From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 29 Jun 2021 14:37:28 +0100
Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files
per-benchmark
---
products/rhel8/profiles/cis.profile | 1080 +----------------
products/rhel8/profiles/cis_server_l1.profile | 22 +
.../rhel8/profiles/cis_workstation_l1.profile | 22 +
.../rhel8/profiles/cis_workstation_l2.profile | 22 +
4 files changed, 72 insertions(+), 1074 deletions(-)
create mode 100644 products/rhel8/profiles/cis_server_l1.profile
create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile
create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile
diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
index c22ae86d076..4a00c24e0f7 100644
--- a/products/rhel8/profiles/cis.profile
+++ b/products/rhel8/profiles/cis.profile
@@ -1,1090 +1,22 @@
documentation_complete: true
metadata:
- version: 1.0.0
+ version: 1.0.1
SMEs:
- vojtapolasek
- yuumasato
reference: https://www.cisecurity.org/benchmark/red_hat_linux/
-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server'
description: |-
- This profile defines a baseline that aligns to the Center for Internet Security®
- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+ This profile defines a baseline that aligns to the "Level 2 - Server"
+ configuration from the Center for Internet Security® Red Hat Enterprise
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
selections:
- # Necessary for dconf rules
- - dconf_db_up_to_date
-
- ### Partitioning
- - mount_option_home_nodev
-
- ## 1.1 Filesystem Configuration
-
- ### 1.1.1 Disable unused filesystems
-
- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
- - kernel_module_cramfs_disabled
-
- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
-
-
- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
- - kernel_module_squashfs_disabled
-
- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
- - kernel_module_udf_disabled
-
- ### 1.1.2 Ensure /tmp is configured (Scored)
- - partition_for_tmp
-
- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
- - mount_option_tmp_nodev
-
- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
- - mount_option_tmp_nosuid
-
- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
- - mount_option_tmp_noexec
-
- ### 1.1.6 Ensure separate partition exists for /var (Scored)
- - partition_for_var
-
- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
- - partition_for_var_tmp
-
- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_nodev
-
- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_nosuid
-
- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_noexec
-
- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
- - partition_for_var_log
-
- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
- - partition_for_var_log_audit
-
- ### 1.1.13 Ensure separate partition exists for /home (Scored)
- - partition_for_home
-
- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
- - mount_option_home_nodev
-
- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_nodev
-
- ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_nosuid
-
- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_noexec
-
- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
- - mount_option_nodev_removable_partitions
-
- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
- - mount_option_nosuid_removable_partitions
-
- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
- - mount_option_noexec_removable_partitions
-
- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
- - dir_perms_world_writable_sticky_bits
-
- ### 1.1.22 Disable Automounting (Scored)
- - service_autofs_disabled
-
- ### 1.1.23 Disable USB Storage (Scored)
- - kernel_module_usb-storage_disabled
-
- ## 1.2 Configure Software Updates
-
- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
-
- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
- - service_rhnsd_disabled
-
- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
- - ensure_redhat_gpgkey_installed
-
- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
- - ensure_gpgcheck_globally_activated
-
- ### 1.2.5 Ensure package manager repositories are configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
-
- ## 1.3 Configure sudo
-
- ### 1.3.1 Ensure sudo is installed (Scored)
- - package_sudo_installed
-
- ### 1.3.2 Ensure sudo commands use pty (Scored)
- - sudo_add_use_pty
-
- ### 1.3.3 Ensure sudo log file exists (Scored)
- - sudo_custom_logfile
-
- ## 1.4 Filesystem Integrity Checking
-
- ### 1.4.1 Ensure AIDE is installed (Scored)
- - package_aide_installed
-
- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
- - aide_periodic_cron_checking
-
- ## Secure Boot Settings
-
- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
- #### chown root:root /boot/grub2/grub.cfg
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
-
- #### chmod og-rwx /boot/grub2/grub.cfg
- - file_permissions_grub2_cfg
-
- #### chown root:root /boot/grub2/grubenv
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
- #### chmod og-rwx /boot/grub2/grubenv
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
- ### 1.5.2 Ensure bootloader password is set (Scored)
- - grub2_password
-
- ### 1.5.3 Ensure authentication required for single user mode (Scored)
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
- - require_singleuser_auth
-
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- - require_emergency_target_auth
-
- ## 1.6 Additional Process Hardening
-
- ### 1.6.1 Ensure core dumps are restricted (Scored)
- #### * hard core 0
- - disable_users_coredumps
-
- #### fs.suid_dumpable = 0
- - sysctl_fs_suid_dumpable
-
- #### ProcessSizeMax=0
- - coredump_disable_backtraces
-
- #### Storage=none
- - coredump_disable_storage
-
- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
- - sysctl_kernel_randomize_va_space
-
- ## 1.7 Mandatory Access Control
-
- ### 1.7.1 Configure SELinux
-
- #### 1.7.1.1 Ensure SELinux is installed (Scored)
- - package_libselinux_installed
-
- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
- - grub2_enable_selinux
-
- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
- - var_selinux_policy_name=targeted
- - selinux_policytype
-
- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
- - var_selinux_state=enforcing
- - selinux_state
-
- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
- - selinux_confinement_of_daemons
-
- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
- - package_setroubleshoot_removed
-
- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
- - package_mcstrans_removed
-
- ## Warning Banners
-
- ### 1.8.1 Command Line Warning Baners
-
- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
- - banner_etc_motd
-
- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
- - banner_etc_issue
-
- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
-
- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
- # chmod u-x,go-wx /etc/motd
- - file_permissions_etc_motd
-
- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
- # chmod u-x,go-wx /etc/issue
- - file_permissions_etc_issue
-
- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
- # Previously addressed via 'rpm_verify_permissions' rule
-
- ### 1.8.2 Ensure GDM login banner is configured (Scored)
- #### banner-message-enable=true
- - dconf_gnome_banner_enabled
-
- #### banner-message-text='<banner message>'
- - dconf_gnome_login_banner_text
-
- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
- - security_patches_up_to_date
-
- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
- - var_system_crypto_policy=future
- - configure_crypto_policy
-
- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
- # Previously addressed via 'configure_crypto_policy' rule
-
- # Services
-
- ## 2.1 inetd Services
-
- ### 2.1.1 Ensure xinetd is not installed (Scored)
- - package_xinetd_removed
-
- ## 2.2 Special Purpose Services
-
- ### 2.2.1 Time Synchronization
-
- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
- - package_chrony_installed
-
- #### 2.2.1.2 Ensure chrony is configured (Scored)
- - service_chronyd_enabled
- - chronyd_specify_remote_server
- - chronyd_run_as_chrony_user
-
- ### 2.2.2 Ensure X Window System is not installed (Scored)
- - package_xorg-x11-server-common_removed
- - xwindows_runlevel_target
-
- ### 2.2.3 Ensure rsync service is not enabled (Scored)
- - service_rsyncd_disabled
-
- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
- - service_avahi-daemon_disabled
-
- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
- - service_snmpd_disabled
-
- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
- - package_squid_removed
-
- ### 2.2.7 Ensure Samba is not enabled (Scored)
- - service_smb_disabled
-
- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
- - service_dovecot_disabled
-
- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
- - service_httpd_disabled
-
- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
- - service_vsftpd_disabled
-
- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
- - service_named_disabled
-
- ### 2.2.12 Ensure NFS is not enabled (Scored)
- - service_nfs_disabled
-
- ### 2.2.13 Ensure RPC is not enabled (Scored)
- - service_rpcbind_disabled
-
- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
-
- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
- - service_dhcpd_disabled
-
- ### 2.2.16 Ensure CUPS is not enabled (Scored)
- - service_cups_disabled
-
- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
-
- ### 2.2.18 Ensure mail transfer agent is configured for
- ### local-only mode (Scored)
- - postfix_network_listening_disabled
-
- ## 2.3 Service Clients
-
- ### 2.3.1 Ensure NIS Client is not installed (Scored)
- - package_ypbind_removed
-
- ### 2.3.2 Ensure telnet client is not installed (Scored)
- - package_telnet_removed
-
- ### Ensure LDAP client is not installed
- - package_openldap-clients_removed
-
- # 3 Network Configuration
-
- ## 3.1 Network Parameters (Host Only)
-
- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
- #### net.ipv4.ip_forward = 0
- - sysctl_net_ipv4_ip_forward
-
- #### net.ipv6.conf.all.forwarding = 0
- - sysctl_net_ipv6_conf_all_forwarding
-
- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
- #### net.ipv4.conf.all.send_redirects = 0
- - sysctl_net_ipv4_conf_all_send_redirects
-
- #### net.ipv4.conf.default.send_redirects = 0
- - sysctl_net_ipv4_conf_default_send_redirects
-
- ## 3.2 Network Parameters (Host and Router)
-
- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
- #### net.ipv4.conf.all.accept_source_route = 0
- - sysctl_net_ipv4_conf_all_accept_source_route
-
- #### net.ipv4.conf.default.accept_source_route = 0
- - sysctl_net_ipv4_conf_default_accept_source_route
-
- #### net.ipv6.conf.all.accept_source_route = 0
- - sysctl_net_ipv6_conf_all_accept_source_route
-
- #### net.ipv6.conf.default.accept_source_route = 0
- - sysctl_net_ipv6_conf_default_accept_source_route
-
- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
- #### net.ipv4.conf.all.accept_redirects = 0
- - sysctl_net_ipv4_conf_all_accept_redirects
-
- #### net.ipv4.conf.default.accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
-
- #### net.ipv6.conf.all.accept_redirects = 0
- - sysctl_net_ipv6_conf_all_accept_redirects
-
- #### net.ipv6.conf.defaults.accept_redirects = 0
- - sysctl_net_ipv6_conf_default_accept_redirects
-
- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
- #### net.ipv4.conf.all.secure_redirects = 0
- - sysctl_net_ipv4_conf_all_secure_redirects
-
- #### net.ipv4.cof.default.secure_redirects = 0
- - sysctl_net_ipv4_conf_default_secure_redirects
-
- ### 3.2.4 Ensure suspicious packets are logged (Scored)
- #### net.ipv4.conf.all.log_martians = 1
- - sysctl_net_ipv4_conf_all_log_martians
-
- #### net.ipv4.conf.default.log_martians = 1
- - sysctl_net_ipv4_conf_default_log_martians
-
- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-
- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-
- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- #### net.ipv4.conf.all.rp_filter = 1
- - sysctl_net_ipv4_conf_all_rp_filter
-
- #### net.ipv4.conf.default.rp_filter = 1
- - sysctl_net_ipv4_conf_default_rp_filter
-
- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
- - sysctl_net_ipv4_tcp_syncookies
-
- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
- #### net.ipv6.conf.all.accept_ra = 0
- - sysctl_net_ipv6_conf_all_accept_ra
-
- #### net.ipv6.conf.default.accept_ra = 0
- - sysctl_net_ipv6_conf_default_accept_ra
-
- ## 3.3 Uncommon Network Protocols
-
- ### 3.3.1 Ensure DCCP is disabled (Scored)
- - kernel_module_dccp_disabled
-
- ### Ensure SCTP is disabled (Scored)
- - kernel_module_sctp_disabled
-
- ### 3.3.3 Ensure RDS is disabled (Scored)
- - kernel_module_rds_disabled
-
- ### 3.3.4 Ensure TIPC is disabled (Scored)
- - kernel_module_tipc_disabled
-
- ## 3.4 Firewall Configuration
-
- ### 3.4.1 Ensure Firewall software is installed
-
- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
- ##### firewalld
- - package_firewalld_installed
-
- ##### nftables
- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
-
- ##### iptables
- #- package_iptables_installed
-
- ### 3.4.2 Configure firewalld
-
- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
- - service_firewalld_enabled
-
- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
-
- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
-
- #### 3.4.2.4 Ensure default zone is set (Scored)
- - set_firewalld_default_zone
-
- #### 3.4.2.5 Ensure network interfaces are assigned to
- #### appropriate zone (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
-
- #### 3.4.2.6 Ensure unnecessary services and ports are not
- #### accepted (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
-
- ### 3.4.3 Configure nftables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
-
- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
-
- #### 3.4.3.2 Ensure a table exists (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
-
- #### 3.4.3.3 Ensure base chains exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
-
- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
-
- #### 3.4.3.5 Ensure outbound and established connections are
- #### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
-
- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
-
- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
-
- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
-
- ### 3.4.4 Configure iptables
-
- #### 3.4.4.1 Configure IPv4 iptables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
-
- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
-
- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
-
- ##### 3.4.4.1.3 Ensure outbound and established connections are
- ##### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
-
- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
-
- #### 3.4.4.2 Configure IPv6 ip6tables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
-
- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
-
- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
-
- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
- ##### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
-
- ## 3.5 Ensure wireless interfaces are disabled (Scored)
- - wireless_disable_interfaces
-
- ## 3.6 Disable IPv6 (Not Scored)
- - kernel_module_ipv6_option_disabled
-
- # Logging and Auditing
-
- ## 4.1 Configure System Accounting (auditd)
-
- ### 4.1.1 Ensure auditing is enabled
-
- #### 4.1.1.1 Ensure auditd is installed (Scored)
- - package_audit_installed
-
- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
- - service_auditd_enabled
-
- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
- #### is enabled (Scored)
- - grub2_audit_argument
-
- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
- - grub2_audit_backlog_limit_argument
-
- ### 4.1.2 Configure Data Retention
-
- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
- - auditd_data_retention_max_log_file
-
- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
- - auditd_data_retention_max_log_file_action
-
- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
- - var_auditd_space_left_action=email
- - auditd_data_retention_space_left_action
-
- ##### action_mail_acct = root
- - var_auditd_action_mail_acct=root
- - auditd_data_retention_action_mail_acct
-
- ##### admin_space_left_action = halt
- - var_auditd_admin_space_left_action=halt
- - auditd_data_retention_admin_space_left_action
-
- ### 4.1.3 Ensure changes to system administration scope
- ### (sudoers) is collected (Scored)
- - audit_rules_sysadmin_actions
-
- ### 4.1.4 Ensure login and logout events are collected (Scored)
- - audit_rules_login_events_faillock
- - audit_rules_login_events_lastlog
-
- ### 4.1.5 Ensure session initiation information is collected (Scored)
- - audit_rules_session_events
-
- ### 4.1.6 Ensure events that modify date and time information
- ### are collected (Scored)
- #### adjtimex
- - audit_rules_time_adjtimex
-
- #### settimeofday
- - audit_rules_time_settimeofday
-
- #### stime
- - audit_rules_time_stime
-
- #### clock_settime
- - audit_rules_time_clock_settime
-
- #### -w /etc/localtime -p wa
- - audit_rules_time_watch_localtime
-
- ### 4.1.7 Ensure events that modify the system's Mandatory
- ### Access Control are collected (Scored)
- #### -w /etc/selinux/ -p wa
- - audit_rules_mac_modification
-
- #### -w /usr/share/selinux/ -p wa
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
-
- ### 4.1.8 Ensure events that modify the system's network
- ### enironment are collected (Scored)
- - audit_rules_networkconfig_modification
-
- ### 4.1.9 Ensure discretionary access control permission modification
- ### events are collected (Scored)
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_setxattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_fremovexattr
-
- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
- ### collected (Scored)
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_ftruncate
- # Opinionated selection
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
-
- ### 4.1.11 Ensure events that modify user/group information are
- ### collected (Scored)
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_shadow
- - audit_rules_usergroup_modification_opasswd
-
- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
- - audit_rules_media_export
-
- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
- - audit_rules_privileged_commands
-
- ### 4.1.14 Ensure file deletion events by users are collected
- ### (Scored)
- - audit_rules_file_deletion_events_unlink
- - audit_rules_file_deletion_events_unlinkat
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_renameat
- # Opinionated selection
- - audit_rules_file_deletion_events_rmdir
-
- ### 4.1.15 Ensure kernel module loading and unloading is collected
- ### (Scored)
- - audit_rules_kernel_module_loading
-
- ### 4.1.16 Ensure system administrator actions (sudolog) are
- ### collected (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-
- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
- - audit_rules_immutable
-
- ## 4.2 Configure Logging
-
- ### 4.2.1 Configure rsyslog
-
- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
- - package_rsyslog_installed
-
- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
- - service_rsyslog_enabled
-
- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
- - rsyslog_files_permissions
-
- #### 4.2.1.4 Ensure logging is configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-
- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
- #### log host (Scored)
- - rsyslog_remote_loghost
-
- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
- #### designated log hosts (Not Scored)
- - rsyslog_nolisten
-
- ### 4.2.2 Configure journald
-
- #### 4.2.2.1 Ensure journald is configured to send logs to
- #### rsyslog (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-
- #### 4.2.2.2 Ensure journald is configured to compress large
- #### log files (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
-
-
- #### 4.2.2.3 Ensure journald is configured to write logfiles to
- #### persistent disk (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-
- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-
- ## 4.3 Ensure logrotate is configured (Not Scored)
-
- # 5 Access, Authentication and Authorization
-
- ## 5.1 Configure cron
-
- ### 5.1.1 Ensure cron daemon is enabled (Scored)
- - service_crond_enabled
-
-
- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
- # chown root:root /etc/crontab
- - file_owner_crontab
- - file_groupowner_crontab
- # chmod og-rwx /etc/crontab
- - file_permissions_crontab
-
- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
- # chown root:root /etc/cron.hourly
- - file_owner_cron_hourly
- - file_groupowner_cron_hourly
- # chmod og-rwx /etc/cron.hourly
- - file_permissions_cron_hourly
-
- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
- # chown root:root /etc/cron.daily
- - file_owner_cron_daily
- - file_groupowner_cron_daily
- # chmod og-rwx /etc/cron.daily
- - file_permissions_cron_daily
-
- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
- # chown root:root /etc/cron.weekly
- - file_owner_cron_weekly
- - file_groupowner_cron_weekly
- # chmod og-rwx /etc/cron.weekly
- - file_permissions_cron_weekly
-
- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
- # chown root:root /etc/cron.monthly
- - file_owner_cron_monthly
- - file_groupowner_cron_monthly
- # chmod og-rwx /etc/cron.monthly
- - file_permissions_cron_monthly
-
- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
- # chown root:root /etc/cron.d
- - file_owner_cron_d
- - file_groupowner_cron_d
- # chmod og-rwx /etc/cron.d
- - file_permissions_cron_d
-
- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
-
-
- ## 5.2 SSH Server Configuration
-
- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
- # chown root:root /etc/ssh/sshd_config
- - file_owner_sshd_config
- - file_groupowner_sshd_config
-
- # chmod og-rwx /etc/ssh/sshd_config
- - file_permissions_sshd_config
-
- ### 5.2.2 Ensure SSH access is limited (Scored)
-
-
- ### 5.2.3 Ensure permissions on SSH private host key files are
- ### configured (Scored)
- # TO DO: The rule sets to 640, but benchmark wants 600
- - file_permissions_sshd_private_key
- # TO DO: check owner of private keys in /etc/ssh is root:root
-
- ### 5.2.4 Ensure permissions on SSH public host key files are configured
- ### (Scored)
- - file_permissions_sshd_pub_key
- # TO DO: check owner of pub keys in /etc/ssh is root:root
-
- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- - sshd_set_loglevel_info
-
- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
- - sshd_disable_x11_forwarding
-
- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
- - sshd_max_auth_tries_value=4
- - sshd_set_max_auth_tries
-
- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
- - sshd_disable_rhosts
-
- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
- - disable_host_auth
-
- ### 5.2.10 Ensure SSH root login is disabled (Scored)
- - sshd_disable_root_login
-
- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
- - sshd_disable_empty_passwords
-
- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
- - sshd_do_not_permit_user_env
-
- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
- # ClientAliveInterval 300
- - sshd_idle_timeout_value=5_minutes
- - sshd_set_idle_timeout
-
- # ClientAliveCountMax 0
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-
- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
- ### or less (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-
- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
- - sshd_enable_warning_banner
-
- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-
- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
- - sshd_disable_tcp_forwarding
-
- ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
- - sshd_set_maxstartups
- - var_sshd_set_maxstartups=10:30:60
-
- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
- - sshd_set_max_sessions
- - var_sshd_max_sessions=4
-
- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
- - configure_ssh_crypto_policy
-
- ## 5.3 Configure authselect
-
-
- ### 5.3.1 Create custom authselectet profile (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-
- ### 5.3.2 Select authselect profile (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-
- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-
- ## 5.4 Configure PAM
-
- ### 5.4.1 Ensure password creation requirements are configured (Scored)
- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
- - accounts_password_pam_retry
- - var_password_pam_minlen=14
- - accounts_password_pam_minlen
- - var_password_pam_minclass=4
- - accounts_password_pam_minclass
-
- ### 5.4.2 Ensure lockout for failed password attempts is
- ### configured (Scored)
- - var_accounts_passwords_pam_faillock_unlock_time=900
- - var_accounts_passwords_pam_faillock_deny=5
- - accounts_passwords_pam_faillock_unlock_time
- - accounts_passwords_pam_faillock_deny
-
- ### 5.4.3 Ensure password reuse is limited (Scored)
- - var_password_pam_unix_remember=5
- - accounts_password_pam_unix_remember
-
- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
- - set_password_hashing_algorithm_systemauth
-
- ## 5.5 User Accounts and Environment
-
- ### 5.5.1 Set Shadow Password Suite Parameters
-
- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
- - var_accounts_maximum_age_login_defs=365
- - accounts_maximum_age_login_defs
-
- #### 5.5.1.2 Ensure minimum days between password changes is 7
- #### or more (Scored)
- - var_accounts_minimum_age_login_defs=7
- - accounts_minimum_age_login_defs
-
- #### 5.5.1.3 Ensure password expiration warning days is
- #### 7 or more (Scored)
- - var_accounts_password_warn_age_login_defs=7
- - accounts_password_warn_age_login_defs
-
- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
- # TODO: Rule doesn't check list of users
- # https://github.com/ComplianceAsCode/content/issues/5536
- - var_account_disable_post_pw_expiration=30
- - account_disable_post_pw_expiration
-
- #### 5.5.1.5 Ensure all users last password change date is
- #### in the past (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-
- ### 5.5.2 Ensure system accounts are secured (Scored)
- - no_shelllogin_for_systemaccounts
-
- ### 5.5.3 Ensure default user shell timeout is 900 seconds
- ### or less (Scored)
- - var_accounts_tmout=15_min
- - accounts_tmout
-
- ### 5.5.4 Ensure default group for the root account is
- ### GID 0 (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-
- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
- - var_accounts_user_umask=027
- - accounts_umask_etc_bashrc
- - accounts_umask_etc_profile
-
- ## 5.6 Ensure root login is restricted to system console (Not Scored)
- - securetty_root_login_console_only
- - no_direct_root_logins
-
- ## 5.7 Ensure access to the su command is restricted (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
-
- # System Maintenance
-
- ## 6.1 System File Permissions
-
- ### 6.1.1 Audit system file permissions (Not Scored)
- - rpm_verify_permissions
- - rpm_verify_ownership
-
- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
- # chown root:root /etc/passwd
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
-
- # chmod 644 /etc/passwd
- - file_permissions_etc_passwd
-
- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
- # chown root:root /etc/shadow
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
-
- # chmod o-rwx,g-wx /etc/shadow
- - file_permissions_etc_shadow
-
- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
- # chown root:root /etc/group
- - file_owner_etc_group
- - file_groupowner_etc_group
-
- # chmod 644 /etc/group
- - file_permissions_etc_group
-
- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
- # chown root:root /etc/gshadow
- - file_owner_etc_gshadow
- - file_groupowner_etc_gshadow
-
- # chmod o-rwx,g-rw /etc/gshadow
- - file_permissions_etc_gshadow
-
- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
- # chown root:root /etc/passwd-
- - file_owner_backup_etc_passwd
- - file_groupowner_backup_etc_passwd
-
- # chmod 644 /etc/passwd-
- - file_permissions_backup_etc_passwd
-
- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
- # chown root:root /etc/shadow-
- - file_owner_backup_etc_shadow
- - file_groupowner_backup_etc_shadow
-
- # chmod 0000 /etc/shadow-
- - file_permissions_backup_etc_shadow
-
- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
- # chown root:root /etc/group-
- - file_owner_backup_etc_group
- - file_groupowner_backup_etc_group
-
- # chmod 644 /etc/group-
- - file_permissions_backup_etc_group
-
- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
- # chown root:root /etc/gshadow-
- - file_owner_backup_etc_gshadow
- - file_groupowner_backup_etc_gshadow
-
- # chmod 0000 /etc/gshadow-
- - file_permissions_backup_etc_gshadow
-
- ### 6.1.10 Ensure no world writable files exist (Scored)
- - file_permissions_unauthorized_world_writable
-
- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
- - no_files_unowned_by_user
-
- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
- - file_permissions_ungroupowned
-
- ### 6.1.13 Audit SUID executables (Not Scored)
- - file_permissions_unauthorized_suid
-
- ### 6.1.14 Audit SGID executables (Not Scored)
- - file_permissions_unauthorized_sgid
-
- ## 6.2 User and Group Settings
-
- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
- - no_legacy_plus_entries_etc_passwd
-
- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
- - no_legacy_plus_entries_etc_shadow
-
- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
- - no_legacy_plus_entries_etc_group
-
- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
- - accounts_no_uid_except_zero
-
- ### 6.2.7 Ensure users' home directories permissions are 750
- ### or more restrictive (Scored)
- - file_permissions_home_dirs
-
- ### 6.2.8 Ensure users own their home directories (Scored)
- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
- - file_groupownership_home_directories
-
- ### 6.2.9 Ensure users' dot files are not group or world
- ### writable (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-
- ### 6.2.10 Ensure no users have .forward files (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-
- ### 6.2.11 Ensure no users have .netrc files (Scored)
- - no_netrc_files
-
- ### 6.2.12 Ensure users' .netrc Files are not group or
- ### world accessible (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-
- ### 6.2.13 Ensure no users have .rhosts files (Scored)
- - no_rsh_trust_files
-
- ### 6.2.14 Ensure all groups in /etc/passwd exist in
- ### /etc/group (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-
- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
-
- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
-
- ### 6.2.17 Ensure no duplicate user names exist (Scored)
- - account_unique_name
-
- ### 6.2.18 Ensure no duplicate group names exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-
- ### 6.2.19 Ensure shadow group is empty (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-
- ### 6.2.20 Ensure all users' home directories exist (Scored)
- - accounts_user_interactive_home_directory_exists
+ - cis_rhel8:all:l2_server
diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile
new file mode 100644
index 00000000000..7b4518e15a5
--- /dev/null
+++ b/products/rhel8/profiles/cis_server_l1.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Server"
+ configuration from the Center for Internet Security® Red Hat Enterprise
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+ - cis_rhel8:all:l1_server
diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile
new file mode 100644
index 00000000000..230e4c2f0ba
--- /dev/null
+++ b/products/rhel8/profiles/cis_workstation_l1.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 1 - Workstation"
+ configuration from the Center for Internet Security® Red Hat Enterprise
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+ - cis_rhel8:all:l1_workstation
diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile
new file mode 100644
index 00000000000..c0d1698c2f0
--- /dev/null
+++ b/products/rhel8/profiles/cis_workstation_l2.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation'
+
+description: |-
+ This profile defines a baseline that aligns to the "Level 2 - Workstation"
+ configuration from the Center for Internet Security® Red Hat Enterprise
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+ - cis_rhel8:all:l2_workstation
From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 1 Jul 2021 16:35:19 +0100
Subject: [PATCH 02/55] Add CIS control file for RHEL 8
---
controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 758 insertions(+)
create mode 100644 controls/cis_rhel8.yml
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
new file mode 100644
index 00000000000..a84bb078e34
--- /dev/null
+++ b/controls/cis_rhel8.yml
@@ -0,0 +1,758 @@
+policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+id: cis_rhel8
+version: '1.0.1'
+source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
+levels:
+ - id: l1_server
+ - id: l2_server
+ inherits_from:
+ - l1_server
+ - id: l1_workstation
+ - id: l2_workstation
+ inherits_from:
+ - l1_workstation
+
+controls:
+ - id: reload_dconf_db
+ title: Reload Dconf database
+ levels:
+ - l1_server
+ - l1_workstation
+ notes: <-
+ This is a helper rule to reload Dconf datbase correctly.
+ automated: yes
+ rules:
+ - dconf_db_up_to_date
+
+ - id: 1.1.1.1
+ title: Ensure mounting of cramfs filesystems is disabled (Automated)
+ levels:
+ - l1_workstation
+ - l1_server
+ automated: yes
+ rules:
+ - kernel_module_cramfs_disabled
+
+ - id: 1.1.1.2
+ title: Ensure mounting of vFAT filesystems is limited (Manual)
+ levels:
+ - l2_workstation
+ - l2_server
+ automated: no
+ related_rules:
+ - kernel_module_vfat_disabled
+
+ - id: 1.1.1.3
+ title: Ensure mounting of squashfs filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - kernel_module_squashfs_disabled
+
+ - id: 1.1.1.4
+ title: Ensure mounting of udf filesystems is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - kernel_module_udf_disabled
+
+ - id: 1.1.2
+ title: Ensure /tmp is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - partition_for_tmp
+
+ - id: 1.1.3
+ title: Ensure nodev option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_tmp_nodev
+
+ - id: 1.1.4
+ title: Ensure nosuid option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_tmp_nosuid
+
+ - id: 1.1.5
+ title: Ensure noexec option set on /tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_tmp_noexec
+
+ - id: 1.1.6
+ title: Ensure separate partition exists for /var (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - partition_for_var
+
+ - id: 1.1.7
+ title: Ensure separate partition exists for /var/tmp (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - partition_for_var_tmp
+
+ - id: 1.1.8
+ title: Ensure nodev option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_var_tmp_nodev
+
+ - id: 1.1.9
+ title: Ensure nosuid option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_var_tmp_nosuid
+
+ - id: 1.1.10
+ title: Ensure noexec option set on /var/tmp partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_var_tmp_noexec
+
+ - id: 1.1.11
+ title: Ensure separate partition exists for /var/log (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - partition_for_var_log
+
+ - id: 1.1.12
+ title: Ensure separate partition exists for /var/log/audit (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - partition_for_var_log_audit
+
+ - id: 1.1.13
+ title: Ensure separate partition exists for /home (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - partition_for_home
+
+ - id: 1.1.18
+ title: Ensure nodev option set on /home partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_home_nodev
+
+ - id: 1.1.15
+ title: Ensure nodev option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_dev_shm_nodev
+
+ - id: 1.1.16
+ title: Ensure nosuid option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_dev_shm_nosuid
+
+ - id: 1.1.17
+ title: Ensure noexec option set on /dev/shm partition (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - mount_option_dev_shm_noexec
+
+ - id: 1.1.18
+ title: Ensure nodev option set on removable media partitions (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - mount_option_nodev_removable_partitions
+
+ - id: 1.1.19
+ title: Ensure nosuid option set on removable media partitions (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - mount_option_nosuid_removable_partitions
+
+ - id: 1.1.20
+ title: Ensure noexec option set on removable media partitions (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - mount_option_noexec_removable_partitions
+
+ - id: 1.1.22
+ title: Disable Automounting (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - service_autofs_disabled
+
+ - id: 1.1.23
+ title: Disable USB Storage (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_usb-storage_disabled
+
+ - id: 1.2.1
+ title: Ensure Red Hat Subscription Manager connection is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 1.2.2
+ title: Disable the rhnsd Daemon (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - service_rhnsd_disabled
+
+ - id: 1.2.3
+ title: Ensure GPG keys are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - ensure_redhat_gpgkey_installed
+
+ - id: 1.2.4
+ title: Ensure gpgcheck is globally activated (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - ensure_gpgcheck_globally_activated
+
+ - id: 1.2.5
+ title: Ensure package manager repositories are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 1.3.1
+ title: Ensure sudo is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_sudo_installed
+
+ - id: 1.3.2
+ title: Ensure sudo commands use pty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sudo_add_use_pty
+
+ - id: 1.3.3
+ title: Ensure sudo log file exists (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sudo_custom_logfile
+
+ - id: 1.4.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_aide_installed
+
+ - id: 1.4.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - aide_periodic_cron_checking
+
+ - id: 1.5.1
+ title: Ensure permissions on bootloader config are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+
+ - id: 1.5.1
+ title: Ensure bootloader password is set (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - grub2_password
+
+ - id: 1.5.3
+ title: Ensure authentication required for single user mode (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - require_singleuser_auth
+ - require_emergency_target_auth
+
+ - id: 1.6.1
+ title: Ensure core dumps are restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - disable_users_coredumps
+ - sysctl_fs_suid_dumpable
+ - coredump_disable_backtraces
+ - coredump_disable_storage
+
+ - id: 1.6.2
+ title: Ensure address space layout randomization (ASLR) is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_kernel_randomize_va_space
+
+ - id: 1.7.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.7.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.7.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - grub2_enable_selinux
+
+ - id: 1.7.1.3
+ title: Ensure SELinux policy is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ - id: 1.7.1.4
+ title: Ensure the SELinux state is enforcing (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ - id: 1.7.1.5
+ title: Ensure no unconfined services exist (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - selinux_confinement_of_daemons
+
+ - id: 1.7.1.6
+ title: Ensure SETroubleshoot is not installed (Automated)
+ levels:
+ - l2_server
+ automated: yes
+ rules:
+ - package_setroubleshoot_removed
+
+ - id: 1.7.1.7
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - package_mcstrans_removed
+
+ - id: 1.8.1.1
+ title: Ensure message of the day is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - banner_etc_motd
+
+ - id: 1.8.1.2
+ title: Ensure local login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - banner_etc_issue
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5225
+ - id: 1.8.1.3
+ title: Ensure remote login warning banner is configured properly (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 1.8.1.4
+ title: Ensure permissions on /etc/motd are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_etc_motd
+
+ - id: 1.8.1.5
+ title: Ensure permissions on /etc/issue are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_etc_issue
+
+ - id: 1.8.2
+ title: Ensure GDM login banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
+
+ - id: 1.9
+ title: Ensure updates, patches, and additional security software are installed (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - security_patches_up_to_date
+
+ - id: 1.10
+ title: Ensure system-wide crypto policy is not legacy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - configure_crypto_policy
+
+ # This rule works in conjunction with the configure_crypto_policy above.
+ # If a system is remediated to CIS Level 1, just the rule above will apply
+ # and will enforce the default value for var_system_crypto_policy (DEFAULT).
+ # If the system is remediated to Level 2 then this rule will be selected,
+ # and the value applied by the rule above will will be overridden to
+ # FUTURE through the var_system_crypto_policy variable.
+ - id: 1.11
+ title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - var_system_crypto_policy=future
+
+ - id: 2.1.1
+ title: Ensure xinetd is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_xinetd_removed
+
+ - id: 2.2.1.1
+ title: Ensure time synchronization is in use (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - package_chrony_installed
+
+ - id: 2.1.1
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
+
+ - id: 2.2.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+ automated: yes
+ rules:
+ - package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
+
+ - id: 2.2.3
+ title: Ensure rsync service is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_rsyncd_disabled
+
+ - id: 2.2.4
+ title: Ensure Avahi Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_avahi-daemon_disabled
+
+ - id: 2.2.5
+ title: Ensure SNMP Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_snmpd_disabled
+
+ - id: 2.2.6
+ title: Ensure HTTP Proxy Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_squid_removed
+
+ - id: 2.2.7
+ title: Ensure Samba is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_smb_disabled
+
+ - id: 2.2.8
+ title: Ensure IMAP and POP3 server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_dovecot_disabled
+
+ - id: 2.2.9
+ title: Ensure HTTP server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_httpd_disabled
+
+ - id: 2.2.10
+ title: Ensure FTP Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_vsftpd_disabled
+
+ - id: 2.2.11
+ title: Ensure DNS Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_named_disabled
+
+ - id: 2.2.12
+ title: Ensure NFS is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_nfs_disabled
+
+ - id: 2.2.13
+ title: Ensure RPC is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_rpcbind_disabled
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5231
+ - id: 2.2.14
+ title: Ensure RPC is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 2.2.15
+ title: Ensure DHCP Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_dhcpd_disabled
+
+ - id: 2.2.16
+ title: Ensure CUPS is not enabled (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - service_cups_disabled
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5232
+ - id: 2.2.17
+ title: Ensure NIS Server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 2.2.18
+ title: Ensure mail transfer agent is configured for local-only mode (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - postfix_network_listening_disabled
+
+ - id: 2.3.1
+ title: Ensure NIS Client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_ypbind_removed
+
+ - id: 2.3.2
+ title: Ensure telnet client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_telnet_removed
+
+ - id: 2.3.3
+ title: Ensure LDAP client is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_openldap-clients_removed
From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 2 Jul 2021 20:47:49 +0100
Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file
---
controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 726 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a84bb078e34..b63dc6cf9e1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -712,8 +712,8 @@ controls:
rules:
- service_cups_disabled
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/5232
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5232
- id: 2.2.17
title: Ensure NIS Server is not enabled (Automated)
levels:
@@ -756,3 +756,727 @@ controls:
automated: yes
rules:
- package_openldap-clients_removed
+
+ - id: 3.1.1
+ title: Ensure IP forwarding is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
+
+ - id: 3.1.2
+ title: Ensure packet redirect sending is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+
+ - id: 3.2.1
+ title: Ensure source routed packets are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+
+ - id: 3.2.2
+ title: Ensure ICMP redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+
+ - id: 3.2.3
+ title: Ensure secure ICMP redirects are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects
+
+ - id: 3.2.4
+ title: Ensure suspicious packets are logged (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians
+
+ - id: 3.2.5
+ title: Ensure broadcast ICMP requests are ignored (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+ - id: 3.2.6
+ title: Ensure bogus ICMP responses are ignored (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+
+ - id: 3.2.7
+ title: Ensure Reverse Path Filtering is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter
+
+ - id: 3.2.8
+ title: Ensure TCP SYN Cookies is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+
+ - id: 3.2.8
+ title: Ensure TCP SYN Cookies is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+
+ - id: 3.2.9
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra
+
+ - id: 3.3.1
+ title: Ensure DCCP is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_dccp_disabled
+
+ - id: 3.3.2
+ title: Ensure SCTP is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_sctp_disabled
+
+ - id: 3.3.3
+ title: Ensure RDS is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_rds_disabled
+
+ - id: 3.3.4
+ title: Ensure TIPC is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_tipc_disabled
+
+ # NEEDS RULE
+ # This rule is currently quite opinionated and expects firewalld
+ # as the installed firewall package. But, as per the CIS control,
+ # this rule should also be satisfied by nftables or iptables.
+ - id: 3.4.1.1
+ title: Ensure a Firewall package is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_firewalld_installed
+
+ - id: 3.4.2.1
+ title: Ensure firewalld service is enabled and running (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_firewalld_enabled
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5238
+ - id: 3.4.2.2
+ title: Ensure iptables service is not enabled with firewalld (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5239
+ - id: 3.4.2.3
+ title: Ensure nftables is not enabled with firewalld (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.2.4
+ title: Ensure firewalld default zone is set (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - set_firewalld_default_zone
+
+ - id: 3.4.2.5
+ title: Ensure network interfaces are assigned to appropriate zone (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.2.6
+ title: Ensure firewalld drops unnecessary services and ports (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.3.1
+ title: Ensure iptables are flushed with nftables (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5244
+ - id: 3.4.3.2
+ title: Ensure an nftables table exists (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5245
+ - id: 3.4.3.3
+ title: Ensure nftables base chains exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5246
+ - id: 3.4.3.4
+ title: Ensure nftables loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.3.5
+ title: Ensure nftables outbound and established connections are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5248
+ - id: 3.4.3.6
+ title: Ensure nftables default deny firewall policy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5249
+ - id: 3.4.3.7
+ title: Ensure nftables service is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5250
+ - id: 3.4.3.8
+ title: Ensure nftables rules are permanent (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5252
+ - id: 3.4.4.1.1
+ title: Ensure iptables default deny firewall policy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5253
+ - id: 3.4.4.1.2
+ title: Ensure iptables loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.4.1.3
+ title: Ensure iptables outbound and established connections are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5255
+ - id: 3.4.4.1.4
+ title: Ensure iptables firewall rules exist for all open ports (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7190
+ - id: 3.4.4.1.5
+ title: Ensure iptables is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5257
+ - id: 3.4.4.2.1
+ title: Ensure ip6tables default deny firewall policy (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5258
+ - id: 3.4.4.2.2
+ title: Ensure ip6tables loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.4.4.2.3
+ title: Ensure ip6tables outbound and established connections are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7191
+ - id: 3.4.4.2.4
+ title: Ensure ip6tables firewall rules exist for all open ports (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7192
+ - id: 3.4.4.2.5
+ title: Ensure ip6tables is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 3.5
+ title: Ensure wireless interfaces are disabled (Automated)
+ levels:
+ - l1_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - wireless_disable_interfaces
+
+ - id: 3.6
+ title: Disable IPv6 (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - kernel_module_ipv6_option_disabled
+
+ - id: 4.1.1.1
+ title: Ensure auditd is installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - package_audit_installed
+
+ - id: 4.1.1.2
+ title: Ensure auditd service is enabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - service_auditd_enabled
+
+ - id: 4.1.1.3
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - grub2_audit_argument
+
+ - id: 4.1.1.4
+ title: Ensure audit_backlog_limit is sufficient (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - grub2_audit_backlog_limit_argument
+
+ - id: 4.1.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - auditd_data_retention_max_log_file
+
+ - id: 4.1.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - auditd_data_retention_max_log_file_action
+
+ - id: 4.1.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_space_left_action
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=halt
+ - var_auditd_space_left_action=email
+
+ - id: 4.1.3
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_sysadmin_actions
+
+ - id: 4.1.4
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+
+ - id: 4.1.5
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_session_events
+
+ - id: 4.1.6
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+
+ # NEEDS RULE
+ # -w /usr/share/selinux/ -p wa
+ # https://github.com/ComplianceAsCode/content/issues/5264
+ - id: 4.1.7
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_mac_modification
+
+ - id: 4.1.8
+ title: Ensure events that modify the system's network environment are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_networkconfig_modification
+
+ - id: 4.1.9
+ title: Ensure discretionary access control permission modification events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+
+ - id: 4.1.10
+ title: Ensure unsuccessful unauthorized file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ # Opinionated selection
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+ - id: 4.1.11
+ title: Ensure events that modify user/group information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+
+ - id: 4.1.12
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_media_export
+
+ - id: 4.1.13
+ title: Ensure use of privileged commands is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_privileged_commands
+
+ - id: 4.1.14
+ title: Ensure file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ # Opinionated selection
+ - audit_rules_file_deletion_events_rmdir
+
+ - id: 4.1.15
+ title: Ensure kernel module loading and unloading is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_kernel_module_loading
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5516
+ - id: 4.1.16
+ title: Ensure system administrator actions (sudolog) are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: no
+
+ - id: 4.1.17
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - audit_rules_immutable
+
+ - id: 4.2.1.1
+ title: Ensure rsyslog is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - package_rsyslog_installed
+
+ - id: 4.2.1.2
+ title: Ensure rsyslog Service is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_rsyslog_enabled
+
+ - id: 4.2.1.3
+ title: Ensure rsyslog default file permissions configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - rsyslog_files_permissions
+
+ - id: 4.2.1.4
+ title: Ensure logging is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 4.2.1.5
+ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - rsyslog_remote_loghost
+
+ - id: 4.2.1.6
+ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - rsyslog_nolisten
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5520
+ - id: 4.2.2.1
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5521
+ - id: 4.2.2.2
+ title: Ensure journald is configured to compress large log files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5522
+ - id: 4.2.2.3
+ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5523
+ - id: 4.2.3
+ title: Ensure permissions on all logfiles are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 4.3
+ title: Ensure logrotate is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:08:31 +0100
Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file
---
controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 460 insertions(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index b63dc6cf9e1..85c821bc60d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1480,3 +1480,463 @@ controls:
- l1_server
- l1_workstation
automated: no
+
+ - id: 5.1.1
+ title: Ensure cron daemon is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_crond_enabled
+
+ - id: 5.1.2
+ title: Ensure permissions on /etc/crontab are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+
+ - id: 5.1.3
+ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+
+ - id: 5.1.4
+ title: Ensure permissions on /etc/cron.daily are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+
+ - id: 5.1.5
+ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+
+ - id: 5.1.6
+ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+
+ - id: 5.1.7
+ title: Ensure permissions on /etc/cron.d are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7195
+ - id: 5.1.8
+ title: Ensure at/cron is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.1
+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7196
+ - id: 5.2.2
+ title: Ensure SSH access is limited (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # TODO
+ # Rule sets permissions to 0640 but benchmark wants it to be 0600
+ #
+ # TODO
+ # Check owner of private keys in /etc/ssh is root:root
+ - id: 5.2.3
+ title: Ensure permissions on SSH private host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_sshd_private_key
+
+ # TODO
+ # Check owner of public keys in /etc/ssh is root:root
+ - id: 5.2.4
+ title: Ensure permissions on SSH public host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_sshd_pub_key
+
+ - id: 5.2.5
+ title: Ensure SSH LogLevel is appropriate (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_loglevel_info
+
+ - id: 5.2.6
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_x11_forwarding
+
+ - id: 5.2.7
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ - id: 5.2.8
+ title: Ensure SSH IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_rhosts
+
+ - id: 5.2.9
+ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - disable_host_auth
+
+ - id: 5.2.10
+ title: Ensure SSH root login is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_root_login
+
+ - id: 5.2.11
+ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_empty_passwords
+
+ - id: 5.2.12
+ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_do_not_permit_user_env
+
+ - id: 5.2.13
+ title: Ensure SSH Idle Timeout Interval is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive_0
+ - var_sshd_set_keepalive=0
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5525
+ - id: 5.2.14
+ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.15
+ title: Ensure SSH warning banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_enable_warning_banner
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5526
+ - id: 5.2.16
+ title: Ensure SSH PAM is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.17
+ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - sshd_disable_tcp_forwarding
+
+ - id: 5.2.18
+ title: Ensure SSH MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_maxstartups
+
+ - id: 5.2.19
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=4
+
+ - id: 5.2.20
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - configure_ssh_crypto_policy
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5530
+ - id: 5.3.1
+ title: Create custom authselect profile (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5531
+ - id: 5.3.2
+ title: Select authselect profile (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5532
+ - id: 5.3.2
+ title: Ensure authselect includes with-faillock (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE: try_first_pass
+ # https://github.com/ComplianceAsCode/content/issues/5533
+ - id: 5.4.1
+ title: Ensure password creation requirements are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+
+ - id: 5.4.2
+ title: Ensure lockout for failed password attempts is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+
+ - id: 5.4.3
+ title: Ensure password reuse is limited (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_pam_unix_remember
+ - var_password_pam_unix_remember=5
+
+ - id: 5.4.4
+ title: Ensure password hashing algorithm is SHA-512 (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - set_password_hashing_algorithm_systemauth
+
+ - id: 5.5.1.1
+ title: Ensure password expiration is 365 days or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+
+ - id: 5.5.1.2
+ title: Ensure minimum days between password changes is 7 or more (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+
+ - id: 5.5.1.3
+ title: Ensure password expiration warning days is 7 or more (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+
+ # TODO
+ # Rule doesn't check list of users
+ - id: 5.5.1.4
+ title: Ensure inactive password lock is 30 days or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5537
+ - id: 5.5.1.5
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.5.2
+ title: Ensure system accounts are secured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_shelllogin_for_systemaccounts
+
+ - id: 5.5.3
+ title: Ensure default user shell timeout is 900 seconds or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5539
+ - id: 5.5.4
+ title: Ensure default group for the root account is GID 0 (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.5.5
+ title: Ensure default user umask is 027 or more restrictive (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+ - id: 5.6
+ title: Ensure root login is restricted to system console (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - no_direct_root_logins
+ - securetty_root_login_console_only
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5541
+ - id: 5.7
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:33:15 +0100
Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file
---
controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 325 insertions(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 85c821bc60d..bc77e25d122 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1940,3 +1940,328 @@ controls:
- l1_server
- l1_workstation
automated: no
+
+ - id: 6.1.1
+ title: Audit system file permissions (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ - id: 6.1.2
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.3
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 6.1.4
+ title: Ensure permissions on /etc/shadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 6.1.5
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 6.1.6
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 6.1.7
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 6.1.8
+ title: Ensure permissions on /etc/group are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 6.1.9
+ title: Ensure permissions on /etc/group- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 6.1.10
+ title: Ensure no world writable files exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_unauthorized_world_writable
+
+ - id: 6.1.11
+ title: Ensure no unowned files or directories exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_files_unowned_by_user
+
+ - id: 6.1.12
+ title: Ensure no ungrouped files or directories exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_ungroupowned
+
+ - id: 6.1.13
+ title: Audit SUID executables (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - file_permissions_unauthorized_suid
+
+ - id: 6.1.14
+ title: Audit SGID executables (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - file_permissions_unauthorized_sgid
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7197
+ - id: 6.2.1
+ title: Ensure password fields are not empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.2
+ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_passwd
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7198
+ - id: 6.2.3
+ title: Ensure root PATH Integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.4
+ title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_shadow
+
+ - id: 6.2.5
+ title: Ensure no legacy "+" entries exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_group
+
+ - id: 6.2.6
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_no_uid_except_zero
+
+ - id: 6.2.7
+ title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_home_dirs
+
+ # NEEDS RULE (for user ownership)
+ # https://github.com/ComplianceAsCode/content/issues/5507
+ - id: 6.2.8
+ title: Ensure users own their home directories (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupownership_home_directories
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5506
+ - id: 6.2.9
+ title: Ensure users' dot files are not group or world writable (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5505
+ - id: 6.2.10
+ title: Ensure no users have .forward files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.11
+ title: Ensure no users have .netrc files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_netrc_files
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5504
+ - id: 6.2.12
+ title: Ensure users' .netrc Files are not group or world accessible (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.13
+ title: Ensure no users have .rhosts files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_rsh_trust_files
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5503
+ - id: 6.2.14
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5502
+ - id: 6.2.15
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5501
+ - id: 6.2.16
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.17
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - account_unique_name
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5500
+ - id: 6.2.18
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5499
+ - id: 6.2.19
+ title: Ensure shadow group is empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.20
+ title: Ensure shadow group is empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_user_interactive_home_directory_exists
From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:36:01 +0100
Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint
---
controls/cis_rhel8.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bc77e25d122..161a2aac58e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1,3 +1,4 @@
+---
policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
id: cis_rhel8
@@ -1597,7 +1598,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - file_permissions_sshd_private_key
+ - file_permissions_sshd_private_key
# TODO
# Check owner of public keys in /etc/ssh is root:root
@@ -1608,7 +1609,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - file_permissions_sshd_pub_key
+ - file_permissions_sshd_pub_key
- id: 5.2.5
title: Ensure SSH LogLevel is appropriate (Automated)
@@ -1617,7 +1618,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - sshd_set_loglevel_info
+ - sshd_set_loglevel_info
- id: 5.2.6
title: Ensure SSH X11 forwarding is disabled (Automated)
@@ -1626,7 +1627,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - sshd_disable_x11_forwarding
+ - sshd_disable_x11_forwarding
- id: 5.2.7
title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 9 Jul 2021 00:11:57 +0100
Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR
---
controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++-------------
1 file changed, 31 insertions(+), 14 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 161a2aac58e..c93d6128ca4 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -170,7 +170,7 @@ controls:
rules:
- partition_for_home
- - id: 1.1.18
+ - id: 1.1.14
title: Ensure nodev option set on /home partition (Automated)
levels:
- l1_server
@@ -212,7 +212,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- mount_option_nodev_removable_partitions
- id: 1.1.19
@@ -221,7 +221,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- mount_option_nosuid_removable_partitions
- id: 1.1.20
@@ -230,9 +230,18 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- mount_option_noexec_removable_partitions
+ - id: 1.1.21
+ title: Ensure sticky bit is set on all world-writable directories (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - dir_perms_world_writable_sticky_bits
+
- id: 1.1.22
title: Disable Automounting (Automated)
levels:
@@ -348,7 +357,7 @@ controls:
- file_groupowner_grub2_cfg
- file_permissions_grub2_cfg
- - id: 1.5.1
+ - id: 1.5.2
title: Ensure bootloader password is set (Automated)
levels:
- l1_server
@@ -356,6 +365,7 @@ controls:
automated: yes
rules:
- grub2_password
+ - grub2_uefi_password
- id: 1.5.3
title: Ensure authentication required for single user mode (Automated)
@@ -397,15 +407,6 @@ controls:
rules:
- package_libselinux_installed
- - id: 1.7.1.1
- title: Ensure SELinux is installed (Automated)
- levels:
- - l2_server
- - l2_workstation
- automated: yes
- rules:
- - package_libselinux_installed
-
- id: 1.7.1.2
title: Ensure SELinux is not disabled in bootloader configuration (Automated)
levels:
@@ -469,6 +470,7 @@ controls:
automated: yes
rules:
- banner_etc_motd
+ - login_banner_text=usgcb_default
- id: 1.8.1.2
title: Ensure local login warning banner is configured properly (Automated)
@@ -478,6 +480,7 @@ controls:
automated: yes
rules:
- banner_etc_issue
+ - login_banner_text=usgcb_default
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5225
@@ -495,6 +498,8 @@ controls:
- l1_workstation
automated: yes
rules:
+ - file_groupowner_etc_motd
+ - file_owner_etc_motd
- file_permissions_etc_motd
- id: 1.8.1.5
@@ -504,8 +509,19 @@ controls:
- l1_workstation
automated: yes
rules:
+ - file_groupowner_etc_issue
+ - file_owner_etc_issue
- file_permissions_etc_issue
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7225
+ - id: 1.8.1.6
+ title: Ensure permissions on /etc/issue.net are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
- id: 1.8.2
title: Ensure GDM login banner is configured (Automated)
levels:
@@ -515,6 +531,7 @@ controls:
rules:
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
+ - login_banner_text=usgcb_default
- id: 1.9
title: Ensure updates, patches, and additional security software are installed (Manual)
From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 14:21:02 +0100
Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional
on merge of #7226)
---
controls/cis_rhel8.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c93d6128ca4..9140711fb66 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -550,6 +550,7 @@ controls:
automated: yes
rules:
- configure_crypto_policy
+ - var_system_crypto_policy=default
# This rule works in conjunction with the configure_crypto_policy above.
# If a system is remediated to CIS Level 1, just the rule above will apply
From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 14:34:41 +0100
Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules
---
controls/cis_rhel8.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 9140711fb66..782dc7666f3 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -585,7 +585,7 @@ controls:
related_rules:
- package_chrony_installed
- - id: 2.1.1
+ - id: 2.2.1.2
title: Ensure chrony is configured (Automated)
levels:
- l1_server
@@ -597,13 +597,12 @@ controls:
- chronyd_run_as_chrony_user
- id: 2.2.2
- title: Ensure chrony is configured (Automated)
+ title: Ensure X Window System is not installed (Automated)
levels:
- l1_server
automated: yes
rules:
- - package_xorg-x11-server-common_removed
- - xwindows_runlevel_target
+ - xwindows_remove_packages
- id: 2.2.3
title: Ensure rsync service is not enabled (Automated)
@@ -639,7 +638,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - package_squid_removed
+ - package_squid_disabled
- id: 2.2.7
title: Ensure Samba is not enabled (Automated)
@@ -707,7 +706,7 @@ controls:
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5231
- id: 2.2.14
- title: Ensure RPC is not enabled (Automated)
+ title: Ensure LDAP server is not enabled (Automated)
levels:
- l1_server
- l1_workstation
@@ -748,6 +747,7 @@ controls:
automated: yes
rules:
- postfix_network_listening_disabled
+ - var_postfix_inet_interfaces=loopback-only
- id: 2.3.1
title: Ensure NIS Client is not installed (Automated)
From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 15:03:09 +0100
Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3 rules
---
controls/cis_rhel8.yml | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 782dc7666f3..1d34337411f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -785,6 +785,7 @@ controls:
rules:
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- id: 3.1.2
title: Ensure packet redirect sending is disabled (Automated)
@@ -804,9 +805,13 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- id: 3.2.2
title: Ensure ICMP redirects are not accepted (Automated)
@@ -816,9 +821,13 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- id: 3.2.3
title: Ensure secure ICMP redirects are not accepted (Automated)
@@ -828,7 +837,9 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- id: 3.2.4
title: Ensure suspicious packets are logged (Automated)
@@ -838,7 +849,9 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- id: 3.2.5
title: Ensure broadcast ICMP requests are ignored (Automated)
@@ -848,6 +861,7 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- id: 3.2.6
title: Ensure bogus ICMP responses are ignored (Automated)
@@ -857,6 +871,7 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- id: 3.2.7
title: Ensure Reverse Path Filtering is enabled (Automated)
@@ -866,7 +881,9 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- id: 3.2.8
title: Ensure TCP SYN Cookies is enabled (Automated)
@@ -876,15 +893,7 @@ controls:
automated: yes
rules:
- sysctl_net_ipv4_tcp_syncookies
-
- - id: 3.2.8
- title: Ensure TCP SYN Cookies is enabled (Automated)
- levels:
- - l1_server
- - l1_workstation
- automated: yes
- rules:
- - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
- id: 3.2.9
title: Ensure IPv6 router advertisements are not accepted (Automated)
@@ -894,7 +903,9 @@ controls:
automated: yes
rules:
- sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- id: 3.3.1
title: Ensure DCCP is disabled (Automated)
From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 20 Jul 2021 08:43:10 +0100
Subject: [PATCH 11/55] Update controls/cis_rhel8.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 1d34337411f..2acf9aef28d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -638,7 +638,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - package_squid_disabled
+ - service_squid_disabled
- id: 2.2.7
title: Ensure Samba is not enabled (Automated)
From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 30 Jul 2021 22:13:25 +0100
Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2acf9aef28d..e63fc57ddea 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -351,7 +351,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # This rule, as implemented here, does not check for a user.cfg file
rules:
- file_owner_grub2_cfg
- file_groupowner_grub2_cfg
From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 30 Jul 2021 22:19:14 +0100
Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1
---
controls/cis_rhel8.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e63fc57ddea..2163655d9d3 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -353,8 +353,11 @@ controls:
- l1_workstation
automated: partially # This rule, as implemented here, does not check for a user.cfg file
rules:
- - file_owner_grub2_cfg
+ - file_groupowner_efi_grub2_cfg
- file_groupowner_grub2_cfg
+ - file_owner_efi_grub2_cfg
+ - file_owner_grub2_cfg
+ - file_permissions_efi_grub2_cfg
- file_permissions_grub2_cfg
- id: 1.5.2
From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:11:38 +0100
Subject: [PATCH 14/55] Update controls/cis_rhel8.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2163655d9d3..aa9c2b6c809 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1655,7 +1655,7 @@ controls:
- id: 5.2.6
title: Ensure SSH X11 forwarding is disabled (Automated)
levels:
- - l1_server
+ - l2_server
- l1_workstation
automated: yes
rules:
From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:22:44 +0100
Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action
---
controls/cis_rhel8.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index aa9c2b6c809..af874fd789e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1234,6 +1234,7 @@ controls:
automated: yes
rules:
- auditd_data_retention_max_log_file_action
+ - var_auditd_max_log_file_action=keep_logs
- id: 4.1.2.3
title: Ensure system is disabled when audit logs are full (Automated)
From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:31:20 +0100
Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6
---
controls/cis_rhel8.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index af874fd789e..af1314325ab 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1225,6 +1225,7 @@ controls:
automated: yes
rules:
- auditd_data_retention_max_log_file
+ - var_auditd_max_log_file=6
- id: 4.1.2.2
title: Ensure audit logs are not automatically deleted (Automated)
From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:36:48 +0100
Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not
directly align with CIS
---
controls/cis_rhel8.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index af1314325ab..a81a9ef4605 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1284,11 +1284,10 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: yes
+ automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
rules:
- audit_rules_time_adjtimex
- audit_rules_time_clock_settime
- - audit_rules_time_settimeofday
- audit_rules_time_stime
- audit_rules_time_watch_localtime
From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:37:25 +0100
Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve
full automation
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a81a9ef4605..cba86f40c9e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1299,7 +1299,7 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: yes
+ automated: partial
rules:
- audit_rules_mac_modification
From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:38:54 +0100
Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not
align with the benchmark
---
controls/cis_rhel8.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cba86f40c9e..6e8c5cf10f0 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1345,8 +1345,6 @@ controls:
- audit_rules_unsuccessful_file_modification_open
- audit_rules_unsuccessful_file_modification_openat
- audit_rules_unsuccessful_file_modification_truncate
- # Opinionated selection
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
- id: 4.1.11
title: Ensure events that modify user/group information are collected (Automated)
From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:41:13 +0100
Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation
key
---
controls/cis_rhel8.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 6e8c5cf10f0..829f0515cb0 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1284,7 +1284,7 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
+ automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
rules:
- audit_rules_time_adjtimex
- audit_rules_time_clock_settime
@@ -1299,7 +1299,7 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: partial
+ automated: partially
rules:
- audit_rules_mac_modification
From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:42:57 +0100
Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not
align exactly with the benchmark
---
controls/cis_rhel8.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 829f0515cb0..76a7c8bbfa9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1373,8 +1373,9 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: yes
- rules:
+ automated: no
+ related_rules:
+ # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
- audit_rules_privileged_commands
- id: 4.1.14
From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:44:03 +0100
Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not
align with the benchmark
---
controls/cis_rhel8.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 76a7c8bbfa9..e6a53516666 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1389,8 +1389,6 @@ controls:
- audit_rules_file_deletion_events_renameat
- audit_rules_file_deletion_events_unlink
- audit_rules_file_deletion_events_unlinkat
- # Opinionated selection
- - audit_rules_file_deletion_events_rmdir
- id: 4.1.15
title: Ensure kernel module loading and unloading is collected (Automated)
From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:47:53 +0100
Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does
not align with the benchmark
---
controls/cis_rhel8.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e6a53516666..327400abd65 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1435,14 +1435,15 @@ controls:
rules:
- service_rsyslog_enabled
+ # NEEDS RULE
+ # The rsyslog_files_permissions rule is not sufficient
+ # https://github.com/ComplianceAsCode/content/issues/7332
- id: 4.2.1.3
title: Ensure rsyslog default file permissions configured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
- - rsyslog_files_permissions
+ automated: no
- id: 4.2.1.4
title: Ensure logging is configured (Manual)
From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:52:17 +0100
Subject: [PATCH 24/55] Disable 4.2.1.5 and 5.2.3 as they do not align
perfectly with the benchmark
---
controls/cis_rhel8.yml | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 327400abd65..f5a8ce45848 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1452,14 +1452,15 @@ controls:
- l1_workstation
automated: no
+ # NEEDS RULE
+ # The rsyslog_remote_loghost rule is not sufficient
+ # https://github.com/ComplianceAsCode/content/issues/7333
- id: 4.2.1.5
title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
- - rsyslog_remote_loghost
+ automated: no
- id: 4.2.1.6
title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
@@ -1617,19 +1618,15 @@ controls:
- l1_workstation
automated: no
- # TODO
- # Rule sets permissions to 0640 but benchmark wants it to be 0600
- #
- # TODO
- # Check owner of private keys in /etc/ssh is root:root
+ # NEEDS RULE
+ # The file_permissions_sshd_private_key rule is not aligned with the benchmark
+ # https://github.com/ComplianceAsCode/content/issues/7334
- id: 5.2.3
title: Ensure permissions on SSH private host key files are configured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
- - file_permissions_sshd_private_key
+ automated: no
# TODO
# Check owner of public keys in /etc/ssh is root:root
From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:53:10 +0100
Subject: [PATCH 25/55] 5.2.4 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index f5a8ce45848..0e3fa99d32e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1635,7 +1635,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially
rules:
- file_permissions_sshd_pub_key
From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:55:32 +0100
Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used
properly
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0e3fa99d32e..439b3265fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1721,7 +1721,7 @@ controls:
rules:
- sshd_idle_timeout_value=5_minutes
- sshd_set_idle_timeout
- - sshd_set_keepalive_0
+ - sshd_set_keepalive
- var_sshd_set_keepalive=0
# NEEDS RULE
From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 08:47:24 +0100
Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely
with CIS benchmark
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 439b3265fe9..92ac0dd85c5 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -595,9 +595,9 @@ controls:
- l1_workstation
automated: yes
rules:
- - service_chronyd_enabled
- chronyd_specify_remote_server
- chronyd_run_as_chrony_user
+ - var_multiple_time_servers=rhel
- id: 2.2.2
title: Ensure X Window System is not installed (Automated)
From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 08:54:14 +0100
Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file
---
controls/cis_rhel8.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 92ac0dd85c5..565974817f1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1645,7 +1645,12 @@ controls:
- l1_server
- l1_workstation
automated: yes
+ # The CIS benchmark is not opinionated about which loglevel is selected
+ # here. Here, this profile uses VERBOSE by default, as it allows for
+ # the capture of login and logout activity as well as key fingerprints.
rules:
+ - sshd_set_loglevel_verbose
+ related_rules:
- sshd_set_loglevel_info
- id: 5.2.6
From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:00:17 +0100
Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses
wrong path)
---
controls/cis_rhel8.yml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 565974817f1..53f024fffea 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1738,14 +1738,16 @@ controls:
- l1_workstation
automated: no
+ # NEEDS RULE
+ # The current sshd_enable_warning_banner rule uses /etc/issue instead
+ # of the /etc/issue.net that the benchmark expects.
+ #
- id: 5.2.15
title: Ensure SSH warning banner is configured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
- - sshd_enable_warning_banner
+ automated: no
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5526
From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:00:48 +0100
Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups
rule in RHEL 8 CIS profile
---
controls/cis_rhel8.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 53f024fffea..3345a37d098 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1775,6 +1775,7 @@ controls:
automated: yes
rules:
- sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
- id: 5.2.19
title: Ensure SSH MaxSessions is set to 4 or less (Automated)
From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:19:43 +0100
Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits
for vs the one in the control title
---
controls/cis_rhel8.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3345a37d098..3b6219f3296 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1777,6 +1777,13 @@ controls:
- sshd_set_maxstartups
- var_sshd_set_maxstartups=10:30:60
+ # The title of this control does not appear to match the suggested audit and
+ # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
+ # value from the audit and remediation sections of the benchmark rather than
+ # from the title.
+ #
+ # An upstream ticket has been opened about this issue:
+ # https://workbench.cisecurity.org/community/14/tickets/13414
- id: 5.2.19
title: Ensure SSH MaxSessions is set to 4 or less (Automated)
levels:
@@ -1785,7 +1792,7 @@ controls:
automated: yes
rules:
- sshd_set_max_sessions
- - var_sshd_max_sessions=4
+ - var_sshd_max_sessions=10
- id: 5.2.20
title: Ensure system-wide crypto policy is not over-ridden (Automated)
From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:20:45 +0100
Subject: [PATCH 32/55] Fix rule ID for 5.3.3
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3b6219f3296..55c8378529d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1823,7 +1823,7 @@ controls:
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5532
- - id: 5.3.2
+ - id: 5.3.3
title: Ensure authselect includes with-faillock (Automated)
levels:
- l1_server
From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:23:40 +0100
Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2
---
controls/cis_rhel8.yml | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 55c8378529d..c7f651994d6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1845,17 +1845,14 @@ controls:
- var_password_pam_minclass=4
- var_password_pam_minlen=14
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7337
- id: 5.4.2
title: Ensure lockout for failed password attempts is configured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_unlock_time=900
+ automated: no
- id: 5.4.3
title: Ensure password reuse is limited (Automated)
From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:29:15 +0100
Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated
---
controls/cis_rhel8.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c7f651994d6..10816e1ba35 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1830,14 +1830,15 @@ controls:
- l1_workstation
automated: no
- # NEEDS RULE: try_first_pass
+ # NEEDS RULE
+ # try_first_pass
# https://github.com/ComplianceAsCode/content/issues/5533
- id: 5.4.1
title: Ensure password creation requirements are configured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially
rules:
- accounts_password_pam_minclass
- accounts_password_pam_minlen
From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:37:15 +0100
Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited"
rule from RHEL 7
---
controls/cis_rhel8.yml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 10816e1ba35..0ea36362832 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1861,9 +1861,15 @@ controls:
- l1_server
- l1_workstation
automated: yes
- rules:
- - accounts_password_pam_unix_remember
- - var_password_pam_unix_remember=5
+ notes: |-
+ Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation.
+ See here for more details about pam_unix.so:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+ rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=required
+ - var_password_pam_remember=5
- id: 5.4.4
title: Ensure password hashing algorithm is SHA-512 (Automated)
From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:41:13 +0100
Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0ea36362832..be46d870965 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1876,7 +1876,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark.
rules:
- set_password_hashing_algorithm_systemauth
From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:42:57 +0100
Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index be46d870965..e41c2eb4dae 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1885,7 +1885,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control.
rules:
- accounts_maximum_age_login_defs
- var_accounts_maximum_age_login_defs=365
From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:44:17 +0100
Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e41c2eb4dae..0b2b3d04621 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1895,7 +1895,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control.
rules:
- accounts_minimum_age_login_defs
- var_accounts_minimum_age_login_defs=7
From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:47:22 +0100
Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0b2b3d04621..70312f6399a 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1905,7 +1905,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control.
rules:
- accounts_password_warn_age_login_defs
- var_accounts_password_warn_age_login_defs=7
From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:47:54 +0100
Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated
---
controls/cis_rhel8.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 70312f6399a..42dbf14c816 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1910,14 +1910,12 @@ controls:
- accounts_password_warn_age_login_defs
- var_accounts_password_warn_age_login_defs=7
- # TODO
- # Rule doesn't check list of users
- id: 5.5.1.4
title: Ensure inactive password lock is 30 days or less (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
rules:
- account_disable_post_pw_expiration
- var_account_disable_post_pw_expiration=30
From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 15:17:53 +0100
Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 42dbf14c816..e8e340e0c36 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1724,7 +1724,7 @@ controls:
- l1_workstation
automated: yes
rules:
- - sshd_idle_timeout_value=5_minutes
+ - sshd_idle_timeout_value=15_minutes
- sshd_set_idle_timeout
- sshd_set_keepalive
- var_sshd_set_keepalive=0
From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:12:47 +0100
Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated
---
controls/cis_rhel8.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8e340e0c36..2d534d95072 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1929,12 +1929,15 @@ controls:
- l1_workstation
automated: no
+ # NEEDS RULE
+ # We are missing the component of this control which locks non-root system accounts
+ # https://github.com/ComplianceAsCode/content/issues/7352
- id: 5.5.2
title: Ensure system accounts are secured (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially
rules:
- no_shelllogin_for_systemaccounts
From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:17:13 +0100
Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2d534d95072..784af3e0fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1946,7 +1946,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark
rules:
- accounts_tmout
- var_accounts_tmout=15_min
From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:21:39 +0100
Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated
---
controls/cis_rhel8.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 784af3e0fe9..045e219d90f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1965,9 +1965,10 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark
rules:
- accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
- accounts_umask_etc_profile
- var_accounts_user_umask=027
From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:23:32 +0100
Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by
use_pam_wheel_for_su
---
controls/cis_rhel8.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 045e219d90f..84a3269afc6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1989,7 +1989,9 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: no
+ automated: partially
+ rules:
+ - use_pam_wheel_for_su
- id: 6.1.1
title: Audit system file permissions (Manual)
From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:31:56 +0100
Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3
---
controls/cis_rhel8.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 84a3269afc6..d02f2cbbf86 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2154,14 +2154,15 @@ controls:
rules:
- no_legacy_plus_entries_etc_passwd
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/7198
- id: 6.2.3
title: Ensure root PATH Integrity (Automated)
levels:
- l1_server
- l1_workstation
- automated: no
+ automated: yes
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
- id: 6.2.4
title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:34:47 +0100
Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without
OVAL checks or remediations
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d02f2cbbf86..a3f3d4e6d4f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2196,8 +2196,8 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
- file_permissions_home_dirs
# NEEDS RULE (for user ownership)
@@ -2207,7 +2207,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
rules:
- file_groupownership_home_directories
From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:35:23 +0100
Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL
checks or remediations
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a3f3d4e6d4f..cfefd245300 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2311,10 +2311,10 @@ controls:
automated: no
- id: 6.2.20
- title: Ensure shadow group is empty (Automated)
+ title: Ensure all users' home directories exist (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
- accounts_user_interactive_home_directory_exists
From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:38:11 +0100
Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because
it also checks for finit_module syscall
---
controls/cis_rhel8.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cfefd245300..e8d3f24ccbb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1397,7 +1397,11 @@ controls:
- l2_workstation
automated: yes
rules:
- - audit_rules_kernel_module_loading
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_privileged_commands_insmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_rmmod
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5516
From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Mon, 9 Aug 2021 11:49:56 +0100
Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control
is not automated
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8d3f24ccbb..a624d06cb56 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2128,7 +2128,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- file_permissions_unauthorized_suid
- id: 6.1.14
@@ -2137,7 +2137,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- file_permissions_unauthorized_sgid
# NEEDS RULE
@@ -2212,7 +2212,7 @@ controls:
- l1_server
- l1_workstation
automated: no # The rule below exists, but does not have any OVAL checks or remediations.
- rules:
+ related_rules:
- file_groupownership_home_directories
# NEEDS RULE
From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 10 Aug 2021 09:12:18 +0100
Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream
Draft Benchmark 1.1.0
---
controls/cis_rhel8.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a624d06cb56..bff2200ce12 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1782,11 +1782,11 @@ controls:
- var_sshd_set_maxstartups=10:30:60
# The title of this control does not appear to match the suggested audit and
- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
- # value from the audit and remediation sections of the benchmark rather than
- # from the title.
+ # remediation in the CIS Benchmark version 1.0.1
+ #
+ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0
+ # which confirms that '4' is the intended value for this control.
#
- # An upstream ticket has been opened about this issue:
# https://workbench.cisecurity.org/community/14/tickets/13414
- id: 5.2.19
title: Ensure SSH MaxSessions is set to 4 or less (Automated)
@@ -1796,7 +1796,7 @@ controls:
automated: yes
rules:
- sshd_set_max_sessions
- - var_sshd_max_sessions=10
+ - var_sshd_max_sessions=4
- id: 5.2.20
title: Ensure system-wide crypto policy is not over-ridden (Automated)
From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 11 Aug 2021 10:37:23 +0100
Subject: [PATCH 52/55] Control to disable IPv6 should not be automated
---
controls/cis_rhel8.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bff2200ce12..29d972427cf 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1177,9 +1177,7 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: yes
- rules:
- - kernel_module_ipv6_option_disabled
+ automated: no
- id: 4.1.1.1
title: Ensure auditd is installed (Automated)
From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:09:48 +0100
Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8
---
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
.../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 +
.../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 +
.../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 4 ----
5 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 24a0feaf0aa..748d9d9d188 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -21,6 +21,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80199-3
+ cce@rhel8: CCE-85914-0
references:
cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index 288b6706b03..f44e85a059a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83430-9
+ cce@rhel8: CCE-85915-7
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
index edcda693591..a9468d00ddc 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83429-1
+ cce@rhel8: CCE-85913-2
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index 6e636a7caf7..bc4fdcc7e04 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83431-7
+ cce@rhel8: CCE-85912-4
references:
cis-csc: 12,13,14,15,16,18,3,5
From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:15:15 +0100
Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules
---
.../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 +
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 +
.../root_logins/use_pam_wheel_for_su/rule.yml | 1 +
.../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 +
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
.../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 +
6 files changed, 6 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 2ffb01a3983..ee54a53dfd4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -27,6 +27,7 @@ identifiers:
references:
cis@rhel7: 5.3.5
+ cis@rhel8: 5.2.5
disa: CCI-000067
nerc-cip: CIP-007-3 R7.1
nist: AC-17(a),AC-17(1),CM-6(a)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index c548b1e3ea2..935766db26d 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -41,6 +41,7 @@ identifiers:
references:
cis@rhel7: 2.2.2
+ cis@rhel8: 2.2.2
disa: CCI-000366
nist: CM-6(b)
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 984a8cf333e..616a0aa0052 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
cis@rhel7: "5.7"
+ cis@rhel8: 5.7
cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
ospp: FMT_SMF_EXT.1.1
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index 81c30174c71..057701075e5 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -23,6 +23,7 @@ identifiers:
references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
+ cis@rhel8: 6.2.3
cis@sle15: 6.2.4
cis@ubuntu2004: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 748d9d9d188..c94de8fa3e6 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
+ cis@rhel8: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 46e81737199..51f8e51fa6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -25,6 +25,7 @@ references:
anssi: BP28(R35)
cis-csc: 11,18,3,9
cis@rhel7: 5.5.5
+ cis@rhel8: 5.5.5
cis@ubuntu2004: 5.4.4
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:25:45 +0100
Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an
integer
---
.../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 616a0aa0052..08677cbb7dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,7 +24,7 @@ identifiers:
references:
cis@rhel7: "5.7"
- cis@rhel8: 5.7
+ cis@rhel8: "5.7"
cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
ospp: FMT_SMF_EXT.1.1