|
 |
9be3b2 |
From f3e6ef75a941307be8a203ac06c40b8f6b79e8ef Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Matthew Burket <mburket@redhat.com>
|
|
|
9be3b2 |
Date: Thu, 30 Sep 2021 13:43:34 -0500
|
|
|
9be3b2 |
Subject: [PATCH] Add rule for RHEL8 CIS 5.2.16 and RHEL7 CIS 5.3.19
|
|
|
9be3b2 |
|
|
|
9be3b2 |
Fixes #5526
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
controls/cis_rhel7.yml | 4 +++-
|
|
|
9be3b2 |
controls/cis_rhel8.yml | 6 +++---
|
|
|
9be3b2 |
.../services/ssh/ssh_server/sshd_enable_pam/rule.yml | 11 +++++++++--
|
|
|
9be3b2 |
shared/references/cce-redhat-avail.txt | 3 ---
|
|
|
9be3b2 |
4 files changed, 15 insertions(+), 9 deletions(-)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
|
|
|
9be3b2 |
index bd68e32ed99..dcc639072d7 100644
|
|
|
9be3b2 |
--- a/controls/cis_rhel7.yml
|
|
|
9be3b2 |
+++ b/controls/cis_rhel7.yml
|
|
|
9be3b2 |
@@ -1841,7 +1841,9 @@ controls:
|
|
|
9be3b2 |
levels:
|
|
|
9be3b2 |
- l1_server
|
|
|
9be3b2 |
- l1_workstation
|
|
|
9be3b2 |
- automated: no # rule missing
|
|
|
9be3b2 |
+ status: automated
|
|
|
9be3b2 |
+ rules:
|
|
|
9be3b2 |
+ - sshd_enable_pam
|
|
|
9be3b2 |
|
|
|
9be3b2 |
- id: 5.3.20
|
|
|
9be3b2 |
title: Ensure SSH AllowTcpForwarding is disabled (Automated)
|
|
|
9be3b2 |
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
|
9be3b2 |
index cbe1fc4e6a4..a505c4e80d4 100644
|
|
|
9be3b2 |
--- a/controls/cis_rhel8.yml
|
|
|
9be3b2 |
+++ b/controls/cis_rhel8.yml
|
|
|
9be3b2 |
@@ -1751,14 +1751,14 @@ controls:
|
|
|
9be3b2 |
- l1_workstation
|
|
|
9be3b2 |
automated: no
|
|
|
9be3b2 |
|
|
|
9be3b2 |
- # NEEDS RULE
|
|
|
9be3b2 |
- # https://github.com/ComplianceAsCode/content/issues/5526
|
|
|
9be3b2 |
- id: 5.2.16
|
|
|
9be3b2 |
title: Ensure SSH PAM is enabled (Automated)
|
|
|
9be3b2 |
levels:
|
|
|
9be3b2 |
- l1_server
|
|
|
9be3b2 |
- l1_workstation
|
|
|
9be3b2 |
- automated: no
|
|
|
9be3b2 |
+ status: automated
|
|
|
9be3b2 |
+ rules:
|
|
|
9be3b2 |
+ - sshd_enable_pam
|
|
|
9be3b2 |
|
|
|
9be3b2 |
- id: 5.2.17
|
|
|
9be3b2 |
title: Ensure SSH AllowTcpForwarding is disabled (Automated)
|
|
|
9be3b2 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
|
|
|
9be3b2 |
index fe02c963e58..75a5855c196 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
|
|
|
9be3b2 |
@@ -18,14 +18,21 @@ rationale: |-
|
|
|
9be3b2 |
the account. Additionally, you can make sure users inherit certain environment variables
|
|
|
9be3b2 |
on login or disallow access to the server.
|
|
|
9be3b2 |
|
|
|
9be3b2 |
+severity: medium
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+identifiers:
|
|
|
9be3b2 |
+ cce@rhel7: CCE-86720-0
|
|
|
9be3b2 |
+ cce@rhel8: CCE-86721-8
|
|
|
9be3b2 |
+ cce@rhel9: CCE-86722-6
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
references:
|
|
|
9be3b2 |
+ cis@rhel7: 5.3.19
|
|
|
9be3b2 |
+ cis@rhel8: 5.2.16
|
|
|
9be3b2 |
cis@ubuntu2004: 5.2.19
|
|
|
9be3b2 |
disa: CCI-000877
|
|
|
9be3b2 |
srg: SRG-OS-000125-GPOS-00065
|
|
|
9be3b2 |
stigid@ubuntu2004: UBTU-20-010035
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-severity: medium
|
|
|
9be3b2 |
-
|
|
|
9be3b2 |
ocil_clause: 'it is commented out or is not enabled'
|
|
|
9be3b2 |
|
|
|
9be3b2 |
ocil: |-
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index 46f9559ea84..5e5b9d17897 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -805,9 +805,6 @@ CCE-86716-8
|
|
|
9be3b2 |
CCE-86717-6
|
|
|
9be3b2 |
CCE-86718-4
|
|
|
9be3b2 |
CCE-86719-2
|
|
|
9be3b2 |
-CCE-86720-0
|
|
|
9be3b2 |
-CCE-86721-8
|
|
|
9be3b2 |
-CCE-86722-6
|
|
|
9be3b2 |
CCE-86723-4
|
|
|
9be3b2 |
CCE-86724-2
|
|
|
9be3b2 |
CCE-86725-9
|