_owner_etc_motd
+- file_owner_etc_passwd
+- file_owner_etc_shadow
+- file_owner_etc_shells
+- file_owner_grub2_cfg
+- file_owner_sshd_config
 - file_owner_user_cfg
-- sysctl_net_ipv6_conf_all_forwarding
-- audit_rules_mac_modification
-- file_permissions_cron_d
-- dconf_db_up_to_date
-- sysctl_net_ipv4_ip_forward
-- audit_rules_usergroup_modification_passwd
-- accounts_password_pam_minclass
-- service_rsyslog_enabled
-- sshd_set_maxstartups
-- file_groupowner_cron_allow
-- sudo_add_use_pty
-- sysctl_net_ipv6_conf_all_accept_ra
-- package_httpd_removed
-- audit_rules_dac_modification_lchown
-- audit_rules_kernel_module_loading_create
-- group_unique_id
-- file_cron_allow_exists
-- file_groupowner_user_cfg
-- dconf_gnome_disable_automount
-- package_bind_removed
-- file_groupowner_cron_weekly
-- socket_systemd-journal-remote_disabled
-- enable_authselect
-- kernel_module_udf_disabled
-- file_groupowner_etc_issue_net
-- sysctl_net_ipv6_conf_default_accept_ra
-- sysctl_net_ipv4_conf_all_send_redirects
-- account_password_pam_faillock_password_auth
-- banner_etc_motd
-- file_permissions_backup_etc_shadow
-- journald_storage
-- sudo_custom_logfile
-- audit_rules_dac_modification_fchmod
-- account_disable_post_pw_expiration
-- aide_check_audit_tools
+- file_ownership_audit_binaries
 - file_ownership_audit_configuration
-- selinux_state
-- service_nfs_disabled
-- partition_for_var_tmp
-- grub2_enable_selinux
-- service_nftables_disabled
-- use_pam_wheel_group_for_su
-- file_permissions_audit_configuration
-- package_nginx_removed
-- accounts_password_pam_pwhistory_remember_system_auth
-- file_permissions_etc_issue_net
+- file_ownership_sshd_private_key
 - file_ownership_sshd_pub_key
-- file_ownership_audit_binaries
-- sysctl_net_ipv4_conf_all_rp_filter
-- sysctl_net_ipv4_conf_default_accept_redirects
-- file_permissions_backup_etc_passwd
 - file_ownership_var_log_audit_stig
-- package_tftp_removed
-- file_groupownership_audit_binaries
-- no_empty_passwords_etc_shadow
-- package_dhcp_removed
-- file_groupowner_at_allow
-- package_aide_installed
-- mount_option_tmp_noexec
-- sshd_disable_rhosts
+- file_permission_user_init_files
+- file_permissions_at_allow
 - file_permissions_audit_binaries
-- package_avahi_removed
-- service_rpcbind_disabled
-- accounts_umask_etc_profile
-- file_owner_etc_issue
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-- accounts_root_path_dirs_no_write
-- package_squid_removed
-- file_groupowner_cron_daily
-- package_openldap-clients_removed
-- partition_for_var_log
-- audit_rules_suid_auid_privilege_function
-- file_groupowner_cron_monthly
-- ensure_gpgcheck_globally_activated
-- configure_crypto_policy
-- aide_periodic_cron_checking
+- file_permissions_audit_configuration
+- file_permissions_backup_etc_group
+- file_permissions_backup_etc_gshadow
+- file_permissions_backup_etc_passwd
+- file_permissions_backup_etc_shadow
+- file_permissions_cron_allow
+- file_permissions_cron_d
+- file_permissions_cron_daily
+- file_permissions_cron_hourly
+- file_permissions_cron_monthly
+- file_permissions_cron_weekly
+- file_permissions_crontab
+- file_permissions_etc_group
+- file_permissions_etc_gshadow
+- file_permissions_etc_issue
+- file_permissions_etc_issue_net
+- file_permissions_etc_motd
 - file_permissions_etc_passwd
-- file_groupownership_sshd_private_key
-- package_dovecot_removed
+- file_permissions_etc_shadow
+- file_permissions_etc_shells
+- file_permissions_grub2_cfg
+- file_permissions_home_directories
+- file_permissions_sshd_config
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
+- file_permissions_unauthorized_world_writable
+- file_permissions_ungroupowned
+- file_permissions_user_cfg
+- file_permissions_var_log_audit
 - firewalld_loopback_traffic_restricted
-- mount_option_var_log_nodev
+- firewalld_loopback_traffic_trusted
+- gid_passwd_group_same
+- gnome_gdm_disable_xdmcp
+- group_unique_id
+- grub2_audit_argument
+- grub2_audit_backlog_limit_argument
+- grub2_enable_selinux
+- grub2_password
+- has_nonlocal_mta
+- journald_compress
+- journald_forward_to_syslog
+- journald_storage
+- kernel_module_cramfs_disabled
+- kernel_module_dccp_disabled
+- kernel_module_freevxfs_disabled
+- kernel_module_hfs_disabled
+- kernel_module_hfsplus_disabled
+- kernel_module_jffs2_disabled
+- kernel_module_rds_disabled
+- kernel_module_sctp_disabled
+- kernel_module_squashfs_disabled
+- kernel_module_tipc_disabled
+- kernel_module_udf_disabled
+- kernel_module_usb-storage_disabled
+- mount_option_dev_shm_nodev
+- mount_option_dev_shm_noexec
+- mount_option_dev_shm_nosuid
+- mount_option_home_nodev
+- mount_option_home_nosuid
+- mount_option_tmp_nodev
+- mount_option_tmp_noexec
+- mount_option_tmp_nosuid
+- mount_option_var_log_audit_nodev
 - mount_option_var_log_audit_noexec
-- sshd_set_login_grace_time
-- file_owner_cron_hourly
-- dconf_gnome_disable_automount_open
-- selinux_not_disabled
-- service_systemd-journald_enabled
-- package_nftables_installed
+- mount_option_var_log_audit_nosuid
+- mount_option_var_log_nodev
 - mount_option_var_log_noexec
-- partition_for_var
-- package_mcstrans_removed
-- sshd_limit_user_access
-- root_path_no_dot
-- file_permissions_at_allow
-- file_permissions_etc_shadow
+- mount_option_var_log_nosuid
+- mount_option_var_nodev
+- mount_option_var_nosuid
+- mount_option_var_tmp_nodev
+- mount_option_var_tmp_noexec
 - mount_option_var_tmp_nosuid
-- package_telnet_removed
-- file_groupowner_crontab
-- selinux_confinement_of_daemons
-- dconf_gnome_disable_autorun
-- accounts_password_set_max_life_existing
-- package_audit_installed
-- sshd_disable_empty_passwords
-- audit_rules_execution_chacl
-- audit_rules_file_deletion_events_renameat
-- audit_rules_privileged_commands_usermod
-- accounts_set_post_pw_existing
-- file_groupowner_cron_hourly
-- file_owner_sshd_config
-- file_owner_cron_monthly
-- no_password_auth_for_systemaccounts
-- audit_rules_privileged_commands
-- file_permissions_etc_issue
+- no_empty_passwords
+- no_empty_passwords_etc_shadow
+- no_files_unowned_by_user
 - no_forward_files
-- selinux_policytype
-- file_permissions_user_cfg
+- no_netrc_files
+- no_password_auth_for_systemaccounts
+- no_rsh_trust_files
+- no_shelllogin_for_systemaccounts
+- package_aide_installed
+- package_audit-libs_installed
+- package_audit_installed
+- package_avahi_removed
+- package_bind_removed
+- package_cups_removed
+- package_cyrus-imapd_removed
+- package_dhcp_removed
+- package_dnsmasq_removed
+- package_dovecot_removed
+- package_firewalld_installed
+- package_ftp_removed
 - package_gdm_removed
-- dconf_gnome_screensaver_lock_delay
-- audit_rules_usergroup_modification_shadow
-- sshd_disable_tcp_forwarding
-- file_groupownership_sshd_pub_key
-- audit_rules_file_deletion_events_unlink
+- package_httpd_removed
+- package_libselinux_installed
+- package_mcstrans_removed
+- package_net-snmp_removed
+- package_nftables_installed
+- package_nginx_removed
+- package_openldap-clients_removed
+- package_pam_pwquality_installed
+- package_rsync_removed
+- package_rsyslog_installed
+- package_samba_removed
+- package_setroubleshoot_removed
+- package_squid_removed
+- package_sudo_installed
+- package_systemd-journal-remote_installed
+- package_telnet-server_removed
+- package_telnet_removed
+- package_tftp-server_removed
+- package_tftp_removed
+- package_vsftpd_removed
+- package_xinetd_removed
+- package_xorg-x11-server-common_removed
+- package_ypbind_removed
+- package_ypserv_removed
+- partition_for_dev_shm
+- partition_for_home
+- partition_for_tmp
+- partition_for_var
+- partition_for_var_log
+- partition_for_var_log_audit
+- partition_for_var_tmp
 - postfix_network_listening_disabled
+- root_path_no_dot
+- rsyslog_filecreatemode
 - rsyslog_files_groupownership
-- accounts_minimum_age_login_defs
-- file_permissions_etc_gshadow
-- file_ownership_sshd_private_key
-- file_permissions_sshd_private_key
-- sysctl_net_ipv6_conf_all_accept_source_route
-- file_owner_etc_gshadow
-- package_rsyslog_installed
-- sysctl_kernel_randomize_va_space
-- audit_rules_dac_modification_chmod
-- gnome_gdm_disable_xdmcp
-- sshd_disable_root_login
-- file_groupownership_audit_configuration
-- file_group_ownership_var_log_audit
-- audit_rules_unsuccessful_file_modification_openat
-- banner_etc_issue_net
-- audit_rules_media_export
-- sysctl_net_ipv4_conf_default_accept_source_route
 - rsyslog_files_ownership
-- file_groupowner_backup_etc_group
-- file_groupowner_grub2_cfg
-- banner_etc_issue
-- dconf_gnome_disable_user_list
-- partition_for_tmp
+- rsyslog_files_permissions
+- rsyslog_nolisten
+- selinux_not_disabled
+- selinux_policytype
+- selinux_state
+- service_auditd_enabled
+- service_autofs_disabled
+- service_bluetooth_disabled
+- service_crond_enabled
+- service_firewalld_enabled
+- service_nfs_disabled
+- service_nftables_disabled
+- service_rpcbind_disabled
+- service_rsyslog_enabled
+- service_systemd-journald_enabled
+- set_password_hashing_algorithm_libuserconf
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_gssapi_auth
+- sshd_disable_rhosts
+- sshd_disable_root_login
 - sshd_do_not_permit_user_env
-- file_owner_backup_etc_gshadow
-- accounts_passwords_pam_faillock_deny
-- no_files_unowned_by_user
-- audit_rules_dac_modification_fremovexattr
-- firewalld_loopback_traffic_trusted
-- partition_for_var_log_audit
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_authentication
+- sudo_require_reauthentication
+- sysctl_kernel_randomize_va_space
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
+- sysctl_net_ipv4_conf_default_accept_redirects
+- sysctl_net_ipv4_conf_default_accept_source_route
+- sysctl_net_ipv4_conf_default_log_martians
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_default_secure_redirects
+- sysctl_net_ipv4_conf_default_send_redirects
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_forwarding
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv6_conf_default_accept_redirects
+- sysctl_net_ipv6_conf_default_accept_source_route
+- use_pam_wheel_group_for_su
 - wireless_disable_interfaces
-- accounts_root_gid_zero
-- audit_rules_unsuccessful_file_modification_creat
-- accounts_password_set_warn_age_existing
+- xwindows_runlevel_target
+- var_user_initialization_files_regex=all_dotfiles
 - var_accounts_user_umask=027
 - var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
+- var_account_disable_post_pw_expiration=45
+- var_password_hashing_algorithm=SHA512
 - var_accounts_password_warn_age_login_defs=7
-- var_accounts_minimum_age_login_defs=1
 - var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
 - var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=5
-- var_accounts_passwords_pam_faillock_deny=3
-- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_remember=24
+- var_password_pam_dictcheck=1
+- var_password_pam_maxrepeat=3
 - var_password_pam_minclass=4
 - var_password_pam_minlen=14
+- var_password_pam_difok=2
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_accounts_passwords_pam_faillock_deny=5
 - var_pam_wheel_group_for_su=cis
-- sshd_idle_timeout_value=15_minutes
-- var_sshd_set_keepalive=1
-- var_sshd_set_login_grace_time=60
 - var_sshd_max_sessions=10
 - var_sshd_set_maxstartups=10:30:60
 - sshd_max_auth_tries_value=4
-- var_nftables_family=inet
-- var_nftables_table=firewalld
+- var_sshd_set_login_grace_time=60
+- sshd_idle_timeout_value=5_minutes
+- var_sshd_set_keepalive=1
+- sshd_strong_macs=cis_rhel9
+- sshd_strong_kex=cis_rhel9
+- sshd_approved_ciphers=cis_rhel9
 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
 - var_multiple_time_servers=rhel
-- var_system_crypto_policy=default_policy
+- var_postfix_inet_interfaces=loopback-only
 - inactivity_timeout_value=15_minutes
 - var_screensaver_lock_delay=5_seconds
 - remote_login_banner_text=cis_banners
 - login_banner_text=cis_banners
 - motd_banner_text=cis_banners
+- var_system_crypto_policy=default_nosha1
 - var_selinux_policy_name=targeted
 - var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_dir=run
 - var_auditd_action_mail_acct=root
-- var_auditd_admin_space_left_action=halt
-- var_auditd_space_left_action=email
+- var_auditd_admin_space_left_action=cis_rhel9
+- var_auditd_space_left_action=cis_rhel9
+- var_auditd_disk_error_action=cis_rhel9
+- var_auditd_disk_full_action=cis_rhel9
 - var_auditd_max_log_file_action=keep_logs
 - var_auditd_max_log_file=6
+- var_accounts_minimum_age_login_defs=1
 - var_selinux_state=enforcing
 unselected_groups: []
 platforms: !!set {}
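Review bot: Eight rules selected on the old side never reappear on the new side of this hunk — `set_firewalld_default_zone`, `set_nftables_table`, `file_groupownership_home_directories`, `audit_rules_time_stime`, `accounts_password_pam_retry`, `sshd_disable_x11_forwarding`, `sshd_disable_tcp_forwarding` and `selinux_confinement_of_daemons` — along with the `var_nftables_family=inet` and `var_nftables_table=firewalld` values, yet neither the subject line nor the description says these drops are intended. Because this file is the expectation the profile stability test compares against, a fixture that quietly accepts a narrower selection also hides an accidental omission in the controls file, so the description should list the removed rules and the tightened parameters (`var_password_pam_remember=24`, `var_accounts_passwords_pam_faillock_deny=5`, `sshd_idle_timeout_value=5_minutes`, `var_system_crypto_policy=default_nosha1`) with the v2.0.0 section each follows, rather than leaving reviewers to recover them from a reorder of several hundred lines. The rule selections are now alphabetical, which makes this diff large once but keeps later fixture diffs small; the `var_*=` entries that follow are not sorted, so lines such as `var_accounts_minimum_age_login_defs=1` and `var_password_hashing_algorithm=SHA512` still move without changing value, and sorting them the same way would make the next regeneration easier to read.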
@@ -439,5 +475,4 @@ filter_rules: ''
 policies:
 - cis_rhel9
 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
-definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis.profile
 documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index 8eb73a288db..7278ca428ec 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -12,330 +12,352 @@ metadata:
 - yuumasato
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 selections:
-- coredump_disable_storage
-- package_dovecot_removed
+- account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
+- account_unique_id
+- account_unique_name
+- accounts_maximum_age_login_defs
+- accounts_no_uid_except_zero
+- accounts_password_all_shadowed
+- accounts_password_last_change_is_in_past
+- accounts_password_pam_dictcheck
+- accounts_password_pam_difok
+- accounts_password_pam_enforce_root
+- accounts_password_pam_maxrepeat
+- accounts_password_pam_minclass
+- accounts_password_pam_minlen
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_set_max_life_existing
+- accounts_password_set_warn_age_existing
+- accounts_password_warn_age_login_defs
+- accounts_passwords_pam_faillock_deny
 - accounts_passwords_pam_faillock_unlock_time
-- sysctl_net_ipv4_conf_all_accept_redirects
-- firewalld_loopback_traffic_restricted
-- sysctl_net_ipv6_conf_all_accept_redirects
-- mount_option_var_log_nodev
-- file_groupowner_etc_gshadow
-- file_owner_grub2_cfg
-- no_shelllogin_for_systemaccounts
-- file_owner_cron_allow
+- accounts_root_gid_zero
+- accounts_root_path_dirs_no_write
+- accounts_set_post_pw_existing
+- accounts_tmout
+- accounts_umask_etc_bashrc
+- accounts_umask_etc_login_defs
+- accounts_umask_etc_profile
+- accounts_user_dot_group_ownership
+- accounts_user_dot_no_world_writable_programs
+- accounts_user_dot_user_ownership
+- accounts_user_interactive_home_directory_exists
+- aide_build_database
+- aide_check_audit_tools
+- aide_periodic_cron_checking
+- banner_etc_issue
+- banner_etc_issue_net
+- banner_etc_motd
+- chronyd_run_as_chrony_user
+- chronyd_specify_remote_server
+- configure_crypto_policy
+- configure_ssh_crypto_policy
+- coredump_disable_backtraces
+- coredump_disable_storage
+- dconf_db_up_to_date
+- dconf_gnome_banner_enabled
+- dconf_gnome_disable_automount
+- dconf_gnome_disable_automount_open
+- dconf_gnome_disable_autorun
+- dconf_gnome_disable_user_list
+- dconf_gnome_login_banner_text
 - dconf_gnome_screensaver_idle_delay
+- dconf_gnome_screensaver_lock_delay
+- dconf_gnome_screensaver_user_locks
+- dconf_gnome_session_idle_user_locks
+- dir_perms_world_writable_sticky_bits
+- disable_host_auth
+- enable_authselect
+- ensure_gpgcheck_globally_activated
+- ensure_pam_wheel_group_empty
 - ensure_root_password_configured
-- file_owner_cron_daily
-- file_owner_backup_etc_shadow
-- mount_option_var_log_audit_noexec
-- package_setroubleshoot_removed
-- sshd_set_login_grace_time
-- file_owner_cron_hourly
-- package_samba_removed
-- no_rsh_trust_files
-- rsyslog_files_permissions
-- account_password_pam_faillock_system_auth
-- dconf_gnome_disable_automount_open
-- mount_option_var_tmp_noexec
-- selinux_not_disabled
-- sshd_set_loglevel_verbose
-- sysctl_net_ipv4_conf_default_log_martians
-- service_systemd-journald_enabled
-- package_nftables_installed
-- mount_option_var_nodev
-- accounts_user_interactive_home_directory_exists
-- accounts_tmout
+- file_at_deny_not_exist
+- file_cron_allow_exists
+- file_cron_deny_not_exist
+- file_etc_security_opasswd
+- file_groupowner_at_allow
+- file_groupowner_backup_etc_group
+- file_groupowner_backup_etc_gshadow
+- file_groupowner_backup_etc_passwd
+- file_groupowner_backup_etc_shadow
+- file_groupowner_cron_allow
+- file_groupowner_cron_d
+- file_groupowner_cron_daily
+- file_groupowner_cron_hourly
+- file_groupowner_cron_monthly
+- file_groupowner_cron_weekly
+- file_groupowner_crontab
+- file_groupowner_etc_group
+- file_groupowner_etc_gshadow
 - file_groupowner_etc_issue
-- mount_option_var_log_noexec
+- file_groupowner_etc_issue_net
+- file_groupowner_etc_motd
+- file_groupowner_etc_passwd
+- file_groupowner_etc_shadow
+- file_groupowner_etc_shells
+- file_groupowner_grub2_cfg
+- file_groupowner_sshd_config
+- file_groupowner_user_cfg
+- file_groupownership_sshd_private_key
+- file_groupownership_sshd_pub_key
 - file_owner_backup_etc_group
+- file_owner_backup_etc_gshadow
+- file_owner_backup_etc_passwd
+- file_owner_backup_etc_shadow
+- file_owner_cron_allow
+- file_owner_cron_d
+- file_owner_cron_daily
+- file_owner_cron_hourly
+- file_owner_cron_monthly
+- file_owner_cron_weekly
+- file_owner_crontab
+- file_owner_etc_group
+- file_owner_etc_gshadow
+- file_owner_etc_issue
+- file_owner_etc_issue_net
+- file_owner_etc_motd
+- file_owner_etc_passwd
+- file_owner_etc_shadow
+- file_owner_etc_shells
+- file_owner_grub2_cfg
+- file_owner_sshd_config
+- file_owner_user_cfg
+- file_ownership_sshd_private_key
+- file_ownership_sshd_pub_key
+- file_permission_user_init_files
+- file_permissions_at_allow
+- file_permissions_backup_etc_group
+- file_permissions_backup_etc_gshadow
+- file_permissions_backup_etc_passwd
+- file_permissions_backup_etc_shadow
+- file_permissions_cron_allow
+- file_permissions_cron_d
 - file_permissions_cron_daily
-- file_groupowner_backup_etc_shadow
-- file_permissions_home_directories
-- file_groupowner_backup_etc_passwd
-- set_password_hashing_algorithm_systemauth
-- package_mcstrans_removed
-- sshd_limit_user_access
-- sshd_set_max_sessions
+- file_permissions_cron_hourly
+- file_permissions_cron_monthly
+- file_permissions_cron_weekly
 - file_permissions_crontab
-- journald_compress
-- file_permissions_at_allow
-- file_owner_etc_passwd
-- mount_option_var_tmp_nodev
-- file_owner_backup_etc_passwd
-- package_sudo_installed
-- root_path_no_dot
+- file_permissions_etc_group
+- file_permissions_etc_gshadow
+- file_permissions_etc_issue
+- file_permissions_etc_issue_net
+- file_permissions_etc_motd
+- file_permissions_etc_passwd
 - file_permissions_etc_shadow
-- file_groupowner_etc_passwd
-- mount_option_var_tmp_nosuid
-- package_rsync_removed
-- accounts_password_pam_retry
-- package_firewalld_installed
-- package_telnet_removed
-- sudo_require_reauthentication
+- file_permissions_etc_shells
+- file_permissions_grub2_cfg
+- file_permissions_home_directories
+- file_permissions_sshd_config
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
 - file_permissions_unauthorized_world_writable
-- sysctl_net_ipv4_conf_all_accept_source_route
-- chronyd_run_as_chrony_user
-- file_at_deny_not_exist
-- file_groupowner_crontab
-- selinux_confinement_of_daemons
-- mount_option_home_nosuid
-- file_permissions_cron_weekly
-- file_cron_deny_not_exist
-- dconf_gnome_disable_autorun
-- accounts_password_set_max_life_existing
-- file_permissions_etc_group
-- accounts_no_uid_except_zero
-- disable_host_auth
 - file_permissions_ungroupowned
-- sshd_disable_empty_passwords
-- mount_option_dev_shm_nosuid
-- aide_build_database
-- file_owner_user_cfg
-- package_tftp-server_removed
-- sysctl_net_ipv6_conf_all_forwarding
-- file_groupowner_backup_etc_gshadow
-- accounts_password_all_shadowed
-- account_unique_id
-- set_nftables_table
-- accounts_set_post_pw_existing
-- file_groupowner_etc_motd
-- file_permissions_cron_d
+- file_permissions_user_cfg
+- firewalld_loopback_traffic_restricted
+- firewalld_loopback_traffic_trusted
+- gid_passwd_group_same
+- gnome_gdm_disable_xdmcp
+- group_unique_id
+- grub2_enable_selinux
 - grub2_password
-- file_groupowner_cron_hourly
-- dconf_db_up_to_date
-- sysctl_net_ipv4_ip_forward
-- file_owner_sshd_config
-- file_owner_cron_monthly
-- file_permissions_etc_motd
-- set_password_hashing_algorithm_logindefs
+- has_nonlocal_mta
+- journald_compress
+- journald_forward_to_syslog
+- journald_storage
+- kernel_module_cramfs_disabled
+- kernel_module_freevxfs_disabled
+- kernel_module_hfs_disabled
+- kernel_module_hfsplus_disabled
+- kernel_module_jffs2_disabled
+- kernel_module_usb-storage_disabled
+- mount_option_dev_shm_nodev
+- mount_option_dev_shm_noexec
+- mount_option_dev_shm_nosuid
+- mount_option_home_nodev
+- mount_option_home_nosuid
+- mount_option_tmp_nodev
+- mount_option_tmp_noexec
 - mount_option_tmp_nosuid
-- no_password_auth_for_systemaccounts
-- accounts_password_pam_minclass
-- service_rsyslog_enabled
-- sshd_set_maxstartups
-- file_groupowner_cron_allow
-- sudo_add_use_pty
-- sysctl_net_ipv6_conf_all_accept_ra
-- accounts_maximum_age_login_defs
-- file_permissions_etc_issue
-- package_httpd_removed
+- mount_option_var_log_audit_nodev
+- mount_option_var_log_audit_noexec
+- mount_option_var_log_audit_nosuid
+- mount_option_var_log_nodev
+- mount_option_var_log_noexec
+- mount_option_var_log_nosuid
+- mount_option_var_nodev
+- mount_option_var_nosuid
+- mount_option_var_tmp_nodev
+- mount_option_var_tmp_noexec
+- mount_option_var_tmp_nosuid
+- no_empty_passwords
+- no_empty_passwords_etc_shadow
+- no_files_unowned_by_user
 - no_forward_files
-- service_firewalld_enabled
-- rsyslog_nolisten
-- file_owner_etc_group
-- accounts_password_pam_pwhistory_remember_password_auth
-- group_unique_id
-- selinux_policytype
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_cron_allow_exists
-- file_groupowner_user_cfg
-- dconf_gnome_disable_automount
+- no_netrc_files
+- no_password_auth_for_systemaccounts
+- no_rsh_trust_files
+- no_shelllogin_for_systemaccounts
+- package_aide_installed
+- package_avahi_removed
 - package_bind_removed
-- file_groupowner_cron_weekly
-- socket_systemd-journal-remote_disabled
+- package_cups_removed
+- package_cyrus-imapd_removed
+- package_dhcp_removed
+- package_dnsmasq_removed
+- package_dovecot_removed
+- package_firewalld_installed
+- package_ftp_removed
+- package_httpd_removed
+- package_libselinux_installed
+- package_mcstrans_removed
 - package_net-snmp_removed
-- coredump_disable_backtraces
-- enable_authselect
-- partition_for_dev_shm
-- kernel_module_udf_disabled
-- file_groupowner_etc_issue_net
-- file_permissions_user_cfg
-- service_crond_enabled
-- sysctl_net_ipv4_conf_all_send_redirects
-- sysctl_net_ipv6_conf_default_accept_ra
-- dconf_gnome_screensaver_lock_delay
-- configure_ssh_crypto_policy
-- account_password_pam_faillock_password_auth
-- banner_etc_motd
-- file_permissions_backup_etc_gshadow
-- file_permissions_etc_passwd
-- ensure_pam_wheel_group_empty
-- file_permissions_backup_etc_shadow
-- journald_storage
-- file_owner_crontab
+- package_nftables_installed
+- package_nginx_removed
+- package_pam_pwquality_installed
+- package_rsync_removed
+- package_rsyslog_installed
+- package_samba_removed
+- package_setroubleshoot_removed
+- package_squid_removed
+- package_sudo_installed
+- package_systemd-journal-remote_installed
+- package_telnet-server_removed
+- package_telnet_removed
+- package_tftp-server_removed
+- package_tftp_removed
 - package_vsftpd_removed
-- sudo_custom_logfile
-- file_groupownership_sshd_pub_key
-- file_owner_etc_issue_net
-- account_disable_post_pw_expiration
-- sshd_enable_pam
-- sshd_set_keepalive
-- sysctl_net_ipv4_tcp_syncookies
-- set_firewalld_default_zone
-- aide_check_audit_tools
+- package_xinetd_removed
+- package_ypbind_removed
+- package_ypserv_removed
+- partition_for_dev_shm
+- partition_for_tmp
 - postfix_network_listening_disabled
-- accounts_umask_etc_bashrc
-- mount_option_var_log_audit_nodev
+- root_path_no_dot
+- rsyslog_filecreatemode
 - rsyslog_files_groupownership
+- rsyslog_files_ownership
+- rsyslog_files_permissions
+- rsyslog_nolisten
+- selinux_not_disabled
+- selinux_policytype
+- service_autofs_disabled
+- service_bluetooth_disabled
+- service_crond_enabled
+- service_firewalld_enabled
 - service_nfs_disabled
-- accounts_minimum_age_login_defs
-- file_permissions_grub2_cfg
-- dconf_gnome_screensaver_user_locks
-- file_permissions_etc_gshadow
-- sshd_enable_warning_banner_net
-- package_dnsmasq_removed
-- file_ownership_sshd_private_key
-- file_permissions_sshd_private_key
-- no_empty_passwords
-- grub2_enable_selinux
-- file_permissions_sshd_pub_key
 - service_nftables_disabled
-- mount_option_var_log_nosuid
-- accounts_password_pam_minlen
-- file_permissions_cron_allow
-- sysctl_net_ipv6_conf_all_accept_source_route
-- file_owner_etc_motd
-- use_pam_wheel_group_for_su
-- rsyslog_filecreatemode
-- sysctl_net_ipv4_conf_all_secure_redirects
-- file_owner_cron_d
-- file_groupowner_sshd_config
-- file_owner_etc_gshadow
-- accounts_password_pam_pwhistory_remember_system_auth
-- file_permissions_etc_issue_net
-- package_nginx_removed
-- dir_perms_world_writable_sticky_bits
-- file_ownership_sshd_pub_key
-- mount_option_var_log_audit_nosuid
-- package_rsyslog_installed
-- accounts_umask_etc_login_defs
-- kernel_module_squashfs_disabled
+- service_rpcbind_disabled
+- service_rsyslog_enabled
+- service_systemd-journald_enabled
+- set_password_hashing_algorithm_libuserconf
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_rhosts
+- sshd_disable_root_login
+- sshd_do_not_permit_user_env
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_reauthentication
 - sysctl_kernel_randomize_va_space
-- accounts_user_dot_no_world_writable_programs
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_all_rp_filter
-- sshd_set_max_auth_tries
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
-- package_telnet-server_removed
-- gnome_gdm_disable_xdmcp
-- mount_option_home_nodev
-- file_groupownership_home_directories
-- sshd_disable_root_login
-- mount_option_dev_shm_noexec
-- sysctl_net_ipv6_conf_default_accept_source_route
-- file_permissions_backup_etc_passwd
-- package_cyrus-imapd_removed
-- file_permissions_sshd_config
-- no_netrc_files
-- banner_etc_issue_net
-- journald_forward_to_syslog
-- package_tftp_removed
-- no_empty_passwords_etc_shadow
-- package_dhcp_removed
-- file_groupowner_at_allow
-- mount_option_dev_shm_nodev
-- package_aide_installed
-- package_cups_removed
-- file_permissions_cron_monthly
-- mount_option_tmp_noexec
 - sysctl_net_ipv4_conf_default_accept_source_route
-- package_ftp_removed
-- rsyslog_files_ownership
-- accounts_password_last_change_is_in_past
+- sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_conf_default_rp_filter
-- sysctl_net_ipv4_conf_all_log_martians
-- sshd_disable_rhosts
-- dconf_gnome_login_banner_text
-- chronyd_specify_remote_server
-- file_groupowner_etc_group
-- file_groupowner_backup_etc_group
+- sysctl_net_ipv4_conf_default_secure_redirects
 - sysctl_net_ipv4_conf_default_send_redirects
-- file_permissions_backup_etc_group
-- file_groupowner_grub2_cfg
-- package_avahi_removed
-- banner_etc_issue
-- accounts_umask_etc_profile
-- kernel_module_usb-storage_disabled
-- file_owner_etc_issue
-- mount_option_tmp_nodev
-- package_libselinux_installed
-- service_rpcbind_disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-- accounts_root_path_dirs_no_write
-- dconf_gnome_disable_user_list
-- file_owner_cron_weekly
-- gid_passwd_group_same
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_forwarding
+- sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
-- partition_for_tmp
-- mount_option_var_nosuid
-- set_password_hashing_algorithm_passwordauth
-- package_squid_removed
-- sshd_do_not_permit_user_env
-- file_owner_backup_etc_gshadow
-- dconf_gnome_session_idle_user_locks
-- accounts_passwords_pam_faillock_deny
-- accounts_password_set_min_life_existing
-- file_groupowner_cron_daily
-- file_owner_etc_shadow
-- package_openldap-clients_removed
-- account_unique_name
-- sshd_set_idle_timeout
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- no_files_unowned_by_user
-- file_groupowner_cron_monthly
-- ensure_gpgcheck_globally_activated
-- firewalld_loopback_traffic_trusted
-- configure_crypto_policy
-- has_nonlocal_mta
+- sysctl_net_ipv6_conf_default_accept_source_route
+- use_pam_wheel_group_for_su
 - wireless_disable_interfaces
-- accounts_root_gid_zero
-- dconf_gnome_banner_enabled
-- accounts_password_warn_age_login_defs
-- accounts_password_set_warn_age_existing
-- aide_periodic_cron_checking
-- file_groupowner_etc_shadow
-- file_groupowner_cron_d
-- file_groupownership_sshd_private_key
-- file_permissions_cron_hourly
+- var_user_initialization_files_regex=all_dotfiles
 - var_accounts_user_umask=027
 - var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
+- var_account_disable_post_pw_expiration=45
+- var_password_hashing_algorithm=SHA512
 - var_accounts_password_warn_age_login_defs=7
-- var_accounts_minimum_age_login_defs=1
 - var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
 - var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=5
-- var_accounts_passwords_pam_faillock_deny=3
-- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_remember=24
+- var_password_pam_dictcheck=1
+- var_password_pam_maxrepeat=3
 - var_password_pam_minclass=4
 - var_password_pam_minlen=14
+- var_password_pam_difok=2
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_accounts_passwords_pam_faillock_deny=5
 - var_pam_wheel_group_for_su=cis
-- sshd_idle_timeout_value=15_minutes
-- var_sshd_set_keepalive=1
-- var_sshd_set_login_grace_time=60
 - var_sshd_max_sessions=10
 - var_sshd_set_maxstartups=10:30:60
 - sshd_max_auth_tries_value=4
-- var_nftables_family=inet
-- var_nftables_table=firewalld
+- var_sshd_set_login_grace_time=60
+- sshd_idle_timeout_value=5_minutes
+- var_sshd_set_keepalive=1
+- sshd_strong_macs=cis_rhel9
+- sshd_strong_kex=cis_rhel9
+- sshd_approved_ciphers=cis_rhel9
 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
 - var_multiple_time_servers=rhel
-- var_system_crypto_policy=default_policy
+- var_postfix_inet_interfaces=loopback-only
 - inactivity_timeout_value=15_minutes
 - var_screensaver_lock_delay=5_seconds
 - remote_login_banner_text=cis_banners
 - login_banner_text=cis_banners
 - motd_banner_text=cis_banners
+- var_system_crypto_policy=default_nosha1
 - var_selinux_policy_name=targeted
 - var_authselect_profile=sssd
 unselected_groups: []
@@ -346,5 +368,4 @@ filter_rules: ''
 policies:
 - cis_rhel9
 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
-definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_server_l1.profile
 documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index 0c1a4e07df3..93758f5a3d3 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
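Review bot: The new selection list for the Level 1 server profile drops `selinux_confinement_of_daemons`, `set_firewalld_default_zone`, `set_nftables_table` (together with `var_nftables_family`/`var_nftables_table`), `accounts_password_pam_retry`, `package_openldap-clients_removed` and `file_groupownership_home_directories`, and no obvious replacement for any of them is added anywhere in this hunk. If these are intended consequences of the v2.0.0 control mapping (items dropped from the benchmark or moved to Level 2), a sentence in the commit description naming them would let reviewers separate deliberate scope changes from accidental loss of coverage; `selinux_confinement_of_daemons` in particular reads as a coverage regression unless the benchmark no longer checks for unconfined services. Since this file is a generated stability snapshot, any correction belongs in controls/cis_rhel9.yml rather than here.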
@@ -12,326 +12,344 @@ metadata:
 - yuumasato
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 selections:
-- coredump_disable_storage
-- package_dovecot_removed
+- account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
+- account_unique_id
+- account_unique_name
+- accounts_maximum_age_login_defs
+- accounts_no_uid_except_zero
+- accounts_password_all_shadowed
+- accounts_password_last_change_is_in_past
+- accounts_password_pam_dictcheck
+- accounts_password_pam_difok
+- accounts_password_pam_enforce_root
+- accounts_password_pam_maxrepeat
+- accounts_password_pam_minclass
+- accounts_password_pam_minlen
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_set_max_life_existing
+- accounts_password_set_warn_age_existing
+- accounts_password_warn_age_login_defs
+- accounts_passwords_pam_faillock_deny
 - accounts_passwords_pam_faillock_unlock_time
-- sysctl_net_ipv4_conf_all_accept_redirects
-- firewalld_loopback_traffic_restricted
-- sysctl_net_ipv6_conf_all_accept_redirects
-- mount_option_var_log_nodev
-- file_groupowner_etc_gshadow
-- file_owner_grub2_cfg
-- no_shelllogin_for_systemaccounts
-- file_owner_cron_allow
+- accounts_root_gid_zero
+- accounts_root_path_dirs_no_write
+- accounts_set_post_pw_existing
+- accounts_tmout
+- accounts_umask_etc_bashrc
+- accounts_umask_etc_login_defs
+- accounts_umask_etc_profile
+- accounts_user_dot_group_ownership
+- accounts_user_dot_no_world_writable_programs
+- accounts_user_dot_user_ownership
+- accounts_user_interactive_home_directory_exists
+- aide_build_database
+- aide_check_audit_tools
+- aide_periodic_cron_checking
+- banner_etc_issue
+- banner_etc_issue_net
+- banner_etc_motd
+- chronyd_run_as_chrony_user
+- chronyd_specify_remote_server
+- configure_crypto_policy
+- configure_ssh_crypto_policy
+- coredump_disable_backtraces
+- coredump_disable_storage
+- dconf_db_up_to_date
+- dconf_gnome_banner_enabled
+- dconf_gnome_disable_autorun
+- dconf_gnome_disable_user_list
+- dconf_gnome_login_banner_text
 - dconf_gnome_screensaver_idle_delay
+- dconf_gnome_screensaver_lock_delay
+- dconf_gnome_screensaver_user_locks
+- dconf_gnome_session_idle_user_locks
+- dir_perms_world_writable_sticky_bits
+- disable_host_auth
+- enable_authselect
+- ensure_gpgcheck_globally_activated
+- ensure_pam_wheel_group_empty
 - ensure_root_password_configured
-- file_owner_cron_daily
-- file_owner_backup_etc_shadow
-- mount_option_var_log_audit_noexec
-- sshd_set_login_grace_time
-- file_owner_cron_hourly
-- package_samba_removed
-- no_rsh_trust_files
-- rsyslog_files_permissions
-- account_password_pam_faillock_system_auth
-- dconf_gnome_disable_automount_open
-- mount_option_var_tmp_noexec
-- selinux_not_disabled
-- sshd_set_loglevel_verbose
-- sysctl_net_ipv4_conf_default_log_martians
-- service_systemd-journald_enabled
-- package_nftables_installed
-- mount_option_var_nodev
-- accounts_user_interactive_home_directory_exists
-- accounts_tmout
+- file_at_deny_not_exist
+- file_cron_allow_exists
+- file_cron_deny_not_exist
+- file_etc_security_opasswd
+- file_groupowner_at_allow
+- file_groupowner_backup_etc_group
+- file_groupowner_backup_etc_gshadow
+- file_groupowner_backup_etc_passwd
+- file_groupowner_backup_etc_shadow
+- file_groupowner_cron_allow
+- file_groupowner_cron_d
+- file_groupowner_cron_daily
+- file_groupowner_cron_hourly
+- file_groupowner_cron_monthly
+- file_groupowner_cron_weekly
+- file_groupowner_crontab
+- file_groupowner_etc_group
+- file_groupowner_etc_gshadow
 - file_groupowner_etc_issue
-- mount_option_var_log_noexec
+- file_groupowner_etc_issue_net
+- file_groupowner_etc_motd
+- file_groupowner_etc_passwd
+- file_groupowner_etc_shadow
+- file_groupowner_etc_shells
+- file_groupowner_grub2_cfg
+- file_groupowner_sshd_config
+- file_groupowner_user_cfg
+- file_groupownership_sshd_private_key
+- file_groupownership_sshd_pub_key
 - file_owner_backup_etc_group
+- file_owner_backup_etc_gshadow
+- file_owner_backup_etc_passwd
+- file_owner_backup_etc_shadow
+- file_owner_cron_allow
+- file_owner_cron_d
+- file_owner_cron_daily
+- file_owner_cron_hourly
+- file_owner_cron_monthly
+- file_owner_cron_weekly
+- file_owner_crontab
+- file_owner_etc_group
+- file_owner_etc_gshadow
+- file_owner_etc_issue
+- file_owner_etc_issue_net
+- file_owner_etc_motd
+- file_owner_etc_passwd
+- file_owner_etc_shadow
+- file_owner_etc_shells
+- file_owner_grub2_cfg
+- file_owner_sshd_config
+- file_owner_user_cfg
+- file_ownership_sshd_private_key
+- file_ownership_sshd_pub_key
+- file_permission_user_init_files
+- file_permissions_at_allow
+- file_permissions_backup_etc_group
+- file_permissions_backup_etc_gshadow
+- file_permissions_backup_etc_passwd
+- file_permissions_backup_etc_shadow
+- file_permissions_cron_allow
+- file_permissions_cron_d
 - file_permissions_cron_daily
-- file_groupowner_backup_etc_shadow
-- file_permissions_home_directories
-- file_groupowner_backup_etc_passwd
-- set_password_hashing_algorithm_systemauth
-- package_mcstrans_removed
-- sshd_limit_user_access
-- sshd_set_max_sessions
+- file_permissions_cron_hourly
+- file_permissions_cron_monthly
+- file_permissions_cron_weekly
 - file_permissions_crontab
-- journald_compress
-- file_permissions_at_allow
-- file_owner_etc_passwd
-- mount_option_var_tmp_nodev
-- file_owner_backup_etc_passwd
-- package_sudo_installed
-- root_path_no_dot
+- file_permissions_etc_group
+- file_permissions_etc_gshadow
+- file_permissions_etc_issue
+- file_permissions_etc_issue_net
+- file_permissions_etc_motd
+- file_permissions_etc_passwd
 - file_permissions_etc_shadow
-- file_groupowner_etc_passwd
-- mount_option_var_tmp_nosuid
-- package_rsync_removed
-- accounts_password_pam_retry
-- package_firewalld_installed
-- package_telnet_removed
-- sudo_require_reauthentication
+- file_permissions_etc_shells
+- file_permissions_grub2_cfg
+- file_permissions_home_directories
+- file_permissions_sshd_config
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
 - file_permissions_unauthorized_world_writable
-- sysctl_net_ipv4_conf_all_accept_source_route
-- chronyd_run_as_chrony_user
-- file_at_deny_not_exist
-- file_groupowner_crontab
-- selinux_confinement_of_daemons
-- mount_option_home_nosuid
-- file_permissions_cron_weekly
-- file_cron_deny_not_exist
-- dconf_gnome_disable_autorun
-- accounts_password_set_max_life_existing
-- file_permissions_etc_group
-- accounts_no_uid_except_zero
-- disable_host_auth
 - file_permissions_ungroupowned
-- sshd_disable_empty_passwords
-- mount_option_dev_shm_nosuid
-- aide_build_database
-- file_owner_user_cfg
-- package_tftp-server_removed
-- sysctl_net_ipv6_conf_all_forwarding
-- file_groupowner_backup_etc_gshadow
-- accounts_password_all_shadowed
-- account_unique_id
-- set_nftables_table
-- accounts_set_post_pw_existing
-- file_groupowner_etc_motd
-- file_permissions_cron_d
+- file_permissions_user_cfg
+- firewalld_loopback_traffic_restricted
+- firewalld_loopback_traffic_trusted
+- gid_passwd_group_same
+- gnome_gdm_disable_xdmcp
+- group_unique_id
+- grub2_enable_selinux
 - grub2_password
-- file_groupowner_cron_hourly
-- dconf_db_up_to_date
-- sysctl_net_ipv4_ip_forward
-- file_owner_sshd_config
-- file_owner_cron_monthly
-- file_permissions_etc_motd
-- set_password_hashing_algorithm_logindefs
+- has_nonlocal_mta
+- journald_compress
+- journald_forward_to_syslog
+- journald_storage
+- kernel_module_cramfs_disabled
+- kernel_module_freevxfs_disabled
+- kernel_module_hfs_disabled
+- kernel_module_hfsplus_disabled
+- kernel_module_jffs2_disabled
+- mount_option_dev_shm_nodev
+- mount_option_dev_shm_noexec
+- mount_option_dev_shm_nosuid
+- mount_option_home_nodev
+- mount_option_home_nosuid
+- mount_option_tmp_nodev
+- mount_option_tmp_noexec
 - mount_option_tmp_nosuid
-- no_password_auth_for_systemaccounts
-- accounts_password_pam_minclass
-- service_rsyslog_enabled
-- sshd_set_maxstartups
-- file_groupowner_cron_allow
-- sudo_add_use_pty
-- sysctl_net_ipv6_conf_all_accept_ra
-- accounts_maximum_age_login_defs
-- file_permissions_etc_issue
-- package_httpd_removed
+- mount_option_var_log_audit_nodev
+- mount_option_var_log_audit_noexec
+- mount_option_var_log_audit_nosuid
+- mount_option_var_log_nodev
+- mount_option_var_log_noexec
+- mount_option_var_log_nosuid
+- mount_option_var_nodev
+- mount_option_var_nosuid
+- mount_option_var_tmp_nodev
+- mount_option_var_tmp_noexec
+- mount_option_var_tmp_nosuid
+- no_empty_passwords
+- no_empty_passwords_etc_shadow
+- no_files_unowned_by_user
 - no_forward_files
-- service_firewalld_enabled
-- rsyslog_nolisten
-- file_owner_etc_group
-- accounts_password_pam_pwhistory_remember_password_auth
-- group_unique_id
-- selinux_policytype
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_cron_allow_exists
-- file_groupowner_user_cfg
-- dconf_gnome_disable_automount
+- no_netrc_files
+- no_password_auth_for_systemaccounts
+- no_rsh_trust_files
+- no_shelllogin_for_systemaccounts
+- package_aide_installed
 - package_bind_removed
-- file_groupowner_cron_weekly
-- socket_systemd-journal-remote_disabled
+- package_cyrus-imapd_removed
+- package_dhcp_removed
+- package_dnsmasq_removed
+- package_dovecot_removed
+- package_firewalld_installed
+- package_ftp_removed
+- package_httpd_removed
+- package_libselinux_installed
+- package_mcstrans_removed
 - package_net-snmp_removed
-- coredump_disable_backtraces
-- enable_authselect
-- partition_for_dev_shm
-- kernel_module_udf_disabled
-- file_groupowner_etc_issue_net
-- file_permissions_user_cfg
-- service_crond_enabled
-- sysctl_net_ipv4_conf_all_send_redirects
-- sysctl_net_ipv6_conf_default_accept_ra
-- dconf_gnome_screensaver_lock_delay
-- configure_ssh_crypto_policy
-- account_password_pam_faillock_password_auth
-- banner_etc_motd
-- file_permissions_backup_etc_gshadow
-- file_permissions_etc_passwd
-- ensure_pam_wheel_group_empty
-- file_permissions_backup_etc_shadow
-- journald_storage
-- file_owner_crontab
+- package_nftables_installed
+- package_nginx_removed
+- package_pam_pwquality_installed
+- package_rsync_removed
+- package_rsyslog_installed
+- package_samba_removed
+- package_squid_removed
+- package_sudo_installed
+- package_systemd-journal-remote_installed
+- package_telnet-server_removed
+- package_telnet_removed
+- package_tftp-server_removed
+- package_tftp_removed
 - package_vsftpd_removed
-- sudo_custom_logfile
-- sshd_disable_x11_forwarding
-- file_groupownership_sshd_pub_key
-- file_owner_etc_issue_net
-- account_disable_post_pw_expiration
-- sshd_enable_pam
-- sshd_set_keepalive
-- sysctl_net_ipv4_tcp_syncookies
-- set_firewalld_default_zone
-- aide_check_audit_tools
+- package_xinetd_removed
+- package_ypbind_removed
+- package_ypserv_removed
+- partition_for_dev_shm
+- partition_for_tmp
 - postfix_network_listening_disabled
-- accounts_umask_etc_bashrc
-- mount_option_var_log_audit_nodev
+- root_path_no_dot
+- rsyslog_filecreatemode
 - rsyslog_files_groupownership
+- rsyslog_files_ownership
+- rsyslog_files_permissions
+- rsyslog_nolisten
+- selinux_not_disabled
+- selinux_policytype
+- service_crond_enabled
+- service_firewalld_enabled
 - service_nfs_disabled
-- accounts_minimum_age_login_defs
-- file_permissions_grub2_cfg
-- dconf_gnome_screensaver_user_locks
-- file_permissions_etc_gshadow
-- sshd_enable_warning_banner_net
-- package_dnsmasq_removed
-- file_ownership_sshd_private_key
-- file_permissions_sshd_private_key
-- no_empty_passwords
-- grub2_enable_selinux
-- file_permissions_sshd_pub_key
 - service_nftables_disabled
-- mount_option_var_log_nosuid
-- accounts_password_pam_minlen
-- file_permissions_cron_allow
-- sysctl_net_ipv6_conf_all_accept_source_route
-- file_owner_etc_motd
-- use_pam_wheel_group_for_su
-- rsyslog_filecreatemode
-- sysctl_net_ipv4_conf_all_secure_redirects
-- file_owner_cron_d
-- file_groupowner_sshd_config
-- file_owner_etc_gshadow
-- accounts_password_pam_pwhistory_remember_system_auth
-- file_permissions_etc_issue_net
-- package_nginx_removed
-- dir_perms_world_writable_sticky_bits
-- file_ownership_sshd_pub_key
-- mount_option_var_log_audit_nosuid
-- package_rsyslog_installed
-- accounts_umask_etc_login_defs
-- kernel_module_squashfs_disabled
+- service_rpcbind_disabled
+- service_rsyslog_enabled
+- service_systemd-journald_enabled
+- set_password_hashing_algorithm_libuserconf
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_gssapi_auth
+- sshd_disable_rhosts
+- sshd_disable_root_login
+- sshd_do_not_permit_user_env
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_reauthentication
 - sysctl_kernel_randomize_va_space
-- accounts_user_dot_no_world_writable_programs
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_all_rp_filter
-- sshd_set_max_auth_tries
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
-- package_telnet-server_removed
-- gnome_gdm_disable_xdmcp
-- mount_option_home_nodev
-- file_groupownership_home_directories
-- sshd_disable_root_login
-- mount_option_dev_shm_noexec
-- sysctl_net_ipv6_conf_default_accept_source_route
-- 
file_permissions_backup_etc_passwd -- package_cyrus-imapd_removed -- file_permissions_sshd_config -- no_netrc_files -- banner_etc_issue_net -- journald_forward_to_syslog -- package_tftp_removed -- no_empty_passwords_etc_shadow -- package_dhcp_removed -- file_groupowner_at_allow -- mount_option_dev_shm_nodev -- package_aide_installed -- file_permissions_cron_monthly -- mount_option_tmp_noexec - sysctl_net_ipv4_conf_default_accept_source_route -- package_ftp_removed -- rsyslog_files_ownership -- accounts_password_last_change_is_in_past +- sysctl_net_ipv4_conf_default_log_martians - sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_all_log_martians -- sshd_disable_rhosts -- dconf_gnome_login_banner_text -- chronyd_specify_remote_server -- file_groupowner_etc_group -- file_groupowner_backup_etc_group +- sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group -- file_groupowner_grub2_cfg -- banner_etc_issue -- accounts_umask_etc_profile -- mount_option_tmp_nodev -- file_owner_etc_issue -- package_libselinux_installed -- service_rpcbind_disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- accounts_root_path_dirs_no_write -- dconf_gnome_disable_user_list -- file_owner_cron_weekly -- gid_passwd_group_same +- sysctl_net_ipv4_ip_forward +- sysctl_net_ipv4_tcp_syncookies +- sysctl_net_ipv6_conf_all_accept_ra +- sysctl_net_ipv6_conf_all_accept_redirects +- sysctl_net_ipv6_conf_all_accept_source_route +- sysctl_net_ipv6_conf_all_forwarding +- sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_redirects -- partition_for_tmp -- mount_option_var_nosuid -- set_password_hashing_algorithm_passwordauth -- package_squid_removed -- sshd_do_not_permit_user_env -- file_owner_backup_etc_gshadow -- dconf_gnome_session_idle_user_locks -- accounts_passwords_pam_faillock_deny -- accounts_password_set_min_life_existing -- 
file_groupowner_cron_daily -- file_owner_etc_shadow -- package_openldap-clients_removed -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- no_files_unowned_by_user -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- firewalld_loopback_traffic_trusted -- configure_crypto_policy -- has_nonlocal_mta -- accounts_root_gid_zero -- dconf_gnome_banner_enabled -- accounts_password_warn_age_login_defs -- accounts_password_set_warn_age_existing -- aide_periodic_cron_checking -- file_groupowner_etc_shadow -- file_groupowner_cron_d -- file_groupownership_sshd_private_key -- file_permissions_cron_hourly +- sysctl_net_ipv6_conf_default_accept_source_route +- use_pam_wheel_group_for_su +- var_user_initialization_files_regex=all_dotfiles - var_accounts_user_umask=027 - var_accounts_tmout=15_min -- var_account_disable_post_pw_expiration=30 +- var_account_disable_post_pw_expiration=45 +- var_password_hashing_algorithm=SHA512 - var_accounts_password_warn_age_login_defs=7 -- var_accounts_minimum_age_login_defs=1 - var_accounts_maximum_age_login_defs=365 -- var_password_hashing_algorithm=SHA512 - var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_remember=5 -- var_accounts_passwords_pam_faillock_deny=3 -- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 - var_password_pam_minclass=4 - var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 - var_pam_wheel_group_for_su=cis -- sshd_idle_timeout_value=15_minutes -- var_sshd_set_keepalive=1 -- var_sshd_set_login_grace_time=60 - var_sshd_max_sessions=10 - var_sshd_set_maxstartups=10:30:60 - sshd_max_auth_tries_value=4 -- var_nftables_family=inet -- var_nftables_table=firewalld +- var_sshd_set_login_grace_time=60 +- sshd_idle_timeout_value=5_minutes 
+- var_sshd_set_keepalive=1 +- sshd_strong_macs=cis_rhel9 +- sshd_strong_kex=cis_rhel9 +- sshd_approved_ciphers=cis_rhel9 - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - sysctl_net_ipv4_tcp_syncookies_value=enabled -- sysctl_net_ipv4_conf_all_rp_filter_value=enabled -- sysctl_net_ipv4_conf_default_rp_filter_value=enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - sysctl_net_ipv4_conf_all_log_martians_value=enabled - sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - sysctl_net_ipv6_conf_all_forwarding_value=disabled -- var_postfix_inet_interfaces=loopback-only - var_multiple_time_servers=rhel -- var_system_crypto_policy=default_policy +- var_postfix_inet_interfaces=loopback-only - 
inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - remote_login_banner_text=cis_banners - login_banner_text=cis_banners - motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 - var_selinux_policy_name=targeted - var_authselect_profile=sssd unselected_groups: [] @@ -342,5 +360,4 @@ filter_rules: '' policies: - cis_rhel9 title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation -definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l1.profile documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile index 6e082b2280a..82f5b6e8414 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile 
@@ -12,418 +12,453 @@ metadata: - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: -- sysctl_net_ipv4_conf_all_accept_redirects -- auditd_data_retention_max_log_file -- audit_rules_session_events -- sysctl_net_ipv6_conf_all_accept_redirects -- audit_rules_login_events_lastlog -- file_owner_cron_daily -- ensure_root_password_configured -- file_owner_backup_etc_shadow -- audit_rules_dac_modification_lsetxattr -- audit_rules_networkconfig_modification -- audit_rules_networkconfig_modification_network_scripts -- sysctl_net_ipv4_conf_default_log_martians -- audit_rules_unsuccessful_file_modification_truncate -- auditd_data_retention_space_left_action -- audit_sudo_log_events -- grub2_audit_backlog_limit_argument -- audit_rules_file_deletion_events_unlinkat -- file_permissions_home_directories -- file_permissions_crontab -- audit_rules_kernel_module_loading_finit -- sudo_require_reauthentication -- file_cron_deny_not_exist -- accounts_no_uid_except_zero -- disable_host_auth -- package_tftp-server_removed -- file_groupowner_backup_etc_gshadow +- account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth - account_unique_id -- file_groupowner_etc_motd -- grub2_password +- account_unique_name - accounts_maximum_age_login_defs -- file_owner_etc_group -- audit_rules_execution_setfacl -- service_crond_enabled -- file_permissions_backup_etc_gshadow -- file_owner_crontab -- sysctl_net_ipv4_tcp_syncookies -- file_owner_etc_issue_net -- sshd_set_keepalive -- set_firewalld_default_zone +- accounts_minimum_age_login_defs +- accounts_no_uid_except_zero +- accounts_password_all_shadowed +- accounts_password_last_change_is_in_past +- accounts_password_pam_dictcheck +- accounts_password_pam_difok +- accounts_password_pam_enforce_root +- accounts_password_pam_maxrepeat +- accounts_password_pam_minclass +- accounts_password_pam_minlen +- 
accounts_password_pam_pwhistory_remember_password_auth +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_password_set_max_life_existing +- accounts_password_set_min_life_existing +- accounts_password_set_warn_age_existing +- accounts_password_warn_age_login_defs +- accounts_passwords_pam_faillock_deny +- accounts_passwords_pam_faillock_deny_root +- accounts_passwords_pam_faillock_unlock_time +- accounts_root_gid_zero +- accounts_root_path_dirs_no_write +- accounts_set_post_pw_existing +- accounts_tmout - accounts_umask_etc_bashrc -- mount_option_var_log_audit_nodev -- service_auditd_enabled -- file_permissions_grub2_cfg +- accounts_umask_etc_login_defs +- accounts_umask_etc_profile +- accounts_user_dot_group_ownership +- accounts_user_dot_no_world_writable_programs +- accounts_user_dot_user_ownership +- accounts_user_interactive_home_directory_exists +- aide_build_database +- aide_check_audit_tools +- aide_periodic_cron_checking +- audit_rules_dac_modification_chmod +- audit_rules_dac_modification_chown +- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_fchmodat +- audit_rules_dac_modification_fchown +- audit_rules_dac_modification_fchownat +- audit_rules_dac_modification_fremovexattr +- audit_rules_dac_modification_fsetxattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lsetxattr +- audit_rules_dac_modification_removexattr +- audit_rules_dac_modification_setxattr +- audit_rules_execution_chacl +- audit_rules_execution_chcon +- audit_rules_execution_setfacl +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_renameat +- audit_rules_file_deletion_events_unlink +- audit_rules_file_deletion_events_unlinkat +- audit_rules_immutable +- audit_rules_kernel_module_loading_create - audit_rules_kernel_module_loading_delete -- dconf_gnome_screensaver_user_locks -- no_empty_passwords +- audit_rules_kernel_module_loading_finit +- 
audit_rules_kernel_module_loading_init +- audit_rules_kernel_module_loading_query +- audit_rules_login_events_faillock +- audit_rules_login_events_lastlog +- audit_rules_mac_modification +- audit_rules_mac_modification_usr_share +- audit_rules_media_export +- audit_rules_networkconfig_modification +- audit_rules_networkconfig_modification_network_scripts +- audit_rules_privileged_commands +- audit_rules_privileged_commands_kmod +- audit_rules_privileged_commands_usermod +- audit_rules_session_events +- audit_rules_suid_auid_privilege_function +- audit_rules_sysadmin_actions - audit_rules_time_adjtimex -- accounts_password_pam_minlen -- audit_rules_dac_modification_fchmodat -- grub2_audit_argument -- sysctl_net_ipv4_conf_all_secure_redirects -- file_groupowner_sshd_config - audit_rules_time_clock_settime -- dir_perms_world_writable_sticky_bits -- mount_option_var_log_audit_nosuid -- kernel_module_squashfs_disabled -- accounts_user_dot_no_world_writable_programs -- sshd_set_max_auth_tries -- package_telnet-server_removed - audit_rules_time_settimeofday -- file_groupownership_home_directories -- sysctl_net_ipv6_conf_default_accept_source_route -- audit_rules_dac_modification_fsetxattr -- package_cyrus-imapd_removed -- file_permissions_sshd_config -- no_netrc_files -- audit_rules_immutable -- mount_option_dev_shm_nodev -- file_permissions_cron_monthly -- dconf_gnome_login_banner_text -- chronyd_specify_remote_server -- sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group -- audit_rules_dac_modification_fchownat -- kernel_module_usb-storage_disabled -- mount_option_tmp_nodev +- audit_rules_time_watch_localtime +- audit_rules_unsuccessful_file_modification_creat +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_unsuccessful_file_modification_open +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_unsuccessful_file_modification_truncate +- audit_rules_usergroup_modification_group - 
audit_rules_usergroup_modification_gshadow -- gid_passwd_group_same -- sysctl_net_ipv6_conf_default_accept_redirects -- set_password_hashing_algorithm_passwordauth -- dconf_gnome_session_idle_user_locks -- sudo_require_authentication -- accounts_password_set_min_life_existing -- kernel_module_tipc_disabled -- dconf_gnome_banner_enabled -- sysctl_net_ipv4_conf_default_secure_redirects -- file_groupowner_cron_d - audit_rules_usergroup_modification_opasswd -- audit_rules_mac_modification_usr_share -- accounts_passwords_pam_faillock_unlock_time -- file_owner_grub2_cfg -- audit_rules_kernel_module_loading_query -- no_shelllogin_for_systemaccounts -- file_owner_cron_allow -- dconf_gnome_screensaver_idle_delay -- directory_permissions_var_log_audit -- package_samba_removed -- sshd_set_loglevel_verbose -- audit_rules_time_stime -- accounts_user_interactive_home_directory_exists -- accounts_tmout -- file_groupowner_backup_etc_shadow -- file_owner_etc_passwd -- mount_option_var_tmp_nodev -- partition_for_home -- audit_rules_file_deletion_events_rename -- package_rsync_removed -- accounts_password_pam_retry -- chronyd_run_as_chrony_user -- file_permissions_cron_weekly -- file_permissions_etc_group -- file_permissions_ungroupowned -- aide_build_database -- accounts_password_all_shadowed -- set_nftables_table -- file_permissions_etc_motd -- set_password_hashing_algorithm_logindefs -- mount_option_tmp_nosuid -- service_firewalld_enabled -- rsyslog_nolisten -- accounts_password_pam_pwhistory_remember_password_auth -- package_net-snmp_removed -- coredump_disable_backtraces -- partition_for_dev_shm +- audit_rules_usergroup_modification_passwd +- audit_rules_usergroup_modification_shadow +- audit_sudo_log_events +- auditd_data_disk_error_action +- auditd_data_disk_full_action +- auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action +- auditd_data_retention_max_log_file +- auditd_data_retention_max_log_file_action +- 
auditd_data_retention_space_left_action +- banner_etc_issue +- banner_etc_issue_net +- banner_etc_motd +- chronyd_run_as_chrony_user +- chronyd_specify_remote_server +- configure_crypto_policy - configure_ssh_crypto_policy +- coredump_disable_backtraces +- coredump_disable_storage +- dconf_db_up_to_date +- dconf_gnome_banner_enabled +- dconf_gnome_disable_automount +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +- dconf_gnome_disable_user_list +- dconf_gnome_login_banner_text +- dconf_gnome_screensaver_idle_delay +- dconf_gnome_screensaver_lock_delay +- dconf_gnome_screensaver_user_locks +- dconf_gnome_session_idle_user_locks +- dir_perms_world_writable_sticky_bits +- directory_permissions_var_log_audit +- disable_host_auth +- enable_authselect +- ensure_gpgcheck_globally_activated - ensure_pam_wheel_group_empty -- package_vsftpd_removed -- auditd_data_retention_max_log_file_action -- sshd_disable_x11_forwarding -- sshd_enable_pam -- audit_rules_kernel_module_loading_init -- audit_rules_time_watch_localtime -- package_dnsmasq_removed -- sshd_enable_warning_banner_net -- file_permissions_sshd_pub_key -- file_permissions_cron_allow -- file_owner_etc_motd -- rsyslog_filecreatemode -- file_owner_cron_d -- audit_rules_unsuccessful_file_modification_open -- accounts_umask_etc_login_defs -- mount_option_home_nodev -- mount_option_dev_shm_noexec -- audit_rules_usergroup_modification_group -- audit_rules_dac_modification_removexattr -- audit_rules_dac_modification_setxattr -- journald_forward_to_syslog -- audit_rules_execution_chcon -- audit_rules_dac_modification_lremovexattr -- package_ftp_removed -- accounts_password_last_change_is_in_past -- sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_all_log_martians +- ensure_root_password_configured +- file_at_deny_not_exist +- file_cron_allow_exists +- file_cron_deny_not_exist +- file_etc_security_opasswd +- file_group_ownership_var_log_audit +- file_groupowner_at_allow +- 
file_groupowner_backup_etc_group +- file_groupowner_backup_etc_gshadow +- file_groupowner_backup_etc_passwd +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- file_groupowner_cron_d +- file_groupowner_cron_daily +- file_groupowner_cron_hourly +- file_groupowner_cron_monthly +- file_groupowner_cron_weekly +- file_groupowner_crontab - file_groupowner_etc_group -- package_libselinux_installed -- file_owner_cron_weekly -- mount_option_var_nosuid -- file_owner_etc_shadow -- account_unique_name -- sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- audit_rules_dac_modification_chown -- has_nonlocal_mta -- accounts_password_warn_age_login_defs -- mount_option_var_log_nosuid -- file_groupowner_etc_shadow -- file_permissions_cron_hourly -- coredump_disable_storage -- auditd_data_retention_action_mail_acct - file_groupowner_etc_gshadow -- audit_rules_unsuccessful_file_modification_ftruncate -- no_rsh_trust_files -- rsyslog_files_permissions -- account_password_pam_faillock_system_auth -- mount_option_var_tmp_noexec -- mount_option_var_nodev -- audit_rules_privileged_commands_kmod -- audit_rules_sysadmin_actions - file_groupowner_etc_issue +- file_groupowner_etc_issue_net +- file_groupowner_etc_motd +- file_groupowner_etc_passwd +- file_groupowner_etc_shadow +- file_groupowner_etc_shells +- file_groupowner_grub2_cfg +- file_groupowner_sshd_config +- file_groupowner_user_cfg +- file_groupownership_audit_binaries +- file_groupownership_audit_configuration +- file_groupownership_sshd_private_key +- file_groupownership_sshd_pub_key - file_owner_backup_etc_group -- file_permissions_cron_daily -- file_groupowner_backup_etc_passwd -- set_password_hashing_algorithm_systemauth -- sshd_set_max_sessions -- journald_compress -- package_sudo_installed +- file_owner_backup_etc_gshadow - file_owner_backup_etc_passwd -- audit_rules_login_events_faillock -- file_groupowner_etc_passwd -- package_firewalld_installed -- 
file_permissions_unauthorized_world_writable -- sysctl_net_ipv4_conf_all_accept_source_route -- audit_rules_dac_modification_fchown -- file_at_deny_not_exist -- mount_option_home_nosuid -- file_permissions_var_log_audit -- mount_option_dev_shm_nosuid +- file_owner_backup_etc_shadow +- file_owner_cron_allow +- file_owner_cron_d +- file_owner_cron_daily +- file_owner_cron_hourly +- file_owner_cron_monthly +- file_owner_cron_weekly +- file_owner_crontab +- file_owner_etc_group +- file_owner_etc_gshadow +- file_owner_etc_issue +- file_owner_etc_issue_net +- file_owner_etc_motd +- file_owner_etc_passwd +- file_owner_etc_shadow +- file_owner_etc_shells +- file_owner_grub2_cfg +- file_owner_sshd_config - file_owner_user_cfg -- sysctl_net_ipv6_conf_all_forwarding -- audit_rules_mac_modification -- file_permissions_cron_d -- dconf_db_up_to_date -- sysctl_net_ipv4_ip_forward -- audit_rules_usergroup_modification_passwd -- accounts_password_pam_minclass -- service_rsyslog_enabled -- sshd_set_maxstartups -- file_groupowner_cron_allow -- sudo_add_use_pty -- sysctl_net_ipv6_conf_all_accept_ra -- package_httpd_removed -- audit_rules_dac_modification_lchown -- audit_rules_kernel_module_loading_create -- group_unique_id -- file_cron_allow_exists -- file_groupowner_user_cfg -- dconf_gnome_disable_automount -- package_bind_removed -- file_groupowner_cron_weekly -- socket_systemd-journal-remote_disabled -- enable_authselect -- kernel_module_udf_disabled -- file_groupowner_etc_issue_net -- sysctl_net_ipv6_conf_default_accept_ra -- sysctl_net_ipv4_conf_all_send_redirects -- account_password_pam_faillock_password_auth -- banner_etc_motd -- file_permissions_backup_etc_shadow -- journald_storage -- sudo_custom_logfile -- audit_rules_dac_modification_fchmod -- account_disable_post_pw_expiration -- aide_check_audit_tools +- file_ownership_audit_binaries - file_ownership_audit_configuration -- selinux_state -- service_nfs_disabled -- partition_for_var_tmp -- grub2_enable_selinux -- 
service_nftables_disabled -- use_pam_wheel_group_for_su -- file_permissions_audit_configuration -- package_nginx_removed -- accounts_password_pam_pwhistory_remember_system_auth -- file_permissions_etc_issue_net +- file_ownership_sshd_private_key - file_ownership_sshd_pub_key -- file_ownership_audit_binaries -- sysctl_net_ipv4_conf_all_rp_filter -- sysctl_net_ipv4_conf_default_accept_redirects -- file_permissions_backup_etc_passwd - file_ownership_var_log_audit_stig -- package_tftp_removed -- file_groupownership_audit_binaries -- no_empty_passwords_etc_shadow -- package_dhcp_removed -- file_groupowner_at_allow -- package_aide_installed -- mount_option_tmp_noexec -- sshd_disable_rhosts +- file_permission_user_init_files +- file_permissions_at_allow - file_permissions_audit_binaries -- service_rpcbind_disabled -- accounts_umask_etc_profile -- file_owner_etc_issue -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- accounts_root_path_dirs_no_write -- package_squid_removed -- file_groupowner_cron_daily -- package_openldap-clients_removed -- partition_for_var_log -- audit_rules_suid_auid_privilege_function -- file_groupowner_cron_monthly -- ensure_gpgcheck_globally_activated -- configure_crypto_policy -- aide_periodic_cron_checking +- file_permissions_audit_configuration +- file_permissions_backup_etc_group +- file_permissions_backup_etc_gshadow +- file_permissions_backup_etc_passwd +- file_permissions_backup_etc_shadow +- file_permissions_cron_allow +- file_permissions_cron_d +- file_permissions_cron_daily +- file_permissions_cron_hourly +- file_permissions_cron_monthly +- file_permissions_cron_weekly +- file_permissions_crontab +- file_permissions_etc_group +- file_permissions_etc_gshadow +- file_permissions_etc_issue +- file_permissions_etc_issue_net +- file_permissions_etc_motd - file_permissions_etc_passwd -- file_groupownership_sshd_private_key -- package_dovecot_removed +- file_permissions_etc_shadow +- file_permissions_etc_shells +- file_permissions_grub2_cfg 
+- file_permissions_home_directories +- file_permissions_sshd_config +- file_permissions_sshd_private_key +- file_permissions_sshd_pub_key +- file_permissions_unauthorized_world_writable +- file_permissions_ungroupowned +- file_permissions_user_cfg +- file_permissions_var_log_audit - firewalld_loopback_traffic_restricted -- mount_option_var_log_nodev +- firewalld_loopback_traffic_trusted +- gid_passwd_group_same +- gnome_gdm_disable_xdmcp +- group_unique_id +- grub2_audit_argument +- grub2_audit_backlog_limit_argument +- grub2_enable_selinux +- grub2_password +- has_nonlocal_mta +- journald_compress +- journald_forward_to_syslog +- journald_storage +- kernel_module_cramfs_disabled +- kernel_module_dccp_disabled +- kernel_module_freevxfs_disabled +- kernel_module_hfs_disabled +- kernel_module_hfsplus_disabled +- kernel_module_jffs2_disabled +- kernel_module_rds_disabled +- kernel_module_sctp_disabled +- kernel_module_squashfs_disabled +- kernel_module_tipc_disabled +- kernel_module_udf_disabled +- kernel_module_usb-storage_disabled +- mount_option_dev_shm_nodev +- mount_option_dev_shm_noexec +- mount_option_dev_shm_nosuid +- mount_option_home_nodev +- mount_option_home_nosuid +- mount_option_tmp_nodev +- mount_option_tmp_noexec +- mount_option_tmp_nosuid +- mount_option_var_log_audit_nodev - mount_option_var_log_audit_noexec -- sshd_set_login_grace_time -- file_owner_cron_hourly -- dconf_gnome_disable_automount_open -- selinux_not_disabled -- service_systemd-journald_enabled -- package_nftables_installed +- mount_option_var_log_audit_nosuid +- mount_option_var_log_nodev - mount_option_var_log_noexec -- partition_for_var -- package_mcstrans_removed -- sshd_limit_user_access -- root_path_no_dot -- file_permissions_at_allow -- file_permissions_etc_shadow +- mount_option_var_log_nosuid +- mount_option_var_nodev +- mount_option_var_nosuid +- mount_option_var_tmp_nodev +- mount_option_var_tmp_noexec - mount_option_var_tmp_nosuid -- package_telnet_removed -- 
file_groupowner_crontab -- selinux_confinement_of_daemons -- dconf_gnome_disable_autorun -- accounts_password_set_max_life_existing -- package_audit_installed -- sshd_disable_empty_passwords -- audit_rules_execution_chacl -- audit_rules_file_deletion_events_renameat -- audit_rules_privileged_commands_usermod -- accounts_set_post_pw_existing -- file_groupowner_cron_hourly -- file_owner_sshd_config -- file_owner_cron_monthly -- no_password_auth_for_systemaccounts -- audit_rules_privileged_commands -- file_permissions_etc_issue +- no_empty_passwords +- no_empty_passwords_etc_shadow +- no_files_unowned_by_user - no_forward_files -- selinux_policytype -- file_permissions_user_cfg -- dconf_gnome_screensaver_lock_delay -- audit_rules_usergroup_modification_shadow -- sshd_disable_tcp_forwarding -- file_groupownership_sshd_pub_key -- audit_rules_file_deletion_events_unlink +- no_netrc_files +- no_password_auth_for_systemaccounts +- no_rsh_trust_files +- no_shelllogin_for_systemaccounts +- package_aide_installed +- package_audit-libs_installed +- package_audit_installed +- package_bind_removed +- package_cyrus-imapd_removed +- package_dhcp_removed +- package_dnsmasq_removed +- package_dovecot_removed +- package_firewalld_installed +- package_ftp_removed +- package_httpd_removed +- package_libselinux_installed +- package_mcstrans_removed +- package_net-snmp_removed +- package_nftables_installed +- package_nginx_removed +- package_openldap-clients_removed +- package_pam_pwquality_installed +- package_rsync_removed +- package_rsyslog_installed +- package_samba_removed +- package_squid_removed +- package_sudo_installed +- package_systemd-journal-remote_installed +- package_telnet-server_removed +- package_telnet_removed +- package_tftp-server_removed +- package_tftp_removed +- package_vsftpd_removed +- package_xinetd_removed +- package_ypbind_removed +- package_ypserv_removed +- partition_for_dev_shm +- partition_for_home +- partition_for_tmp +- partition_for_var +- 
partition_for_var_log
+- partition_for_var_log_audit
+- partition_for_var_tmp
- postfix_network_listening_disabled
+- root_path_no_dot
+- rsyslog_filecreatemode
- rsyslog_files_groupownership
-- accounts_minimum_age_login_defs
-- file_permissions_etc_gshadow
-- file_ownership_sshd_private_key
-- file_permissions_sshd_private_key
-- sysctl_net_ipv6_conf_all_accept_source_route
-- file_owner_etc_gshadow
-- package_rsyslog_installed
-- sysctl_kernel_randomize_va_space
-- audit_rules_dac_modification_chmod
-- gnome_gdm_disable_xdmcp
-- sshd_disable_root_login
-- file_groupownership_audit_configuration
-- file_group_ownership_var_log_audit
-- audit_rules_unsuccessful_file_modification_openat
-- banner_etc_issue_net
-- audit_rules_media_export
-- sysctl_net_ipv4_conf_default_accept_source_route
- rsyslog_files_ownership
-- file_groupowner_backup_etc_group
-- file_groupowner_grub2_cfg
-- banner_etc_issue
-- dconf_gnome_disable_user_list
-- partition_for_tmp
+- rsyslog_files_permissions
+- rsyslog_nolisten
+- selinux_not_disabled
+- selinux_policytype
+- selinux_state
+- service_auditd_enabled
+- service_autofs_disabled
+- service_bluetooth_disabled
+- service_crond_enabled
+- service_firewalld_enabled
+- service_nfs_disabled
+- service_nftables_disabled
+- service_rpcbind_disabled
+- service_rsyslog_enabled
+- service_systemd-journald_enabled
+- set_password_hashing_algorithm_libuserconf
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_passwordauth
+- set_password_hashing_algorithm_systemauth
+- socket_systemd-journal-remote_disabled
+- sshd_disable_empty_passwords
+- sshd_disable_gssapi_auth
+- sshd_disable_rhosts
+- sshd_disable_root_login
- sshd_do_not_permit_user_env
-- file_owner_backup_etc_gshadow
-- accounts_passwords_pam_faillock_deny
-- no_files_unowned_by_user
-- audit_rules_dac_modification_fremovexattr
-- firewalld_loopback_traffic_trusted
-- partition_for_var_log_audit
-- accounts_root_gid_zero
-- audit_rules_unsuccessful_file_modification_creat
-- accounts_password_set_warn_age_existing
+- sshd_enable_pam
+- sshd_enable_warning_banner_net
+- sshd_limit_user_access
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- sshd_set_login_grace_time
+- sshd_set_loglevel_verbose
+- sshd_set_max_auth_tries
+- sshd_set_max_sessions
+- sshd_set_maxstartups
+- sshd_use_approved_ciphers
+- sshd_use_strong_kex
+- sshd_use_strong_macs
+- sudo_add_use_pty
+- sudo_custom_logfile
+- sudo_require_authentication
+- sudo_require_reauthentication
+- sysctl_kernel_randomize_va_space
+- sysctl_kernel_yama_ptrace_scope
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_log_martians
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_send_redirects
+- sysctl_net_ipv4_conf_default_accept_redirects
+- sysctl_net_ipv4_conf_default_accept_source_route
+- sysctl_net_ipv4_conf_default_log_martians
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_default_secure_redirects
+- sysctl_net_ipv4_conf_default_send_redirects
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_forwarding
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv6_conf_default_accept_redirects
+- sysctl_net_ipv6_conf_default_accept_source_route
+- use_pam_wheel_group_for_su
+- var_user_initialization_files_regex=all_dotfiles
- var_accounts_user_umask=027
- var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
+- var_account_disable_post_pw_expiration=45
+- var_password_hashing_algorithm=SHA512
- var_accounts_password_warn_age_login_defs=7
-- var_accounts_minimum_age_login_defs=1
- var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
- var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=5
-- var_accounts_passwords_pam_faillock_deny=3
-- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_remember=24
+- var_password_pam_dictcheck=1
+- var_password_pam_maxrepeat=3
- var_password_pam_minclass=4
- var_password_pam_minlen=14
+- var_password_pam_difok=2
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_accounts_passwords_pam_faillock_deny=5
- var_pam_wheel_group_for_su=cis
-- sshd_idle_timeout_value=15_minutes
-- var_sshd_set_keepalive=1
-- var_sshd_set_login_grace_time=60
- var_sshd_max_sessions=10
- var_sshd_set_maxstartups=10:30:60
- sshd_max_auth_tries_value=4
-- var_nftables_family=inet
-- var_nftables_table=firewalld
+- var_sshd_set_login_grace_time=60
+- sshd_idle_timeout_value=5_minutes
+- var_sshd_set_keepalive=1
+- sshd_strong_macs=cis_rhel9
+- sshd_strong_kex=cis_rhel9
+- sshd_approved_ciphers=cis_rhel9
- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- sysctl_net_ipv4_conf_all_log_martians_value=enabled
- sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
- var_multiple_time_servers=rhel
-- var_system_crypto_policy=default_policy
+- var_postfix_inet_interfaces=loopback-only
- inactivity_timeout_value=15_minutes
- var_screensaver_lock_delay=5_seconds
- remote_login_banner_text=cis_banners
- login_banner_text=cis_banners
- motd_banner_text=cis_banners
+- var_system_crypto_policy=default_nosha1
- var_selinux_policy_name=targeted
- var_authselect_profile=sssd
- var_accounts_passwords_pam_faillock_dir=run
- var_auditd_action_mail_acct=root
-- var_auditd_admin_space_left_action=halt
-- var_auditd_space_left_action=email
+- var_auditd_admin_space_left_action=cis_rhel9
+- var_auditd_space_left_action=cis_rhel9
+- var_auditd_disk_error_action=cis_rhel9
+- var_auditd_disk_full_action=cis_rhel9
- var_auditd_max_log_file_action=keep_logs
- var_auditd_max_log_file=6
+- var_accounts_minimum_age_login_defs=1
- var_selinux_state=enforcing
unselected_groups: []
platforms: !!set {}
@@ -433,5 +468,4 @@ filter_rules: ''
policies:
- cis_rhel9
title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
-definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l2.profile
documentation_complete: true
From ea4e438f924e2005f6ec4b527e49c87b6c8416e5 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 18 Jun 2024 10:55:15 +0200 Subject: [PATCH 58/61] Update CIS profiles descriptions for RHEL9 Signed-off-by: Marcus Burghardt --- products/rhel9/profiles/cis.profile | 6 +++--- products/rhel9/profiles/cis_server_l1.profile | 6 +++--- products/rhel9/profiles/cis_workstation_l1.profile | 6 +++--- products/rhel9/profiles/cis_workstation_l2.profile | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile index fc95feca30d..447e34d5eb4 100644 --- a/products/rhel9/profiles/cis.profile +++ b/products/rhel9/profiles/cis.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server' description: |- This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile index 4d4295665eb..914bfa25f0e 100644 --- a/products/rhel9/profiles/cis_server_l1.profile +++ b/products/rhel9/profiles/cis_server_l1.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server' description: |- This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile index 957555d6cff..dca0beca93c 100644 --- a/products/rhel9/profiles/cis_workstation_l1.profile +++ b/products/rhel9/profiles/cis_workstation_l1.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ @@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation' description: |- This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 9 Benchmark™, v1.0.0, released 2022-11-28. + Linux 9 Benchmark™, v2.0.0, released 2024-06-20. This profile includes Center for Internet Security® Red Hat Enterprise Linux 9 CIS Benchmarks™ content. diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile index 56ddc036082..5f9e92ca63f 100644 --- a/products/rhel9/profiles/cis_workstation_l2.profile +++ b/products/rhel9/profiles/cis_workstation_l2.profile @@ -1,11 +1,11 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ 
@@ -14,7 +14,7 @@ title: 'CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
description: |-
This profile defines a baseline that aligns to the "Level 2 - Workstation"
configuration from the Center for Internet Security® Red Hat Enterprise
- Linux 9 Benchmark™, v1.0.0, released 2022-11-28.
+ Linux 9 Benchmark™, v2.0.0, released 2024-06-20.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 9 CIS Benchmarks™ content.
From 897a64367bbcf15f9128caf55453d83e5aac6b78 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 19 Jun 2024 15:40:58 +0200
Subject: [PATCH 59/61] CIS RHEL9 v2.0.0 - Adjust conflicting requirements
There are conflicting requirements regarding journald and rsyslog. JournalD is the default preference for RHEL 9.
Signed-off-by: Marcus Burghardt
---
controls/cis_rhel9.yml | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 428f7ea60b4..3da3a816858 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2317,6 +2317,7 @@ controls:
status: pending
notes: |-
It is necessary to create a new rule to check the status of journald and rsyslog.
+ It would also be necessary a new rule to disable or remove rsyslog.
- id: 6.2.2.1.1
title: Ensure systemd-journal-remote is installed (Automated)
@@ -2387,8 +2388,8 @@ controls:
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
+ status: supported
+ related_rules:
- package_rsyslog_installed
- id: 6.2.3.2
@@ -2396,8 +2397,8 @@ controls:
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
+ status: supported
+ related_rules:
- service_rsyslog_enabled
- id: 6.2.3.3
@@ -2405,8 +2406,8 @@ controls:
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
+ status: supported
+ related_rules:
- journald_forward_to_syslog
- id: 6.2.3.4
@@ -2414,8 +2415,8 @@ controls:
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
+ status: supported
+ related_rules:
- rsyslog_filecreatemode
- id: 6.2.3.5
@@ -2439,8 +2440,8 @@ controls:
levels:
- l1_server
- l1_workstation
- status: automated
- rules:
+ status: supported
+ related_rules:
- rsyslog_nolisten
- id: 6.2.3.8
@@ -2460,6 +2461,8 @@ controls:
- l1_server
- l1_workstation
status: automated
+ notes: |-
+ It is not harmful to run these rules even if rsyslog is not installed or active.
rules:
- rsyslog_files_groupownership
- rsyslog_files_ownership
From 122b7f9eff22a83f9e705b77c7be29d1836c3222 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 19 Jun 2024 15:52:53 +0200
Subject: [PATCH 60/61] Update references for profile stability tests CIS RHEL 9 v2.0.0
Signed-off-by: Marcus Burghardt
---
tests/data/profile_stability/rhel9/cis.profile | 11 +++-------
.../profile_stability/rhel9/cis_server_l1.profile | 11 +++-------
.../rhel9/cis_workstation_l1.profile | 11 +++-------
.../rhel9/cis_workstation_l2.profile | 11 +++-------
4 files changed, 12 insertions(+), 32 deletions(-)
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index c3899b0d991..ac3f53eaebe 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
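Review bot: The notes line added in the -2317 hunk is missing a verb and reads awkwardly: `It would also be necessary a new rule to disable or remove rsyslog.` Since control notes are what an auditor reads to understand why a benchmark item is still pending, suggest `It would also be necessary to add a new rule that disables or removes rsyslog.` The control's id line is outside the hunk, so which 6.2.x item this note belongs to cannot be confirmed from here.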
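Review bot: Changing `status: automated` / `rules:` to `status: supported` / `related_rules:` in the -2387 hunk silently drops package_rsyslog_installed from every generated CIS profile, but the control itself records no reason; the justification (journald is the default on RHEL 9 and the rsyslog requirements conflict with it) exists only in the commit message. Suggest adding to this control `notes: |-` followed by `RHEL 9 uses journald by default; the rsyslog requirements conflict with the journald controls under 6.2.2, so the rule is listed as related but not selected.` The same applies to the parallel hunks for the controls preceding 6.2.3.3 and 6.2.3.4 on this line and those preceding 6.2.3.5 and 6.2.3.8 on the next physical line (the affected control ids are outside each hunk; by position they are presumably 6.2.3.1, 6.2.3.2, 6.2.3.3, 6.2.3.4 and 6.2.3.7). Without a recorded rationale, anyone reconciling the profile against the benchmark sees an unselected L1 control with no explanation of the accepted deviation.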
@@ -1,15 +1,15 @@ description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: - account_disable_post_pw_expiration @@ -241,7 +241,6 @@ selections: - grub2_password - has_nonlocal_mta - journald_compress -- journald_forward_to_syslog - journald_storage - kernel_module_cramfs_disabled - kernel_module_dccp_disabled @@ -304,7 +303,6 @@ selections: - package_openldap-clients_removed - package_pam_pwquality_installed - package_rsync_removed -- package_rsyslog_installed - package_samba_removed - package_setroubleshoot_removed - package_squid_removed @@ -328,11 +326,9 @@ selections: - partition_for_var_tmp - postfix_network_listening_disabled - root_path_no_dot -- rsyslog_filecreatemode - rsyslog_files_groupownership - rsyslog_files_ownership - rsyslog_files_permissions -- rsyslog_nolisten - selinux_not_disabled - selinux_policytype - selinux_state @@ -344,7 +340,6 @@ selections: - service_nfs_disabled - service_nftables_disabled - service_rpcbind_disabled -- service_rsyslog_enabled - service_systemd-journald_enabled - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile index 7278ca428ec..98285383d42 100644 --- a/tests/data/profile_stability/rhel9/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile 
@@ -1,15 +1,15 @@ description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: - account_disable_post_pw_expiration @@ -165,7 +165,6 @@ selections: - grub2_password - has_nonlocal_mta - journald_compress -- journald_forward_to_syslog - journald_storage - kernel_module_cramfs_disabled - kernel_module_freevxfs_disabled @@ -218,7 +217,6 @@ selections: - package_nginx_removed - package_pam_pwquality_installed - package_rsync_removed -- package_rsyslog_installed - package_samba_removed - package_setroubleshoot_removed - package_squid_removed @@ -236,11 +234,9 @@ selections: - partition_for_tmp - postfix_network_listening_disabled - root_path_no_dot -- rsyslog_filecreatemode - rsyslog_files_groupownership - rsyslog_files_ownership - rsyslog_files_permissions -- rsyslog_nolisten - selinux_not_disabled - selinux_policytype - service_autofs_disabled @@ -250,7 +246,6 @@ selections: - service_nfs_disabled - service_nftables_disabled - service_rpcbind_disabled -- service_rsyslog_enabled - service_systemd-journald_enabled - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile index 93758f5a3d3..5b76018b737 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile 
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile @@ -1,15 +1,15 @@ description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: - account_disable_post_pw_expiration @@ -163,7 +163,6 @@ selections: - grub2_password - has_nonlocal_mta - journald_compress -- journald_forward_to_syslog - journald_storage - kernel_module_cramfs_disabled - kernel_module_freevxfs_disabled @@ -213,7 +212,6 @@ selections: - package_nginx_removed - package_pam_pwquality_installed - package_rsync_removed -- package_rsyslog_installed - package_samba_removed - package_squid_removed - package_sudo_installed @@ -230,11 +228,9 @@ selections: - partition_for_tmp - postfix_network_listening_disabled - root_path_no_dot -- rsyslog_filecreatemode - rsyslog_files_groupownership - rsyslog_files_ownership - rsyslog_files_permissions -- rsyslog_nolisten - selinux_not_disabled - selinux_policytype - service_crond_enabled @@ -242,7 +238,6 @@ selections: - service_nfs_disabled - service_nftables_disabled - service_rpcbind_disabled -- service_rsyslog_enabled - service_systemd-journald_enabled - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile index 82f5b6e8414..a0a5678dad3 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile 
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile @@ -1,15 +1,15 @@ description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, - v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + v2.0.0, released 2024-06-20.\n\nThis profile includes Center for Internet Security\xAE\nRed Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." extends: null hidden: '' metadata: - version: 1.0.0 + version: 2.0.0 SMEs: - marcusburghardt + - mab879 - vojtapolasek - - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ selections: - account_disable_post_pw_expiration @@ -241,7 +241,6 @@ selections: - grub2_password - has_nonlocal_mta - journald_compress -- journald_forward_to_syslog - journald_storage - kernel_module_cramfs_disabled - kernel_module_dccp_disabled @@ -301,7 +300,6 @@ selections: - package_openldap-clients_removed - package_pam_pwquality_installed - package_rsync_removed -- package_rsyslog_installed - package_samba_removed - package_squid_removed - package_sudo_installed @@ -323,11 +321,9 @@ selections: - partition_for_var_tmp - postfix_network_listening_disabled - root_path_no_dot -- rsyslog_filecreatemode - rsyslog_files_groupownership - rsyslog_files_ownership - rsyslog_files_permissions -- rsyslog_nolisten - selinux_not_disabled - selinux_policytype - selinux_state @@ -339,7 +335,6 @@ selections: - service_nfs_disabled - service_nftables_disabled - service_rpcbind_disabled -- service_rsyslog_enabled - service_systemd-journald_enabled - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs From fc850590c88ccc03e926e997b46495980f425a8b Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt
Date: Wed, 26 Jun 2024 10:26:56 +0200
Subject: [PATCH 61/61] Ensure rules in rhel9 datastream
Ensure rules no longer used in RHEL 9 profiles are kept in the Datastream to avoid breaking eventual tailoring files.
---
products/rhel9/profiles/default.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index d9b50f7fa35..5ef04a92e96 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -553,3 +553,5 @@ selections:
- sebool_polipo_session_users
- sebool_cluster_manage_all_files
- configure_firewalld_ports
+ - journald_forward_to_syslog
+ - rsyslog_filecreatemode
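Review bot: Only journald_forward_to_syslog and rsyslog_filecreatemode are appended to default.profile here, yet the profile-stability diffs earlier in this series also drop package_rsyslog_installed, service_rsyslog_enabled and rsyslog_nolisten from all four CIS profiles. If those three are not already listed in default.profile (the rest of the file is outside this hunk, so this cannot be confirmed here), they will disappear from the datastream just the same and break tailoring files that still reference them, which is exactly the regression this commit sets out to prevent. Suggest verifying and, where missing, appending `    - package_rsyslog_installed`, `    - service_rsyslog_enabled` and `    - rsyslog_nolisten` after the two added lines.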