From 50de7500b94ccf9e2566067a80386c96b40fc96e Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 6 Mar 2024 19:38:11 -0600
Subject: [PATCH 1/2] Add package_firewalld_installed to PCI-DSS profile
Addresses #11568
---
 controls/pcidss_4.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 1905a924367..457ec11939b 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -57,6 +57,7 @@ controls:
 policies.
 rules:
 - package_nftables_installed
+ - package_firewalld_installed
 - service_firewalld_enabled
 - service_nftables_disabled
From 90cb499986899804f800ea4ff4523f7fea4a6561 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 6 Mar 2024 20:04:46 -0600
Subject: [PATCH 2/2] Update profile stability for pci-dss
---
 .../profile_stability/rhel7/pci-dss.profile | 460 +++++++++---------
 .../profile_stability/rhel8/pci-dss.profile | 455 ++++++++---------
 .../profile_stability/rhel9/pci-dss.profile | 434 ++++++++---------
 3 files changed, 675 insertions(+), 674 deletions(-)
diff --git a/tests/data/profile_stability/rhel7/pci-dss.profile b/tests/data/profile_stability/rhel7/pci-dss.profile
index 2f0368f9f69..5d7f73e4f70 100644
--- a/tests/data/profile_stability/rhel7/pci-dss.profile
+++ b/tests/data/profile_stability/rhel7/pci-dss.profile
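Review bot: The control's rule list now installs both the nftables and firewalld packages while enabling only the firewalld service and disabling the nftables one, and nothing next to `- package_firewalld_installed` says why both packages are wanted; a short comment above `- package_nftables_installed`, e.g. `# both packages are required: firewalld is the managed service, nftables stays installed but its standalone service is disabled`, would stop a later editor from treating one of them as redundant. Presumably the new rule also closes the case where service_firewalld_enabled was demanded on a host that never had the package installed, so the service could not be enabled; if that is what #11568 reports, saying so in the commit body would make the change self-explaining instead of "Addresses #11568". The enclosing control entry starts before this hunk, so I cannot see whether its description or notes already cover this.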
@@ -20,263 +20,264 @@ metadata: - vojtapolasek reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf selections: -- file_groupowner_etc_passwd -- ensure_shadow_group_empty -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- file_cron_deny_not_exist -- disable_users_coredumps -- account_disable_post_pw_expiration -- dconf_gnome_screensaver_lock_enabled -- sysctl_net_ipv4_conf_all_rp_filter -- rsyslog_files_ownership -- service_nftables_disabled -- dconf_gnome_screensaver_lock_delay -- sudo_custom_logfile -- file_permissions_etc_issue_net -- no_direct_root_logins -- file_permissions_etc_passwd -- audit_rules_dac_modification_lsetxattr -- audit_rules_suid_privilege_function -- package_rsh-server_removed +- accounts_password_set_max_life_existing +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_unlink +- no_files_unowned_by_user +- dconf_gnome_screensaver_idle_delay +- file_owner_cron_d +- audit_rules_dac_modification_lchown +- file_permissions_cron_hourly - accounts_root_gid_zero -- audit_rules_usergroup_modification_group -- file_groupowner_cron_weekly -- file_permissions_etc_group -- dconf_gnome_disable_automount -- file_permissions_sshd_pub_key -- audit_rules_dac_modification_fchownat -- account_unique_id -- gnome_gdm_disable_guest_login -- account_unique_name -- file_permissions_etc_shadow -- no_password_auth_for_systemaccounts -- sshd_use_approved_ciphers -- dconf_gnome_screensaver_idle_activation_enabled -- package_ypbind_removed -- file_permissions_backup_etc_passwd -- chronyd_specify_remote_server -- accounts_password_warn_age_login_defs -- accounts_password_pam_minlen - audit_rules_usergroup_modification_passwd -- audit_rules_dac_modification_fchmod +- audit_rules_dac_modification_chmod +- rpm_verify_ownership +- accounts_tmout +- file_groupowner_cron_allow +- file_owner_backup_etc_shadow +- nftables_ensure_default_deny_policy +- file_groupowner_crontab +- dconf_db_up_to_date +- 
sysctl_net_ipv4_conf_all_secure_redirects +- accounts_no_uid_except_zero +- file_groupowner_cron_d +- kernel_module_usb-storage_disabled +- file_groupowner_backup_etc_group +- audit_rules_dac_modification_removexattr +- file_groupowner_backup_etc_shadow +- package_telnet-server_removed +- package_rsh_removed +- service_auditd_enabled +- sshd_set_max_sessions +- sshd_use_strong_kex +- security_patches_up_to_date +- sysctl_net_ipv4_conf_default_accept_redirects - file_groupowner_cron_monthly +- file_owner_grub2_cfg +- audit_rules_dac_modification_fchmod +- ensure_root_password_configured +- sshd_disable_rhosts +- sudo_custom_logfile +- no_empty_passwords +- package_tftp_removed - file_owner_etc_shadow -- ensure_redhat_gpgkey_installed -- dconf_gnome_session_idle_user_locks -- package_chrony_installed -- selinux_confinement_of_daemons -- sysctl_net_ipv4_ip_forward -- sshd_enable_pam -- file_groupowner_grub2_cfg -- sshd_set_loglevel_verbose +- accounts_passwords_pam_faillock_unlock_time - accounts_passwords_pam_faillock_deny -- directory_access_var_log_audit +- rsyslog_files_ownership +- account_disable_post_pw_expiration +- sysctl_net_ipv6_conf_default_accept_source_route +- audit_rules_dac_modification_fremovexattr +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- wireless_disable_interfaces +- coredump_disable_backtraces +- service_chronyd_or_ntpd_enabled +- dconf_gnome_disable_automount_open +- chronyd_specify_remote_server +- dconf_gnome_screensaver_idle_activation_enabled +- file_groupowner_etc_group +- no_direct_root_logins +- sshd_set_idle_timeout +- accounts_password_all_shadowed +- audit_rules_dac_modification_setxattr +- auditd_data_retention_admin_space_left_action +- file_permissions_etc_passwd +- file_permissions_grub2_cfg +- package_cryptsetup-luks_installed +- rsyslog_files_permissions +- gid_passwd_group_same +- file_owner_cron_weekly +- chronyd_run_as_chrony_user +- file_permissions_backup_etc_shadow +- coredump_disable_storage - 
audit_rules_sysadmin_actions -- audit_rules_immutable -- package_telnet_removed +- grub2_audit_argument +- account_unique_id +- package_firewalld_installed - file_groupowner_etc_issue_net -- sshd_set_maxstartups -- file_permissions_var_log_audit -- audit_rules_dac_modification_chmod -- dconf_gnome_screensaver_mode_blank -- accounts_password_pam_pwhistory_remember_password_auth -- package_audit_installed -- audit_rules_dac_modification_lchown -- audit_rules_dac_modification_fsetxattr -- ensure_gpgcheck_globally_activated -- file_owner_crontab -- file_permissions_cron_d - file_permissions_user_cfg -- postfix_network_listening_disabled -- accounts_password_set_warn_age_existing -- auditd_name_format -- audit_rules_networkconfig_modification -- gid_passwd_group_same -- audit_rules_file_deletion_events_unlink -- kernel_module_dccp_disabled -- package_ypserv_removed -- sshd_set_max_sessions -- wireless_disable_interfaces -- file_permissions_cron_allow -- audit_rules_dac_modification_setxattr -- file_owner_cron_daily -- audit_rules_login_events_lastlog -- rsyslog_files_groupownership -- audit_rules_file_deletion_events_rmdir +- auditd_audispd_syslog_plugin_activated +- sudo_add_use_pty +- ensure_gpgcheck_never_disabled +- use_pam_wheel_group_for_su +- bios_enable_execution_restrictions +- audit_rules_session_events +- audit_rules_media_export +- no_password_auth_for_systemaccounts +- auditd_data_retention_space_left - audit_rules_login_events_faillock -- file_owner_grub2_cfg -- disable_host_auth - rpm_verify_hashes -- ntpd_specify_remote_server -- audit_rules_usergroup_modification_shadow -- audit_rules_time_clock_settime -- file_owner_etc_passwd -- audit_rules_dac_modification_lremovexattr +- accounts_set_post_pw_existing +- service_nftables_disabled +- accounts_password_set_warn_age_existing +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_mac_modification +- ntpd_specify_multiple_servers +- audit_rules_time_settimeofday +- sshd_use_approved_macs +- 
sysctl_fs_suid_dumpable +- sysctl_net_ipv4_ip_forward +- audit_rules_dac_modification_lsetxattr +- accounts_password_pam_dcredit +- accounts_password_pam_unix_remember +- file_permissions_sshd_config +- no_empty_passwords_etc_shadow +- audit_rules_file_deletion_events_unlinkat - file_permissions_backup_etc_group +- file_groupowner_user_cfg +- sshd_use_approved_ciphers +- audit_rules_immutable +- audit_rules_file_deletion_events_renameat +- file_group_ownership_var_log_audit +- package_aide_installed +- file_permissions_etc_group +- ensure_shadow_group_empty +- accounts_password_pam_minlen +- configure_firewalld_ports +- file_groupowner_etc_passwd +- audit_rules_usergroup_modification_gshadow +- audit_rules_suid_privilege_function - group_unique_id -- display_login_attempts -- network_sniffer_disabled +- sshd_do_not_permit_user_env +- file_permissions_cron_weekly +- dconf_gnome_disable_automount +- audit_rules_time_clock_settime +- file_permissions_cron_d +- selinux_confinement_of_daemons +- ensure_pam_wheel_group_empty +- ensure_gpgcheck_globally_activated +- file_permissions_backup_etc_passwd - no_shelllogin_for_systemaccounts -- audit_rules_dac_modification_fchown - sshd_disable_empty_passwords -- accounts_password_last_change_is_in_past -- sysctl_net_ipv6_conf_default_accept_source_route -- security_patches_up_to_date -- ntpd_specify_multiple_servers -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- file_owner_backup_etc_group -- rsyslog_files_permissions -- audit_sudo_log_events -- rpm_verify_ownership -- sshd_do_not_permit_user_env -- package_net-snmp_removed -- network_nmcli_permissions -- audit_rules_dac_modification_fremovexattr -- auditd_data_retention_admin_space_left_action -- accounts_maximum_age_login_defs -- audit_rules_file_deletion_events_renameat -- sshd_disable_rhosts -- dir_perms_world_writable_sticky_bits -- file_permissions_cron_monthly -- file_owner_cron_allow -- sshd_use_approved_macs -- sshd_disable_root_login -- file_owner_backup_etc_passwd 
-- file_permissions_sshd_config - file_owner_etc_issue_net -- file_ownership_var_log_audit -- package_talk_removed -- file_permissions_unauthorized_world_writable -- selinux_state -- service_avahi-daemon_disabled -- file_groupowner_crontab -- sudo_require_reauthentication -- sysctl_net_ipv4_conf_default_accept_redirects -- file_groupowner_backup_etc_group -- no_empty_passwords -- sysctl_fs_suid_dumpable -- file_groupowner_etc_shadow +- sshd_disable_x11_forwarding +- audit_rules_usergroup_modification_group +- audit_rules_dac_modification_fchownat - auditd_data_retention_space_left_action -- file_permissions_cron_weekly -- sshd_use_strong_kex -- service_ntpd_enabled -- configure_firewalld_ports -- file_permissions_backup_etc_shadow -- auditd_data_retention_space_left -- selinux_policytype -- accounts_password_pam_unix_remember -- file_at_deny_not_exist -- sshd_set_idle_timeout -- package_tftp_removed -- sshd_set_keepalive -- chronyd_run_as_chrony_user -- file_groupowner_cron_daily -- file_owner_cron_hourly - group_unique_name -- securetty_root_login_console_only -- set_password_hashing_algorithm_systemauth -- sysctl_net_ipv4_conf_all_send_redirects -- audit_rules_dac_modification_chown -- dconf_gnome_screensaver_idle_delay -- install_PAE_kernel_on_x86-32 -- file_groupowner_backup_etc_shadow -- sshd_disable_tcp_forwarding -- grub2_audit_backlog_limit_argument +- dir_perms_world_writable_sticky_bits +- package_ypserv_removed - set_ip6tables_default_rule -- accounts_password_pam_pwhistory_remember_system_auth -- aide_build_database -- kernel_module_usb-storage_disabled -- file_groupowner_cron_hourly -- set_firewalld_default_zone -- package_aide_installed -- sudo_add_use_pty -- service_firewalld_enabled -- audit_rules_media_export -- service_auditd_enabled -- file_groupowner_backup_etc_passwd -- package_cryptsetup-luks_installed -- accounts_tmout -- file_group_ownership_var_log_audit -- file_owner_cron_monthly -- file_permissions_cron_daily -- 
accounts_password_set_max_life_existing -- auditd_audispd_syslog_plugin_activated +- sshd_set_login_grace_time +- file_owner_etc_passwd +- accounts_password_warn_age_login_defs +- network_nmcli_permissions - package_sudo_installed -- sshd_disable_x11_forwarding -- file_owner_cron_weekly -- accounts_set_post_pw_existing -- grub2_audit_argument -- service_rsyncd_disabled -- file_groupowner_cron_d -- sshd_set_max_auth_tries +- file_groupowner_cron_weekly +- selinux_state +- file_permissions_var_log_audit +- file_owner_user_cfg +- file_groupowner_cron_daily +- sysctl_net_ipv4_tcp_syncookies +- file_owner_crontab +- package_talk_removed +- package_chrony_installed +- audit_rules_login_events_lastlog - audit_rules_time_watch_localtime -- accounts_password_pam_dcredit -- sysctl_net_ipv4_conf_default_send_redirects -- file_owner_etc_group -- bios_enable_execution_restrictions -- nftables_ensure_default_deny_policy -- package_logrotate_installed -- package_talk-server_removed -- accounts_password_all_shadowed -- file_groupowner_etc_group -- file_permissions_crontab -- file_permissions_grub2_cfg -- file_permissions_sshd_private_key -- set_password_hashing_algorithm_logindefs -- sysctl_kernel_randomize_va_space -- package_xinetd_removed -- accounts_no_uid_except_zero -- accounts_password_pam_lcredit -- accounts_passwords_pam_faillock_unlock_time -- audit_rules_file_deletion_events_rename -- audit_rules_session_events -- audit_rules_file_deletion_events_unlinkat -- package_rsh_removed +- dconf_gnome_screensaver_mode_blank +- file_owner_cron_hourly +- package_libselinux_installed +- file_groupowner_backup_etc_passwd +- sshd_set_loglevel_verbose +- audit_rules_dac_modification_fchown +- file_permissions_etc_shadow +- kernel_module_dccp_disabled +- package_ftp_removed +- package_telnet_removed +- service_avahi-daemon_disabled - package_audispd-plugins_installed -- service_chronyd_or_ntpd_enabled -- audit_rules_dac_modification_removexattr -- dconf_db_up_to_date -- 
audit_rules_mac_modification -- audit_rules_usergroup_modification_gshadow -- no_empty_passwords_etc_shadow +- file_permissions_cron_monthly +- file_permissions_cron_allow +- sudo_require_authentication - audit_rules_dac_modification_fchmodat -- file_groupowner_cron_allow +- securetty_root_login_console_only +- audit_rules_dac_modification_fsetxattr +- set_password_hashing_algorithm_libuserconf +- service_rsyncd_disabled +- set_firewalld_default_zone +- audit_rules_networkconfig_modification +- file_permissions_sshd_private_key +- rsyslog_files_groupownership - service_rpcbind_disabled -- ensure_pam_wheel_group_empty -- aide_periodic_cron_checking -- audit_rules_time_adjtimex -- audit_rules_time_stime -- sshd_limit_user_access -- grub2_enable_selinux -- package_nftables_installed -- ensure_gpgcheck_never_disabled -- file_groupowner_user_cfg +- sysctl_kernel_randomize_va_space - package_tftp-server_removed -- coredump_disable_backtraces -- file_owner_user_cfg -- gnome_gdm_disable_automatic_login -- sysctl_net_ipv4_tcp_syncookies -- use_pam_wheel_group_for_su -- coredump_disable_storage -- sudo_require_authentication -- file_owner_cron_d +- file_owner_backup_etc_group +- file_ownership_var_log_audit - file_permissions_ungroupowned -- package_libselinux_installed +- audit_rules_time_adjtimex +- sysctl_net_ipv4_conf_all_send_redirects +- accounts_password_pam_lcredit - audit_rules_login_events_tallylog +- install_PAE_kernel_on_x86-32 +- file_permissions_unauthorized_world_writable +- ensure_redhat_gpgkey_installed +- auditd_name_format +- grub2_enable_selinux +- accounts_maximum_age_login_defs +- kernel_module_sctp_disabled +- file_permissions_cron_daily +- set_password_hashing_algorithm_logindefs +- sudo_require_reauthentication +- directory_access_var_log_audit +- dconf_gnome_session_idle_user_locks +- ntpd_specify_remote_server +- aide_periodic_cron_checking +- gnome_gdm_disable_guest_login +- dconf_gnome_screensaver_lock_delay +- grub2_audit_backlog_limit_argument 
+- sysctl_net_ipv4_conf_default_send_redirects +- sshd_enable_pam +- sshd_disable_tcp_forwarding +- dconf_gnome_screensaver_lock_enabled +- package_nftables_installed +- disable_users_coredumps +- audit_rules_usergroup_modification_shadow +- file_permissions_sshd_pub_key +- accounts_password_pam_pwhistory_remember_password_auth +- display_login_attempts +- file_cron_deny_not_exist +- file_groupowner_grub2_cfg +- package_xinetd_removed +- audit_rules_time_stime +- selinux_policytype +- sysctl_net_ipv4_conf_all_rp_filter +- package_ypbind_removed +- package_audit_installed +- service_ntpd_enabled +- file_owner_cron_allow +- sshd_disable_root_login +- account_unique_name +- package_talk-server_removed +- audit_rules_dac_modification_lremovexattr +- audit_rules_file_deletion_events_rmdir +- file_owner_cron_monthly - package_dhcp_removed -- dconf_gnome_disable_automount_open -- ensure_root_password_configured -- no_files_unowned_by_user -- package_ftp_removed -- package_telnet-server_removed -- sshd_set_login_grace_time +- sshd_set_keepalive +- file_groupowner_etc_shadow +- accounts_password_last_change_is_in_past +- file_permissions_etc_issue_net +- file_at_deny_not_exist +- aide_build_database +- set_password_hashing_algorithm_systemauth +- file_permissions_crontab +- disable_host_auth +- file_owner_cron_daily +- package_logrotate_installed +- postfix_network_listening_disabled +- gnome_gdm_disable_automatic_login +- file_owner_etc_group +- package_rsh-server_removed +- file_owner_backup_etc_passwd +- service_firewalld_enabled +- audit_rules_dac_modification_chown +- accounts_password_pam_pwhistory_remember_system_auth +- package_net-snmp_removed +- sshd_limit_user_access +- audit_sudo_log_events +- network_sniffer_disabled +- sshd_set_max_auth_tries +- sshd_set_maxstartups +- file_groupowner_cron_hourly - audit_rules_usergroup_modification_opasswd -- sysctl_net_ipv4_conf_all_secure_redirects -- set_password_hashing_algorithm_libuserconf -- 
file_permissions_cron_hourly -- file_owner_backup_etc_shadow -- audit_rules_time_settimeofday -- kernel_module_sctp_disabled - var_multiple_time_servers=generic - var_auditd_admin_space_left_action=single - var_auditd_space_left=100MB @@ -313,5 +314,4 @@ filter_rules: '' policies: - pcidss_4 title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7 -definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/pci-dss.profile documentation_complete: true diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile index 45038c76ea7..0a47f35b4f9 100644 --- a/tests/data/profile_stability/rhel8/pci-dss.profile +++ b/tests/data/profile_stability/rhel8/pci-dss.profile @@ -11,6 +11,7 @@ description: 'Payment Card Industry - Data Security Standard (PCI-DSS) is a set with PCI-DSS v4.0 requirements.' extends: null +hidden: '' metadata: version: '4.0' SMEs: 
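Review bot: The regenerated selections list in the hunk starting at `@@ -20,263 +20,264 @@` is reordered wholesale, so roughly 460 changed lines hide the single substantive addition, `+- package_firewalld_installed`; the rhel8 hunk (`@@ -19,261 +20,262 @@`) and the rhel9 hunk have the same shape. The 263-to-264 line count is consistent with exactly one net addition, but it does not show which entries changed, so a reviewer has to trust rather than check the fixture; if the stability generator wrote selections in a stable (sorted) order, these diffs would show only the real delta. The second hunk removes `definition_location`, an absolute path under a developer's home directory, and the rhel8 section additionally adds `hidden: ''` with no counterpart visible for rhel7, neither of which the commit message mentions — this looks like the fixtures had drifted from the build output before this change, which is worth stating in the description and checking against what the stability test actually compares. The rhel9 section runs past the end of this view.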
@@ -19,261 +20,262 @@ metadata: - vojtapolasek reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf selections: -- file_permissions_cron_d -- audit_rules_immutable -- auditd_audispd_syslog_plugin_activated -- coredump_disable_backtraces -- file_permissions_user_cfg -- audit_rules_login_events_lastlog -- file_at_deny_not_exist -- file_owner_backup_etc_passwd -- file_owner_cron_hourly -- file_permissions_etc_shadow -- file_owner_grub2_cfg -- set_firewalld_default_zone -- accounts_passwords_pam_faillock_deny -- audit_rules_media_export -- dconf_gnome_screensaver_lock_delay -- file_owner_cron_d -- file_groupowner_backup_etc_group -- file_permissions_grub2_cfg -- audit_rules_usergroup_modification_passwd -- no_files_unowned_by_user -- audit_rules_dac_modification_lremovexattr -- audit_rules_suid_privilege_function -- package_xinetd_removed -- selinux_policytype -- sshd_disable_root_login -- file_groupowner_user_cfg -- sshd_disable_empty_passwords -- accounts_password_pam_unix_remember -- accounts_no_uid_except_zero -- file_owner_cron_daily -- sshd_disable_rhosts -- accounts_tmout -- file_groupowner_cron_hourly -- sshd_set_maxstartups -- selinux_confinement_of_daemons -- sysctl_net_ipv4_conf_default_send_redirects -- audit_rules_time_clock_settime -- package_dhcp_removed -- file_permissions_etc_passwd -- sysctl_net_ipv6_conf_default_accept_source_route -- file_permissions_sshd_private_key -- file_permissions_cron_allow -- audit_rules_dac_modification_fsetxattr -- auditd_data_retention_space_left_action -- enable_authselect -- sysctl_net_ipv4_conf_all_rp_filter -- sshd_use_approved_macs -- gnome_gdm_disable_automatic_login -- sysctl_net_ipv4_conf_default_accept_redirects -- file_groupowner_crontab -- file_permissions_sshd_pub_key -- audit_rules_time_stime -- grub2_audit_argument +- directory_access_var_log_audit - audit_rules_login_events_faillock +- account_disable_post_pw_expiration - auditd_data_retention_space_left -- 
file_owner_user_cfg -- kernel_module_dccp_disabled -- sshd_enable_pam -- audit_rules_networkconfig_modification -- set_ip6tables_default_rule -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- package_ypserv_removed -- coredump_disable_storage -- dconf_gnome_screensaver_lock_enabled -- disable_host_auth -- audit_rules_dac_modification_fchownat -- file_permissions_etc_group -- file_permissions_unauthorized_world_writable -- bios_enable_execution_restrictions -- sudo_custom_logfile -- file_permissions_cron_weekly +- audit_rules_file_deletion_events_rmdir - audit_sudo_log_events -- aide_build_database -- network_sniffer_disabled -- package_nftables_installed -- rsyslog_files_permissions -- sshd_set_login_grace_time -- audit_rules_usergroup_modification_shadow -- file_permissions_at_allow -- audit_rules_file_deletion_events_renameat -- accounts_password_pam_pwhistory_remember_password_auth -- audit_rules_dac_modification_fchmodat -- file_permissions_backup_etc_shadow +- audit_rules_dac_modification_chmod +- sshd_set_idle_timeout +- sshd_use_strong_kex +- file_groupowner_backup_etc_passwd +- file_groupowner_cron_daily +- file_permissions_ungroupowned +- sshd_set_maxstartups +- grub2_audit_argument +- file_groupowner_backup_etc_shadow - aide_periodic_cron_checking +- package_ypserv_removed - package_sudo_installed -- file_group_ownership_var_log_audit -- service_rpcbind_disabled -- service_auditd_enabled -- audit_rules_usergroup_modification_group -- set_password_hashing_algorithm_libuserconf -- dconf_gnome_screensaver_idle_delay -- audit_rules_dac_modification_chown +- dconf_db_up_to_date - accounts_maximum_age_login_defs -- account_disable_post_pw_expiration -- file_owner_etc_shadow -- account_unique_name -- directory_access_var_log_audit -- file_owner_cron_weekly -- file_groupowner_cron_weekly -- no_direct_root_logins - security_patches_up_to_date -- file_groupowner_grub2_cfg -- audit_rules_file_deletion_events_rename -- audit_rules_file_deletion_events_rmdir -- 
accounts_password_pam_lcredit +- set_password_hashing_algorithm_libuserconf +- file_owner_etc_passwd +- sshd_do_not_permit_user_env +- sshd_use_approved_macs +- file_permissions_etc_group +- group_unique_id +- file_owner_cron_monthly +- audit_rules_dac_modification_fchownat +- file_groupowner_cron_allow +- service_nftables_disabled - file_groupowner_cron_d -- audit_rules_file_deletion_events_unlinkat -- file_groupowner_etc_shadow -- file_permissions_var_log_audit -- package_logrotate_installed -- file_owner_backup_etc_shadow -- file_ownership_var_log_audit -- display_login_attempts +- rpm_verify_hashes +- accounts_passwords_pam_faillock_deny - sshd_limit_user_access -- no_shelllogin_for_systemaccounts -- accounts_password_set_max_life_existing -- package_ypbind_removed -- file_owner_backup_etc_group -- package_telnet-server_removed -- package_chrony_installed +- audit_rules_time_stime +- package_aide_installed +- accounts_password_pam_unix_remember +- audit_rules_usergroup_modification_opasswd - package_tftp_removed -- sysctl_net_ipv4_conf_all_secure_redirects -- service_nftables_disabled +- accounts_root_gid_zero - sysctl_net_ipv4_ip_forward -- kernel_module_sctp_disabled -- audit_rules_time_adjtimex -- package_aide_installed -- file_groupowner_etc_issue_net -- configure_firewalld_ports -- audit_rules_dac_modification_lsetxattr -- chronyd_run_as_chrony_user -- ensure_gpgcheck_never_disabled +- auditd_data_retention_space_left_action +- file_cron_deny_not_exist +- service_rsyncd_disabled +- dconf_gnome_disable_automount_open +- wireless_disable_interfaces +- audit_rules_dac_modification_lchown +- dconf_gnome_screensaver_idle_activation_enabled +- file_permissions_cron_monthly +- audit_rules_session_events +- file_permissions_cron_daily +- sysctl_net_ipv4_conf_default_send_redirects - file_owner_crontab -- file_permissions_backup_etc_passwd -- audit_rules_dac_modification_fremovexattr -- file_owner_etc_group -- sshd_set_idle_timeout -- configure_ssh_crypto_policy +- 
file_permissions_cron_allow - no_password_auth_for_systemaccounts -- file_owner_cron_monthly +- audit_rules_dac_modification_lremovexattr +- file_permissions_backup_etc_shadow +- audit_rules_suid_privilege_function +- file_permissions_grub2_cfg +- selinux_confinement_of_daemons +- package_tftp-server_removed +- file_owner_etc_group - set_password_hashing_algorithm_logindefs -- ensure_gpgcheck_globally_activated -- audit_rules_dac_modification_removexattr -- file_groupowner_backup_etc_passwd -- sshd_disable_x11_forwarding +- sudo_require_reauthentication +- file_owner_backup_etc_passwd +- package_telnet-server_removed +- securetty_root_login_console_only +- bios_enable_execution_restrictions +- file_owner_cron_daily +- service_firewalld_enabled +- use_pam_wheel_group_for_su +- accounts_password_pam_minlen +- chronyd_run_as_chrony_user +- file_group_ownership_var_log_audit +- file_ownership_var_log_audit +- file_permissions_at_allow +- package_dhcp_removed +- auditd_name_format - kernel_module_usb-storage_disabled -- audit_rules_usergroup_modification_gshadow -- audit_rules_mac_modification -- ensure_redhat_gpgkey_installed -- file_groupowner_backup_etc_shadow -- firewalld_loopback_traffic_trusted +- rsyslog_files_groupownership +- disable_host_auth +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_immutable +- file_permissions_backup_etc_passwd +- audit_rules_time_clock_settime +- accounts_password_warn_age_login_defs +- file_permissions_cron_hourly +- sysctl_kernel_core_pattern +- audit_rules_networkconfig_modification +- rsyslog_files_ownership +- audit_rules_usergroup_modification_passwd +- network_sniffer_disabled +- audit_rules_usergroup_modification_shadow +- file_groupowner_backup_etc_group +- sshd_set_max_sessions +- no_files_unowned_by_user +- file_groupowner_cron_hourly +- file_permissions_etc_issue_net +- file_groupowner_crontab +- configure_crypto_policy +- sudo_add_use_pty +- set_firewalld_default_zone +- sudo_custom_logfile - 
grub2_audit_backlog_limit_argument -- sshd_use_strong_kex -- accounts_password_all_shadowed -- sshd_set_max_auth_tries -- audit_rules_session_events +- grub2_enable_selinux +- accounts_password_pam_pwhistory_remember_password_auth +- file_groupowner_grub2_cfg +- package_ypbind_removed +- file_owner_cron_weekly +- audit_rules_time_adjtimex +- ensure_gpgcheck_globally_activated - ensure_pam_wheel_group_empty -- sysctl_net_ipv4_tcp_syncookies +- network_nmcli_permissions +- package_net-snmp_removed +- sysctl_net_ipv4_conf_all_secure_redirects +- sshd_disable_root_login +- ensure_redhat_gpgkey_installed +- service_avahi-daemon_disabled +- no_shelllogin_for_systemaccounts +- auditd_data_retention_admin_space_left_action +- install_PAE_kernel_on_x86-32 +- package_audispd-plugins_installed +- package_chrony_installed +- account_unique_id +- dconf_gnome_screensaver_mode_blank +- audit_rules_dac_modification_fchown +- sshd_disable_empty_passwords +- sysctl_net_ipv4_conf_all_rp_filter +- package_telnet_removed +- file_permissions_var_log_audit +- package_ftp_removed +- no_empty_passwords +- file_permissions_cron_weekly +- file_permissions_user_cfg +- package_firewalld_installed +- package_nftables_installed +- audit_rules_login_events_tallylog +- gid_passwd_group_same +- audit_rules_dac_modification_removexattr +- service_auditd_enabled +- ensure_root_password_configured +- audit_rules_dac_modification_chown +- ensure_gpgcheck_never_disabled +- audit_rules_dac_modification_fremovexattr +- file_owner_grub2_cfg +- file_permissions_cron_d +- accounts_password_set_max_life_existing +- enable_authselect +- group_unique_name +- service_chronyd_or_ntpd_enabled +- selinux_policytype +- file_permissions_sshd_pub_key +- aide_build_database +- file_permissions_etc_shadow +- audit_rules_dac_modification_fsetxattr +- selinux_state +- dconf_gnome_session_idle_user_locks +- audit_rules_time_settimeofday - audit_rules_time_watch_localtime -- file_owner_cron_allow -- configure_crypto_policy 
+- gnome_gdm_disable_guest_login +- file_groupowner_etc_passwd +- audit_rules_dac_modification_fchmod +- file_groupowner_cron_monthly +- account_unique_name +- audit_rules_sysadmin_actions +- sysctl_net_ipv6_conf_default_accept_source_route +- package_logrotate_installed +- sysctl_kernel_randomize_va_space +- no_empty_passwords_etc_shadow +- dconf_gnome_screensaver_lock_delay +- service_rpcbind_disabled +- file_groupowner_etc_group +- sshd_disable_rhosts +- file_permissions_sshd_config - sshd_disable_tcp_forwarding -- audit_rules_dac_modification_fchown -- dconf_db_up_to_date -- package_tftp-server_removed -- audit_rules_dac_modification_lchown -- firewalld_loopback_traffic_restricted +- dconf_gnome_screensaver_idle_delay +- dconf_gnome_disable_automount +- package_xinetd_removed +- sysctl_net_ipv4_conf_all_send_redirects +- sysctl_fs_suid_dumpable +- accounts_passwords_pam_faillock_unlock_time +- configure_ssh_crypto_policy +- file_owner_cron_allow +- file_owner_cron_d +- set_ip6tables_default_rule - sudo_require_authentication -- package_libselinux_installed -- use_pam_wheel_group_for_su -- wireless_disable_interfaces +- sshd_set_keepalive +- firewalld_loopback_traffic_trusted +- sshd_use_approved_ciphers +- kernel_module_dccp_disabled +- accounts_set_post_pw_existing +- audit_rules_file_deletion_events_rename - file_permissions_backup_etc_group +- file_permissions_crontab +- audit_rules_mac_modification +- file_groupowner_at_allow +- firewalld_loopback_traffic_restricted +- file_permissions_etc_passwd +- audit_rules_usergroup_modification_group +- audit_rules_dac_modification_setxattr +- file_owner_etc_shadow - package_audit_installed -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_login_events_lastlog +- no_direct_root_logins +- display_login_attempts +- audit_rules_usergroup_modification_gshadow +- sshd_set_login_grace_time +- audit_rules_media_export +- file_permissions_sshd_private_key +- audit_rules_dac_modification_fchmodat +- 
sysctl_net_ipv4_tcp_syncookies +- package_libselinux_installed +- kernel_module_sctp_disabled +- accounts_password_all_shadowed +- file_groupowner_etc_issue_net +- rpm_verify_ownership +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_password_pam_dcredit +- file_groupowner_user_cfg +- accounts_no_uid_except_zero +- sysctl_net_ipv4_conf_default_accept_redirects +- accounts_tmout - accounts_password_set_warn_age_existing -- account_unique_id -- file_cron_deny_not_exist -- file_permissions_cron_daily -- rsyslog_files_groupownership +- postfix_network_listening_disabled +- accounts_password_last_change_is_in_past +- coredump_disable_storage +- gnome_gdm_disable_automatic_login - disable_users_coredumps -- sudo_require_reauthentication -- accounts_password_pam_minlen -- sysctl_fs_suid_dumpable -- package_audispd-plugins_installed -- accounts_passwords_pam_faillock_unlock_time -- audit_rules_dac_modification_fchmod - audit_rules_file_deletion_events_unlink -- dconf_gnome_screensaver_mode_blank -- service_avahi-daemon_disabled -- sshd_do_not_permit_user_env -- dir_perms_world_writable_sticky_bits - set_password_hashing_algorithm_systemauth -- rsyslog_files_ownership -- postfix_network_listening_disabled -- service_firewalld_enabled -- audit_rules_dac_modification_chmod -- accounts_password_pam_pwhistory_remember_system_auth -- file_groupowner_etc_passwd -- no_empty_passwords -- file_permissions_ungroupowned -- auditd_name_format -- install_PAE_kernel_on_x86-32 -- accounts_password_warn_age_login_defs -- ensure_root_password_configured -- selinux_state -- file_groupowner_cron_allow -- sshd_use_approved_ciphers -- audit_rules_login_events_tallylog -- network_nmcli_permissions +- dir_perms_world_writable_sticky_bits +- file_at_deny_not_exist - sshd_set_loglevel_verbose -- gnome_gdm_disable_guest_login -- group_unique_name -- sysctl_kernel_core_pattern -- sshd_set_keepalive -- file_permissions_cron_monthly -- dconf_gnome_disable_automount_open -- 
dconf_gnome_disable_automount +- coredump_disable_backtraces +- audit_rules_file_deletion_events_renameat +- audit_rules_dac_modification_lsetxattr +- auditd_audispd_syslog_plugin_activated +- sshd_disable_x11_forwarding +- sshd_enable_pam +- file_owner_backup_etc_group +- file_owner_backup_etc_shadow +- file_permissions_unauthorized_world_writable +- configure_firewalld_ports +- accounts_password_pam_lcredit +- file_groupowner_cron_weekly +- file_owner_cron_hourly +- sshd_set_max_auth_tries - chronyd_specify_remote_server -- file_groupowner_etc_group -- file_groupowner_cron_daily -- dconf_gnome_screensaver_idle_activation_enabled -- file_owner_etc_passwd -- package_ftp_removed -- audit_rules_sysadmin_actions -- file_groupowner_cron_monthly -- file_permissions_sshd_config -- audit_rules_time_settimeofday -- securetty_root_login_console_only -- file_permissions_etc_issue_net -- accounts_password_last_change_is_in_past -- gid_passwd_group_same -- rpm_verify_ownership -- accounts_password_pam_dcredit -- service_rsyncd_disabled -- accounts_root_gid_zero -- grub2_enable_selinux -- package_net-snmp_removed -- sshd_set_max_sessions -- sudo_add_use_pty -- file_groupowner_at_allow -- group_unique_id -- package_telnet_removed -- audit_rules_dac_modification_setxattr -- no_empty_passwords_etc_shadow +- file_groupowner_etc_shadow - file_owner_etc_issue_net -- accounts_set_post_pw_existing -- sysctl_net_ipv4_conf_all_send_redirects -- rpm_verify_hashes -- audit_rules_usergroup_modification_opasswd -- dconf_gnome_session_idle_user_locks -- file_permissions_crontab -- auditd_data_retention_admin_space_left_action -- file_permissions_cron_hourly -- service_chronyd_or_ntpd_enabled -- sysctl_kernel_randomize_va_space +- rsyslog_files_permissions +- audit_rules_file_deletion_events_unlinkat +- file_owner_user_cfg +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- dconf_gnome_screensaver_lock_enabled - var_multiple_time_servers=generic - var_auditd_admin_space_left_action=single 
- var_auditd_space_left=100MB @@ -310,5 +312,4 @@ filter_rules: '' policies: - pcidss_4 title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8 -definition_location: /home/mburket/Developer/ComplianceAsCode/content/products/rhel8/profiles/pci-dss.profile documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile index 9106e5801b7..0b81f0c2f77 100644 --- a/tests/data/profile_stability/rhel9/pci-dss.profile +++ b/tests/data/profile_stability/rhel9/pci-dss.profile 
@@ -20,253 +20,254 @@ metadata: - vojtapolasek reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf selections: -- coredump_disable_storage -- accounts_passwords_pam_faillock_unlock_time -- audit_rules_session_events -- firewalld_loopback_traffic_restricted -- set_password_hashing_algorithm_libuserconf -- audit_rules_login_events_lastlog -- directory_access_var_log_audit -- file_owner_grub2_cfg -- no_shelllogin_for_systemaccounts +- audit_rules_dac_modification_fchown +- audit_rules_media_export +- audit_rules_usergroup_modification_shadow +- file_at_deny_not_exist +- package_libselinux_installed +- package_tftp_removed +- sshd_disable_empty_passwords - file_owner_cron_allow - dconf_gnome_screensaver_idle_delay -- ensure_root_password_configured -- file_owner_cron_daily -- file_owner_backup_etc_shadow -- service_avahi-daemon_disabled -- package_audispd-plugins_installed -- sshd_set_login_grace_time +- audit_rules_dac_modification_fsetxattr +- accounts_password_pam_dcredit +- file_groupowner_cron_allow +- ensure_gpgcheck_never_disabled +- audit_rules_file_deletion_events_unlink - file_owner_cron_hourly -- audit_rules_dac_modification_lsetxattr -- file_groupowner_cron_d -- package_logrotate_installed -- audit_rules_networkconfig_modification -- rsyslog_files_permissions -- dconf_gnome_disable_automount_open -- sshd_set_loglevel_verbose -- package_nftables_installed -- audit_rules_time_stime -- auditd_data_retention_space_left_action -- bios_enable_execution_restrictions -- audit_sudo_log_events -- audit_rules_sysadmin_actions -- accounts_tmout -- file_owner_backup_etc_group -- grub2_audit_backlog_limit_argument -- audit_rules_file_deletion_events_unlinkat +- audit_rules_dac_modification_removexattr - file_groupowner_backup_etc_shadow -- file_permissions_cron_daily -- file_groupowner_backup_etc_passwd -- set_password_hashing_algorithm_systemauth -- sshd_limit_user_access -- sshd_set_max_sessions -- file_permissions_crontab +- 
file_groupowner_cron_daily +- auditd_data_retention_space_left_action +- file_permissions_backup_etc_group - file_permissions_at_allow -- file_owner_etc_passwd -- package_sudo_installed -- file_owner_backup_etc_passwd -- audit_rules_login_events_faillock -- audit_rules_file_deletion_events_rename -- file_groupowner_etc_passwd -- file_permissions_etc_shadow -- sudo_require_reauthentication -- package_telnet_removed -- file_permissions_unauthorized_world_writable -- audit_rules_dac_modification_fchown -- chronyd_run_as_chrony_user -- file_at_deny_not_exist -- file_groupowner_crontab -- sysctl_fs_suid_dumpable -- selinux_confinement_of_daemons +- file_groupowner_cron_monthly +- service_rsyncd_disabled +- file_permissions_sshd_pub_key +- directory_access_var_log_audit +- file_permissions_user_cfg +- service_rpcbind_disabled +- accounts_tmout +- file_owner_cron_weekly - security_patches_up_to_date -- file_permissions_cron_weekly -- file_cron_deny_not_exist -- file_permissions_etc_group -- accounts_password_set_max_life_existing -- package_audit_installed -- file_permissions_var_log_audit +- file_permissions_backup_etc_shadow +- selinux_confinement_of_daemons - accounts_no_uid_except_zero -- disable_host_auth -- file_permissions_ungroupowned -- dconf_gnome_screensaver_lock_enabled -- sshd_disable_empty_passwords -- aide_build_database -- file_owner_user_cfg -- package_tftp-server_removed +- file_permissions_backup_etc_passwd +- grub2_enable_selinux +- file_cron_deny_not_exist +- securetty_root_login_console_only - dconf_gnome_screensaver_mode_blank -- audit_rules_file_deletion_events_renameat -- accounts_password_all_shadowed -- audit_rules_mac_modification -- account_unique_id -- accounts_set_post_pw_existing -- audit_rules_login_events_tallylog -- file_ownership_var_log_audit -- file_permissions_cron_d -- disable_users_coredumps +- file_permissions_var_log_audit +- chronyd_specify_remote_server +- file_groupowner_etc_passwd +- accounts_password_pam_lcredit - 
file_groupowner_cron_hourly +- use_pam_wheel_group_for_su +- no_files_unowned_by_user +- set_ip6tables_default_rule +- audit_rules_usergroup_modification_opasswd +- file_groupowner_user_cfg +- file_owner_crontab +- dconf_gnome_disable_automount_open +- sshd_limit_user_access +- chronyd_run_as_chrony_user +- file_owner_cron_monthly +- rsyslog_files_groupownership +- audit_rules_usergroup_modification_gshadow +- aide_periodic_cron_checking +- audit_rules_networkconfig_modification +- audit_rules_file_deletion_events_unlinkat +- sshd_disable_root_login +- accounts_password_pam_pwhistory_remember_password_auth +- sysctl_net_ipv4_conf_all_send_redirects +- file_groupowner_etc_group +- ensure_root_password_configured +- selinux_policytype +- file_owner_etc_shadow +- audit_rules_login_events_tallylog +- file_permissions_cron_allow +- account_unique_name +- sshd_do_not_permit_user_env +- file_owner_cron_daily +- gid_passwd_group_same +- file_groupowner_backup_etc_group - dconf_db_up_to_date +- kernel_module_usb-storage_disabled +- accounts_passwords_pam_faillock_unlock_time +- package_ftp_removed +- accounts_maximum_age_login_defs +- audit_rules_time_stime +- dconf_gnome_screensaver_lock_enabled +- accounts_password_pam_unix_remember - sysctl_net_ipv4_ip_forward -- file_owner_cron_monthly -- set_password_hashing_algorithm_logindefs +- ensure_pam_wheel_group_empty +- wireless_disable_interfaces +- audit_rules_file_deletion_events_rmdir +- audit_rules_time_settimeofday +- file_group_ownership_var_log_audit - audit_rules_usergroup_modification_passwd -- no_password_auth_for_systemaccounts -- sshd_set_maxstartups -- dconf_gnome_screensaver_idle_activation_enabled -- file_groupowner_cron_allow -- sudo_add_use_pty -- accounts_maximum_age_login_defs -- configure_firewalld_ports +- accounts_password_set_warn_age_existing +- auditd_data_retention_admin_space_left_action +- audit_rules_sysadmin_actions - service_firewalld_enabled -- audit_rules_dac_modification_lchown -- 
ensure_redhat_gpgkey_installed -- file_owner_etc_group -- accounts_password_pam_pwhistory_remember_password_auth +- network_sniffer_disabled +- sudo_require_reauthentication +- file_groupowner_etc_shadow +- set_password_hashing_algorithm_libuserconf +- accounts_passwords_pam_faillock_deny +- file_owner_etc_passwd +- auditd_name_format +- accounts_password_set_max_life_existing +- accounts_set_post_pw_existing +- file_groupowner_crontab +- audit_sudo_log_events +- package_nftables_installed +- set_password_hashing_algorithm_systemauth +- sshd_disable_tcp_forwarding - display_login_attempts +- file_owner_etc_group +- enable_authselect - group_unique_id -- kernel_module_sctp_disabled -- selinux_policytype -- file_groupowner_user_cfg +- disable_users_coredumps +- firewalld_loopback_traffic_trusted +- sudo_custom_logfile +- audit_rules_usergroup_modification_group +- file_owner_backup_etc_passwd +- package_audispd-plugins_installed +- sysctl_net_ipv4_conf_default_send_redirects +- firewalld_loopback_traffic_restricted +- sysctl_net_ipv4_conf_all_secure_redirects +- audit_rules_dac_modification_lsetxattr +- no_empty_passwords_etc_shadow +- audit_rules_mac_modification - dconf_gnome_disable_automount -- timer_logrotate_enabled -- file_groupowner_cron_weekly +- sshd_set_login_grace_time +- audit_rules_dac_modification_chown +- grub2_audit_backlog_limit_argument +- file_owner_backup_etc_group +- sysctl_net_ipv6_conf_default_accept_source_route +- accounts_password_pam_minlen +- auditd_data_retention_space_left +- package_sudo_installed +- sshd_set_maxstartups +- audit_rules_login_events_lastlog +- grub2_audit_argument +- sysctl_kernel_randomize_va_space +- file_permissions_cron_weekly +- file_owner_etc_issue_net +- no_direct_root_logins +- sysctl_kernel_core_pattern +- kernel_module_sctp_disabled +- package_firewalld_installed +- file_permissions_etc_group +- audit_rules_file_deletion_events_renameat +- sshd_set_max_sessions +- accounts_password_all_shadowed +- 
file_permissions_sshd_config +- sshd_set_loglevel_verbose +- audit_rules_time_adjtimex +- package_logrotate_installed +- file_owner_user_cfg +- package_telnet-server_removed +- package_cryptsetup-luks_installed +- sudo_add_use_pty +- dconf_gnome_screensaver_idle_activation_enabled - package_net-snmp_removed -- coredump_disable_backtraces -- enable_authselect -- auditd_data_retention_admin_space_left_action -- file_groupowner_etc_issue_net -- file_permissions_user_cfg -- network_nmcli_permissions -- sysctl_net_ipv4_conf_all_send_redirects -- gnome_gdm_disable_automatic_login +- file_ownership_var_log_audit +- service_avahi-daemon_disabled +- sysctl_net_ipv4_conf_all_rp_filter +- audit_rules_dac_modification_fremovexattr +- file_permissions_etc_passwd +- rpm_verify_hashes +- aide_build_database +- file_groupowner_cron_d +- audit_rules_immutable +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- ensure_redhat_gpgkey_installed - rpm_verify_ownership -- configure_ssh_crypto_policy +- service_nftables_disabled +- no_shelllogin_for_systemaccounts - dconf_gnome_screensaver_lock_delay -- audit_rules_usergroup_modification_shadow -- file_permissions_etc_passwd -- ensure_pam_wheel_group_empty -- file_permissions_backup_etc_shadow -- kernel_module_dccp_disabled -- file_owner_crontab -- sudo_custom_logfile -- sshd_disable_tcp_forwarding -- sshd_disable_x11_forwarding -- ensure_gpgcheck_never_disabled +- accounts_root_gid_zero +- coredump_disable_backtraces +- sysctl_net_ipv4_conf_default_accept_redirects +- configure_ssh_crypto_policy - audit_rules_dac_modification_fchmod -- file_owner_etc_issue_net -- account_disable_post_pw_expiration -- accounts_password_pam_lcredit +- file_groupowner_cron_weekly +- sshd_set_max_auth_tries +- account_unique_id +- file_owner_backup_etc_shadow +- file_permissions_sshd_private_key +- set_password_hashing_algorithm_logindefs +- file_owner_cron_d +- service_auditd_enabled - sshd_enable_pam -- audit_rules_file_deletion_events_unlink -- 
set_firewalld_default_zone -- sshd_set_keepalive - sysctl_net_ipv4_tcp_syncookies -- postfix_network_listening_disabled -- rsyslog_files_groupownership -- selinux_state -- no_direct_root_logins -- service_auditd_enabled -- file_permissions_grub2_cfg -- audit_rules_time_watch_localtime -- file_permissions_sshd_private_key -- accounts_password_pam_unix_remember -- audit_rules_time_adjtimex +- package_dhcp_removed +- audit_rules_session_events +- coredump_disable_storage - no_empty_passwords -- package_cryptsetup-luks_installed -- grub2_enable_selinux -- file_permissions_sshd_pub_key -- service_nftables_disabled -- accounts_password_pam_minlen -- file_permissions_cron_allow -- audit_rules_dac_modification_fchmodat -- use_pam_wheel_group_for_su -- grub2_audit_argument -- sysctl_net_ipv4_conf_all_secure_redirects -- auditd_audispd_syslog_plugin_activated -- file_owner_cron_d +- package_audit_installed +- accounts_password_last_change_is_in_past +- timer_logrotate_enabled - accounts_password_pam_pwhistory_remember_system_auth -- audit_rules_time_clock_settime -- file_permissions_etc_issue_net -- dir_perms_world_writable_sticky_bits -- service_rsyncd_disabled -- auditd_data_retention_space_left -- sysctl_kernel_randomize_va_space -- sysctl_net_ipv4_conf_all_rp_filter -- sshd_set_max_auth_tries -- audit_rules_dac_modification_chmod -- sysctl_net_ipv4_conf_default_accept_redirects -- package_telnet-server_removed -- audit_rules_suid_privilege_function -- audit_rules_time_settimeofday -- sshd_disable_root_login -- sysctl_net_ipv6_conf_default_accept_source_route -- audit_rules_usergroup_modification_group -- audit_rules_dac_modification_fsetxattr -- file_permissions_backup_etc_passwd -- audit_rules_dac_modification_removexattr -- file_permissions_sshd_config -- file_group_ownership_var_log_audit -- audit_rules_dac_modification_setxattr -- audit_rules_immutable -- package_tftp_removed -- network_sniffer_disabled -- auditd_name_format -- no_empty_passwords_etc_shadow -- 
package_dhcp_removed -- audit_rules_dac_modification_lremovexattr -- file_groupowner_at_allow -- package_aide_installed -- audit_rules_media_export -- rpm_verify_hashes - file_permissions_cron_monthly -- package_ftp_removed -- securetty_root_login_console_only +- package_chrony_installed +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_dac_modification_lremovexattr +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_chmod +- dconf_gnome_session_idle_user_locks +- auditd_audispd_syslog_plugin_activated +- gnome_gdm_disable_automatic_login - rsyslog_files_ownership -- accounts_password_last_change_is_in_past +- accounts_password_warn_age_login_defs - sshd_disable_rhosts -- chronyd_specify_remote_server -- file_groupowner_etc_group -- file_groupowner_backup_etc_group -- sysctl_net_ipv4_conf_default_send_redirects -- file_permissions_backup_etc_group +- package_tftp-server_removed +- kernel_module_dccp_disabled +- disable_host_auth +- account_disable_post_pw_expiration +- no_password_auth_for_systemaccounts +- file_groupowner_at_allow +- file_groupowner_backup_etc_passwd +- file_permissions_unauthorized_world_writable +- configure_firewalld_ports - audit_rules_dac_modification_fchownat -- file_groupowner_grub2_cfg -- kernel_module_usb-storage_disabled -- package_libselinux_installed -- accounts_password_pam_dcredit -- service_rpcbind_disabled -- audit_rules_file_deletion_events_rmdir -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- file_owner_cron_weekly -- audit_rules_usergroup_modification_gshadow -- gid_passwd_group_same -- package_chrony_installed -- sshd_do_not_permit_user_env -- dconf_gnome_session_idle_user_locks -- sudo_require_authentication -- accounts_passwords_pam_faillock_deny -- file_groupowner_cron_daily -- file_owner_etc_shadow -- account_unique_name +- file_groupowner_etc_issue_net +- audit_rules_file_deletion_events_rename +- sysctl_fs_suid_dumpable +- audit_rules_dac_modification_fchmodat +- 
sshd_disable_x11_forwarding +- bios_enable_execution_restrictions +- configure_crypto_policy +- file_permissions_grub2_cfg - sshd_set_idle_timeout -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- no_files_unowned_by_user -- sysctl_kernel_core_pattern -- file_groupowner_cron_monthly -- audit_rules_dac_modification_chown -- set_ip6tables_default_rule -- audit_rules_dac_modification_fremovexattr - ensure_gpgcheck_globally_activated -- firewalld_loopback_traffic_trusted -- configure_crypto_policy -- wireless_disable_interfaces -- accounts_root_gid_zero -- accounts_password_warn_age_login_defs -- accounts_password_set_warn_age_existing -- aide_periodic_cron_checking -- file_groupowner_etc_shadow -- audit_rules_usergroup_modification_opasswd - file_permissions_cron_hourly +- selinux_state +- file_permissions_crontab +- file_permissions_ungroupowned +- rsyslog_files_permissions +- sudo_require_authentication +- postfix_network_listening_disabled +- audit_rules_login_events_faillock +- dir_perms_world_writable_sticky_bits +- file_owner_grub2_cfg +- audit_rules_time_clock_settime +- file_permissions_cron_d +- audit_rules_dac_modification_setxattr +- audit_rules_suid_privilege_function +- package_aide_installed +- file_permissions_etc_issue_net +- file_permissions_cron_daily +- sshd_set_keepalive +- file_permissions_etc_shadow +- package_telnet_removed +- set_firewalld_default_zone +- file_groupowner_grub2_cfg +- network_nmcli_permissions +- audit_rules_time_watch_localtime - var_multiple_time_servers=generic - var_auditd_admin_space_left_action=single - var_auditd_space_left=100MB @@ -303,5 +304,4 @@ filter_rules: '' policies: - pcidss_4 title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9 -definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/pci-dss.profile documentation_complete: true