From abb9962457ca9100f193d559baa6fd64de22ffe6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2021 18:59:06 +0000
Subject: import scap-security-guide-0.1.57-5.el9
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8a94a7b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.57.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..ea6c565
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+d78bdc956df4301c3b3bbb2f9f24d809d7b1d08c SOURCES/scap-security-guide-0.1.57.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch b/SOURCES/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
new file mode 100644
index 0000000..c609d07
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
@@ -0,0 +1,702 @@
+From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Fri, 9 Jul 2021 14:41:03 +0200
+Subject: [PATCH 01/12] ensure that higher policy levels can override variables
+ of lower levels
+
+---
+ ssg/controls.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ssg/controls.py b/ssg/controls.py
+index 297d80e46c5..165cdf0511a 100644
+--- a/ssg/controls.py
++++ b/ssg/controls.py
+@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
+
+ all_policy_controls = self.get_all_controls(policy_id)
+ eligible_controls = []
+- for c in all_policy_controls:
+- if len(level_ids.intersection(c.levels)) > 0:
+- eligible_controls.append(c)
++ defined_variables = []
++ # we will go level by level, from top to bottom
++ # this is done to enable overriding of variables by higher levels
++ for lv in level_ids:
++ for c in all_policy_controls:
++ if lv in c.levels:
++ # if the control has a variable, check if it is not already defined
++ if c.variables.keys().isdisjoint(defined_variables):
++ eligible_controls.append(c)
++ defined_variables += [*c.variables.keys()]
+ return eligible_controls
+
+ def get_all_controls(self, policy_id):
+
+From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 5 Aug 2021 14:02:25 +0200
+Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
+
+because of compatibility with python2
+---
+ ssg/controls.py | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/ssg/controls.py b/ssg/controls.py
+index 165cdf0511a..611a647e125 100644
+--- a/ssg/controls.py
++++ b/ssg/controls.py
+@@ -2,6 +2,7 @@
+ import logging
+ import os
+ from glob import glob
++from collections import OrderedDict
+
+ import ssg.build_yaml
+ import ssg.yaml
+@@ -152,16 +153,18 @@ def get_level(self, level_id):
+ raise ValueError(msg)
+
+ def 
get_level_with_ancestors(self, level_id): +- levels = set() ++ # use OrderedDict for Python2 compatibility instead of ordered set ++ levels = OrderedDict() + level = self.get_level(level_id) +- levels.add(level) ++ levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- levels.update(self.get_level_with_ancestors(lv)) ++ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ for l in eligible_levels: ++ levels[l] = "" + return levels + + +- + class ControlsManager(): + def __init__(self, controls_dir, env_yaml=None): + self.controls_dir = os.path.abspath(controls_dir) +@@ -198,20 +201,24 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- level_ids = set([lv.id for lv in levels]) ++ # we use OrderedDict here with empty values instead of ordered set ++ # cause we want to be compatible with python 2 ++ level_ids = OrderedDict() ++ for lv in levels.keys(): ++ level_ids[lv.id] = "" + + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids: ++ for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: + # if the control has a variable, check if it is not already defined + if c.variables.keys().isdisjoint(defined_variables): + eligible_controls.append(c) +- defined_variables += [*c.variables.keys()] ++ defined_variables += list(c.variables.keys()) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:30:10 +0200 +Subject: [PATCH 03/12] rework handling of variables when returning all + controls of a level + +currently 
only the top most level variables are kept in the controls +if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control +the original control stays in tact +--- + ssg/controls.py | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 611a647e125..4ebb8bda3d7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -1,8 +1,8 @@ + import collections + import logging + import os ++import copy + from glob import glob +-from collections import OrderedDict + + import ssg.build_yaml + import ssg.yaml +@@ -154,7 +154,7 @@ def get_level(self, level_id): + + def get_level_with_ancestors(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set +- levels = OrderedDict() ++ levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: +@@ -201,24 +201,39 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) ++ print ("getting levels of " + level_id) ++ print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 +- level_ids = OrderedDict() ++ level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- ++ print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): ++ print ("going through level " +lv) + for c in all_policy_controls: ++ print (c.levels) + if lv in c.levels: + # if the control has a variable, check if it is not already 
defined +- if c.variables.keys().isdisjoint(defined_variables): ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- defined_variables += list(c.variables.keys()) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:31:25 +0200 +Subject: [PATCH 04/12] add tests for defining of variables + +--- + tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++ + tests/unit/ssg-module/test_controls.py | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index aded77c12a6..b98a7cd4e19 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -19,10 +19,14 @@ controls: + - id: S2 + levels: + - low ++ rules: ++ - var_password_pam_minlen=1 + + - id: S3 + levels: + - medium ++ rules: ++ - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -36,3 +40,5 @@ controls: + title: Enforce password quality standards + levels: + - high ++ rules: ++ - var_password_pam_minlen=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index ff9b04f26c9..06fcb0c375d 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -87,6 +87,11 @@ def test_controls_levels(): + assert len(low_controls) == 4 + assert 
len(medium_controls) == 5 + ++ # test overriding of variables in levels ++ assert c_2.variables["var_password_pam_minlen"] == "1" ++ assert c_3.variables["var_password_pam_minlen"] == "2" ++ assert c_4b.variables["var_password_pam_minlen"] == "3" ++ + + def test_controls_load_product(): + ssg_root = \ + +From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 6 Aug 2021 09:30:47 +0200 +Subject: [PATCH 05/12] make overriding of variables optional + +--- + ssg/controls.py | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 4ebb8bda3d7..90639fbe4c7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,42 +198,42 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id): ++ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): ++ # if override_vars is enabled, then variables from higher levels will ++ # override variables efined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- print ("getting levels of " + level_id) +- print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 + level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): +- print ("going through level " +lv) + for c in all_policy_controls: +- print (c.levels) + if lv in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = 
list(c.variables.keys()) +- if len(variables) == 0: ++ if override_vars == False: + eligible_controls.append(c) +- for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) ++ else: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 12:38:42 +0200 +Subject: [PATCH 06/12] fix a typo + +--- + ssg/controls.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 90639fbe4c7..10a304bf8c2 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -200,7 +200,7 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + # if override_vars is enabled, then variables from higher levels will +- # override variables efined in controls of lower levels ++ # override variables defined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set + +From 
8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:11 +0200 +Subject: [PATCH 07/12] update tests to check that overriding of variables + works + +--- + .../ssg-module/data/controls_dir/abcd-levels.yml | 4 +--- + tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++-- + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index b98a7cd4e19..99efafd832e 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -25,8 +25,6 @@ controls: + - id: S3 + levels: + - medium +- rules: +- - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -41,4 +39,4 @@ controls: + levels: + - high + rules: +- - var_password_pam_minlen=3 ++ - var_password_pam_minlen=2 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 06fcb0c375d..124b344d141 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -89,8 +89,20 @@ def test_controls_levels(): + + # test overriding of variables in levels + assert c_2.variables["var_password_pam_minlen"] == "1" +- assert c_3.variables["var_password_pam_minlen"] == "2" +- assert c_4b.variables["var_password_pam_minlen"] == "3" ++ assert "var_password_pam_minlen" not in c_3.variables.keys() ++ assert c_4b.variables["var_password_pam_minlen"] == "2" ++ ++ for c in low_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in medium_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in high_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "2" + + 
+ def test_controls_load_product(): + +From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:32 +0200 +Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting + controls of a certain level + +--- + ssg/controls.py | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 10a304bf8c2..7923f0cb379 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,9 +198,7 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): +- # if override_vars is enabled, then variables from higher levels will +- # override variables defined in controls of lower levels ++ def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set +@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: +- if override_vars == False: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- else: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: ++ continue ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) + eligible_controls.append(c) +- 
for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) +- eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 15:30:39 +0200 +Subject: [PATCH 09/12] get rid of one ordereddict + +--- + ssg/controls.py | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 7923f0cb379..891b13c891c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -201,19 +201,14 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- # we use OrderedDict here with empty values instead of ordered set +- # cause we want to be compatible with python 2 +- level_ids = collections.OrderedDict() +- for lv in levels.keys(): +- level_ids[lv.id] = "" + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids.keys(): ++ for lv in levels.keys(): + for c in all_policy_controls: +- if lv in c.levels: ++ if lv.id in c.levels: + # if the control has a variable, check if it is not already defined + variables = list(c.variables.keys()) + if len(variables) == 0: + +From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:44:57 +0200 +Subject: [PATCH 10/12] fix overriding of variables + +when there were 
multiple variables overridden, it caused problems by creating multiple copies of controls +--- + ssg/controls.py | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 891b13c891c..8b69676313c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id): + if len(variables) == 0: + eligible_controls.append(c) + continue ++ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control + for var in variables: + if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ variables_to_remove.append(var) + else: + defined_variables.append(var) +- eligible_controls.append(c) ++ if len(variables_to_remove) == 0: ++ eligible_controls.append(c) ++ else: ++ new_c = copy.deepcopy(c) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ eligible_controls.append(new_c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:45:38 +0200 +Subject: [PATCH 11/12] extended tests to test for multiple overridden + variables + +--- + .../data/controls_dir/abcd-levels.yml | 2 ++ + tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index 99efafd832e..2e60ec43532 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -21,6 +21,7 @@ controls: + - low + 
rules: + - var_password_pam_minlen=1 ++ - var_some_variable=1 + + - id: S3 + levels: +@@ -40,3 +41,4 @@ controls: + - high + rules: + - var_password_pam_minlen=2 ++ - var_some_variable=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 124b344d141..1465661b04a 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -104,6 +104,25 @@ def test_controls_levels(): + if "var_password_pam_minlen" in c.variables.keys(): + assert c.variables["var_password_pam_minlen"] == "2" + ++ # now test if controls of lower level has the variable definition correctly removed ++ # because it is overriden by higher level controls ++ s2_high = [c for c in high_controls if c.id == "S2"] ++ assert len(s2_high) == 1 ++ assert "var_some_variable" not in s2_high[0].variables.keys() ++ assert "var_password_pam_minlen" not in s2_high[0].variables.keys() ++ s4b_high = [c for c in high_controls if c.id == "S4.b"] ++ assert len(s4b_high) == 1 ++ assert s4b_high[0].variables["var_some_variable"] == "3" ++ assert s4b_high[0].variables["var_password_pam_minlen"] == "2" ++ ++ # check that in low level the variable is correctly placed there in S2 ++ s2_low = [c for c in low_controls if c.id == "S2"] ++ assert len(s2_low) == 1 ++ assert s2_low[0].variables["var_some_variable"] == "1" ++ assert s2_low[0].variables["var_password_pam_minlen"] == "1" ++ ++ ++ + + def test_controls_load_product(): + ssg_root = \ + +From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Mon, 16 Aug 2021 10:39:22 +0200 +Subject: [PATCH 12/12] Style improvements + +- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence, + and made it return a list - a dictionary result is quite confusing. +- Removed some optimization in the variable deletion loops. +- Extracted functionality to a _get_control_without_variables static + method. 
+- Defined variable removal steps using set operations. +--- + ssg/controls.py | 54 +++++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 26 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 8b69676313c..ca3187d5b16 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -152,17 +152,17 @@ def get_level(self, level_id): + ) + raise ValueError(msg) + +- def get_level_with_ancestors(self, level_id): ++ def get_level_with_ancestors_sequence(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set + levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()] + for l in eligible_levels: + levels[l] = "" +- return levels ++ return list(levels.keys()) + + + class ControlsManager(): +@@ -200,35 +200,37 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) +- levels = policy.get_level_with_ancestors(level_id) ++ levels = policy.get_level_with_ancestors_sequence(level_id) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] +- defined_variables = [] ++ already_defined_variables = set() + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in levels.keys(): +- for c in all_policy_controls: +- if lv.id in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: +- eligible_controls.append(c) +- continue +- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control +- for var 
in variables: +- if var in defined_variables: +- variables_to_remove.append(var) +- else: +- defined_variables.append(var) +- if len(variables_to_remove) == 0: +- eligible_controls.append(c) +- else: +- new_c = copy.deepcopy(c) +- for var in variables_to_remove: +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ for lv in levels: ++ for control in all_policy_controls: ++ if lv.id not in control.levels: ++ continue ++ ++ variables = set(control.variables.keys()) ++ ++ variables_to_remove = variables.intersection(already_defined_variables) ++ already_defined_variables.update(variables) ++ ++ new_c = self._get_control_without_variables(variables_to_remove, control) ++ eligible_controls.append(new_c) ++ + return eligible_controls + ++ @staticmethod ++ def _get_control_without_variables(variables_to_remove, control): ++ if not variables_to_remove: ++ return control ++ ++ new_c = copy.deepcopy(control) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ return new_c ++ + def get_all_controls(self, policy_id): + policy = self._get_policy(policy_id) + return policy.controls_by_id.values() diff --git a/SOURCES/scap-security-guide-0.1.58-cis_def-PR_6976.patch b/SOURCES/scap-security-guide-0.1.58-cis_def-PR_6976.patch new file mode 100644 index 0000000..3082bf2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-cis_def-PR_6976.patch 
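Review bot: In the final form of `get_all_controls_of_level` (PATCH 12/12), a control whose `levels` list names more than one level of the inherited chain is appended once per matching level — later occurrences as deep copies with every variable stripped, because by then all of them sit in `already_defined_variables` — so `eligible_controls` can hold duplicate entries for one control id, whereas the code removed in PATCH 01/12 selected each control at most once through `level_ids.intersection(c.levels)`. The unit tests only exercise single-level controls (`assert len(s2_high) == 1`), so such a duplicate would pass unnoticed. A guard after the level check, `if control.id in seen_ids: continue` followed by `seen_ids.add(control.id)` with `seen_ids = set()` initialised next to `already_defined_variables`, keeps only the first (highest-level) occurrence, which is also the one whose variable values are meant to win. Because the winning variable decides the hardening value the built profile ends up enforcing (the test data uses `var_password_pam_minlen`), the precedence rule deserves a docstring on the method stating that the requested level's definitions override those of its ancestors and that lower-level copies lose the overridden keys. `get_level_with_ancestors_sequence` also recurses with no visited set, so an `inherits_from` cycle in a policy file would presumably surface as a RecursionError rather than a clear ValueError naming the level.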
@@ -0,0 +1,5333 @@
+From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 29 Jun 2021 14:37:28 +0100
+Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files
+ per-benchmark
+
+---
+ products/rhel8/profiles/cis.profile | 1080 +----------------
+ products/rhel8/profiles/cis_server_l1.profile | 22 +
+ .../rhel8/profiles/cis_workstation_l1.profile | 22 +
+ .../rhel8/profiles/cis_workstation_l2.profile | 22 +
+ 4 files changed, 72 insertions(+), 1074 deletions(-)
+ create mode 100644 products/rhel8/profiles/cis_server_l1.profile
+ create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile
+ create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile
+
+diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
+index c22ae86d076..4a00c24e0f7 100644
+--- a/products/rhel8/profiles/cis.profile
++++ b/products/rhel8/profiles/cis.profile
+@@ -1,1090 +1,22 @@
+ documentation_complete: true
+
+ metadata:
+- version: 1.0.0
++ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+ reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server'
+
+ description: |-
+- This profile defines a baseline that aligns to the Center for Internet Security®
+- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
++ This profile defines a baseline that aligns to the "Level 2 - Server"
++ configuration from the Center for Internet Security® Red Hat Enterprise
++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+ selections:
+- # Necessary for dconf rules
+- - dconf_db_up_to_date
+-
+- ### Partitioning
+- - mount_option_home_nodev
+-
+- ## 1.1 Filesystem Configuration
+-
+- ### 1.1.1 Disable unused filesystems
+-
+- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
+- - kernel_module_cramfs_disabled
+-
+- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+-
+-
+- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
+- - kernel_module_squashfs_disabled
+-
+- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
+- - kernel_module_udf_disabled
+-
+- ### 1.1.2 Ensure /tmp is configured (Scored)
+- - partition_for_tmp
+-
+- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
+- - mount_option_tmp_nodev
+-
+- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
+- - mount_option_tmp_nosuid
+-
+- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
+- - mount_option_tmp_noexec
+-
+- ### 1.1.6 Ensure separate partition exists for /var (Scored)
+- - partition_for_var
+-
+- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
+- - partition_for_var_tmp
+-
+- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nodev
+-
+- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nosuid
+-
+- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_noexec
+-
+- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
+- - partition_for_var_log
+-
+- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
+- - partition_for_var_log_audit
+-
+- ### 1.1.13 Ensure separate partition exists for /home (Scored)
+- - partition_for_home
+-
+- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
+- - mount_option_home_nodev
+-
+- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nodev
+-
+- ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nosuid
+-
+- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_noexec
+-
+- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+- - mount_option_nodev_removable_partitions
+-
+- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+- - mount_option_nosuid_removable_partitions
+-
+- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+- - mount_option_noexec_removable_partitions
+-
+- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+- - dir_perms_world_writable_sticky_bits
+-
+- ### 1.1.22 Disable Automounting (Scored)
+- - service_autofs_disabled
+-
+- ### 1.1.23 Disable USB Storage (Scored)
+- - kernel_module_usb-storage_disabled
+-
+- ## 1.2 Configure Software Updates
+-
+- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+-
+- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+- - service_rhnsd_disabled
+-
+- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+- - ensure_redhat_gpgkey_installed
+-
+- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+- - ensure_gpgcheck_globally_activated
+-
+- ### 1.2.5 Ensure package manager repositories are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+-
+- ## 1.3 Configure sudo
+-
+- ### 1.3.1 Ensure sudo is installed (Scored)
+- - package_sudo_installed
+-
+- ### 1.3.2 Ensure sudo commands use pty (Scored)
+- - sudo_add_use_pty
+-
+- ### 1.3.3 Ensure sudo log file exists (Scored)
+- - sudo_custom_logfile
+-
+- ## 1.4 Filesystem Integrity Checking
+-
+- ### 1.4.1 Ensure AIDE is installed (Scored)
+- - package_aide_installed
+-
+- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+- - aide_periodic_cron_checking
+-
+- ## Secure Boot Settings
+-
+- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+- #### chown root:root /boot/grub2/grub.cfg
+- - file_owner_grub2_cfg
+- - file_groupowner_grub2_cfg
+-
+- #### chmod og-rwx /boot/grub2/grub.cfg
+- - file_permissions_grub2_cfg
+-
+- #### chown root:root /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- #### chmod og-rwx /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- ### 1.5.2 Ensure bootloader password is set (Scored)
+- - grub2_password
+-
+- ### 1.5.3 Ensure authentication required for single user mode (Scored)
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+- - require_singleuser_auth
+-
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+- - require_emergency_target_auth
+-
+- ## 1.6 Additional Process Hardening
+-
+- ### 1.6.1 Ensure core dumps are restricted (Scored)
+- #### * hard core 0
+- - disable_users_coredumps
+-
+- #### fs.suid_dumpable = 0
+- - sysctl_fs_suid_dumpable
+-
+- #### ProcessSizeMax=0
+- - coredump_disable_backtraces
+-
+- #### Storage=none
+- - coredump_disable_storage
+-
+- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+- - sysctl_kernel_randomize_va_space
+-
+- ## 1.7 Mandatory Access Control
+-
+- ### 1.7.1 Configure SELinux
+-
+- #### 1.7.1.1 Ensure SELinux is installed (Scored)
+- - package_libselinux_installed
+-
+- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+- - grub2_enable_selinux
+-
+- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+- - var_selinux_policy_name=targeted
+- - selinux_policytype
+-
+- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+- - var_selinux_state=enforcing
+- - selinux_state
+-
+- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+- - selinux_confinement_of_daemons
+-
+- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
+- - package_setroubleshoot_removed
+-
+- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+- - package_mcstrans_removed
+-
+- ## Warning Banners
+-
+- ### 1.8.1 Command Line Warning Baners
+-
+- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+- - banner_etc_motd
+-
+- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+- - banner_etc_issue
+-
+- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+-
+- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- # chmod u-x,go-wx /etc/motd
+- - file_permissions_etc_motd
+-
+- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- # chmod u-x,go-wx /etc/issue
+- - file_permissions_etc_issue
+-
+- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- # Previously addressed via 'rpm_verify_permissions' rule
+-
+- ### 1.8.2 Ensure GDM login banner is configured (Scored)
+- #### banner-message-enable=true
+- - dconf_gnome_banner_enabled
+-
+- #### banner-message-text=''
+- - dconf_gnome_login_banner_text
+-
+- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+- - security_patches_up_to_date
+-
+- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+- - var_system_crypto_policy=future
+- - configure_crypto_policy
+-
+- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+- # Previously addressed via 'configure_crypto_policy' rule
+-
+- # Services
+-
+- ## 2.1 inetd Services
+-
+- ### 2.1.1 Ensure xinetd is not installed (Scored)
+- - package_xinetd_removed
+-
+- ## 2.2 Special Purpose Services
+-
+- ### 2.2.1 Time Synchronization
+-
+- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+- - package_chrony_installed
+-
+- #### 2.2.1.2 Ensure chrony is configured (Scored)
+- - service_chronyd_enabled
+- - chronyd_specify_remote_server
+- - chronyd_run_as_chrony_user
+-
+- ### 2.2.2 Ensure X Window System is not installed (Scored)
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
+-
+- ### 2.2.3 Ensure rsync service is not enabled (Scored)
+- - service_rsyncd_disabled
+-
+- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+- - service_avahi-daemon_disabled
+-
+- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+- - service_snmpd_disabled
+-
+- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+- - package_squid_removed
+-
+- ### 2.2.7 Ensure Samba is not enabled (Scored)
+- - service_smb_disabled
+-
+- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+- - service_dovecot_disabled
+-
+- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+- - service_httpd_disabled
+-
+- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+- - service_vsftpd_disabled
+-
+- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+- - service_named_disabled
+-
+- ### 2.2.12 Ensure NFS is not enabled (Scored)
+- - service_nfs_disabled
+-
+- ### 2.2.13 Ensure RPC is not enabled (Scored)
+- - service_rpcbind_disabled
+-
+- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+-
+- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+- - service_dhcpd_disabled
+-
+- ### 2.2.16 Ensure CUPS is not enabled (Scored)
+- - service_cups_disabled
+-
+- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+-
+- ### 2.2.18 Ensure mail transfer agent is configured for
+- ### local-only mode (Scored)
+- - postfix_network_listening_disabled
+-
+- ## 2.3 Service Clients
+-
+- ### 2.3.1 Ensure NIS Client is not installed (Scored)
+- - package_ypbind_removed
+-
+- ### 2.3.2 Ensure telnet client is not installed (Scored)
+- - package_telnet_removed
+-
+- ### Ensure LDAP client is not installed
+- - package_openldap-clients_removed
+-
+- # 3 Network Configuration
+-
+- ## 3.1 Network Parameters (Host Only)
+-
+- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+- #### net.ipv4.ip_forward = 0
+- - sysctl_net_ipv4_ip_forward
+-
+- #### net.ipv6.conf.all.forwarding = 0
+- - sysctl_net_ipv6_conf_all_forwarding
+-
+- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+- #### net.ipv4.conf.all.send_redirects = 0
+- - sysctl_net_ipv4_conf_all_send_redirects
+-
+- #### net.ipv4.conf.default.send_redirects = 0
+- - sysctl_net_ipv4_conf_default_send_redirects
+-
+- ## 3.2 Network Parameters (Host and Router)
+-
+- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_source_route = 0
+- - sysctl_net_ipv4_conf_all_accept_source_route
+-
+- #### net.ipv4.conf.default.accept_source_route = 0
+- - sysctl_net_ipv4_conf_default_accept_source_route
+-
+- #### net.ipv6.conf.all.accept_source_route = 0
+- - sysctl_net_ipv6_conf_all_accept_source_route
+-
+- #### net.ipv6.conf.default.accept_source_route = 0
+- - sysctl_net_ipv6_conf_default_accept_source_route
+-
+- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_redirects = 0
+- - sysctl_net_ipv4_conf_all_accept_redirects
+-
+- #### net.ipv4.conf.default.accept_redirects
+- - sysctl_net_ipv4_conf_default_accept_redirects
+-
+- #### net.ipv6.conf.all.accept_redirects = 0
+- - sysctl_net_ipv6_conf_all_accept_redirects
+-
+- #### net.ipv6.conf.defaults.accept_redirects = 0
+- - sysctl_net_ipv6_conf_default_accept_redirects
+-
+- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.secure_redirects = 0
+- - sysctl_net_ipv4_conf_all_secure_redirects
+-
+- #### net.ipv4.cof.default.secure_redirects = 0
+- - sysctl_net_ipv4_conf_default_secure_redirects
+-
+- ### 3.2.4 Ensure suspicious packets are logged (Scored)
+- #### net.ipv4.conf.all.log_martians = 1
+- - sysctl_net_ipv4_conf_all_log_martians
+-
+- #### net.ipv4.conf.default.log_martians = 1
+- - sysctl_net_ipv4_conf_default_log_martians
+-
+- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+-
+- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+-
+- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+- #### net.ipv4.conf.all.rp_filter = 1
+- - sysctl_net_ipv4_conf_all_rp_filter
+-
+- #### net.ipv4.conf.default.rp_filter = 1
+- - sysctl_net_ipv4_conf_default_rp_filter
+-
+- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+- - sysctl_net_ipv4_tcp_syncookies
+-
+- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+- #### net.ipv6.conf.all.accept_ra = 0
+- - sysctl_net_ipv6_conf_all_accept_ra
+-
+- #### net.ipv6.conf.default.accept_ra = 0
+- - sysctl_net_ipv6_conf_default_accept_ra
+-
+- ## 3.3 Uncommon Network Protocols
+-
+- ### 3.3.1 Ensure DCCP is disabled (Scored)
+- - kernel_module_dccp_disabled
+-
+- ### Ensure SCTP is disabled (Scored)
+- - kernel_module_sctp_disabled
+-
+- ### 3.3.3 Ensure RDS is disabled (Scored)
+- - kernel_module_rds_disabled
+-
+- ### 3.3.4 Ensure TIPC is disabled (Scored)
+- - kernel_module_tipc_disabled
+-
+- ## 3.4 Firewall Configuration
+-
+- ### 3.4.1 Ensure Firewall software is installed
+-
+- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+- ##### firewalld
+- - package_firewalld_installed
+-
+- ##### nftables
+- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+-
+- ##### iptables
+- #- package_iptables_installed
+-
+- ### 3.4.2 Configure firewalld
+-
+- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+- - service_firewalld_enabled
+-
+- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+-
+- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+-
+- #### 3.4.2.4 Ensure default zone is set (Scored)
+- - set_firewalld_default_zone
+-
+- #### 3.4.2.5 Ensure network interfaces are assigned to
+- #### appropriate zone (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+-
+- #### 3.4.2.6 Ensure unnecessary services and ports are not
+- #### accepted (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+-
+- ### 3.4.3 Configure nftables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+-
+- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+-
+- #### 3.4.3.2 Ensure a table exists (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+-
+- #### 3.4.3.3 Ensure base chains exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+-
+- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+-
+- #### 3.4.3.5 Ensure outbound and established connections are
+- #### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+-
+- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+-
+- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+-
+- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+-
+- ### 3.4.4 Configure iptables
+-
+- #### 3.4.4.1 Configure IPv4 iptables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+-
+- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
+-
+- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+-
+- ##### 3.4.4.1.3 Ensure outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+-
+- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+-
+- #### 3.4.4.2 Configure IPv6 ip6tables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+-
+- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+-
+- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+-
+- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+-
+- ## 3.5 Ensure wireless interfaces are disabled (Scored)
+- - wireless_disable_interfaces
+-
+- ## 3.6 Disable IPv6 (Not Scored)
+- - kernel_module_ipv6_option_disabled
+-
+- # Logging and Auditing
+-
+- ## 4.1 Configure System Accounting (auditd)
+-
+- ### 4.1.1 Ensure auditing is enabled
+-
+- #### 4.1.1.1 Ensure auditd is installed (Scored)
+- - package_audit_installed
+-
+- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+- - service_auditd_enabled
+-
+- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+- #### is enabled (Scored)
+- - grub2_audit_argument
+-
+- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+- - grub2_audit_backlog_limit_argument
+-
+- ### 4.1.2 Configure Data Retention
+-
+- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+- - auditd_data_retention_max_log_file
+-
+- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+- - auditd_data_retention_max_log_file_action
+-
+- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+- - var_auditd_space_left_action=email
+- - auditd_data_retention_space_left_action
+-
+- ##### action_mail_acct = root
+- - var_auditd_action_mail_acct=root
+- - auditd_data_retention_action_mail_acct
+-
+- ##### admin_space_left_action = halt
+- - var_auditd_admin_space_left_action=halt
+- - auditd_data_retention_admin_space_left_action
+-
+- ### 4.1.3 Ensure changes to system administration scope
+- ### (sudoers) is collected (Scored)
+- - audit_rules_sysadmin_actions
+-
+- ### 4.1.4 Ensure login and logout events are collected (Scored)
+- - audit_rules_login_events_faillock
+- - audit_rules_login_events_lastlog
+-
+- ### 4.1.5 Ensure session initiation information is collected (Scored)
+- - audit_rules_session_events
+-
+- ### 4.1.6 Ensure events that modify date and time information
+- ### are collected (Scored)
+- #### adjtimex
+- - audit_rules_time_adjtimex
+-
+- #### settimeofday
+- - audit_rules_time_settimeofday
+-
+- #### stime
+- - audit_rules_time_stime
+-
+- #### clock_settime
+- - audit_rules_time_clock_settime
+-
+- #### -w /etc/localtime -p wa
+- - audit_rules_time_watch_localtime
+-
+- ### 4.1.7 Ensure events that modify the system's Mandatory
+- ### Access Control are collected (Scored)
+- #### -w /etc/selinux/ -p wa
+- - audit_rules_mac_modification
+-
+- #### -w /usr/share/selinux/ -p wa
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+-
+- ### 4.1.8 Ensure events that modify the system's network
+- ### enironment are collected (Scored)
+- - audit_rules_networkconfig_modification
+-
+- ### 4.1.9 Ensure discretionary access control permission modification
+- ### events are collected (Scored)
+- - audit_rules_dac_modification_chmod
+- - audit_rules_dac_modification_fchmod
+- - audit_rules_dac_modification_fchmodat
+- - audit_rules_dac_modification_chown
+- - audit_rules_dac_modification_fchown
+- - audit_rules_dac_modification_fchownat
+- - audit_rules_dac_modification_lchown
+- - audit_rules_dac_modification_setxattr
+- - audit_rules_dac_modification_lsetxattr
+- - audit_rules_dac_modification_fsetxattr
+- - audit_rules_dac_modification_removexattr
+- - audit_rules_dac_modification_lremovexattr
+- - audit_rules_dac_modification_fremovexattr
+-
+- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+- ### collected (Scored)
+- - audit_rules_unsuccessful_file_modification_creat
+- - audit_rules_unsuccessful_file_modification_open
+- - audit_rules_unsuccessful_file_modification_openat
+- - audit_rules_unsuccessful_file_modification_truncate
+- - audit_rules_unsuccessful_file_modification_ftruncate
+- # Opinionated selection
+- - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+- ### 4.1.11 Ensure events that modify user/group information are
+- ### collected (Scored)
+- - audit_rules_usergroup_modification_passwd
+- - audit_rules_usergroup_modification_group
+- - audit_rules_usergroup_modification_gshadow
+- - audit_rules_usergroup_modification_shadow
+- - audit_rules_usergroup_modification_opasswd
+-
+- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+- - audit_rules_media_export
+-
+- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+- - audit_rules_privileged_commands
+-
+- ### 4.1.14 Ensure file deletion events by users are collected
+- ### (Scored)
+- - audit_rules_file_deletion_events_unlink
+- - audit_rules_file_deletion_events_unlinkat
+- - audit_rules_file_deletion_events_rename
+- - audit_rules_file_deletion_events_renameat
+- # Opinionated selection
+- - audit_rules_file_deletion_events_rmdir
+-
+- ### 4.1.15 Ensure kernel module loading and unloading is collected
+- ### (Scored)
+- - audit_rules_kernel_module_loading
+-
+- ### 4.1.16 Ensure system administrator actions (sudolog) are
+- ### collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+-
+- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+- - audit_rules_immutable
+-
+- ## 4.2 Configure Logging
+-
+- ### 4.2.1 Configure rsyslog
+-
+- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+- - package_rsyslog_installed
+-
+- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+- - service_rsyslog_enabled
+-
+- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+- - rsyslog_files_permissions
+-
+- #### 4.2.1.4 Ensure logging is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+-
+- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+- #### log host (Scored)
+- - rsyslog_remote_loghost
+-
+- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+- #### designated log hosts (Not Scored)
+- - rsyslog_nolisten
+-
+- ### 4.2.2 Configure journald
+-
+- #### 4.2.2.1 Ensure journald is configured to send logs to
+- #### rsyslog (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+-
+- #### 4.2.2.2 Ensure journald is configured to compress large
+- #### log files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+-
+-
+- #### 4.2.2.3 Ensure journald is configured to write logfiles to
+- #### persistent disk (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+-
+- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+-
+- ## 4.3 Ensure logrotate is configured (Not Scored)
+-
+- # 5 Access, Authentication and Authorization
+-
+- ## 5.1 Configure cron
+-
+- ### 5.1.1 Ensure cron daemon is enabled (Scored)
+- - service_crond_enabled
+-
+-
+- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+- # chown root:root /etc/crontab
+- - file_owner_crontab
+- - file_groupowner_crontab
+- # chmod og-rwx /etc/crontab
+- - file_permissions_crontab
+-
+- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+- # chown root:root /etc/cron.hourly
+- - file_owner_cron_hourly
+- - file_groupowner_cron_hourly
+- # chmod og-rwx /etc/cron.hourly
+- - file_permissions_cron_hourly
+-
+- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+- # chown root:root /etc/cron.daily
+- - file_owner_cron_daily
+- - file_groupowner_cron_daily
+- # chmod og-rwx /etc/cron.daily
+- - file_permissions_cron_daily
+-
+- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+- # chown root:root /etc/cron.weekly
+- - file_owner_cron_weekly
+- - file_groupowner_cron_weekly
+- # chmod og-rwx /etc/cron.weekly
+- - file_permissions_cron_weekly
+-
+- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+- # chown root:root /etc/cron.monthly
+- - file_owner_cron_monthly
+- - file_groupowner_cron_monthly
+- # chmod og-rwx /etc/cron.monthly
+- - file_permissions_cron_monthly
+-
+- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+- # chown root:root /etc/cron.d
+- - file_owner_cron_d
+- - file_groupowner_cron_d
+- # chmod og-rwx /etc/cron.d
+- - file_permissions_cron_d
+-
+- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+-
+-
+- ## 5.2 SSH Server Configuration
+-
+- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+- # chown root:root /etc/ssh/sshd_config
+- - file_owner_sshd_config
+- - file_groupowner_sshd_config
+-
+- # chmod og-rwx /etc/ssh/sshd_config
+- - file_permissions_sshd_config
+-
+- ### 5.2.2 Ensure SSH access is limited (Scored)
+-
+-
+- ### 5.2.3 Ensure permissions on SSH private host key files are
+- ### configured (Scored)
+- # TO DO: The rule sets to 640, but benchmark wants 600
+- - file_permissions_sshd_private_key
+- # TO DO: check owner of private keys in /etc/ssh is root:root
+-
+- ### 5.2.4 Ensure permissions on SSH public host key files are configured
+- ### (Scored)
+- - file_permissions_sshd_pub_key
+- # TO DO: check owner of pub keys in /etc/ssh is root:root
+-
+- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+- - sshd_set_loglevel_info
+-
+- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+- - sshd_disable_x11_forwarding
+-
+- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+- - sshd_max_auth_tries_value=4
+- - sshd_set_max_auth_tries
+-
+- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+- - sshd_disable_rhosts
+-
+- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+- - disable_host_auth
+-
+- ### 5.2.10 Ensure SSH root login is disabled (Scored)
+- - sshd_disable_root_login
+-
+- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+- - sshd_disable_empty_passwords
+-
+- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+- - sshd_do_not_permit_user_env
+-
+- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+- # ClientAliveInterval 300
+- - sshd_idle_timeout_value=5_minutes
+- - sshd_set_idle_timeout
+-
+- # ClientAliveCountMax 0
+- - var_sshd_set_keepalive=0
+- - sshd_set_keepalive_0
+-
+- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+- ### or less (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+-
+- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+- - sshd_enable_warning_banner
+-
+- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+-
+- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+- - sshd_disable_tcp_forwarding
+-
+- ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
+- - sshd_set_maxstartups
+- - var_sshd_set_maxstartups=10:30:60
+-
+- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+- - sshd_set_max_sessions
+- - var_sshd_max_sessions=4
+-
+- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+- - configure_ssh_crypto_policy
+-
+- ## 5.3 Configure authselect
+-
+-
+- ### 5.3.1 Create custom authselectet profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+-
+- ### 5.3.2 Select authselect profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+-
+- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+-
+- ## 5.4 Configure PAM
+-
+- ### 5.4.1 Ensure password creation requirements are configured (Scored)
+- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+- - accounts_password_pam_retry
+- - var_password_pam_minlen=14
+- - accounts_password_pam_minlen
+- - var_password_pam_minclass=4
+- - accounts_password_pam_minclass
+-
+- ### 5.4.2 Ensure lockout for failed password attempts is
+- ### configured (Scored)
+- - var_accounts_passwords_pam_faillock_unlock_time=900
+- - var_accounts_passwords_pam_faillock_deny=5
+- - accounts_passwords_pam_faillock_unlock_time
+- - accounts_passwords_pam_faillock_deny
+-
+- ### 5.4.3 Ensure password reuse is limited (Scored)
+- - var_password_pam_unix_remember=5
+- - accounts_password_pam_unix_remember
+-
+- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+- - set_password_hashing_algorithm_systemauth
+-
+- ## 5.5 User Accounts and Environment
+-
+- ### 5.5.1 Set Shadow Password Suite Parameters
+-
+- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+- - var_accounts_maximum_age_login_defs=365
+- - accounts_maximum_age_login_defs
+-
+- #### 5.5.1.2 Ensure minimum days between password changes is 7
+- #### or more (Scored)
+- - var_accounts_minimum_age_login_defs=7
+- - accounts_minimum_age_login_defs
+-
+- #### 5.5.1.3 Ensure password expiration warning days is
+- #### 7 or more (Scored)
+- - var_accounts_password_warn_age_login_defs=7
+- - accounts_password_warn_age_login_defs
+-
+- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+- # TODO: Rule doesn't check list of users
+- # https://github.com/ComplianceAsCode/content/issues/5536
+- - var_account_disable_post_pw_expiration=30
+- - account_disable_post_pw_expiration
+-
+- #### 5.5.1.5 Ensure all users last password change date is
+- #### in the past (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+-
+- ### 5.5.2 Ensure system accounts are secured (Scored)
+- - no_shelllogin_for_systemaccounts
+-
+- ### 5.5.3 Ensure default user shell timeout is 900 seconds
+- ### or less (Scored)
+- - var_accounts_tmout=15_min
+- - accounts_tmout
+-
+- ### 5.5.4 Ensure default group for the root account is
+- ### GID 0 (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+-
+- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+- - var_accounts_user_umask=027
+- - accounts_umask_etc_bashrc
+- - accounts_umask_etc_profile
+-
+- ## 5.6 Ensure root login is restricted to system console (Not Scored)
+- - securetty_root_login_console_only
+- - no_direct_root_logins
+-
+- ## 5.7 Ensure access to the su command is restricted (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+-
+- # System Maintenance
+-
+- ## 6.1 System File Permissions
+-
+- ### 6.1.1 Audit system file permissions (Not Scored)
+- - rpm_verify_permissions
+- - rpm_verify_ownership
+-
+- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+- # chown root:root /etc/passwd
+- - file_owner_etc_passwd
+- - file_groupowner_etc_passwd
+-
+- # chmod 644 /etc/passwd
+- - file_permissions_etc_passwd
+-
+- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+- # chown root:root /etc/shadow
+- - file_owner_etc_shadow
+- - file_groupowner_etc_shadow
+-
+- # chmod o-rwx,g-wx /etc/shadow
+- - file_permissions_etc_shadow
+-
+- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+- # chown root:root /etc/group
+- - file_owner_etc_group
+- - file_groupowner_etc_group
+-
+- # chmod 644 /etc/group
+- - file_permissions_etc_group
+-
+- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+- # chown root:root /etc/gshadow
+- - file_owner_etc_gshadow
+- - file_groupowner_etc_gshadow
+-
+- # chmod o-rwx,g-rw /etc/gshadow
+- - file_permissions_etc_gshadow
+-
+- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+- # chown root:root /etc/passwd-
+- - file_owner_backup_etc_passwd
+- - file_groupowner_backup_etc_passwd
+-
+- # chmod 644 /etc/passwd-
+- - file_permissions_backup_etc_passwd
+-
+- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+- # chown root:root /etc/shadow-
+- - file_owner_backup_etc_shadow
+- - file_groupowner_backup_etc_shadow
+-
+- # chmod 0000 /etc/shadow-
+- - file_permissions_backup_etc_shadow
+-
+- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+- # chown root:root /etc/group-
+- - file_owner_backup_etc_group
+- - file_groupowner_backup_etc_group
+-
+- # chmod 644 /etc/group-
+- - file_permissions_backup_etc_group
+-
+- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+- # chown root:root /etc/gshadow-
+- - file_owner_backup_etc_gshadow
+- - file_groupowner_backup_etc_gshadow
+-
+- # chmod 0000 /etc/gshadow-
+- - file_permissions_backup_etc_gshadow
+-
+- ### 6.1.10 Ensure no world writable files exist (Scored)
+- - file_permissions_unauthorized_world_writable
+-
+- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+- - no_files_unowned_by_user
+-
+- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+- - file_permissions_ungroupowned
+-
+- ### 6.1.13 Audit SUID executables (Not Scored)
+- - file_permissions_unauthorized_suid
+-
+- ### 6.1.14 Audit SGID executables (Not Scored)
+- - file_permissions_unauthorized_sgid
+-
+- ## 6.2 User and Group Settings
+-
+- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+- - no_legacy_plus_entries_etc_passwd
+-
+- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+- - no_legacy_plus_entries_etc_shadow
+-
+- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+- - no_legacy_plus_entries_etc_group
+-
+- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+- - accounts_no_uid_except_zero
+-
+- ### 6.2.7 Ensure users' home directories permissions are 750
+- ### or more restrictive (Scored)
+- - file_permissions_home_dirs
+-
+- ### 6.2.8 Ensure users own their home directories (Scored)
+- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+- - file_groupownership_home_directories
+-
+- ### 6.2.9 Ensure users' dot files are not group or world
+- ### writable (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+-
+- ### 6.2.10 Ensure no users have .forward files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+-
+- ### 6.2.11 Ensure no users have .netrc files (Scored)
+- - no_netrc_files
+-
+- ### 6.2.12 Ensure users' .netrc Files are not group or
+- ### world accessible (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+-
+- ### 6.2.13 Ensure no users have .rhosts files (Scored)
+- - no_rsh_trust_files
+-
+- ### 6.2.14 Ensure all groups in /etc/passwd exist in
+- ### /etc/group (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+-
+- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+-
+- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+-
+- ### 6.2.17 Ensure no duplicate user names exist (Scored)
+- - account_unique_name
+-
+- ### 6.2.18 Ensure no duplicate group names exist (Scored)
+- # NEEDS RULE -
https://github.com/ComplianceAsCode/content/issues/5500 +- +- ### 6.2.19 Ensure shadow group is empty (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 +- +- ### 6.2.20 Ensure all users' home directories exist (Scored) +- - accounts_user_interactive_home_directory_exists ++ - cis_rhel8:all:l2_server +diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile +new file mode 100644 +index 00000000000..7b4518e15a5 +--- /dev/null ++++ b/products/rhel8/profiles/cis_server_l1.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 1 - Server" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. ++ ++selections: ++ - cis_rhel8:all:l1_server +diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile +new file mode 100644 +index 00000000000..230e4c2f0ba +--- /dev/null ++++ b/products/rhel8/profiles/cis_workstation_l1.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 1 - Workstation" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. 
++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. ++ ++selections: ++ - cis_rhel8:all:l1_workstation +diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile +new file mode 100644 +index 00000000000..c0d1698c2f0 +--- /dev/null ++++ b/products/rhel8/profiles/cis_workstation_l2.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 2 - Workstation" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. 
++ ++selections: ++ - cis_rhel8:all:l2_workstation + +From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 1 Jul 2021 16:35:19 +0100 +Subject: [PATCH 02/55] Add CIS control file for RHEL 8 + +--- + controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 758 insertions(+) + create mode 100644 controls/cis_rhel8.yml + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +new file mode 100644 +index 00000000000..a84bb078e34 +--- /dev/null ++++ b/controls/cis_rhel8.yml +@@ -0,0 +1,758 @@ ++policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' ++title: 'CIS Benchmark for Red Hat Enterprise Linux 8' ++id: cis_rhel8 ++version: '1.0.1' ++source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux ++levels: ++ - id: l1_server ++ - id: l2_server ++ inherits_from: ++ - l1_server ++ - id: l1_workstation ++ - id: l2_workstation ++ inherits_from: ++ - l1_workstation ++ ++controls: ++ - id: reload_dconf_db ++ title: Reload Dconf database ++ levels: ++ - l1_server ++ - l1_workstation ++ notes: <- ++ This is a helper rule to reload Dconf datbase correctly. 
++ automated: yes ++ rules: ++ - dconf_db_up_to_date ++ ++ - id: 1.1.1.1 ++ title: Ensure mounting of cramfs filesystems is disabled (Automated) ++ levels: ++ - l1_workstation ++ - l1_server ++ automated: yes ++ rules: ++ - kernel_module_cramfs_disabled ++ ++ - id: 1.1.1.2 ++ title: Ensure mounting of vFAT filesystems is limited (Manual) ++ levels: ++ - l2_workstation ++ - l2_server ++ automated: no ++ related_rules: ++ - kernel_module_vfat_disabled ++ ++ - id: 1.1.1.3 ++ title: Ensure mounting of squashfs filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_squashfs_disabled ++ ++ - id: 1.1.1.4 ++ title: Ensure mounting of udf filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_udf_disabled ++ ++ - id: 1.1.2 ++ title: Ensure /tmp is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - partition_for_tmp ++ ++ - id: 1.1.3 ++ title: Ensure nodev option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nodev ++ ++ - id: 1.1.4 ++ title: Ensure nosuid option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nosuid ++ ++ - id: 1.1.5 ++ title: Ensure noexec option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_noexec ++ ++ - id: 1.1.6 ++ title: Ensure separate partition exists for /var (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var ++ ++ - id: 1.1.7 ++ title: Ensure separate partition exists for /var/tmp (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_tmp ++ ++ - id: 1.1.8 ++ title: Ensure nodev option set on 
/var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nodev ++ ++ - id: 1.1.9 ++ title: Ensure nosuid option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nosuid ++ ++ - id: 1.1.10 ++ title: Ensure noexec option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_noexec ++ ++ - id: 1.1.11 ++ title: Ensure separate partition exists for /var/log (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log ++ ++ - id: 1.1.12 ++ title: Ensure separate partition exists for /var/log/audit (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log_audit ++ ++ - id: 1.1.13 ++ title: Ensure separate partition exists for /home (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_home ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on /home partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_home_nodev ++ ++ - id: 1.1.15 ++ title: Ensure nodev option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nodev ++ ++ - id: 1.1.16 ++ title: Ensure nosuid option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nosuid ++ ++ - id: 1.1.17 ++ title: Ensure noexec option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_noexec ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: no ++ rules: ++ - mount_option_nodev_removable_partitions ++ ++ - id: 1.1.19 ++ title: Ensure nosuid option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_nosuid_removable_partitions ++ ++ - id: 1.1.20 ++ title: Ensure noexec option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_noexec_removable_partitions ++ ++ - id: 1.1.22 ++ title: Disable Automounting (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_autofs_disabled ++ ++ - id: 1.1.23 ++ title: Disable USB Storage (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_usb-storage_disabled ++ ++ - id: 1.2.1 ++ title: Ensure Red Hat Subscription Manager connection is configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.2.2 ++ title: Disable the rhnsd Daemon (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - service_rhnsd_disabled ++ ++ - id: 1.2.3 ++ title: Ensure GPG keys are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - ensure_redhat_gpgkey_installed ++ ++ - id: 1.2.4 ++ title: Ensure gpgcheck is globally activated (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - ensure_gpgcheck_globally_activated ++ ++ - id: 1.2.5 ++ title: Ensure package manager repositories are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.3.1 ++ title: Ensure sudo is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_sudo_installed ++ ++ - id: 1.3.2 ++ title: Ensure sudo commands use pty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ 
automated: yes ++ rules: ++ - sudo_add_use_pty ++ ++ - id: 1.3.3 ++ title: Ensure sudo log file exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sudo_custom_logfile ++ ++ - id: 1.4.1 ++ title: Ensure AIDE is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_aide_installed ++ ++ - id: 1.4.2 ++ title: Ensure filesystem integrity is regularly checked (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - aide_periodic_cron_checking ++ ++ - id: 1.5.1 ++ title: Ensure permissions on bootloader config are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_owner_grub2_cfg ++ - file_groupowner_grub2_cfg ++ - file_permissions_grub2_cfg ++ ++ - id: 1.5.1 ++ title: Ensure bootloader password is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - grub2_password ++ ++ - id: 1.5.3 ++ title: Ensure authentication required for single user mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ ++ - id: 1.6.1 ++ title: Ensure core dumps are restricted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - disable_users_coredumps ++ - sysctl_fs_suid_dumpable ++ - coredump_disable_backtraces ++ - coredump_disable_storage ++ ++ - id: 1.6.2 ++ title: Ensure address space layout randomization (ASLR) is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_kernel_randomize_va_space ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - 
l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.2 ++ title: Ensure SELinux is not disabled in bootloader configuration (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_enable_selinux ++ ++ - id: 1.7.1.3 ++ title: Ensure SELinux policy is configured (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ - id: 1.7.1.4 ++ title: Ensure the SELinux state is enforcing (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_state=enforcing ++ - selinux_state ++ ++ - id: 1.7.1.5 ++ title: Ensure no unconfined services exist (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - selinux_confinement_of_daemons ++ ++ - id: 1.7.1.6 ++ title: Ensure SETroubleshoot is not installed (Automated) ++ levels: ++ - l2_server ++ automated: yes ++ rules: ++ - package_setroubleshoot_removed ++ ++ - id: 1.7.1.7 ++ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_mcstrans_removed ++ ++ - id: 1.8.1.1 ++ title: Ensure message of the day is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_motd ++ ++ - id: 1.8.1.2 ++ title: Ensure local login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_issue ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5225 ++ - id: 1.8.1.3 ++ title: Ensure remote login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.8.1.4 ++ title: Ensure permissions on /etc/motd are configured (Automated) ++ levels: ++ - 
l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_motd ++ ++ - id: 1.8.1.5 ++ title: Ensure permissions on /etc/issue are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_issue ++ ++ - id: 1.8.2 ++ title: Ensure GDM login banner is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - dconf_gnome_banner_enabled ++ - dconf_gnome_login_banner_text ++ ++ - id: 1.9 ++ title: Ensure updates, patches, and additional security software are installed (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - security_patches_up_to_date ++ ++ - id: 1.10 ++ title: Ensure system-wide crypto policy is not legacy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - configure_crypto_policy ++ ++ # This rule works in conjunction with the configure_crypto_policy above. ++ # If a system is remediated to CIS Level 1, just the rule above will apply ++ # and will enforce the default value for var_system_crypto_policy (DEFAULT). ++ # If the system is remediated to Level 2 then this rule will be selected, ++ # and the value applied by the rule above will will be overridden to ++ # FUTURE through the var_system_crypto_policy variable. 
++ - id: 1.11 ++ title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_system_crypto_policy=future ++ ++ - id: 2.1.1 ++ title: Ensure xinetd is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_xinetd_removed ++ ++ - id: 2.2.1.1 ++ title: Ensure time synchronization is in use (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - package_chrony_installed ++ ++ - id: 2.1.1 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user ++ ++ - id: 2.2.2 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ automated: yes ++ rules: ++ - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target ++ ++ - id: 2.2.3 ++ title: Ensure rsync service is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rsyncd_disabled ++ ++ - id: 2.2.4 ++ title: Ensure Avahi Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_avahi-daemon_disabled ++ ++ - id: 2.2.5 ++ title: Ensure SNMP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_snmpd_disabled ++ ++ - id: 2.2.6 ++ title: Ensure HTTP Proxy Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_squid_removed ++ ++ - id: 2.2.7 ++ title: Ensure Samba is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_smb_disabled ++ ++ - id: 2.2.8 ++ title: Ensure IMAP and POP3 server is not enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - service_dovecot_disabled ++ ++ - id: 2.2.9 ++ title: Ensure HTTP server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_httpd_disabled ++ ++ - id: 2.2.10 ++ title: Ensure FTP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_vsftpd_disabled ++ ++ - id: 2.2.11 ++ title: Ensure DNS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_named_disabled ++ ++ - id: 2.2.12 ++ title: Ensure NFS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_nfs_disabled ++ ++ - id: 2.2.13 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rpcbind_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5231 ++ - id: 2.2.14 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.15 ++ title: Ensure DHCP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_dhcpd_disabled ++ ++ - id: 2.2.16 ++ title: Ensure CUPS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_cups_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 ++ - id: 2.2.17 ++ title: Ensure NIS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.18 ++ title: Ensure mail transfer agent is configured for local-only mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - postfix_network_listening_disabled ++ ++ - id: 2.3.1 ++ title: Ensure NIS Client is not installed (Automated) 
++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_ypbind_removed ++ ++ - id: 2.3.2 ++ title: Ensure telnet client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_telnet_removed ++ ++ - id: 2.3.3 ++ title: Ensure LDAP client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_openldap-clients_removed + +From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 2 Jul 2021 20:47:49 +0100 +Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file + +--- + controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 726 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a84bb078e34..b63dc6cf9e1 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -712,8 +712,8 @@ controls: + rules: + - service_cups_disabled + +- # NEEDS RULE +- # https://github.com/ComplianceAsCode/content/issues/5232 ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 + - id: 2.2.17 + title: Ensure NIS Server is not enabled (Automated) + levels: +@@ -756,3 +756,727 @@ controls: + automated: yes + rules: + - package_openldap-clients_removed ++ ++ - id: 3.1.1 ++ title: Ensure IP forwarding is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_forwarding ++ ++ - id: 3.1.2 ++ title: Ensure packet redirect sending is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ - id: 3.2.1 ++ title: Ensure source routed packets are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - 
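Review bot: Several control ids in the new controls/cis_rhel8.yml collide or are mis-numbered, which matters because the id is what the `cis_rhel8:all:<level>` selections and the level-by-level variable override logic key on: `1.1.18` is used both for the /home nodev control (the surrounding sequence 1.1.13, 1.1.15 makes that one 1.1.14) and for the removable-media nodev control, `1.5.1` is used for both the bootloader-permissions and bootloader-password controls (the second should be 1.5.2, given 1.5.3 follows), the `1.7.1.1` SELinux block is pasted twice verbatim, and the chrony control is labelled `2.1.1`, colliding with the xinetd control (it sits between 2.2.1.1 and 2.2.2, so 2.2.1.2). Two titles also do not match their rules: `2.2.2` is titled "Ensure chrony is configured" but selects `package_xorg-x11-server-common_removed` and `xwindows_runlevel_target`, and `2.2.14` repeats the 2.2.13 title "Ensure RPC is not enabled" although, going by benchmark order, it is presumably the LDAP-server control; a mislabelled title silently hides a benchmark gap in generated reports and tables. Finally `notes: <-` on `reload_dconf_db` is not a YAML block-scalar indicator (`|-` or `>-` is), so the literal `<-` is folded into the note text; change it to `notes: |-` and fix the "datbase" typo on the following line.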
sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ ++ - id: 3.2.2 ++ title: Ensure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ - id: 3.2.3 ++ title: Ensure secure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ ++ - id: 3.2.4 ++ title: Ensure suspicious packets are logged (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians ++ ++ - id: 3.2.5 ++ title: Ensure broadcast ICMP requests are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ - id: 3.2.6 ++ title: Ensure bogus ICMP responses are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ ++ - id: 3.2.7 ++ title: Ensure Reverse Path Filtering is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.9 ++ title: Ensure IPv6 router advertisements are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra ++ ++ - id: 3.3.1 ++ title: Ensure DCCP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_dccp_disabled ++ ++ - id: 3.3.2 ++ title: Ensure SCTP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_sctp_disabled ++ ++ - id: 3.3.3 ++ title: Ensure RDS is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_rds_disabled ++ ++ - id: 3.3.4 ++ title: Ensure TIPC is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_tipc_disabled ++ ++ # NEEDS RULE ++ # This rule is currently quite opinionated and expects firewalld ++ # as the installed firewall package. But, as per the CIS control, ++ # this rule should also be satisfied by nftables or iptables. 
++ - id: 3.4.1.1 ++ title: Ensure a Firewall package is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_firewalld_installed ++ ++ - id: 3.4.2.1 ++ title: Ensure firewalld service is enabled and running (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_firewalld_enabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5238 ++ - id: 3.4.2.2 ++ title: Ensure iptables service is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5239 ++ - id: 3.4.2.3 ++ title: Ensure nftables is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.4 ++ title: Ensure firewalld default zone is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - set_firewalld_default_zone ++ ++ - id: 3.4.2.5 ++ title: Ensure network interfaces are assigned to appropriate zone (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.6 ++ title: Ensure firewalld drops unnecessary services and ports (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.3.1 ++ title: Ensure iptables are flushed with nftables (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5244 ++ - id: 3.4.3.2 ++ title: Ensure an nftables table exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5245 ++ - id: 3.4.3.3 ++ title: Ensure nftables base chains exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5246 
++ - id: 3.4.3.4 ++ title: Ensure nftables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.3.5 ++ title: Ensure nftables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5248 ++ - id: 3.4.3.6 ++ title: Ensure nftables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5249 ++ - id: 3.4.3.7 ++ title: Ensure nftables service is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5250 ++ - id: 3.4.3.8 ++ title: Ensure nftables rules are permanent (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5252 ++ - id: 3.4.4.1.1 ++ title: Ensure iptables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5253 ++ - id: 3.4.4.1.2 ++ title: Ensure iptables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.4.1.3 ++ title: Ensure iptables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5255 ++ - id: 3.4.4.1.4 ++ title: Ensure iptables firewall rules exist for all open ports (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7190 ++ - id: 3.4.4.1.5 ++ title: Ensure iptables is enabled and active 
(Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5257 ++ - id: 3.4.4.2.1 ++ title: Ensure ip6tables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5258 ++ - id: 3.4.4.2.2 ++ title: Ensure ip6tables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.4.2.3 ++ title: Ensure ip6tables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7191 ++ - id: 3.4.4.2.4 ++ title: Ensure ip6tables firewall rules exist for all open ports (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7192 ++ - id: 3.4.4.2.5 ++ title: Ensure ip6tables is enabled and active (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.5 ++ title: Ensure wireless interfaces are disabled (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - wireless_disable_interfaces ++ ++ - id: 3.6 ++ title: Disable IPv6 (Manual) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_ipv6_option_disabled ++ ++ - id: 4.1.1.1 ++ title: Ensure auditd is installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_audit_installed ++ ++ - id: 4.1.1.2 ++ title: Ensure auditd service is enabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_auditd_enabled ++ ++ - id: 4.1.1.3 ++ title: Ensure auditing for processes that start prior to auditd is enabled (Automated) ++ levels: ++ - 
l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_audit_argument ++ ++ - id: 4.1.1.4 ++ title: Ensure audit_backlog_limit is sufficient (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_audit_backlog_limit_argument ++ ++ - id: 4.1.2.1 ++ title: Ensure audit log storage size is configured (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_max_log_file ++ ++ - id: 4.1.2.2 ++ title: Ensure audit logs are not automatically deleted (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_max_log_file_action ++ ++ - id: 4.1.2.3 ++ title: Ensure system is disabled when audit logs are full (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_action_mail_acct ++ - auditd_data_retention_admin_space_left_action ++ - auditd_data_retention_space_left_action ++ - var_auditd_action_mail_acct=root ++ - var_auditd_admin_space_left_action=halt ++ - var_auditd_space_left_action=email ++ ++ - id: 4.1.3 ++ title: Ensure changes to system administration scope (sudoers) is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_sysadmin_actions ++ ++ - id: 4.1.4 ++ title: Ensure login and logout events are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_login_events_faillock ++ - audit_rules_login_events_lastlog ++ ++ - id: 4.1.5 ++ title: Ensure session initiation information is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_session_events ++ ++ - id: 4.1.6 ++ title: Ensure events that modify date and time information are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_time_adjtimex ++ - 
audit_rules_time_clock_settime ++ - audit_rules_time_settimeofday ++ - audit_rules_time_stime ++ - audit_rules_time_watch_localtime ++ ++ # NEEDS RULE ++ # -w /usr/share/selinux/ -p wa ++ # https://github.com/ComplianceAsCode/content/issues/5264 ++ - id: 4.1.7 ++ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_mac_modification ++ ++ - id: 4.1.8 ++ title: Ensure events that modify the system's network environment are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_networkconfig_modification ++ ++ - id: 4.1.9 ++ title: Ensure discretionary access control permission modification events are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_chown ++ - audit_rules_dac_modification_fchmod ++ - audit_rules_dac_modification_fchmodat ++ - audit_rules_dac_modification_fchown ++ - audit_rules_dac_modification_fchownat ++ - audit_rules_dac_modification_fremovexattr ++ - audit_rules_dac_modification_fsetxattr ++ - audit_rules_dac_modification_lchown ++ - audit_rules_dac_modification_lremovexattr ++ - audit_rules_dac_modification_lsetxattr ++ - audit_rules_dac_modification_removexattr ++ - audit_rules_dac_modification_setxattr ++ ++ - id: 4.1.10 ++ title: Ensure unsuccessful unauthorized file access attempts are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ # Opinionated selection ++ - 
audit_rules_unsuccessful_file_modification_open_by_handle_at ++ ++ - id: 4.1.11 ++ title: Ensure events that modify user/group information are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_shadow ++ ++ - id: 4.1.12 ++ title: Ensure successful file system mounts are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_media_export ++ ++ - id: 4.1.13 ++ title: Ensure use of privileged commands is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_privileged_commands ++ ++ - id: 4.1.14 ++ title: Ensure file deletion events by users are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_renameat ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlinkat ++ # Opinionated selection ++ - audit_rules_file_deletion_events_rmdir ++ ++ - id: 4.1.15 ++ title: Ensure kernel module loading and unloading is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_kernel_module_loading ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5516 ++ - id: 4.1.16 ++ title: Ensure system administrator actions (sudolog) are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: no ++ ++ - id: 4.1.17 ++ title: Ensure the audit configuration is immutable (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_immutable ++ ++ - id: 4.2.1.1 ++ title: Ensure rsyslog is installed (Automated) 
++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_rsyslog_installed ++ ++ - id: 4.2.1.2 ++ title: Ensure rsyslog Service is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rsyslog_enabled ++ ++ - id: 4.2.1.3 ++ title: Ensure rsyslog default file permissions configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - rsyslog_files_permissions ++ ++ - id: 4.2.1.4 ++ title: Ensure logging is configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 4.2.1.5 ++ title: Ensure rsyslog is configured to send logs to a remote log host (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - rsyslog_remote_loghost ++ ++ - id: 4.2.1.6 ++ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - rsyslog_nolisten ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5520 ++ - id: 4.2.2.1 ++ title: Ensure journald is configured to send logs to rsyslog (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5521 ++ - id: 4.2.2.2 ++ title: Ensure journald is configured to compress large log files (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5522 ++ - id: 4.2.2.3 ++ title: Ensure journald is configured to write logfiles to persistent disk (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5523 ++ - id: 4.2.3 ++ title: Ensure permissions on all logfiles are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - 
id: 4.3 ++ title: Ensure logrotate is configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no + +From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Sat, 3 Jul 2021 12:08:31 +0100 +Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file + +--- + controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 460 insertions(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index b63dc6cf9e1..85c821bc60d 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1480,3 +1480,463 @@ controls: + - l1_server + - l1_workstation + automated: no ++ ++ - id: 5.1.1 ++ title: Ensure cron daemon is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_crond_enabled ++ ++ - id: 5.1.2 ++ title: Ensure permissions on /etc/crontab are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_crontab ++ - file_owner_crontab ++ - file_permissions_crontab ++ ++ - id: 5.1.3 ++ title: Ensure permissions on /etc/cron.hourly are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_cron_hourly ++ - file_owner_cron_hourly ++ - file_permissions_cron_hourly ++ ++ - id: 5.1.4 ++ title: Ensure permissions on /etc/cron.daily are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_cron_daily ++ - file_owner_cron_daily ++ - file_permissions_cron_daily ++ ++ - id: 5.1.5 ++ title: Ensure permissions on /etc/cron.weekly are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_cron_weekly ++ - file_owner_cron_weekly ++ - file_permissions_cron_weekly ++ ++ - id: 5.1.6 ++ title: Ensure permissions on /etc/cron.monthly are configured (Automated) ++ levels: ++ - 
l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_cron_monthly ++ - file_owner_cron_monthly ++ - file_permissions_cron_monthly ++ ++ - id: 5.1.7 ++ title: Ensure permissions on /etc/cron.d are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_cron_d ++ - file_owner_cron_d ++ - file_permissions_cron_d ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7195 ++ - id: 5.1.8 ++ title: Ensure at/cron is restricted to authorized users (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 5.2.1 ++ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_sshd_config ++ - file_owner_sshd_config ++ - file_permissions_sshd_config ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7196 ++ - id: 5.2.2 ++ title: Ensure SSH access is limited (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # TODO ++ # Rule sets permissions to 0640 but benchmark wants it to be 0600 ++ # ++ # TODO ++ # Check owner of private keys in /etc/ssh is root:root ++ - id: 5.2.3 ++ title: Ensure permissions on SSH private host key files are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_sshd_private_key ++ ++ # TODO ++ # Check owner of public keys in /etc/ssh is root:root ++ - id: 5.2.4 ++ title: Ensure permissions on SSH public host key files are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_sshd_pub_key ++ ++ - id: 5.2.5 ++ title: Ensure SSH LogLevel is appropriate (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_set_loglevel_info ++ ++ - id: 5.2.6 ++ title: Ensure SSH X11 forwarding is disabled 
(Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_disable_x11_forwarding ++ ++ - id: 5.2.7 ++ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_max_auth_tries_value=4 ++ - sshd_set_max_auth_tries ++ ++ - id: 5.2.8 ++ title: Ensure SSH IgnoreRhosts is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_disable_rhosts ++ ++ - id: 5.2.9 ++ title: Ensure SSH HostbasedAuthentication is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - disable_host_auth ++ ++ - id: 5.2.10 ++ title: Ensure SSH root login is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_disable_root_login ++ ++ - id: 5.2.11 ++ title: Ensure SSH PermitEmptyPasswords is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_disable_empty_passwords ++ ++ - id: 5.2.12 ++ title: Ensure SSH PermitUserEnvironment is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_do_not_permit_user_env ++ ++ - id: 5.2.13 ++ title: Ensure SSH Idle Timeout Interval is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_idle_timeout_value=5_minutes ++ - sshd_set_idle_timeout ++ - sshd_set_keepalive_0 ++ - var_sshd_set_keepalive=0 ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5525 ++ - id: 5.2.14 ++ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 5.2.15 ++ title: Ensure SSH warning banner is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_enable_warning_banner ++ ++ # NEEDS RULE ++ # 
https://github.com/ComplianceAsCode/content/issues/5526 ++ - id: 5.2.16 ++ title: Ensure SSH PAM is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 5.2.17 ++ title: Ensure SSH AllowTcpForwarding is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - sshd_disable_tcp_forwarding ++ ++ - id: 5.2.18 ++ title: Ensure SSH MaxStartups is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_set_maxstartups ++ ++ - id: 5.2.19 ++ title: Ensure SSH MaxSessions is set to 4 or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sshd_set_max_sessions ++ - var_sshd_max_sessions=4 ++ ++ - id: 5.2.20 ++ title: Ensure system-wide crypto policy is not over-ridden (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - configure_ssh_crypto_policy ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5530 ++ - id: 5.3.1 ++ title: Create custom authselect profile (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5531 ++ - id: 5.3.2 ++ title: Select authselect profile (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5532 ++ - id: 5.3.2 ++ title: Ensure authselect includes with-faillock (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE: try_first_pass ++ # https://github.com/ComplianceAsCode/content/issues/5533 ++ - id: 5.4.1 ++ title: Ensure password creation requirements are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_password_pam_minclass ++ - accounts_password_pam_minlen ++ - accounts_password_pam_retry ++ - 
var_password_pam_minclass=4 ++ - var_password_pam_minlen=14 ++ ++ - id: 5.4.2 ++ title: Ensure lockout for failed password attempts is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_passwords_pam_faillock_deny ++ - accounts_passwords_pam_faillock_unlock_time ++ - var_accounts_passwords_pam_faillock_deny=5 ++ - var_accounts_passwords_pam_faillock_unlock_time=900 ++ ++ - id: 5.4.3 ++ title: Ensure password reuse is limited (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_password_pam_unix_remember ++ - var_password_pam_unix_remember=5 ++ ++ - id: 5.4.4 ++ title: Ensure password hashing algorithm is SHA-512 (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - set_password_hashing_algorithm_systemauth ++ ++ - id: 5.5.1.1 ++ title: Ensure password expiration is 365 days or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_maximum_age_login_defs ++ - var_accounts_maximum_age_login_defs=365 ++ ++ - id: 5.5.1.2 ++ title: Ensure minimum days between password changes is 7 or more (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_minimum_age_login_defs ++ - var_accounts_minimum_age_login_defs=7 ++ ++ - id: 5.5.1.3 ++ title: Ensure password expiration warning days is 7 or more (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_password_warn_age_login_defs ++ - var_accounts_password_warn_age_login_defs=7 ++ ++ # TODO ++ # Rule doesn't check list of users ++ - id: 5.5.1.4 ++ title: Ensure inactive password lock is 30 days or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - account_disable_post_pw_expiration ++ - var_account_disable_post_pw_expiration=30 ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5537 
++ - id: 5.5.1.5 ++ title: Ensure all users last password change date is in the past (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 5.5.2 ++ title: Ensure system accounts are secured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_shelllogin_for_systemaccounts ++ ++ - id: 5.5.3 ++ title: Ensure default user shell timeout is 900 seconds or less (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_tmout ++ - var_accounts_tmout=15_min ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5539 ++ - id: 5.5.4 ++ title: Ensure default group for the root account is GID 0 (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 5.5.5 ++ title: Ensure default user umask is 027 or more restrictive (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_umask_etc_bashrc ++ - accounts_umask_etc_profile ++ - var_accounts_user_umask=027 ++ ++ - id: 5.6 ++ title: Ensure root login is restricted to system console (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - no_direct_root_logins ++ - securetty_root_login_console_only ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5541 ++ - id: 5.7 ++ title: Ensure access to the su command is restricted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no + +From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Sat, 3 Jul 2021 12:33:15 +0100 +Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file + +--- + controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 325 insertions(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 85c821bc60d..bc77e25d122 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ 
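Review bot: The control id `5.3.2` is used twice in this hunk — for "Select authselect profile" and again for "Ensure authselect includes with-faillock" — so the two entries collide wherever controls are keyed by id; the second one should presumably be `- id: 5.3.3`, which is the benchmark's numbering for the with-faillock item (confirm against the CIS RHEL 8 document). Separately, 5.2.3 is marked `automated: yes` while its own TODO says the mapped rule enforces 0640 where the benchmark requires 0600, so a profile built from this file reports the control as covered although a host can pass the rule and still fail the benchmark; until the rule is aligned, `automated: no` with `file_permissions_sshd_private_key` moved under `related_rules:` states the coverage honestly. 5.5.1.4 has the same shape (TODO "Rule doesn't check list of users" under `automated: yes`) and deserves the same treatment or an explicit comment that partial coverage is accepted.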
-1940,3 +1940,328 @@ controls: + - l1_server + - l1_workstation + automated: no ++ ++ - id: 6.1.1 ++ title: Audit system file permissions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - rpm_verify_permissions ++ - rpm_verify_ownership ++ ++ - id: 6.1.2 ++ title: Ensure permissions on /etc/passwd are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_etc_passwd ++ - file_owner_etc_passwd ++ - file_permissions_etc_passwd ++ ++ - id: 6.1.3 ++ title: Ensure permissions on /etc/passwd- are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_backup_etc_passwd ++ - file_owner_backup_etc_passwd ++ - file_permissions_backup_etc_passwd ++ ++ - id: 6.1.4 ++ title: Ensure permissions on /etc/shadow are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_owner_etc_shadow ++ - file_groupowner_etc_shadow ++ - file_permissions_etc_shadow ++ ++ - id: 6.1.5 ++ title: Ensure permissions on /etc/shadow- are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_backup_etc_shadow ++ - file_owner_backup_etc_shadow ++ - file_permissions_backup_etc_shadow ++ ++ - id: 6.1.6 ++ title: Ensure permissions on /etc/gshadow are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_etc_gshadow ++ - file_owner_etc_gshadow ++ - file_permissions_etc_gshadow ++ ++ - id: 6.1.7 ++ title: Ensure permissions on /etc/gshadow- are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_backup_etc_gshadow ++ - file_owner_backup_etc_gshadow ++ - file_permissions_backup_etc_gshadow ++ ++ - id: 6.1.8 ++ title: Ensure permissions on /etc/group are configured (Automated) ++ levels: ++ - l1_server 
++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_etc_group ++ - file_owner_etc_group ++ - file_permissions_etc_group ++ ++ - id: 6.1.9 ++ title: Ensure permissions on /etc/group- are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupowner_backup_etc_group ++ - file_owner_backup_etc_group ++ - file_permissions_backup_etc_group ++ ++ - id: 6.1.10 ++ title: Ensure no world writable files exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_unauthorized_world_writable ++ ++ - id: 6.1.11 ++ title: Ensure no unowned files or directories exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_files_unowned_by_user ++ ++ - id: 6.1.12 ++ title: Ensure no ungrouped files or directories exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_ungroupowned ++ ++ - id: 6.1.13 ++ title: Audit SUID executables (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - file_permissions_unauthorized_suid ++ ++ - id: 6.1.14 ++ title: Audit SGID executables (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - file_permissions_unauthorized_sgid ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7197 ++ - id: 6.2.1 ++ title: Ensure password fields are not empty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.2 ++ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_legacy_plus_entries_etc_passwd ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7198 ++ - id: 6.2.3 ++ title: Ensure root PATH Integrity (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.4 ++ 
title: Ensure no legacy "+" entries exist in /etc/shadow (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_legacy_plus_entries_etc_shadow ++ ++ - id: 6.2.5 ++ title: Ensure no legacy "+" entries exist in /etc/group (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_legacy_plus_entries_etc_group ++ ++ - id: 6.2.6 ++ title: Ensure root is the only UID 0 account (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_no_uid_except_zero ++ ++ - id: 6.2.7 ++ title: Ensure users' home directories permissions are 750 or more restrictive (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_home_dirs ++ ++ # NEEDS RULE (for user ownership) ++ # https://github.com/ComplianceAsCode/content/issues/5507 ++ - id: 6.2.8 ++ title: Ensure users own their home directories (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_groupownership_home_directories ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5506 ++ - id: 6.2.9 ++ title: Ensure users' dot files are not group or world writable (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5505 ++ - id: 6.2.10 ++ title: Ensure no users have .forward files (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.11 ++ title: Ensure no users have .netrc files (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_netrc_files ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5504 ++ - id: 6.2.12 ++ title: Ensure users' .netrc Files are not group or world accessible (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.13 ++ title: Ensure no users have 
.rhosts files (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - no_rsh_trust_files ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5503 ++ - id: 6.2.14 ++ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5502 ++ - id: 6.2.15 ++ title: Ensure no duplicate UIDs exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5501 ++ - id: 6.2.16 ++ title: Ensure no duplicate GIDs exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.17 ++ title: Ensure no duplicate user names exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - account_unique_name ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5500 ++ - id: 6.2.18 ++ title: Ensure no duplicate group names exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5499 ++ - id: 6.2.19 ++ title: Ensure shadow group is empty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 6.2.20 ++ title: Ensure shadow group is empty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - accounts_user_interactive_home_directory_exists + +From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Sat, 3 Jul 2021 12:36:01 +0100 +Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint + +--- + controls/cis_rhel8.yml | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index bc77e25d122..161a2aac58e 100644 +--- 
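Review bot: Control `6.2.20` carries the title "Ensure shadow group is empty (Automated)" copied from 6.2.19, but the rule it maps, `accounts_user_interactive_home_directory_exists`, checks that users' home directories exist, so every generated report would misdescribe this control; it should read `title: Ensure all users' home directories exist (Automated)` (confirm the exact wording against the benchmark). Also 6.1.13 and 6.1.14 are `automated: no` yet list their rule under `rules:` rather than `related_rules:`, unlike 6.1.1 in the same hunk, so whether those rules are selected into an automated profile depends on how the loader treats `rules:` on a manual control; using `related_rules:` for all three keeps the semantics consistent. 6.2.8 is flagged `automated: yes` while its comment says the user-ownership check still NEEDS RULE, so the group-ownership rule alone is presented as full coverage of that item.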
a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1,3 +1,4 @@ ++--- + policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' + title: 'CIS Benchmark for Red Hat Enterprise Linux 8' + id: cis_rhel8 +@@ -1597,7 +1598,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - file_permissions_sshd_private_key ++ - file_permissions_sshd_private_key + + # TODO + # Check owner of public keys in /etc/ssh is root:root +@@ -1608,7 +1609,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - file_permissions_sshd_pub_key ++ - file_permissions_sshd_pub_key + + - id: 5.2.5 + title: Ensure SSH LogLevel is appropriate (Automated) +@@ -1617,7 +1618,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - sshd_set_loglevel_info ++ - sshd_set_loglevel_info + + - id: 5.2.6 + title: Ensure SSH X11 forwarding is disabled (Automated) +@@ -1626,7 +1627,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - sshd_disable_x11_forwarding ++ - sshd_disable_x11_forwarding + + - id: 5.2.7 + title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + +From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 9 Jul 2021 00:11:57 +0100 +Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR + +--- + controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++------------- + 1 file changed, 31 insertions(+), 14 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 161a2aac58e..c93d6128ca4 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -170,7 +170,7 @@ controls: + rules: + - partition_for_home + +- - id: 1.1.18 ++ - id: 1.1.14 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server +@@ -212,7 +212,7 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - mount_option_nodev_removable_partitions + + - id: 1.1.19 +@@ -221,7 +221,7 @@ controls: + - l1_server + - l1_workstation + 
automated: no +- rules: ++ related_rules: + - mount_option_nosuid_removable_partitions + + - id: 1.1.20 +@@ -230,9 +230,18 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - mount_option_noexec_removable_partitions + ++ - id: 1.1.21 ++ title: Ensure sticky bit is set on all world-writable directories (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - dir_perms_world_writable_sticky_bits ++ + - id: 1.1.22 + title: Disable Automounting (Automated) + levels: +@@ -348,7 +357,7 @@ controls: + - file_groupowner_grub2_cfg + - file_permissions_grub2_cfg + +- - id: 1.5.1 ++ - id: 1.5.2 + title: Ensure bootloader password is set (Automated) + levels: + - l1_server +@@ -356,6 +365,7 @@ controls: + automated: yes + rules: + - grub2_password ++ - grub2_uefi_password + + - id: 1.5.3 + title: Ensure authentication required for single user mode (Automated) +@@ -397,15 +407,6 @@ controls: + rules: + - package_libselinux_installed + +- - id: 1.7.1.1 +- title: Ensure SELinux is installed (Automated) +- levels: +- - l2_server +- - l2_workstation +- automated: yes +- rules: +- - package_libselinux_installed +- + - id: 1.7.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) + levels: +@@ -469,6 +470,7 @@ controls: + automated: yes + rules: + - banner_etc_motd ++ - login_banner_text=usgcb_default + + - id: 1.8.1.2 + title: Ensure local login warning banner is configured properly (Automated) +@@ -478,6 +480,7 @@ controls: + automated: yes + rules: + - banner_etc_issue ++ - login_banner_text=usgcb_default + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5225 +@@ -495,6 +498,8 @@ controls: + - l1_workstation + automated: yes + rules: ++ - file_groupowner_etc_motd ++ - file_owner_etc_motd + - file_permissions_etc_motd + + - id: 1.8.1.5 +@@ -504,8 +509,19 @@ controls: + - l1_workstation + automated: yes + rules: ++ - file_groupowner_etc_issue ++ - 
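Review bot: The variable selection `login_banner_text=usgcb_default` is added identically under 1.8.1.1 and 1.8.1.2 here and again under 1.8.2 in the following hunk, so the same variable is declared by three controls at the same level; if the control loader resolves variables per level by skipping a control whose variable is already defined, the later two controls — together with `banner_etc_issue` and the dconf rules — would drop out of the built profile, so this should be confirmed against the loader before relying on it. Declaring the selection once (for example only on 1.8.1.1) and leaving the other two controls with just their rules avoids the question entirely. There is also no note on why the CIS profile adopts the USGCB default text; a one-line comment above the first occurrence, such as `# banner text selector shared by 1.8.1.1, 1.8.1.2 and 1.8.2`, would record the intent for the next editor.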
file_owner_etc_issue
+ - file_permissions_etc_issue
+
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7225
++ - id: 1.8.1.6
++ title: Ensure permissions on /etc/issue.net are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
+ - id: 1.8.2
+ title: Ensure GDM login banner is configured (Automated)
+ levels:
+@@ -515,6 +531,7 @@ controls:
+ rules:
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
++ - login_banner_text=usgcb_default
+
+ - id: 1.9
+ title: Ensure updates, patches, and additional security software are installed (Manual)
+
+From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 14:21:02 +0100
+Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional
+ on merge of #7226)
+
+---
+ controls/cis_rhel8.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index c93d6128ca4..9140711fb66 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -550,6 +550,7 @@ controls:
+ automated: yes
+ rules:
+ - configure_crypto_policy
++ - var_system_crypto_policy=default
+
+ # This rule works in conjunction with the configure_crypto_policy above.
+ # If a system is remediated to CIS Level 1, just the rule above will apply
+
+From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 14:34:41 +0100
+Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules
+
+---
+ controls/cis_rhel8.yml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 9140711fb66..782dc7666f3 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -585,7 +585,7 @@ controls:
+ related_rules:
+ - package_chrony_installed
+
+- - id: 2.1.1
++ - id: 2.2.1.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+@@ -597,13 +597,12 @@ controls:
+ - chronyd_run_as_chrony_user
+
+ - id: 2.2.2
+- title: Ensure chrony is configured (Automated)
++ title: Ensure X Window System is not installed (Automated)
+ levels:
+ - l1_server
+ automated: yes
+ rules:
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
++ - xwindows_remove_packages
+
+ - id: 2.2.3
+ title: Ensure rsync service is not enabled (Automated)
+@@ -639,7 +638,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - package_squid_removed
++ - package_squid_disabled
+
+ - id: 2.2.7
+ title: Ensure Samba is not enabled (Automated)
+@@ -707,7 +706,7 @@ controls:
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5231
+ - id: 2.2.14
+- title: Ensure RPC is not enabled (Automated)
++ title: Ensure LDAP server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+@@ -748,6 +747,7 @@ controls:
+ automated: yes
+ rules:
+ - postfix_network_listening_disabled
++ - var_postfix_inet_interfaces=loopback-only
+
+ - id: 2.3.1
+ title: Ensure NIS Client is not installed (Automated)
+
+From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 15:03:09 +0100
+Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3
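Review bot: `var_system_crypto_policy=default` is selected inside the Level 1 control, and the context lines right below say a Level 2 control builds on the same `configure_crypto_policy` rule, so the Level 2 profile only ends up with its stricter policy if its own selection of this variable overrides this one; the subject line ties that to the level-override behaviour from #7226, which the control file itself gives no hint of. A comment beside the new line would keep a later reader from "correcting" the value or reordering the controls, e.g. `- var_system_crypto_policy=default  # DEFAULT satisfies 1.10 (not LEGACY); the Level 2 control re-selects this variable and must win when levels are merged`. The enclosing control starts outside the hunk.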
rules
+
+---
+ controls/cis_rhel8.yml | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 782dc7666f3..1d34337411f 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -785,6 +785,7 @@ controls:
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+
+ - id: 3.1.2
+ title: Ensure packet redirect sending is disabled (Automated)
+@@ -804,9 +805,13 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+
+ - id: 3.2.2
+ title: Ensure ICMP redirects are not accepted (Automated)
+@@ -816,9 +821,13 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+
+ - id: 3.2.3
+ title: Ensure secure ICMP redirects are not accepted (Automated)
+@@ -828,7 +837,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
++ -
sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+
+ - id: 3.2.4
+ title: Ensure suspicious packets are logged (Automated)
+@@ -838,7 +849,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+
+ - id: 3.2.5
+ title: Ensure broadcast ICMP requests are ignored (Automated)
+@@ -848,6 +861,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+
+ - id: 3.2.6
+ title: Ensure bogus ICMP responses are ignored (Automated)
+@@ -857,6 +871,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+
+ - id: 3.2.7
+ title: Ensure Reverse Path Filtering is enabled (Automated)
+@@ -866,7 +881,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+
+ - id: 3.2.8
+ title: Ensure TCP SYN Cookies is enabled (Automated)
+@@ -876,15 +893,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+-
+- - id: 3.2.8
+- title: Ensure TCP SYN Cookies is enabled (Automated)
+- levels:
+- - l1_server
+- - l1_workstation
+- automated: yes
+- rules:
+- - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+
+ - id: 3.2.9
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
+@@ -894,7 +903,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+
+ - id: 3.3.1
+ title:
Ensure DCCP is disabled (Automated)
+
+From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 20 Jul 2021 08:43:10 +0100
+Subject: [PATCH 11/55] Update controls/cis_rhel8.yml
+
+Co-authored-by: vojtapolasek
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 1d34337411f..2acf9aef28d 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -638,7 +638,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - package_squid_disabled
++ - service_squid_disabled
+
+ - id: 2.2.7
+ title: Ensure Samba is not enabled (Automated)
+
+From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 30 Jul 2021 22:13:25 +0100
+Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 2acf9aef28d..e63fc57ddea 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -351,7 +351,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # This rule, as implemented here, does not check for a user.cfg file
+ rules:
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+
+From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 30 Jul 2021 22:19:14 +0100
+Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1
+
+---
+ controls/cis_rhel8.yml | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index e63fc57ddea..2163655d9d3 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -353,8 +353,11 @@ controls:
+ - l1_workstation
+ automated: partially # This rule, as implemented here, does not check for a
user.cfg file
+ rules:
+- - file_owner_grub2_cfg
++ - file_groupowner_efi_grub2_cfg
+ - file_groupowner_grub2_cfg
++ - file_owner_efi_grub2_cfg
++ - file_owner_grub2_cfg
++ - file_permissions_efi_grub2_cfg
+ - file_permissions_grub2_cfg
+
+ - id: 1.5.2
+
+From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:11:38 +0100
+Subject: [PATCH 14/55] Update controls/cis_rhel8.yml
+
+Co-authored-by: vojtapolasek
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 2163655d9d3..aa9c2b6c809 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1655,7 +1655,7 @@ controls:
+ - id: 5.2.6
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+ levels:
+- - l1_server
++ - l2_server
+ - l1_workstation
+ automated: yes
+ rules:
+
+From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:22:44 +0100
+Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action
+
+---
+ controls/cis_rhel8.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index aa9c2b6c809..af874fd789e 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1234,6 +1234,7 @@ controls:
+ automated: yes
+ rules:
+ - auditd_data_retention_max_log_file_action
++ - var_auditd_max_log_file_action=keep_logs
+
+ - id: 4.1.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+
+From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:31:20 +0100
+Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6
+
+---
+ controls/cis_rhel8.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index af874fd789e..af1314325ab 100644
+---
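Review bot: The 1.5.1 hunk puts the three `*_efi_grub2_cfg` rules next to their BIOS counterparts in the same control, so on a BIOS-booted host the EFI grub.cfg path does not exist and the outcome of the control depends on whether those rules carry a UEFI platform applicability check — if they do not, every BIOS system fails 1.5.1 outright. That assumption is worth confirming against the rule definitions before the profile ships, and recording it in the inline comment, which after this hunk still says `This rule` for a list of six rules, e.g. `automated: partially # These rules do not check for a user.cfg file; the *_efi_* variants are expected to apply only on UEFI hosts`. The 1.5.1 control starts outside the hunk.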
a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1225,6 +1225,7 @@ controls:
+ automated: yes
+ rules:
+ - auditd_data_retention_max_log_file
++ - var_auditd_max_log_file=6
+
+ - id: 4.1.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+
+From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:36:48 +0100
+Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not
+ directly align with CIS
+
+---
+ controls/cis_rhel8.yml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index af1314325ab..a81a9ef4605 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1284,11 +1284,10 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: yes
++ automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
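Review bot: The new line `var_auditd_max_log_file=6` sets, if I recall the rule correctly, auditd's `max_log_file` — the size limit of a single log file in megabytes — whereas the commit subject describes it as the number of logs to keep, which is the separate `num_logs` setting. The value is consistent with the control the hunk sits in (4.1.2.1 is about audit log storage size), but the mismatch between subject and effect invites a later "correction"; an inline comment would pin the meaning, e.g. `- var_auditd_max_log_file=6  # max_log_file: size of each log file in MB, not the log count (num_logs)`. The enclosing 4.1.2.1 control starts outside the hunk.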
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+- - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+
+
+From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:37:25 +0100
+Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve
+ full automation
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index a81a9ef4605..cba86f40c9e 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1299,7 +1299,7 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: yes
++ automated: partial
+ rules:
+ - audit_rules_mac_modification
+
+
+From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:38:54 +0100
+Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not
+ align with the benchmark
+
+---
+ controls/cis_rhel8.yml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index cba86f40c9e..6e8c5cf10f0 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1345,8 +1345,6 @@ controls:
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+- # Opinionated selection
+- - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+ - id: 4.1.11
+ title: Ensure events that modify user/group information are collected (Automated)
+
+From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:41:13 +0100
+Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation
+ key
+
+---
+ controls/cis_rhel8.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git
a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 6e8c5cf10f0..829f0515cb0 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1284,7 +1284,7 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
++ automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
+ rules:
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+@@ -1299,7 +1299,7 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: partial
++ automated: partially
+ rules:
+ - audit_rules_mac_modification
+
+
+From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:42:57 +0100
+Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not
+ align exactly with the benchmark
+
+---
+ controls/cis_rhel8.yml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 829f0515cb0..76a7c8bbfa9 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1373,8 +1373,9 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: yes
+- rules:
++ automated: no
++ related_rules:
++ # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
+ - audit_rules_privileged_commands
+
+ - id: 4.1.14
+
+From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:44:03 +0100
+Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not
+ align with the benchmark
+
+---
+ controls/cis_rhel8.yml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 76a7c8bbfa9..e6a53516666 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1389,8 +1389,6 @@ controls:
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+- # Opinionated selection
+- - audit_rules_file_deletion_events_rmdir
+
+ - id: 4.1.15
+ title: Ensure kernel module loading and unloading is collected (Automated)
+
+From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:47:53 +0100
+Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does
+ not align with the benchmark
+
+---
+ controls/cis_rhel8.yml | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index e6a53516666..327400abd65 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1435,14 +1435,15 @@ controls:
+ rules:
+ - service_rsyslog_enabled
+
++ # NEEDS RULE
++ # The rsyslog_files_permissions rule is not sufficient
++ # https://github.com/ComplianceAsCode/content/issues/7332
+ - id: 4.2.1.3
+ title: Ensure rsyslog default file permissions configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
+- - rsyslog_files_permissions
++ automated: no
+
+ - id: 4.2.1.4
+ title: Ensure logging is configured (Manual)
+
+From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:52:17 +0100
+Subject: [PATCH 24/55]
Disable 4.2.1.5 and 5.2.3 as they do not align
+ perfectly with the benchmark
+
+---
+ controls/cis_rhel8.yml | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 327400abd65..f5a8ce45848 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1452,14 +1452,15 @@ controls:
+ - l1_workstation
+ automated: no
+
++ # NEEDS RULE
++ # The rsyslog_remote_loghost rule is not sufficient
++ # https://github.com/ComplianceAsCode/content/issues/7333
+ - id: 4.2.1.5
+ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
+- - rsyslog_remote_loghost
++ automated: no
+
+ - id: 4.2.1.6
+ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
+@@ -1617,19 +1618,15 @@ controls:
+ - l1_workstation
+ automated: no
+
+- # TODO
+- # Rule sets permissions to 0640 but benchmark wants it to be 0600
+- #
+- # TODO
+- # Check owner of private keys in /etc/ssh is root:root
++ # NEEDS RULE
++ # The file_permissions_sshd_private_key rule is not aligned with the benchmark
++ # https://github.com/ComplianceAsCode/content/issues/7334
+ - id: 5.2.3
+ title: Ensure permissions on SSH private host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
+- - file_permissions_sshd_private_key
++ automated: no
+
+ # TODO
+ # Check owner of public keys in /etc/ssh is root:root
+
+From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:53:10 +0100
+Subject: [PATCH 25/55] 5.2.4 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index f5a8ce45848..0e3fa99d32e 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@
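Review bot: In the 5.2.3 hunk the new comment `The file_permissions_sshd_private_key rule is not aligned with the benchmark` drops the concrete reason the old TODO recorded — the rule enforces 0640 where the benchmark wants 0600, and ownership of the private keys is not checked at all — which is exactly what the linked issue has to be resolved against and what a reviewer of any future re-enable needs to see. Keeping the specific gap costs one line, e.g. `# The file_permissions_sshd_private_key rule enforces 0640; the benchmark expects 0600, and root:root ownership is still unchecked`. The same applies to the 4.2.1.5 hunk earlier in this patch, whose `is not sufficient` does not say what the rule is missing.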
-1635,7 +1635,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially
+ rules:
+ - file_permissions_sshd_pub_key
+
+
+From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:55:32 +0100
+Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used
+ properly
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 0e3fa99d32e..439b3265fe9 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1721,7 +1721,7 @@ controls:
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+- - sshd_set_keepalive_0
++ - sshd_set_keepalive
+ - var_sshd_set_keepalive=0
+
+ # NEEDS RULE
+
+From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 08:47:24 +0100
+Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely
+ with CIS benchmark
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 439b3265fe9..92ac0dd85c5 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -595,9 +595,9 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
++ - var_multiple_time_servers=rhel
+
+ - id: 2.2.2
+ title: Ensure X Window System is not installed (Automated)
+
+From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 08:54:14 +0100
+Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file
+
+---
+ controls/cis_rhel8.yml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 92ac0dd85c5..565974817f1 100644
+---
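Review bot: The switch to `sshd_set_keepalive` with `var_sshd_set_keepalive=0` in the idle-timeout hunk relies on ClientAliveCountMax=0 terminating a session after the first missed keepalive; that is the pre-8.2 OpenSSH behaviour, and as far as I recall OpenSSH 8.2 changed 0 to mean "never terminate", so the same pair of selections silently stops enforcing the idle timeout on a newer sshd (this SRPM is built for el9 even though the file targets RHEL 8). If the benchmark version this file tracks prescribes 0, a comment should say so and flag the semantics, e.g. `- var_sshd_set_keepalive=0  # value per the benchmark text; on OpenSSH >= 8.2 a count of 0 disables termination, re-check when the benchmark is updated`. The enclosing control starts outside the hunk.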
a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1645,7 +1645,12 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: yes
++ # The CIS benchmark is not opinionated about which loglevel is selected
++ # here. Here, this profile uses VERBOSE by default, as it allows for
++ # the capture of login and logout activity as well as key fingerprints.
+ rules:
++ - sshd_set_loglevel_verbose
++ related_rules:
+ - sshd_set_loglevel_info
+
+ - id: 5.2.6
+
+From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:00:17 +0100
+Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses
+ wrong path)
+
+---
+ controls/cis_rhel8.yml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 565974817f1..53f024fffea 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1738,14 +1738,16 @@ controls:
+ - l1_workstation
+ automated: no
+
++ # NEEDS RULE
++ # The current sshd_enable_warning_banner rule uses /etc/issue instead
++ # of the /etc/issue.net that the benchmark expects.
++ #
+ - id: 5.2.15
+ title: Ensure SSH warning banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
+- - sshd_enable_warning_banner
++ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5526
+
+From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:00:48 +0100
+Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups
+ rule in RHEL 8 CIS profile
+
+---
+ controls/cis_rhel8.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 53f024fffea..3345a37d098 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1775,6 +1775,7 @@ controls:
+ automated: yes
+ rules:
+ - sshd_set_maxstartups
++ - var_sshd_set_maxstartups=10:30:60
+
+ - id: 5.2.19
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+
+From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:19:43 +0100
+Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits
+ for vs the one in the control title
+
+---
+ controls/cis_rhel8.yml | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 3345a37d098..3b6219f3296 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1777,6 +1777,13 @@ controls:
+ - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
+
++ # The title of this control does not appear to match the suggested audit and
++ # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
++ # value from the audit and remediation sections of the benchmark rather than
++ # from the title.
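Review bot: The NEEDS RULE block added for 5.2.15 is the only one in this series without a tracking reference — the other blocks (4.2.1.3, 4.2.1.5 and 5.2.3 in the preceding patches) each link a ComplianceAsCode issue — and it ends in a bare `#` line that carries nothing. Either link the issue that tracks an /etc/issue.net variant of `sshd_enable_warning_banner`, or replace the empty comment line with a TODO naming the missing rule, e.g. `# TODO: needs a rule that sets Banner /etc/issue.net`, so the gap is not lost once the profile is published. The 5.2.15 control is fully inside the hunk.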
++ #
++ # An upstream ticket has been opened about this issue:
++ # https://workbench.cisecurity.org/community/14/tickets/13414
+ - id: 5.2.19
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+ levels:
+@@ -1785,7 +1792,7 @@ controls:
+ automated: yes
+ rules:
+ - sshd_set_max_sessions
+- - var_sshd_max_sessions=4
++ - var_sshd_max_sessions=10
+
+ - id: 5.2.20
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
+
+From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:20:45 +0100
+Subject: [PATCH 32/55] Fix rule ID for 5.3.3
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 3b6219f3296..55c8378529d 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1823,7 +1823,7 @@ controls:
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5532
+- - id: 5.3.2
++ - id: 5.3.3
+ title: Ensure authselect includes with-faillock (Automated)
+ levels:
+ - l1_server
+
+From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:23:40 +0100
+Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2
+
+---
+ controls/cis_rhel8.yml | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 55c8378529d..c7f651994d6 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1845,17 +1845,14 @@ controls:
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7337
+ - id: 5.4.2
+ title: Ensure lockout for failed password attempts is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
+- - accounts_passwords_pam_faillock_deny
+- - accounts_passwords_pam_faillock_unlock_time
+- - var_accounts_passwords_pam_faillock_deny=5
+- - var_accounts_passwords_pam_faillock_unlock_time=900
++ automated: no
+
+ - id: 5.4.3
+ title: Ensure password reuse is limited (Automated)
+
+From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:29:15 +0100
+Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index c7f651994d6..10816e1ba35 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1830,14 +1830,15 @@ controls:
+ - l1_workstation
+ automated: no
+
+- # NEEDS RULE: try_first_pass
++ # NEEDS RULE
++ # try_first_pass
+ # https://github.com/ComplianceAsCode/content/issues/5533
+ - id: 5.4.1
+ title: Ensure password creation requirements are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially
+ rules:
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+
+From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:37:15 +0100
+Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited"
+ rule from RHEL 7
+
+---
+ controls/cis_rhel8.yml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 10816e1ba35..0ea36362832 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1861,9 +1861,15 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: yes
+- rules:
+- - accounts_password_pam_unix_remember
+- - var_password_pam_unix_remember=5
++ notes: |-
++ Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation.
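Review bot: The 5.4.2 hunk deletes the faillock selections outright, whereas the rest of this series keeps near-miss rules reachable under `related_rules:` when a control is set to `automated: no` (4.1.13 in PATCH 21, the removable-partition controls in PATCH 07); the removed lines also encoded the benchmark's deny=5 / unlock_time=900 values, which are now only recoverable from history. Moving the two rules under `related_rules:` and keeping the values in a comment preserves the pointer without selecting anything, and is the more consistent style for this file. The enclosing control is fully inside the hunk.

```yaml
    automated: no
    # Benchmark values these rules should enforce once aligned: deny=5, unlock_time=900
    related_rules:
      - accounts_passwords_pam_faillock_deny
      - accounts_passwords_pam_faillock_unlock_time
```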
++ See here for more details about pam_unix.so:
++ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
++ rules:
++ - accounts_password_pam_pwhistory_remember_password_auth
++ - accounts_password_pam_pwhistory_remember_system_auth
++ - var_password_pam_remember_control_flag=required
++ - var_password_pam_remember=5
+
+ - id: 5.4.4
+ title: Ensure password hashing algorithm is SHA-512 (Automated)
+
+From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:41:13 +0100
+Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 0ea36362832..be46d870965 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1876,7 +1876,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+
+
+From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:42:57 +0100
+Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index be46d870965..e41c2eb4dae 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1885,7 +1885,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control.
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+
+From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:44:17 +0100
+Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index e41c2eb4dae..0b2b3d04621 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1895,7 +1895,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control.
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+
+From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:47:22 +0100
+Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 0b2b3d04621..70312f6399a 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1905,7 +1905,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control.
+ rules: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + +From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:47:54 +0100 +Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated + +--- + controls/cis_rhel8.yml | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 70312f6399a..42dbf14c816 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1910,14 +1910,12 @@ controls: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + +- # TODO +- # Rule doesn't check list of users + - id: 5.5.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control. 
+ rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + +From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 15:17:53 +0100 +Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 42dbf14c816..e8e340e0c36 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1724,7 +1724,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - sshd_idle_timeout_value=5_minutes ++ - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=0 + +From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:12:47 +0100 +Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated + +--- + controls/cis_rhel8.yml | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e8e340e0c36..2d534d95072 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1929,12 +1929,15 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # We are missing the component of this control which locks non-root system accounts ++ # https://github.com/ComplianceAsCode/content/issues/7352 + - id: 5.5.2 + title: Ensure system accounts are secured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially + rules: + - no_shelllogin_for_systemaccounts + + +From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:17:13 +0100 +Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml 
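Review bot: The SSH idle timeout is loosened from `sshd_idle_timeout_value=5_minutes` to `15_minutes` with nothing in the control or the commit message recording which benchmark version and section the new value comes from, whereas the MaxSessions change later in this series documents that its value follows Draft Benchmark 1.1.0. Because this change weakens the setting rather than tightening it, assessors comparing the profile against CIS 1.0.1 will see a mismatch with no explanation. I would add a comment above the rules list such as `# 15 minutes follows <benchmark version/section>; 1.0.1 specified 5 minutes`, filling in the actual reference, so the rationale travels with the value. The control's `id`/`title` lines are outside the hunk.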
b/controls/cis_rhel8.yml +index 2d534d95072..784af3e0fe9 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1946,7 +1946,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark + rules: + - accounts_tmout + - var_accounts_tmout=15_min + +From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:21:39 +0100 +Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated + +--- + controls/cis_rhel8.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 784af3e0fe9..045e219d90f 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1965,9 +1965,10 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark + rules: + - accounts_umask_etc_bashrc ++ - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 + + +From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:23:32 +0100 +Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by + use_pam_wheel_for_su + +--- + controls/cis_rhel8.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 045e219d90f..84a3269afc6 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1989,7 +1989,9 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: no ++ automated: partially ++ rules: ++ - use_pam_wheel_for_su + + - id: 6.1.1 + title: Audit system file permissions (Manual) + +From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 
00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:31:56 +0100 +Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3 + +--- + controls/cis_rhel8.yml | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 84a3269afc6..d02f2cbbf86 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2154,14 +2154,15 @@ controls: + rules: + - no_legacy_plus_entries_etc_passwd + +- # NEEDS RULE +- # https://github.com/ComplianceAsCode/content/issues/7198 + - id: 6.2.3 + title: Ensure root PATH Integrity (Automated) + levels: + - l1_server + - l1_workstation +- automated: no ++ automated: yes ++ rules: ++ - accounts_root_path_dirs_no_write ++ - root_path_no_dot + + - id: 6.2.4 + title: Ensure no legacy "+" entries exist in /etc/shadow (Automated) + +From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:34:47 +0100 +Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without + OVAL checks or remediations + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index d02f2cbbf86..a3f3d4e6d4f 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2196,8 +2196,8 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. ++ related_rules: + - file_permissions_home_dirs + + # NEEDS RULE (for user ownership) +@@ -2207,7 +2207,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. 
+ rules: + - file_groupownership_home_directories + + +From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:35:23 +0100 +Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL + checks or remediations + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a3f3d4e6d4f..cfefd245300 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2311,10 +2311,10 @@ controls: + automated: no + + - id: 6.2.20 +- title: Ensure shadow group is empty (Automated) ++ title: Ensure all users' home directories exist (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. ++ related_rules: + - accounts_user_interactive_home_directory_exists + +From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:38:11 +0100 +Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because + it also checks for finit_module syscall + +--- + controls/cis_rhel8.yml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index cfefd245300..e8d3f24ccbb 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1397,7 +1397,11 @@ controls: + - l2_workstation + automated: yes + rules: +- - audit_rules_kernel_module_loading ++ - audit_rules_kernel_module_loading_delete ++ - audit_rules_kernel_module_loading_init ++ - audit_rules_privileged_commands_insmod ++ - audit_rules_privileged_commands_modprobe ++ - audit_rules_privileged_commands_rmmod + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5516 + +From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Mon, 9 Aug 2021 
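Review bot: Replacing `audit_rules_kernel_module_loading` with the `_delete` and `_init` variants plus the insmod/modprobe/rmmod privileged-command rules drops auditing of the finit_module syscall, and nothing in the control records that this is a deliberate coverage gap. The commit message only says the combined rule is unusable because it also checks finit_module, presumably because the benchmark's audit text does not list that syscall; current kmod tooling typically loads modules through finit_module, so a load performed by anything other than the three audited binaries would go unlogged under this profile. I would add a comment above the rules list, e.g. `# finit_module is intentionally not audited here so the control matches the benchmark audit text; see audit_rules_kernel_module_loading for full syscall coverage`, so profile consumers can see the trade-off. The control's `id`/`title` lines are outside the hunk.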
11:49:56 +0100 +Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control + is not automated + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e8d3f24ccbb..a624d06cb56 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2128,7 +2128,7 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - file_permissions_unauthorized_suid + + - id: 6.1.14 +@@ -2137,7 +2137,7 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - file_permissions_unauthorized_sgid + + # NEEDS RULE +@@ -2212,7 +2212,7 @@ controls: + - l1_server + - l1_workstation + automated: no # The rule below exists, but does not have any OVAL checks or remediations. +- rules: ++ related_rules: + - file_groupownership_home_directories + + # NEEDS RULE + +From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 10 Aug 2021 09:12:18 +0100 +Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream + Draft Benchmark 1.1.0 + +--- + controls/cis_rhel8.yml | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a624d06cb56..bff2200ce12 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1782,11 +1782,11 @@ controls: + - var_sshd_set_maxstartups=10:30:60 + + # The title of this control does not appear to match the suggested audit and +- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the +- # value from the audit and remediation sections of the benchmark rather than +- # from the title. ++ # remediation in the CIS Benchmark version 1.0.1 ++ # ++ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0 ++ # which confirms that '4' is the intended value for this control. 
+ # +- # An upstream ticket has been opened about this issue: + # https://workbench.cisecurity.org/community/14/tickets/13414 + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) +@@ -1796,7 +1796,7 @@ controls: + automated: yes + rules: + - sshd_set_max_sessions +- - var_sshd_max_sessions=10 ++ - var_sshd_max_sessions=4 + + - id: 5.2.20 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + +From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 11 Aug 2021 10:37:23 +0100 +Subject: [PATCH 52/55] Control to disable IPv6 should not be automated + +--- + controls/cis_rhel8.yml | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index bff2200ce12..29d972427cf 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1177,9 +1177,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes +- rules: +- - kernel_module_ipv6_option_disabled ++ automated: no + + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) + +From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:09:48 +0100 +Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8 + +--- + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 + + .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 + + .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 4 ---- + 5 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index 24a0feaf0aa..748d9d9d188 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ 
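Review bot: The IPv6 control at cis_rhel8.yml:1177 drops `kernel_module_ipv6_option_disabled` entirely when switching to `automated: no`, while the later hunk in this series establishes `related_rules:` as the place to keep the rule for non-automated controls (6.1.14 and the home-directory group-ownership control are converted that way). Keeping `related_rules:` with `- kernel_module_ipv6_option_disabled` would preserve the link between the benchmark item and the existing rule, and the reason for withdrawing automation is stated neither in the hunk nor in the commit message, so a one-line comment recording it would help the next maintainer. The control's `id`/`title` lines are outside the hunk.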
b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -21,6 +21,7 @@ severity: unknown + + identifiers: + cce@rhel7: CCE-80199-3 ++ cce@rhel8: CCE-85914-0 + + references: + cis-csc: 11,3,9 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +index 288b6706b03..f44e85a059a 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +@@ -25,6 +25,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83430-9 ++ cce@rhel8: CCE-85915-7 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +index edcda693591..a9468d00ddc 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83429-1 ++ cce@rhel8: CCE-85913-2 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +index 6e636a7caf7..bc4fdcc7e04 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83431-7 ++ cce@rhel8: CCE-85912-4 + + references: + cis-csc: 12,13,14,15,16,18,3,5 + +From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:15:15 
+0100 +Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules + +--- + .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + + .../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 + + .../root_logins/use_pam_wheel_for_su/rule.yml | 1 + + .../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 + + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 + + 6 files changed, 6 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +index 2ffb01a3983..ee54a53dfd4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +@@ -27,6 +27,7 @@ identifiers: + + references: + cis@rhel7: 5.3.5 ++ cis@rhel8: 5.2.5 + disa: CCI-000067 + nerc-cip: CIP-007-3 R7.1 + nist: AC-17(a),AC-17(1),CM-6(a) +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +index c548b1e3ea2..935766db26d 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +@@ -41,6 +41,7 @@ identifiers: + + references: + cis@rhel7: 2.2.2 ++ cis@rhel8: 2.2.2 + disa: CCI-000366 + nist: CM-6(b) + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +index 984a8cf333e..616a0aa0052 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -24,6 +24,7 @@ identifiers: + + references: + cis@rhel7: "5.7" ++ cis@rhel8: 5.7 + cis@sle15: '5.6' + cis@ubuntu2004: '5.6' + ospp: FMT_SMF_EXT.1.1 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml +index 81c30174c71..057701075e5 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml +@@ -23,6 +23,7 @@ identifiers: + references: + cis-csc: 11,3,9 + cis@rhel7: 6.2.10 ++ cis@rhel8: 6.2.3 + cis@sle15: 6.2.4 + cis@ubuntu2004: 6.2.3 + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index 748d9d9d188..c94de8fa3e6 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -26,6 +26,7 @@ identifiers: + references: + cis-csc: 11,3,9 + cis@rhel7: 6.2.10 ++ cis@rhel8: 6.2.3 + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 + disa: CCI-000366 + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3 +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +index 46e81737199..51f8e51fa6a 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +@@ 
-25,6 +25,7 @@ references: + anssi: BP28(R35) + cis-csc: 11,18,3,9 + cis@rhel7: 5.5.5 ++ cis@rhel8: 5.5.5 + cis@ubuntu2004: 5.4.4 + cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05 + disa: CCI-000366 + +From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:25:45 +0100 +Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an + integer + +--- + .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +index 616a0aa0052..08677cbb7dc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -24,7 +24,7 @@ identifiers: + + references: + cis@rhel7: "5.7" +- cis@rhel8: 5.7 ++ cis@rhel8: "5.7" + cis@sle15: '5.6' + cis@ubuntu2004: '5.6' + ospp: FMT_SMF_EXT.1.1 diff --git a/SOURCES/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch b/SOURCES/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch new file mode 100644 index 0000000..e2526fc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch 
@@ -0,0 +1,31 @@ +From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Mon, 16 Aug 2021 15:26:00 +0200 +Subject: [PATCH] Remove a spurious whitespace trim + +The first line of the if- block ended up in the metadata comment. +--- + .../disable_ctrlaltdel_reboot/bash/shared.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh +index 4cbf5c8465..610da67668 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh +@@ -1,8 +1,8 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux +-{{%- if init_system == "systemd" -%}} ++{{% if init_system == "systemd" -%}} + systemctl disable --now ctrl-alt-del.target + systemctl mask --now ctrl-alt-del.target +-{{%- else -%}} ++{{%- else %}} + # If system does not contain control-alt-delete.override, + if [ ! -f /etc/init/control-alt-delete.override ]; then + # but does have control-alt-delete.conf file, +@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then + fi + fi + sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override +-{{%- endif -%}} ++{{%- endif %}} diff --git a/SOURCES/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch b/SOURCES/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch new file mode 100644 index 0000000..7734df6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch 
@@ -0,0 +1,160 @@ +From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 18 Aug 2021 15:16:59 +0200 +Subject: [PATCH] Fix RHEL7 documentation links. + +--- + linux_os/guide/services/ldap/openldap_client/group.yml | 2 +- + linux_os/guide/services/ldap/openldap_server/group.yml | 2 +- + .../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +- + .../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +- + linux_os/guide/services/ntp/group.yml | 2 +- + .../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +- + linux_os/guide/services/sssd/group.yml | 2 +- + .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +--- + linux_os/guide/system/auditing/group.yml | 2 +- + .../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +- + .../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +- + 11 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml +index bf17a053cd5..a64f105395f 100644 +--- a/linux_os/guide/services/ldap/openldap_client/group.yml ++++ b/linux_os/guide/services/ldap/openldap_client/group.yml +@@ -13,7 +13,7 @@ description: |- + files, which is useful when trying to use SSL cleanly across several protocols. + Installation and configuration of OpenLDAP on {{{ full_name }}} is available at + {{% if product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}. ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. + {{% elif product == "ol7" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}. 
+ {{% endif %}} +diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml +index c180820e9fc..d571867a7f8 100644 +--- a/linux_os/guide/services/ldap/openldap_server/group.yml ++++ b/linux_os/guide/services/ldap/openldap_server/group.yml +@@ -7,5 +7,5 @@ description: |- + for an OpenLDAP server. + {{% if product == "rhel7" %}} + Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}. ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. + {{% endif %}} +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +index 8f939356ab1..7dc188589ee 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +@@ -14,7 +14,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for more detailed comparison of the features of both of the choices, and for + further guidance how to choose between the two NTP daemons. 
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 503aecc0de2..27df8595efa 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -14,7 +14,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for more detailed comparison of the features of both of the choices, and for + further guidance how to choose between the two NTP daemons. 
+diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml +index 181b10dfd65..b944ee03116 100644 +--- a/linux_os/guide/services/ntp/group.yml ++++ b/linux_os/guide/services/ntp/group.yml +@@ -54,7 +54,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "ubuntu" in product %}} + {{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}} + {{% elif "debian" in product %}} +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +index 065cf301b95..00739816f5e 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +@@ -17,7 +17,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for guidance which NTP daemon to choose depending on the environment used. 
+ +diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml +index 5b0caf7d64b..3f4eced7ca7 100644 +--- a/linux_os/guide/services/sssd/group.yml ++++ b/linux_os/guide/services/sssd/group.yml +@@ -11,7 +11,7 @@ description: |- +

+ For more information, see + {{%- if product == "rhel7" -%}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}} + {{%- elif product == "rhel8" -%}} + {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}} + {{%- elif product == "ol7" -%}} +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +index fc7f149bf40..62a343cf396 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +@@ -8,9 +8,7 @@ description: |- + To enable smart card authentication, consult the documentation at: +
    + {{% if product == "rhel7" %}} +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
  • +- {{% elif product == "rhel8" %}} +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
  • ++
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}
  • + {{% elif product == "ol7" %}} +
  • {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}
  • + {{% endif %}} +diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml +index 82f87e81c47..5fce88db032 100644 +--- a/linux_os/guide/system/auditing/group.yml ++++ b/linux_os/guide/system/auditing/group.yml +@@ -38,7 +38,7 @@ description: |- + Examining some example audit records demonstrates how the Linux audit system + satisfies common requirements. + The following example from Fedora Documentation available at +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} + shows the substantial amount of information captured in a + two typical "raw" audit messages, followed by a breakdown of the most important + fields. In this example the message is SELinux-related and reports an AVC +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index add0a41fa94..cd07fb4c0ca 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -38,7 +38,7 @@ description: |- + {{% elif product in ["sle12", "sle15"] %}} + {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. 
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}. + {{% else %}} + {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}. + {{% endif %}} +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml +index 8e8b32f1d79..299b96c0592 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml +@@ -14,5 +14,5 @@ description: |- + the man page dconf(1). + {{% else %}} + For more information about enforcing preferences in the GNOME3 environment using the DConf +- configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/> and the man page dconf(1). ++ configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/> and the man page dconf(1). + {{% endif %}} diff --git a/SOURCES/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch b/SOURCES/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch new file mode 100644 index 0000000..a1a7742 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch 
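Review bot: The smartcard_auth description loses its `product == "rhel8"` branch, so on RHEL 8 the sentence `To enable smart card authentication, consult the documentation at:` is now followed by an empty list instead of a link. The removed rhel8 branch pointed at the RHEL 7 guide, which was also wrong, but dropping it silently is worse than leaving a placeholder; either restore `{{% elif product == "rhel8" %}}` with the RHEL 8 smart-card documentation URL, or gate the "consult the documentation" sentence on the same product condition as the links. The enclosing `description` block continues outside the hunk.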
@@ -0,0 +1,28 @@
+From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 3 Aug 2021 16:50:23 +0200
+Subject: [PATCH] add details about gpgkey package for rhel9
+
+---
+ products/rhel9/product.yml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
+index 78c65fd805..4ceb332adf 100644
+--- a/products/rhel9/product.yml
++++ b/products/rhel9/product.yml
+@@ -13,10 +13,10 @@ init_system: "systemd"
+ dconf_gdm_dir: "distro.d"
+ 
+ # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
+-pkg_release: ""
+-pkg_version: ""
+-aux_pkg_release: ""
+-aux_pkg_version: ""
++pkg_release: "4ae0493b"
++pkg_version: "fd431d51"
++aux_pkg_release: "5b32db75"
++aux_pkg_version: "d4082792"
+ 
+ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+ auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
diff --git a/SOURCES/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch b/SOURCES/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
new file mode 100644
index 0000000..79a2711
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
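Review bot: The four new key identifiers in products/rhel9/product.yml are given without any explanation of how they were derived or how they relate to the two fingerprints that follow them. pkg_version `fd431d51` and aux_pkg_version `d4082792` visibly equal the last eight hex digits of release_key_fingerprint and auxiliary_key_fingerprint, but pkg_release `4ae0493b` and aux_pkg_release `5b32db75` have no counterpart on this page, so a maintainer cannot check them against the linked Red Hat key page without re-deriving them. Extending the existing comment would make the values verifiable, e.g. `# pkg_version/aux_pkg_version: last 8 hex digits of the fingerprints below; pkg_release/aux_pkg_release: <document how these were derived>`. Eight-hex-digit (32-bit) key IDs are also short enough to collide, so whatever consumes these fields should prefer the full fingerprint values where the check allows it.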
@@ -0,0 +1,55 @@
+From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Tue, 27 Jul 2021 15:20:08 -0400
+Subject: [PATCH] Remove FragmentPath check from service_disabled
+
+In https://github.com/systemd/systemd/issues/582 it is documented that
+systemd could eventually replace FragmentPath=/dev/null (on masked
+services) with the actual service path -- not the fully (symlink)
+resolved path as is currently the case.
+
+This matches the behavior currently seen in Ubuntu (all versions) and
+RHEL 9/Fedora 34.
+
+Per discussion with Gabriel, Matej, Richard, and Matt, it is best to
+remove this check, especially since ActiveState=Masked suffices.
+
+Resolves: #7280
+Resolves: #7248
+
+Signed-off-by: Alexander Scheel
+---
+ shared/templates/service_disabled/oval.template | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template
+index 33b52518307..e4ccb0566e7 100644
+--- a/shared/templates/service_disabled/oval.template
++++ b/shared/templates/service_disabled/oval.template
+@@ -13,7 +13,6 @@
+ 
+ 
+ 
+- 
+ 
+ 
+ 
+@@ -41,18 +40,6 @@
+ masked
+ 
+ 
+- 
+- 
+- 
+- 
+- 
+- ^{{{ SERVICENAME }}}\.(service|socket)$
+- FragmentPath
+- 
+- 
+- /dev/null
+- 
+- 
+ {{% else %}}
+ 
+ {{% if init_system != "systemd" %}}
diff --git a/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch b/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch
new file mode 100644
index 0000000..e38943c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch
@@ -0,0 +1,256 @@
+From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Mon, 16 Aug 2021 13:08:10 +0200
+Subject: [PATCH] Add ISM Official kickstarts
+
+---
+ .../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
+ .../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
+ 2 files changed, 232 insertions(+)
+ create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+
+diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..d84d98b12d
+--- /dev/null
++++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..517919539a
+--- /dev/null
++++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon com_redhat_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch b/SOURCES/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
new file mode 100644
index 0000000..164c3c6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
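Review bot: Both new kickstart files hard-code the root password hash and an `admin` user in `wheel` with a fixed hash, and the comments directly above them state the plaintexts (`server`, `admin123`), so any host installed from an unedited copy starts with credentials known to everyone who can read this repository. Since these files exist to produce a hardened ISM Official install, the `rootpw --iscrypted` and `user --password=` values would be safer as a clearly labelled placeholder that must be replaced before use, e.g. `rootpw --iscrypted <REPLACE_WITH_YOUR_SHA512_CRYPT_HASH>`, or at minimum a comment stating that both hashes must be regenerated per deployment. Separately, the comment `# Harden installation with Essential Eight profile` does not match the selected `xccdf_org.ssgproject.content_profile_ism_o` or the file headers' "ISM Official profile", and the RHEL 9 file's "Based on" links and addon documentation URL both point at the RHEL 8 documentation. The RHEL 9 file also switches from `%addon org_fedora_oscap` to `%addon com_redhat_oscap`, which is presumably intentional but is worth a one-line comment. The same points apply to both files in this hunk.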
@@ -0,0 +1,1834 @@
+From e3844b648a537ae2d28aeb66b30522363e26c8c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Thu, 19 Aug 2021 15:58:08 +0200
+Subject: [PATCH 1/4] Base the RHEL9 CIS preview on RHEL8
+
+Harness the policy files to get a RHEL9 projection of the RHEL8 CIS.
+---
+ products/rhel9/profiles/cis.profile | 1079 +----------------
+ products/rhel9/profiles/cis_server_l1.profile | 19 +
+ .../rhel9/profiles/cis_workstation_l1.profile | 19 +
+ .../rhel9/profiles/cis_workstation_l2.profile | 19 +
+ 4 files changed, 63 insertions(+), 1073 deletions(-)
+ create mode 100644 products/rhel9/profiles/cis_server_l1.profile
+ create mode 100644 products/rhel9/profiles/cis_workstation_l1.profile
+ create mode 100644 products/rhel9/profiles/cis_workstation_l2.profile
+
+diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
+index 8d7816e5e2..4240f743df 100644
+--- a/products/rhel9/profiles/cis.profile
++++ b/products/rhel9/profiles/cis.profile
+@@ -1,1086 +1,19 @@
+ documentation_complete: true
+
+ metadata:
+- version: 0.0.0
++ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+ reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+-title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark'
++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server'
+
+ description: |-
+- This is a draft CIS profile based on the RHEL8 CIS
++ This is a draft profile based on its RHEL8 version for experimental purposes.
++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
++ the release.
+
+ selections:
+- # Necessary for dconf rules
+- - dconf_db_up_to_date
+-
+- ### Partitioning
+- - mount_option_home_nodev
+-
+- ## 1.1 Filesystem Configuration
+-
+- ### 1.1.1 Disable unused filesystems
+-
+- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
+- - kernel_module_cramfs_disabled
+-
+- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+-
+-
+- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
+- - kernel_module_squashfs_disabled
+-
+- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
+- - kernel_module_udf_disabled
+-
+- ### 1.1.2 Ensure /tmp is configured (Scored)
+- - partition_for_tmp
+-
+- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
+- - mount_option_tmp_nodev
+-
+- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
+- - mount_option_tmp_nosuid
+-
+- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
+- - mount_option_tmp_noexec
+-
+- ### 1.1.6 Ensure separate partition exists for /var (Scored)
+- - partition_for_var
+-
+- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
+- - partition_for_var_tmp
+-
+- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nodev
+-
+- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nosuid
+-
+- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_noexec
+-
+- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
+- - partition_for_var_log
+-
+- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
+- - partition_for_var_log_audit
+-
+- ### 1.1.13 Ensure separate partition exists for /home (Scored)
+- - partition_for_home
+-
+- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
+- - mount_option_home_nodev
+-
+- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nodev
+-
+-
### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nosuid
+-
+- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_noexec
+-
+- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+- - mount_option_nodev_removable_partitions
+-
+- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+- - mount_option_nosuid_removable_partitions
+-
+- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+- - mount_option_noexec_removable_partitions
+-
+- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+- - dir_perms_world_writable_sticky_bits
+-
+- ### 1.1.22 Disable Automounting (Scored)
+- - service_autofs_disabled
+-
+- ### 1.1.23 Disable USB Storage (Scored)
+- - kernel_module_usb-storage_disabled
+-
+- ## 1.2 Configure Software Updates
+-
+- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+-
+- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+- - service_rhnsd_disabled
+-
+- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+- - ensure_redhat_gpgkey_installed
+-
+- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+- - ensure_gpgcheck_globally_activated
+-
+- ### 1.2.5 Ensure package manager repositories are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+-
+- ## 1.3 Configure sudo
+-
+- ### 1.3.1 Ensure sudo is installed (Scored)
+- - package_sudo_installed
+-
+- ### 1.3.2 Ensure sudo commands use pty (Scored)
+- - sudo_add_use_pty
+-
+- ### 1.3.3 Ensure sudo log file exists (Scored)
+- - sudo_custom_logfile
+-
+- ## 1.4 Filesystem Integrity Checking
+-
+- ### 1.4.1 Ensure AIDE is installed (Scored)
+- - package_aide_installed
+-
+- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+- -
aide_periodic_cron_checking
+-
+- ## Secure Boot Settings
+-
+- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+- #### chown root:root /boot/grub2/grub.cfg
+- - file_owner_grub2_cfg
+- - file_groupowner_grub2_cfg
+-
+- #### chmod og-rwx /boot/grub2/grub.cfg
+- - file_permissions_grub2_cfg
+-
+- #### chown root:root /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- #### chmod og-rwx /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- ### 1.5.2 Ensure bootloader password is set (Scored)
+- - grub2_password
+-
+- ### 1.5.3 Ensure authentication required for single user mode (Scored)
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+- - require_singleuser_auth
+-
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+- - require_emergency_target_auth
+-
+- ## 1.6 Additional Process Hardening
+-
+- ### 1.6.1 Ensure core dumps are restricted (Scored)
+- #### * hard core 0
+- - disable_users_coredumps
+-
+- #### fs.suid_dumpable = 0
+- - sysctl_fs_suid_dumpable
+-
+- #### ProcessSizeMax=0
+- - coredump_disable_backtraces
+-
+- #### Storage=none
+- - coredump_disable_storage
+-
+- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+- - sysctl_kernel_randomize_va_space
+-
+- ## 1.7 Mandatory Access Control
+-
+- ### 1.7.1 Configure SELinux
+-
+- #### 1.7.1.1 Ensure SELinux is installed (Scored)
+- - package_libselinux_installed
+-
+- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+- - grub2_enable_selinux
+-
+- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+- - var_selinux_policy_name=targeted
+- - selinux_policytype
+-
+- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+- - var_selinux_state=enforcing
+- - selinux_state
+-
+- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+- - selinux_confinement_of_daemons
+-
+- #### 1.7.1.6 Ensure
SETroubleshoot is not installed (Scored)
+- - package_setroubleshoot_removed
+-
+- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+- - package_mcstrans_removed
+-
+- ## Warning Banners
+-
+- ### 1.8.1 Command Line Warning Baners
+-
+- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+- - banner_etc_motd
+-
+- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+- - banner_etc_issue
+-
+- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+-
+- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- # chmod u-x,go-wx /etc/motd
+- - file_permissions_etc_motd
+-
+- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- # chmod u-x,go-wx /etc/issue
+- - file_permissions_etc_issue
+-
+- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- # Previously addressed via 'rpm_verify_permissions' rule
+-
+- ### 1.8.2 Ensure GDM login banner is configured (Scored)
+- #### banner-message-enable=true
+- - dconf_gnome_banner_enabled
+-
+- #### banner-message-text=''
+- - dconf_gnome_login_banner_text
+-
+- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+- - security_patches_up_to_date
+-
+- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+- - var_system_crypto_policy=future
+- - configure_crypto_policy
+-
+- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+- # Previously addressed via 'configure_crypto_policy' rule
+-
+- # Services
+-
+- ## 2.1 inetd Services
+-
+- ### 2.1.1 Ensure xinetd is not installed (Scored)
+- - package_xinetd_removed
+-
+- ## 2.2 Special Purpose Services
+-
+- ### 2.2.1 Time Synchronization
+-
+- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+- - package_chrony_installed
+-
+- #### 2.2.1.2 Ensure chrony is configured
(Scored)
+- - service_chronyd_enabled
+- - chronyd_specify_remote_server
+- - chronyd_run_as_chrony_user
+-
+- ### 2.2.2 Ensure X Window System is not installed (Scored)
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
+-
+- ### 2.2.3 Ensure rsync service is not enabled (Scored)
+- - service_rsyncd_disabled
+-
+- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+- - service_avahi-daemon_disabled
+-
+- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+- - service_snmpd_disabled
+-
+- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+- - package_squid_removed
+-
+- ### 2.2.7 Ensure Samba is not enabled (Scored)
+- - service_smb_disabled
+-
+- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+- - service_dovecot_disabled
+-
+- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+- - service_httpd_disabled
+-
+- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+- - service_vsftpd_disabled
+-
+- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+- - service_named_disabled
+-
+- ### 2.2.12 Ensure NFS is not enabled (Scored)
+- - service_nfs_disabled
+-
+- ### 2.2.13 Ensure RPC is not enabled (Scored)
+- - service_rpcbind_disabled
+-
+- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+-
+- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+- - service_dhcpd_disabled
+-
+- ### 2.2.16 Ensure CUPS is not enabled (Scored)
+- - service_cups_disabled
+-
+- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+-
+- ### 2.2.18 Ensure mail transfer agent is configured for
+- ### local-only mode (Scored)
+- - postfix_network_listening_disabled
+-
+- ## 2.3 Service Clients
+-
+- ### 2.3.1 Ensure NIS Client is not installed (Scored)
+- - package_ypbind_removed
+-
+- ### 2.3.2 Ensure telnet client is not installed (Scored)
+- - package_telnet_removed
+-
+- ###
Ensure LDAP client is not installed
+- - package_openldap-clients_removed
+-
+- # 3 Network Configuration
+-
+- ## 3.1 Network Parameters (Host Only)
+-
+- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+- #### net.ipv4.ip_forward = 0
+- - sysctl_net_ipv4_ip_forward
+-
+- #### net.ipv6.conf.all.forwarding = 0
+- - sysctl_net_ipv6_conf_all_forwarding
+-
+- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+- #### net.ipv4.conf.all.send_redirects = 0
+- - sysctl_net_ipv4_conf_all_send_redirects
+-
+- #### net.ipv4.conf.default.send_redirects = 0
+- - sysctl_net_ipv4_conf_default_send_redirects
+-
+- ## 3.2 Network Parameters (Host and Router)
+-
+- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_source_route = 0
+- - sysctl_net_ipv4_conf_all_accept_source_route
+-
+- #### net.ipv4.conf.default.accept_source_route = 0
+- - sysctl_net_ipv4_conf_default_accept_source_route
+-
+- #### net.ipv6.conf.all.accept_source_route = 0
+- - sysctl_net_ipv6_conf_all_accept_source_route
+-
+- #### net.ipv6.conf.default.accept_source_route = 0
+- - sysctl_net_ipv6_conf_default_accept_source_route
+-
+- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_redirects = 0
+- - sysctl_net_ipv4_conf_all_accept_redirects
+-
+- #### net.ipv4.conf.default.accept_redirects
+- - sysctl_net_ipv4_conf_default_accept_redirects
+-
+- #### net.ipv6.conf.all.accept_redirects = 0
+- - sysctl_net_ipv6_conf_all_accept_redirects
+-
+- #### net.ipv6.conf.defaults.accept_redirects = 0
+- - sysctl_net_ipv6_conf_default_accept_redirects
+-
+- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.secure_redirects = 0
+- - sysctl_net_ipv4_conf_all_secure_redirects
+-
+- #### net.ipv4.cof.default.secure_redirects = 0
+- - sysctl_net_ipv4_conf_default_secure_redirects
+-
+- ### 3.2.4 Ensure suspicious packets are logged (Scored)
+- #### net.ipv4.conf.all.log_martians = 1
+- - sysctl_net_ipv4_conf_all_log_martians
+-
+- #### net.ipv4.conf.default.log_martians = 1
+- - sysctl_net_ipv4_conf_default_log_martians
+-
+- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+-
+- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+-
+- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+- #### net.ipv4.conf.all.rp_filter = 1
+- - sysctl_net_ipv4_conf_all_rp_filter
+-
+- #### net.ipv4.conf.default.rp_filter = 1
+- - sysctl_net_ipv4_conf_default_rp_filter
+-
+- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+- - sysctl_net_ipv4_tcp_syncookies
+-
+- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+- #### net.ipv6.conf.all.accept_ra = 0
+- - sysctl_net_ipv6_conf_all_accept_ra
+-
+- #### net.ipv6.conf.default.accept_ra = 0
+- - sysctl_net_ipv6_conf_default_accept_ra
+-
+- ## 3.3 Uncommon Network Protocols
+-
+- ### 3.3.1 Ensure DCCP is disabled (Scored)
+- - kernel_module_dccp_disabled
+-
+- ### Ensure SCTP is disabled (Scored)
+- - kernel_module_sctp_disabled
+-
+- ### 3.3.3 Ensure RDS is disabled (Scored)
+- - kernel_module_rds_disabled
+-
+- ### 3.3.4 Ensure TIPC is disabled (Scored)
+- - kernel_module_tipc_disabled
+-
+- ## 3.4 Firewall Configuration
+-
+- ### 3.4.1 Ensure Firewall software is installed
+-
+- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+- ##### firewalld
+- - package_firewalld_installed
+-
+- ##### nftables
+- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+-
+- ##### iptables
+- #- package_iptables_installed
+-
+- ### 3.4.2 Configure firewalld
+-
+- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+- - service_firewalld_enabled
+-
+- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+-
+- #### 3.4.2.3 Ensure nftables is not enabled
(Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+-
+- #### 3.4.2.4 Ensure default zone is set (Scored)
+- - set_firewalld_default_zone
+-
+- #### 3.4.2.5 Ensure network interfaces are assigned to
+- #### appropriate zone (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+-
+- #### 3.4.2.6 Ensure unnecessary services and ports are not
+- #### accepted (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+-
+- ### 3.4.3 Configure nftables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+-
+- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+-
+- #### 3.4.3.2 Ensure a table exists (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+-
+- #### 3.4.3.3 Ensure base chains exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+-
+- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+-
+- #### 3.4.3.5 Ensure outbound and established connections are
+- #### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+-
+- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+-
+- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+-
+- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+-
+- ### 3.4.4 Configure iptables
+-
+- #### 3.4.4.1 Configure IPv4 iptables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+-
+- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE -
https://github.com/ComplianceAsCode/content/issues/5252
+-
+- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+-
+- ##### 3.4.4.1.3 Ensure outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+-
+- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+-
+- #### 3.4.4.2 Configure IPv6 ip6tables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+-
+- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+-
+- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+-
+- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+-
+- ## 3.5 Ensure wireless interfaces are disabled (Scored)
+- - wireless_disable_interfaces
+-
+- ## 3.6 Disable IPv6 (Not Scored)
+- - kernel_module_ipv6_option_disabled
+-
+- # Logging and Auditing
+-
+- ## 4.1 Configure System Accounting (auditd)
+-
+- ### 4.1.1 Ensure auditing is enabled
+-
+- #### 4.1.1.1 Ensure auditd is installed (Scored)
+- - package_audit_installed
+-
+- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+- - service_auditd_enabled
+-
+- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+- #### is enabled (Scored)
+- - grub2_audit_argument
+-
+- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+- - grub2_audit_backlog_limit_argument
+-
+- ### 4.1.2 Configure Data Retention
+-
+- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+- - auditd_data_retention_max_log_file
+-
+- ####
4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+- - auditd_data_retention_max_log_file_action
+-
+- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+- - var_auditd_space_left_action=email
+- - auditd_data_retention_space_left_action
+-
+- ##### action_mail_acct = root
+- - var_auditd_action_mail_acct=root
+- - auditd_data_retention_action_mail_acct
+-
+- ##### admin_space_left_action = halt
+- - var_auditd_admin_space_left_action=halt
+- - auditd_data_retention_admin_space_left_action
+-
+- ### 4.1.3 Ensure changes to system administration scope
+- ### (sudoers) is collected (Scored)
+- - audit_rules_sysadmin_actions
+-
+- ### 4.1.4 Ensure login and logout events are collected (Scored)
+- - audit_rules_login_events_faillock
+- - audit_rules_login_events_lastlog
+-
+- ### 4.1.5 Ensure session initiation information is collected (Scored)
+- - audit_rules_session_events
+-
+- ### 4.1.6 Ensure events that modify date and time information
+- ### are collected (Scored)
+- #### adjtimex
+- - audit_rules_time_adjtimex
+-
+- #### settimeofday
+- - audit_rules_time_settimeofday
+-
+- #### stime
+- - audit_rules_time_stime
+-
+- #### clock_settime
+- - audit_rules_time_clock_settime
+-
+- #### -w /etc/localtime -p wa
+- - audit_rules_time_watch_localtime
+-
+- ### 4.1.7 Ensure events that modify the system's Mandatory
+- ### Access Control are collected (Scored)
+- #### -w /etc/selinux/ -p wa
+- - audit_rules_mac_modification
+-
+- #### -w /usr/share/selinux/ -p wa
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+-
+- ### 4.1.8 Ensure events that modify the system's network
+- ### enironment are collected (Scored)
+- - audit_rules_networkconfig_modification
+-
+- ### 4.1.9 Ensure discretionary access control permission modification
+- ### events are collected (Scored)
+- - audit_rules_dac_modification_chmod
+- - audit_rules_dac_modification_fchmod
+- - audit_rules_dac_modification_fchmodat
+- -
audit_rules_dac_modification_chown
+- - audit_rules_dac_modification_fchown
+- - audit_rules_dac_modification_fchownat
+- - audit_rules_dac_modification_lchown
+- - audit_rules_dac_modification_setxattr
+- - audit_rules_dac_modification_lsetxattr
+- - audit_rules_dac_modification_fsetxattr
+- - audit_rules_dac_modification_removexattr
+- - audit_rules_dac_modification_lremovexattr
+- - audit_rules_dac_modification_fremovexattr
+-
+- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+- ### collected (Scored)
+- - audit_rules_unsuccessful_file_modification_creat
+- - audit_rules_unsuccessful_file_modification_open
+- - audit_rules_unsuccessful_file_modification_openat
+- - audit_rules_unsuccessful_file_modification_truncate
+- - audit_rules_unsuccessful_file_modification_ftruncate
+- # Opinionated selection
+- - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+- ### 4.1.11 Ensure events that modify user/group information are
+- ### collected (Scored)
+- - audit_rules_usergroup_modification_passwd
+- - audit_rules_usergroup_modification_group
+- - audit_rules_usergroup_modification_gshadow
+- - audit_rules_usergroup_modification_shadow
+- - audit_rules_usergroup_modification_opasswd
+-
+- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+- - audit_rules_media_export
+-
+- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+- - audit_rules_privileged_commands
+-
+- ### 4.1.14 Ensure file deletion events by users are collected
+- ### (Scored)
+- - audit_rules_file_deletion_events_unlink
+- - audit_rules_file_deletion_events_unlinkat
+- - audit_rules_file_deletion_events_rename
+- - audit_rules_file_deletion_events_renameat
+- # Opinionated selection
+- - audit_rules_file_deletion_events_rmdir
+-
+- ### 4.1.15 Ensure kernel module loading and unloading is collected
+- ### (Scored)
+- - audit_rules_kernel_module_loading
+-
+- ### 4.1.16 Ensure system administrator actions (sudolog) are
+- ###
collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+-
+- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+- - audit_rules_immutable
+-
+- ## 4.2 Configure Logging
+-
+- ### 4.2.1 Configure rsyslog
+-
+- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+- - package_rsyslog_installed
+-
+- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+- - service_rsyslog_enabled
+-
+- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+- - rsyslog_files_permissions
+-
+- #### 4.2.1.4 Ensure logging is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+-
+- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+- #### log host (Scored)
+- - rsyslog_remote_loghost
+-
+- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+- #### designated log hosts (Not Scored)
+- - rsyslog_nolisten
+-
+- ### 4.2.2 Configure journald
+-
+- #### 4.2.2.1 Ensure journald is configured to send logs to
+- #### rsyslog (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+-
+- #### 4.2.2.2 Ensure journald is configured to compress large
+- #### log files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+-
+-
+- #### 4.2.2.3 Ensure journald is configured to write logfiles to
+- #### persistent disk (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+-
+- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+-
+- ## 4.3 Ensure logrotate is configured (Not Scored)
+-
+- # 5 Access, Authentication and Authorization
+-
+- ## 5.1 Configure cron
+-
+- ### 5.1.1 Ensure cron daemon is enabled (Scored)
+- - service_crond_enabled
+-
+-
+- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+- # chown root:root /etc/crontab
+- - file_owner_crontab
+- -
file_groupowner_crontab
+- # chmod og-rwx /etc/crontab
+- - file_permissions_crontab
+-
+- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+- # chown root:root /etc/cron.hourly
+- - file_owner_cron_hourly
+- - file_groupowner_cron_hourly
+- # chmod og-rwx /etc/cron.hourly
+- - file_permissions_cron_hourly
+-
+- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+- # chown root:root /etc/cron.daily
+- - file_owner_cron_daily
+- - file_groupowner_cron_daily
+- # chmod og-rwx /etc/cron.daily
+- - file_permissions_cron_daily
+-
+- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+- # chown root:root /etc/cron.weekly
+- - file_owner_cron_weekly
+- - file_groupowner_cron_weekly
+- # chmod og-rwx /etc/cron.weekly
+- - file_permissions_cron_weekly
+-
+- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+- # chown root:root /etc/cron.monthly
+- - file_owner_cron_monthly
+- - file_groupowner_cron_monthly
+- # chmod og-rwx /etc/cron.monthly
+- - file_permissions_cron_monthly
+-
+- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+- # chown root:root /etc/cron.d
+- - file_owner_cron_d
+- - file_groupowner_cron_d
+- # chmod og-rwx /etc/cron.d
+- - file_permissions_cron_d
+-
+- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+-
+-
+- ## 5.2 SSH Server Configuration
+-
+- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+- # chown root:root /etc/ssh/sshd_config
+- - file_owner_sshd_config
+- - file_groupowner_sshd_config
+-
+- # chmod og-rwx /etc/ssh/sshd_config
+- - file_permissions_sshd_config
+-
+- ### 5.2.2 Ensure SSH access is limited (Scored)
+-
+-
+- ### 5.2.3 Ensure permissions on SSH private host key files are
+- ### configured (Scored)
+- # TO DO: The rule sets to 640, but benchmark wants 600
+- - file_permissions_sshd_private_key
+- # TO DO: check owner of private keys in /etc/ssh is root:root
+-
+- ### 5.2.4
Ensure permissions on SSH public host key files are configured
+- ### (Scored)
+- - file_permissions_sshd_pub_key
+- # TO DO: check owner of pub keys in /etc/ssh is root:root
+-
+- # Ensure that the configuration is done the right way
+- - sshd_use_directory_configuration
+- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+- - sshd_set_loglevel_info
+-
+- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+- - sshd_disable_x11_forwarding
+-
+- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+- - sshd_max_auth_tries_value=4
+- - sshd_set_max_auth_tries
+-
+- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+- - sshd_disable_rhosts
+-
+- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+- - disable_host_auth
+-
+- ### 5.2.10 Ensure SSH root login is disabled (Scored)
+- - sshd_disable_root_login
+-
+- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+- - sshd_disable_empty_passwords
+-
+- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+- - sshd_do_not_permit_user_env
+-
+- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+- # ClientAliveInterval 300
+- - sshd_idle_timeout_value=5_minutes
+- - sshd_set_idle_timeout
+-
+- # ClientAliveCountMax 0
+- - var_sshd_set_keepalive=0
+-
+- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+- ### or less (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+-
+- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+- - sshd_enable_warning_banner
+-
+- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+-
+- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+- - sshd_disable_tcp_forwarding
+-
+- ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+-
+- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+- -
sshd_set_max_sessions
+- - var_sshd_max_sessions=4
+-
+- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+- - configure_ssh_crypto_policy
+-
+- ## 5.3 Configure authselect
+-
+-
+- ### 5.3.1 Create custom authselectet profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+-
+- ### 5.3.2 Select authselect profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+-
+- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+-
+- ## 5.4 Configure PAM
+-
+- ### 5.4.1 Ensure password creation requirements are configured (Scored)
+- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+- - accounts_password_pam_retry
+- - var_password_pam_minlen=14
+- - accounts_password_pam_minlen
+- - var_password_pam_minclass=4
+- - accounts_password_pam_minclass
+-
+- ### 5.4.2 Ensure lockout for failed password attempts is
+- ### configured (Scored)
+- - var_accounts_passwords_pam_faillock_unlock_time=900
+- - var_accounts_passwords_pam_faillock_deny=5
+- - accounts_passwords_pam_faillock_unlock_time
+- - accounts_passwords_pam_faillock_deny
+-
+- ### 5.4.3 Ensure password reuse is limited (Scored)
+- - var_password_pam_unix_remember=5
+- - accounts_password_pam_unix_remember
+-
+- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+- - set_password_hashing_algorithm_systemauth
+-
+- ## 5.5 User Accounts and Environment
+-
+- ### 5.5.1 Set Shadow Password Suite Parameters
+-
+- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+- - var_accounts_maximum_age_login_defs=365
+- - accounts_maximum_age_login_defs
+-
+- #### 5.5.1.2 Ensure minimum days between password changes is 7
+- #### or more (Scored)
+- - var_accounts_minimum_age_login_defs=7
+- - accounts_minimum_age_login_defs
+-
+- #### 5.5.1.3 Ensure password expiration warning days is
+- #### 7
or more (Scored)
+- - var_accounts_password_warn_age_login_defs=7
+- - accounts_password_warn_age_login_defs
+-
+- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+- # TODO: Rule doesn't check list of users
+- # https://github.com/ComplianceAsCode/content/issues/5536
+- - var_account_disable_post_pw_expiration=30
+- - account_disable_post_pw_expiration
+-
+- #### 5.5.1.5 Ensure all users last password change date is
+- #### in the past (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+-
+- ### 5.5.2 Ensure system accounts are secured (Scored)
+- - no_shelllogin_for_systemaccounts
+-
+- ### 5.5.3 Ensure default user shell timeout is 900 seconds
+- ### or less (Scored)
+- - var_accounts_tmout=15_min
+- - accounts_tmout
+-
+- ### 5.5.4 Ensure default group for the root account is
+- ### GID 0 (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+-
+- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+- - var_accounts_user_umask=027
+- - accounts_umask_etc_bashrc
+- - accounts_umask_etc_profile
+-
+- ## 5.6 Ensure root login is restricted to system console (Not Scored)
+- - securetty_root_login_console_only
+- - no_direct_root_logins
+-
+- ## 5.7 Ensure access to the su command is restricted (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+-
+- # System Maintenance
+-
+- ## 6.1 System File Permissions
+-
+- ### 6.1.1 Audit system file permissions (Not Scored)
+- - rpm_verify_permissions
+- - rpm_verify_ownership
+-
+- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+- # chown root:root /etc/passwd
+- - file_owner_etc_passwd
+- - file_groupowner_etc_passwd
+-
+- # chmod 644 /etc/passwd
+- - file_permissions_etc_passwd
+-
+- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+- # chown root:root /etc/shadow
+- - file_owner_etc_shadow
+- - file_groupowner_etc_shadow
+-
+- # chmod o-rwx,g-wx
/etc/shadow +- - file_permissions_etc_shadow +- +- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) +- # chown root:root /etc/group +- - file_owner_etc_group +- - file_groupowner_etc_group +- +- # chmod 644 /etc/group +- - file_permissions_etc_group +- +- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) +- # chown root:root /etc/gshadow +- - file_owner_etc_gshadow +- - file_groupowner_etc_gshadow +- +- # chmod o-rwx,g-rw /etc/gshadow +- - file_permissions_etc_gshadow +- +- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) +- # chown root:root /etc/passwd- +- - file_owner_backup_etc_passwd +- - file_groupowner_backup_etc_passwd +- +- # chmod 644 /etc/passwd- +- - file_permissions_backup_etc_passwd +- +- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) +- # chown root:root /etc/shadow- +- - file_owner_backup_etc_shadow +- - file_groupowner_backup_etc_shadow +- +- # chmod 0000 /etc/shadow- +- - file_permissions_backup_etc_shadow +- +- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) +- # chown root:root /etc/group- +- - file_owner_backup_etc_group +- - file_groupowner_backup_etc_group +- +- # chmod 644 /etc/group- +- - file_permissions_backup_etc_group +- +- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) +- # chown root:root /etc/gshadow- +- - file_owner_backup_etc_gshadow +- - file_groupowner_backup_etc_gshadow +- +- # chmod 0000 /etc/gshadow- +- - file_permissions_backup_etc_gshadow +- +- ### 6.1.10 Ensure no world writable files exist (Scored) +- - file_permissions_unauthorized_world_writable +- +- ### 6.1.11 Ensure no unowned files or directories exist (Scored) +- - no_files_unowned_by_user +- +- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) +- - file_permissions_ungroupowned +- +- ### 6.1.13 Audit SUID executables (Not Scored) +- - file_permissions_unauthorized_suid +- +- ### 6.1.14 Audit SGID executables (Not Scored) +- - 
file_permissions_unauthorized_sgid +- +- ## 6.2 User and Group Settings +- +- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) +- - no_legacy_plus_entries_etc_passwd +- +- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) +- - no_legacy_plus_entries_etc_shadow +- +- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) +- - no_legacy_plus_entries_etc_group +- +- ### 6.2.6 Ensure root is the only UID 0 account (Scored) +- - accounts_no_uid_except_zero +- +- ### 6.2.7 Ensure users' home directories permissions are 750 +- ### or more restrictive (Scored) +- - file_permissions_home_dirs +- +- ### 6.2.8 Ensure users own their home directories (Scored) +- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 +- - file_groupownership_home_directories +- +- ### 6.2.9 Ensure users' dot files are not group or world +- ### writable (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 +- +- ### 6.2.10 Ensure no users have .forward files (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 +- +- ### 6.2.11 Ensure no users have .netrc files (Scored) +- - no_netrc_files +- +- ### 6.2.12 Ensure users' .netrc Files are not group or +- ### world accessible (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 +- +- ### 6.2.13 Ensure no users have .rhosts files (Scored) +- - no_rsh_trust_files +- +- ### 6.2.14 Ensure all groups in /etc/passwd exist in +- ### /etc/group (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503 +- +- ### 6.2.15 Ensure no duplicate UIDs exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 +- +- ### 6.2.16 Ensure no duplicate GIDs exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 +- +- ### 6.2.17 Ensure no duplicate user names exist (Scored) +- - account_unique_name +- +- ### 6.2.18 
Ensure no duplicate group names exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500 +- +- ### 6.2.19 Ensure shadow group is empty (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 +- +- ### 6.2.20 Ensure all users' home directories exist (Scored) +- - accounts_user_interactive_home_directory_exists ++ - cis_rhel8:all:l2_server +diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile +new file mode 100644 +index 0000000000..18314d9c46 +--- /dev/null ++++ b/products/rhel9/profiles/cis_server_l1.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server' ++ ++description: |- ++ This is a draft profile based on its RHEL8 version for experimental purposes. ++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of ++ the release. ++ ++selections: ++ - cis_rhel8:all:l1_server +diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile +new file mode 100644 +index 0000000000..3ce1c80089 +--- /dev/null ++++ b/products/rhel9/profiles/cis_workstation_l1.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation' ++ ++description: |- ++ This is a draft profile based on its RHEL8 version for experimental purposes. ++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of ++ the release. 
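Review bot: `documentation_complete: true` on a profile whose title is `[DRAFT]` and whose description calls it experimental means it is built and shipped like a finished profile, and `metadata.version: 1.0.1` will be read as a CIS RHEL9 benchmark version although, per the description, the selections are the RHEL8 benchmark controls (`cis_rhel8:all:l1_server`) re-used. Consider making the limitation explicit in the description, e.g. `Results from this profile do not demonstrate conformance with any CIS RHEL 9 benchmark; the version above is that of the RHEL 8 benchmark it was derived from.`, so scanner output is not mistaken for CIS RHEL9 compliance. The same applies to the sibling cis_workstation_l1 and cis_workstation_l2 profiles added in this commit.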
++ ++selections: ++ - cis_rhel8:all:l1_workstation +diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile +new file mode 100644 +index 0000000000..84d76b801f +--- /dev/null ++++ b/products/rhel9/profiles/cis_workstation_l2.profile +@@ -0,0 +1,19 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation' ++ ++description: |- ++ This is a draft profile based on its RHEL8 version for experimental purposes. ++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of ++ the release. ++ ++selections: ++ - cis_rhel8:all:l2_workstation + +From 11c06fcbc1c75bcc17a765d611449af66efcf3e0 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Fri, 20 Aug 2021 17:35:21 +0200 +Subject: [PATCH 2/4] Add RHEL9 CIS kickstarts + +Those are based on their RHEL8 counterparts +--- + products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg | 6 +- + .../kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 133 ++++++++++++++++ + .../ssg-rhel9-cis_workstation_l1-ks.cfg | 133 ++++++++++++++++ + .../ssg-rhel9-cis_workstation_l2-ks.cfg | 143 ++++++++++++++++++ + 4 files changed, 412 insertions(+), 3 deletions(-) + create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg + create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg + create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg + +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg +index 47685726dd..88290ff977 100644 +--- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg ++++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg +@@ -1,6 +1,6 @@ +-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 9 Server ++# SCAP Security Guide 
CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 9 Server + # Version: 0.0.1 +-# Date: 2021-07-13 ++# Date: 2021-08-12 + # + # Based on: + # https://pykickstart.readthedocs.io/en/latest/ +@@ -124,7 +124,7 @@ logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + # Harden installation with CIS profile + # For more details and configuration options see +-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program + %addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +new file mode 100644 +index 0000000000..d8d24e4394 +--- /dev/null ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +@@ -0,0 +1,133 @@ ++# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 9 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image 
++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_server_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot 
after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +new file mode 100644 +index 0000000000..fb6d0ab9a4 +--- /dev/null ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +@@ -0,0 +1,133 @@ ++# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot 
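Review bot: The kickstart ships three well-known credentials with their plaintext stated in comments — `rootpw --iscrypted $6$/0RYeeRdK70ynvYz$...` (`server`), the `admin` wheel user (`admin123`) and the GRUB password (`password`) — so any host installed from this file unmodified is protected only by hashes that are public in this repository. The surrounding comments explain how to produce an encrypted password but never say the sample values must be replaced; add a warning above the `rootpw` line such as `# WARNING: every password hash in this file is a public sample value; replace the root, admin and bootloader passwords (e.g. openssl passwd -6) before using this kickstart.` The `NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292)` comment appears to be carried over from RHEL 6 STIG content and has no bearing on the CIS profile this file applies; it should be dropped or rewritten for the CIS context. Minor: the bootloader section points readers to the `#rootpw` documentation anchor rather than the bootloader one.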
enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. 
++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg +new file mode 100644 +index 0000000000..037de3a1b9 +--- /dev/null ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg +@@ -0,0 +1,143 @@ ++# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory 
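Review bot: As in the server kickstart, this file carries public sample credentials — root `server`, `admin` `admin123`, GRUB `password` — as `--iscrypted` hashes whose plaintext is printed in the comments, and nothing tells the user they must be replaced; a warning above `rootpw` such as `# WARNING: the password hashes below are public sample values; replace root, admin and bootloader passwords before use.` would make that explicit. The header line `# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server` was copied from the server variant and should read `... for Red Hat Enterprise Linux 9 Workstation` (or just `Red Hat Enterprise Linux 9`) so it matches the `cis_workstation_l1` profile the `%addon` section selects. The RHEL 6 STIG reference `CCE-27021-5 (DISA FSO RHEL-06-000292)` in the network comment is likewise unrelated to this CIS kickstart.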
of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup 
--size=512 ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject + +From 6775cda905bce1f01cc8e89245f7f5d3f53a5b8d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 23 Aug 2021 10:16:50 +0200 +Subject: [PATCH 3/4] Add CCEs + +to rules that freshly made it into the RHEL9 CIS draft. 
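Review bot: The comment `# The following partition layout scheme assumes disk of size 20GB or larger` does not hold for the Level 2 layout: the fixed minimums (`/boot` 512, `/` 10240, `/home` 1024, `/tmp` 1024, `/var/tmp` 1024, `/var` 3072, `/var/log` 1024, `/var/log/audit` 512, swap 2016) add up to 20448 MiB, roughly 21.4 GB, so a 20 GB disk would presumably fail at partitioning; update it to `# The following partition layout scheme assumes disk of size 24GB or larger` or recompute the sizes. The `/var/log/audit` volume at 512 MiB is small for a Level 2 system that audits heavily, and audit log rotation behaviour on a full volume is outside this file — worth a comment noting the size is a minimum to be tuned. The same public sample credentials as the other kickstarts (root `server`, `admin` `admin123`, GRUB `password`) are present here too and warrant the same "replace before use" warning above `rootpw`. The header also says `for Red Hat Enterprise Linux 9 Server` although this is the Workstation profile.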
+--- + .../ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + + .../services/ssh/ssh_server/sshd_set_maxstartups/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 6 ------ + 7 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +index ee54a53dfd..059d25cc7c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82419-3 + cce@rhel8: CCE-82420-1 ++ cce@rhel9: CCE-86923-0 + cce@sle12: CCE-83077-8 + cce@sle15: CCE-83270-9 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +index 7aec7ffb2c..5a1bf4906e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +@@ -23,6 +23,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-90714-7 + cce@rhel8: CCE-90718-8 ++ cce@rhel9: CCE-87872-8 + + references: + cis@rhel7: 5.3.21 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +index 62b6f55e00..cf6c38d6f7 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83476-2 + cce@rhel8: CCE-83478-8 ++ cce@rhel9: CCE-86354-8 + + references: + cis-csc: 1,12,15,16,5 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +index 8cc56eb876..0eae61281f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83479-6 + cce@rhel8: CCE-83480-4 ++ cce@rhel9: CCE-89176-2 + + references: + cis-csc: 1,12,15,16,5 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index c94de8fa3e..151ad1ebe2 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -22,6 +22,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80199-3 + cce@rhel8: CCE-85914-0 ++ cce@rhel9: CCE-88059-1 + + references: + cis-csc: 11,3,9 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +index bc4fdcc7e0..d9c0be8ccf 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml ++++ 
b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83431-7 + cce@rhel8: CCE-85912-4 ++ cce@rhel9: CCE-85925-6 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 6c33c2e85f..e80f25156e 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -50,7 +50,6 @@ CCE-85921-5 + CCE-85922-3 + CCE-85923-1 + CCE-85924-9 +-CCE-85925-6 + CCE-85926-4 + CCE-85927-2 + CCE-85928-0 +@@ -458,7 +457,6 @@ CCE-86350-6 + CCE-86351-4 + CCE-86352-2 + CCE-86353-0 +-CCE-86354-8 + CCE-86355-5 + CCE-86356-3 + CCE-86357-1 +@@ -1016,7 +1014,6 @@ CCE-86919-8 + CCE-86920-6 + CCE-86921-4 + CCE-86922-2 +-CCE-86923-0 + CCE-86924-8 + CCE-86925-5 + CCE-86926-3 +@@ -1947,7 +1944,6 @@ CCE-87868-6 + CCE-87869-4 + CCE-87870-2 + CCE-87871-0 +-CCE-87872-8 + CCE-87873-6 + CCE-87874-4 + CCE-87875-1 +@@ -2132,7 +2128,6 @@ CCE-88055-9 + CCE-88056-7 + CCE-88057-5 + CCE-88058-3 +-CCE-88059-1 + CCE-88060-9 + CCE-88061-7 + CCE-88062-5 +@@ -3226,7 +3221,6 @@ CCE-89171-3 + CCE-89172-1 + CCE-89173-9 + CCE-89174-7 +-CCE-89176-2 + CCE-89177-0 + CCE-89178-8 + CCE-89179-6 + +From 6835e3d0d26ac210f2d376fdad647bb37cb22c8d Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Tue, 24 Aug 2021 10:43:22 +0200 +Subject: [PATCH 4/4] Increase partition size for CIS kickstarts + +--- + products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 2 +- + products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +- + products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 2 +- + products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +index d8d24e4394..1abcf90304 100644 +--- 
a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
++++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
+ # Ensure /tmp Located On Separate Partition
+ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+index fb6d0ab9a4..e18e86f474 100644
+--- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
+ # Ensure /tmp Located On Separate Partition
+ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch b/SOURCES/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
new file mode 100644
index 0000000..9878022
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
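Review bot: Raising the root LV minimum to `--size=16896` makes the layout's fixed minimums (`/boot` 512 + `/` 16896 + `/tmp` 1024 + swap 2016) total 20448 MiB, about 21.4 GB, so the header comment in the same file, `# The following partition layout scheme assumes disk of size 20GB or larger`, is no longer accurate and an install on a 20 GB disk would presumably fail at partitioning; that comment sits outside the hunk and should be updated, e.g. `# The following partition layout scheme assumes disk of size 24GB or larger`. The same arithmetic applies to the identical hunk in `ssg-rhel9-cis_server_l1-ks.cfg`. The diffstat also lists the two rhel8 kickstarts as changed while the patch body carries only the rhel9 hunks — presumably the downstream packager trimmed the upstream commit — so regenerating the diffstat would keep the patch self-consistent.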
@@ -0,0 +1,39 @@ +From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 24 Aug 2021 12:48:46 +0200 +Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it + RHEL8 CIS. + +This new selector is used to select explicit DEFAULT value in RHEL8 CIS +L1 profiles. The "default" selector cannot be selected and it causes +errors if used. +--- + controls/cis_rhel8.yml | 2 +- + .../software/integrity/crypto/var_system_crypto_policy.var | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 29d972427cf..c0d3f5f40de 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -553,7 +553,7 @@ controls: + automated: yes + rules: + - configure_crypto_policy +- - var_system_crypto_policy=default ++ - var_system_crypto_policy=default_policy + + # This rule works in conjunction with the configure_crypto_policy above. + # If a system is remediated to CIS Level 1, just the rule above will apply +diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var +index ce301154a39..8b89848d122 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var +@@ -13,6 +13,7 @@ interactive: false + + options: + default: DEFAULT ++ default_policy: DEFAULT + default_nosha1: "DEFAULT:NO-SHA1" + fips: FIPS + fips_ospp: "FIPS:OSPP" diff --git a/SOURCES/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch b/SOURCES/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch new file mode 100644 index 0000000..0336950 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch 
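Review bot: The new `default_policy: DEFAULT` option in var_system_crypto_policy.var carries exactly the same value as the `default: DEFAULT` entry kept directly above it, and the file itself gives no hint why two identical options exist; the reason (per the patch message, the `default` selector cannot be selected from a profile and errors if used) lives only in the commit text. A maintainer tidying the options list is likely to drop one of the two and reintroduce the problem. I would record it in the .var file above the pair, e.g. `# "default" is not selectable from a profile; select default_policy to get DEFAULT explicitly.`. Only cis_rhel8.yml is switched here; if any other control file still selects `default` it would presumably hit the same error, so that is worth checking before merging.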
@@ -0,0 +1,186 @@ +From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Aug 2021 15:05:35 +0200 +Subject: [PATCH 1/3] Add cpe platform for s390x arch + +--- + .../guide/system/bootloader-zipl/group.yml | 2 +- + shared/applicability/arch.yml | 12 +++++++ + shared/applicability/general.yml | 5 --- + ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++----------- + .../proc_sys_kernel_osrelease_arch_s390x.xml | 33 +++++++++++++++++++ + 5 files changed, 48 insertions(+), 26 deletions(-) + create mode 100644 shared/applicability/arch.yml + create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml + +diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml +index 64c6c8dffbe..4f8ce753726 100644 +--- a/linux_os/guide/system/bootloader-zipl/group.yml ++++ b/linux_os/guide/system/bootloader-zipl/group.yml +@@ -8,4 +8,4 @@ description: |- + options to it. + The default {{{ full_name }}} boot loader for s390x systems is called zIPL. 
+ +-platform: zipl ++platform: s390x_arch +diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml +new file mode 100644 +index 00000000000..48b2aa3ef30 +--- /dev/null ++++ b/shared/applicability/arch.yml +@@ -0,0 +1,12 @@ ++cpes: ++ ++ - not_s390x_arch: ++ name: "cpe:/a:not_s390x_arch" ++ title: "System architecture is not S390X" ++ check_id: proc_sys_kernel_osrelease_arch_not_s390x ++ ++ - s390x_arch: ++ name: "cpe:/a:s390x_arch" ++ title: "System architecture is S390X" ++ check_id: proc_sys_kernel_osrelease_arch_s390x ++ +diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml +index 7382b7dd302..6e3ecfd9bf9 100644 +--- a/shared/applicability/general.yml ++++ b/shared/applicability/general.yml +@@ -24,11 +24,6 @@ cpes: + title: "Package net-snmp is installed" + check_id: installed_env_has_net-snmp_package + +- - not_s390x_arch: +- name: "cpe:/a:not_s390x_arch" +- title: "System architecture is not S390X" +- check_id: proc_sys_kernel_osrelease_arch_not_s390x +- + - nss-pam-ldapd: + name: "cpe:/a:nss-pam-ldapd" + title: "Package nss-pam-ldapd is installed" +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml +index 1fc625a1e75..d95ce249c49 100644 +--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml +@@ -9,26 +9,8 @@ + Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x + + +- ++ + + +- +- +- +- +- +- +- /proc/sys/kernel/osrelease +- ^.*\.(.*)$ +- 1 +- +- +- +- ^s390x$ +- +- + +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml +new file mode 100644 +index 00000000000..abc6f1b0b88 +--- /dev/null ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml +@@ -0,0 +1,33 @@ ++ ++ ++ ++ Test for different architecture than s390x ++ ++ 
multi_platform_all ++ ++ Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/sys/kernel/osrelease ++ ^.*\.(.*)$ ++ 1 ++ ++ ++ ++ ^s390x$ ++ ++ + +From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Aug 2021 16:16:11 +0200 +Subject: [PATCH 2/3] Remove zipl CPE platform + +The package names for zipl changed recently. +As zipl is an s390 exclusive, lets use the arch check instead of +package name check. +--- + shared/applicability/bootloaders.yml | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml +index 57832118447..6856578621c 100644 +--- a/shared/applicability/bootloaders.yml ++++ b/shared/applicability/bootloaders.yml +@@ -4,8 +4,3 @@ cpes: + name: "cpe:/a:grub2" + title: "Package grub2 is installed" + check_id: installed_env_has_grub2_package +- +- - zipl: +- name: "cpe:/a:zipl" +- title: "System uses zipl" +- check_id: installed_env_has_zipl_package + +From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Tue, 17 Aug 2021 19:53:59 +0200 +Subject: [PATCH 3/3] Fix typo in check title +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml + +Co-authored-by: Jan Černý +--- + shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml +index abc6f1b0b88..7f416de6475 100644 +--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml +@@ -2,7 +2,7 @@ + + +- Test for different architecture than s390x ++ Test that the architecture is s390x + + multi_platform_all + 
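Review bot: The new proc_sys_kernel_osrelease_arch_s390x check (and the not_s390x check that now appears to reference it, though the XML tags are stripped in this rendering) derives the architecture from the text after the last `.` of /proc/sys/kernel/osrelease via `^.*\.(.*)$` and compares it against `^s390x$`, so it only classifies correctly when the kernel release string ends in the architecture suffix, e.g. `.s390x`. On a kernel whose release string lacks that suffix the captured group is something else, `s390x_arch` never matches, and everything gated on it (after this patch, the bootloader-zipl group) would be treated as not applicable rather than evaluated. Since a CPE platform acts as an applicability gate, that limitation deserves a sentence in the check's description, e.g. `Assumes the kernel release string ends with the architecture suffix; kernels built without it are classified as not s390x.`. Separately, PATCH 2/3 deletes the `zipl` CPE together with its `installed_env_has_zipl_package` reference; it is worth confirming nothing else still points at that check id.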
diff --git a/SOURCES/scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch b/SOURCES/scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
new file mode 100644
index 0000000..1379e75
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
@@ -0,0 +1,74 @@ +From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 18 Aug 2021 16:17:15 +0200 +Subject: [PATCH 1/2] Come up with a better basename + +On Red Hat systems, there is 50-redhat.conf, so +60-complianceascode.conf seems to be a generally good fit. +--- + shared/templates/sshd_lineinfile/bash.template | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template +index eac758e310b..e15ab9521b8 100644 +--- a/shared/templates/sshd_lineinfile/bash.template ++++ b/shared/templates/sshd_lineinfile/bash.template +@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d + touch /etc/ssh/sshd_config.d/hardening + {{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}} + {{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}} ++{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}} + {{{ set_config_file( +- path="/etc/ssh/sshd_config.d/hardening", ++ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename, + parameter=PARAMETER, + value=VALUE, + create=true, + +From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 18 Aug 2021 17:51:17 +0200 +Subject: [PATCH 2/2] Fix the sshd directory config check + +The check should consider only files matching .*\.conf +--- + .../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++-- + .../tests/correct_value_directory.pass.sh | 2 +- + shared/macros-oval.jinja | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh +index 177a99e0b82..6e064ffc739 100644 +--- 
a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh +@@ -11,5 +11,5 @@ else + echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config + fi + +-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config +-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config ++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf ++echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh +index 0aa2e775dbe..acb650915fe 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh +@@ -11,4 +11,4 @@ else + echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config + fi + +-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct ++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index 87e0fd7d87d..f2fa7d79fc8 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -227,7 +227,7 @@ + {{%- endmacro %}} + + {{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}} +-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}} ++{{{- oval_line_in_file_object(path=path, section=section, 
prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}} + {{%- endmacro %}} + + {{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}} diff --git a/SOURCES/scap-security-guide-0.1.58-sshd_directory-PR_6926.patch b/SOURCES/scap-security-guide-0.1.58-sshd_directory-PR_6926.patch new file mode 100644 index 0000000..a131424 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-sshd_directory-PR_6926.patch 
@@ -0,0 +1,664 @@ +From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 29 Apr 2021 16:54:03 +0200 +Subject: [PATCH 1/6] Updated checks and remediations of the sshd template. + +Configuration of sshd moves from one config file to a config directory. +Therefore, checks should consider all those files, and the remediation should aim +to deliver fixes to one of those files in the config directory. + +Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products. +--- + .../tests/commented.fail.sh | 7 ++ + .../tests/conflict.fail.sh | 15 ++++ + .../tests/correct_value_directory.pass.sh | 14 ++++ + shared/macros-bash.jinja | 9 +++ + shared/macros-oval.jinja | 61 +++++++++++------ + .../templates/sshd_lineinfile/bash.template | 22 ++++++ + .../templates/sshd_lineinfile/oval.template | 68 +++++++++++++++++-- + 7 files changed, 168 insertions(+), 28 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh +new file mode 100644 +index 00000000000..484c2165532 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then ++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config ++else ++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config ++fi +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh +new file mode 100644 +index 00000000000..177a99e0b82 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++# platform = Fedora,Red Hat Enterprise Linux 9 ++ ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/nothing ++ ++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++else ++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config ++fi ++ ++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config ++echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh +new file mode 100644 +index 00000000000..0aa2e775dbe +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++ ++# platform = Fedora,Red Hat Enterprise Linux 9 ++ ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/nothing ++ ++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then ++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ++else ++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config ++fi ++ ++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 1cd2c62b5e0..b4518d83c19 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ 
-471,6 +471,15 @@ fi + LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}" + {{%- endmacro -%}} + ++{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}} ++ {{%- if insensitive -%}} ++ {{%- set modifier="Id" -%}} ++ {{%- else -%}} ++ {{%- set modifier="d" -%}} ++ {{%- endif -%}} ++LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/* ++{{%- endmacro -%}} ++ + {{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}} + {{%- if insensitive -%}} + {{%- set grep_args="-q -m 1 -i" -%}} +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index be2ac268206..d38db96d9e3 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -92,15 +92,18 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + #}} +-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}} ++{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- set prefix_text = "Check the" -%}} + {{%- if missing_parameter_pass %}} + {{%- set suffix_id = suffix_id_default_not_overriden -%}} + {{%- set prefix_text = prefix_text + " absence of" -%}} + {{%- endif %}} +- ++{{%- if not comment -%}} ++{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}} ++{{%- endif -%}} ++ + {{%- endmacro %}} + + {{# +@@ -110,7 +113,7 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
+ #}} +-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}} ++{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- if missing_parameter_pass %}} + {{%- set check_existence = "none_exist" -%}} +@@ -120,14 +123,14 @@ + {{%- set check_existence = "all_exist" -%}} + {{%- set prefix_text = "value" -%}} + {{%- endif %}} +- +- ++ id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1"> ++ + {{%- if not missing_parameter_pass %}} +- ++ + {{%- endif %}} +- ++ + {{%- endmacro %}} + + {{# +@@ -141,7 +144,7 @@ + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + #}} +-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}} ++{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- if multi_value -%}} + {{%- set group_regex = "([^#]*).*$" -%}} +@@ -173,16 +176,16 @@ + {{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}} + {{%- endif %}} + {{%- endif %}} +- ++ + {{%- if filepath_regex %}} +- {{{ path }}} +- {{{ filepath_regex }}} ++ {{{ path }}} ++ {{{ filepath_regex }}} + {{%- else %}} +- {{{ path }}} ++ {{{ path }}} + {{%- endif %}} +- {{{ regex }}} +- 1 +- ++ {{{ regex }}} ++ 1 ++ + {{%- endmacro %}} + + {{# +@@ -193,7 +196,7 @@ + - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. 
Specify one or more quote types as a string. + For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. + #}} +-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}} ++{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}} + {{%- set regex = value -%}} + {{%- if quotes != "" %}} + {{%- if "\\1" in value > 0 %}} +@@ -206,9 +209,25 @@ + {{%- else %}} + {{%- set regex = "^"+regex+"$" -%}} + {{%- endif %}} +- +- {{{ regex }}} +- ++ ++ {{{ regex }}} ++ ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}} ++{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}} ++{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}} ++{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}} ++{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}} + {{%- endmacro %}} + + {{# +diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template +index ca1b512bb3d..eac758e310b 100644 +--- a/shared/templates/sshd_lineinfile/bash.template 
++++ b/shared/templates/sshd_lineinfile/bash.template +@@ -3,4 +3,26 @@ + # strategy = restrict + # complexity = low + # disruption = low ++{{%- if product in ("fedora", "rhel9") %}} ++{{%- set prefix_regex = "^\s*" -%}} ++{{%- set separator_regex = "\s\+" -%}} ++{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}} ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/hardening ++{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}} ++{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}} ++{{{ set_config_file( ++ path="/etc/ssh/sshd_config.d/hardening", ++ parameter=PARAMETER, ++ value=VALUE, ++ create=true, ++ insert_after="", ++ insert_before="^Match", ++ insensitive=true, ++ separator=" ", ++ separator_regex=separator_regex, ++ prefix_regex=prefix_regex) ++ }}} ++{{%- else %}} + {{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}} ++{{%- endif %}} +diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template +index df63d542505..2cc38776eb2 100644 +--- a/shared/templates/sshd_lineinfile/oval.template ++++ b/shared/templates/sshd_lineinfile/oval.template +@@ -1,7 +1,61 @@ +-{{{ +-oval_sshd_config( +- parameter=PARAMETER, +- value=VALUE, +- missing_parameter_pass=MISSING_PARAMETER_PASS +-) +-}}} ++{{%- set config_path = "/etc/ssh/sshd_config" %}} ++{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}} ++{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}} ++{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}} ++{{%- if product in products_with_distributed_configuration %}} ++{{%- set description = description ~ " and in " ~ config_dir -%}} ++{{%- endif %}} ++{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} ++ ++ ++ ++ {{{ oval_metadata(description) }}} ++ ++ ++ ++ ++ ++ ++ 
++ ++ ++ {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}} ++ {{%- if MISSING_PARAMETER_PASS %}} ++ ++ {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}} ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}} ++ {{%- endif %}} ++ ++ {{%- endif %}} ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}} ++ {{%- endif %}} ++ ++ ++ ++ ++ {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}} ++ {{{ oval_line_in_file_state(VALUE) | indent (2) }}} ++ ++ {{%- if MISSING_PARAMETER_PASS %}} ++ {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}} ++ {{%- endif %}} ++ ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}} ++ {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}} ++ {{{ oval_line_in_directory_state(VALUE) | indent (2) }}} ++ ++ {{%- if MISSING_PARAMETER_PASS %}} ++ {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}} ++ {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}} ++ {{%- endif %}} ++ {{%- endif %}} ++ + +From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 30 Apr 2021 11:52:22 +0200 +Subject: [PATCH 
2/6] Improved the lineinfile template. + +It now escapes the text contents if parts of them could be incorrectly interpreted as regexes. +--- + shared/macros-bash.jinja | 2 +- + shared/templates/lineinfile/oval.template | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index b4518d83c19..d654a0e0e89 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 + # prefix_regex: regular expression describing allowed leading characters at each line + #}} + {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}} +- {{%- set line_regex = prefix_regex+parameter+separator_regex -%}} ++ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}} + {{%- set new_line = parameter+separator+value -%}} + if [ -e "{{{ path }}}" ] ; then + {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}} +diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template +index a38856d9177..644327b7d6e 100644 +--- a/shared/templates/lineinfile/oval.template ++++ b/shared/templates/lineinfile/oval.template +@@ -1,4 +1,4 @@ +-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}} ++{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}} + + + {{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}} + +From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 30 Apr 2021 11:54:12 +0200 +Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule. + +The rule makes sure that the sshd configuration is distributed in the +/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory +in another rules. 
+--- + .../bash/shared.sh | 15 ++++++++++ + .../oval/shared.xml | 29 +++++++++++++++++++ + .../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++ + .../tests/match.fail.sh | 4 +++ + .../tests/simple.fail.sh | 3 ++ + .../tests/simple.pass.sh | 4 +++ + shared/references/cce-redhat-avail.txt | 1 - + shared/templates/extra_ovals.yml | 6 ++++ + 8 files changed, 87 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +new file mode 100644 +index 00000000000..2ff58ec373c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +@@ -0,0 +1,15 @@ ++# platform = multi_platform_all ++ ++{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}} ++if test -f {{{ target_file}}}; then ++ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}} ++else ++ mkdir -p /etc/ssh/sshd_config.d ++ mv /etc/ssh/sshd_config {{{ target_file }}} ++cat > /etc/ssh/sshd_config << EOF ++# To modify the system-wide sshd configuration, create a *.conf file under ++# /etc/ssh/sshd_config.d/ which will be automatically included below ++ 
++Include /etc/ssh/sshd_config.d/*.conf ++EOF ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +new file mode 100644 +index 00000000000..0ffb429adff +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +@@ -0,0 +1,29 @@ ++{{%- set config_path = "/etc/ssh/sshd_config" %}} ++ ++ ++ ++ {{{ oval_metadata("foo") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}} ++ ++ ++ ++ ++ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}} ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml +new file mode 100644 +index 00000000000..8c370036e61 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel9 ++ ++title: 'Distribute the SSH Server configuration to multiple files in a config directory.' ++ ++description: |- ++ Make sure to have the Include /etc/ssh/sshd_config.d/*.conf line in the /etc/ssh/sshd_config file. ++ Ideally, don't have any active configuration directives in that file, and distribute the service configuration ++ to several files in the /etc/ssh/sshd_config.d directory. ++ ++rationale: |- ++ This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the /etc/ssh/sshd_config.d config directory are effective, there has to be a rule that ensures this. 
++ Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87681-3 ++ ++ocil_clause: "you don't include other configuration files from the main configuration file" ++ ++ocil: |- ++ To determine whether the SSH server includes configuration files from the right directory, run the following command: ++
    $ sudo grep -i '^Include' /etc/ssh/sshd_config
    ++ If a line Include /etc/ssh/sshd_config.d/*.conf is returned, then the configuration file inclusion is set correctly. +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh +new file mode 100644 +index 00000000000..fa2ee0654f2 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++echo "Match something" >> /etc/ssh/sshd_config ++echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh +new file mode 100644 +index 00000000000..a6013ad7cfa +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh +new file mode 100644 +index 00000000000..7a26f521415 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++# Handling of case-insensitivity of include is tricky ++echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 73d025484e6..40a2b9b5868 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1780,7 +1780,6 @@ CCE-87677-1 + CCE-87678-9 + CCE-87679-7 + 
CCE-87680-5
+-CCE-87681-3
+ CCE-87682-1
+ CCE-87683-9
+ CCE-87684-7
+diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
+index 095d911ee1c..69062ebe541 100644
+--- a/shared/templates/extra_ovals.yml
++++ b/shared/templates/extra_ovals.yml
+@@ -57,3 +57,9 @@ service_syslog_disabled:
+ vars:
+ servicename: syslog
+ packagename: rsyslog
++
++sshd_includes_config_files:
++ name: lineinfile
++ vars:
++ path: /etc/ssh/sshd_config
++ text: "Include /etc/ssh/sshd_config.d/*.conf"
+
+From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Tue, 11 May 2021 16:06:29 +0200
+Subject: [PATCH 4/6] Improved error reporting related to macros.
+
+---
+ ssg/jinja.py | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/ssg/jinja.py b/ssg/jinja.py
+index a46246ad0fb..28edd9a6dcd 100644
+--- a/ssg/jinja.py
++++ b/ssg/jinja.py
+@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None):
+
+ add_python_functions(substitutions_dict)
+ try:
+- update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict)
+- update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict)
++ filenames = [
++ JINJA_MACROS_BASE_DEFINITIONS,
++ JINJA_MACROS_HIGHLEVEL_DEFINITIONS,
++ JINJA_MACROS_ANSIBLE_DEFINITIONS,
++ JINJA_MACROS_BASH_DEFINITIONS,
++ JINJA_MACROS_OVAL_DEFINITIONS,
++ JINJA_MACROS_IGNITION_DEFINITIONS,
++ JINJA_MACROS_KUBERNETES_DEFINITIONS,
++ ]
++ for filename in filenames:
++ update_substitutions_dict(filename, substitutions_dict)
+ except Exception as exc:
+- msg = ("Error extracting macro definitions: {0}"
+- .format(str(exc)))
++ msg = ("Error extracting macro definitions from '{1}': {0}"
++ .format(str(exc), filename))
+ raise RuntimeError(msg)
+
+ return substitutions_dict
+
+From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Tue, 11 May 2021 16:44:50 +0200
+Subject: [PATCH 5/6] Removed devault values that are variables from Jinja
+
+Support in older jinja2 packages is not in a good shape.
+---
+ shared/macros-oval.jinja | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
+index d38db96d9e3..87e0fd7d87d 100644
+--- a/shared/macros-oval.jinja
++++ b/shared/macros-oval.jinja
+@@ -92,7 +92,8 @@
+ - parameter (String): The parameter to be checked in the configuration file.
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+ #}}
+-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
++{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}}
++{{%- set id_stem = id_stem or rule_id -%}}
+ {{%- set suffix_id = "" -%}}
+ {{%- set prefix_text = "Check the" -%}}
+ {{%- if missing_parameter_pass %}}
+@@ -113,7 +114,8 @@
+ - parameter (String): The parameter to be checked in the configuration file.
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
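Review bot: The rewritten except clause in load_macros reports `filename`, which is only bound by the for loop inside the same try; should anything in the try body raise before the loop starts, the handler would fail with a NameError instead of the intended RuntimeError, and relying on a loop variable escaping the loop reads as accidental. Building the list outside the try and keeping only the loop inside makes the binding certain: move `filenames = [ ... ]` above `try:` and leave `for filename in filenames:` as the sole try body, or initialise `filename = None` before the try. A short comment on the handler, `# filename is the macro file being processed when the error occurred`, would also make the intent clear. load_macros begins before this hunk.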
+ #}}
+-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
++{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}}
++{{%- set id_stem = id_stem or rule_id -%}}
+ {{%- set suffix_id = "" -%}}
+ {{%- if missing_parameter_pass %}}
+ {{%- set check_existence = "none_exist" -%}}
+@@ -144,7 +146,8 @@
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ #}}
+-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
++{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}}
++{{%- set id_stem = id_stem or rule_id -%}}
+ {{%- set suffix_id = "" -%}}
+ {{%- if multi_value -%}}
+ {{%- set group_regex = "([^#]*).*$" -%}}
+@@ -196,7 +199,8 @@
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
+ #}}
+-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
++{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}}
++{{%- set id_stem = id_stem or rule_id -%}}
+ {{%- set regex = value -%}}
+ {{%- if quotes != "" %}}
+ {{%- if "\\1" in value > 0 %}}
+
+From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Fri, 30 Jul 2021 17:25:25 +0200
+Subject: [PATCH 6/6] Don't remediate when it is inappropriate
+
+Don't remediate when the config file already contains the include
+directive.
+---
+ .../sshd_use_directory_configuration/bash/shared.sh | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+index 2ff58ec373c..9317b23992d 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+@@ -1,12 +1,15 @@
+ # platform = multi_platform_all
+
+ {{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
++{{% set base_config = "/etc/ssh/sshd_config" -%}}
+ if test -f {{{ target_file}}}; then
+ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
++elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then
++ {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}
+ else
+ mkdir -p /etc/ssh/sshd_config.d
+- mv /etc/ssh/sshd_config {{{ target_file }}}
+-cat > /etc/ssh/sshd_config << EOF
++ mv {{{ base_config }}} {{{ target_file }}}
++cat > {{{ base_config }}} << EOF
+ # To modify the system-wide sshd configuration, create a *.conf file under
+ # /etc/ssh/sshd_config.d/ which will be automatically included below
+
diff --git a/SOURCES/scap-security-guide-0.1.58-various_fixes-PR_7335.patch b/SOURCES/scap-security-guide-0.1.58-various_fixes-PR_7335.patch
new file mode 100644
index 0000000..56d209c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-various_fixes-PR_7335.patch
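Review bot: The new `elif` early exit uses case-sensitive greps (`grep -Eq '^\s*Include\s+...'` and `grep -Eq '^\s*Match\s'`) while sshd keywords are case-insensitive and the rule's OVAL object matches the keyword under `(?i)`; a config that already carries `include /etc/ssh/sshd_config.d/*.conf` in lower case would not be recognised as done, and the remediation would move that file, Include line and all, into the directory it includes, which is presumably not intended. Using `grep -Eiq` in both tests keeps the remediation consistent with the check. The `if`/`elif`/`else` block and the heredoc it writes continue past the end of this hunk.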
@@ -0,0 +1,942 @@ +From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Fri, 30 Jul 2021 16:57:13 +0200 +Subject: [PATCH 1/5] Enable more RHEL9 content + +--- + .../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++- + .../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +- + .../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ---- + .../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++- + .../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++- + .../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++- + .../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++- + .../installed_OS_is_FIPS_certified/oval/shared.xml | 1 + + .../rule.yml | 3 ++- + products/rhel9/profiles/hipaa.profile | 6 +++--- + products/rhel9/profiles/ospp.profile | 8 ++++---- + products/rhel9/profiles/pci-dss.profile | 4 ++-- + shared/references/cce-redhat-avail.txt | 6 ------ + 13 files changed, 23 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml +index f43f92c2f15..c0fbe2c5e34 100644 +--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,rhel8,rhcos4 ++prodtype: ol8,rhel8,rhel9,rhcos4 + + title: 'Configure session renegotiation for SSH client' + +@@ -27,6 +27,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82880-6 ++ cce@rhel9: CCE-87522-9 + + references: + disa: CCI-000068 +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh +index 7d4faedfb47..d8063726fb4 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh ++++ 
b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol + + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh +index 94767ad5993..4cbf5c84651 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh +@@ -1,9 +1,5 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux + {{%- if init_system == "systemd" -%}} +-{{% if product in ["rhel7", "rhel8"] %}} +-# The process to disable ctrl+alt+del has changed in RHEL7. 
+-# Reference: https://access.redhat.com/solutions/1123873 +-{{% endif %}} + systemctl disable --now ctrl-alt-del.target + systemctl mask --now ctrl-alt-del.target + {{%- else -%}} +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +index 0652fbeadaf..9c6534cf401 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Install the pcsc-lite package' + +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82347-6 + cce@rhel8: CCE-80993-9 ++ cce@rhel9: CCE-86280-5 + + references: + disa: CCI-001954 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +index e14db48c22a..6472ade5791 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 + + title: 'Enable the pcscd Service' + +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80569-7 + cce@rhel8: CCE-80881-6 ++ cce@rhel9: CCE-87907-2 + + references: + disa: CCI-001954 +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +index a6862c2af25..984a8cf333e 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 + + title: 'Enforce usage of pam_wheel for su authentication' + +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-85855-5 + cce@rhel8: CCE-83318-6 ++ cce@rhel9: CCE-90085-2 + + references: + cis@rhel7: "5.7" +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +index 1b71c7d3acd..3779b396b4e 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004 ++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004 + + title: 'Ensure the Default C Shell Umask is Set Correctly' + +@@ -20,6 +20,7 @@ identifiers: + cce@rhcos4: CCE-84261-7 + cce@rhel7: CCE-80203-3 + cce@rhel8: CCE-81037-4 ++ cce@rhel9: CCE-87721-7 + + references: + cis-csc: '18' +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +index a65bec7348c..3a4847ff9d8 100644 +--- 
a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +@@ -6,6 +6,7 @@ + + + ++ + + + +diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +index 8b6577226fb..4f49b3b825d 100644 +--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel8 ++prodtype: rhel8,rhel9 + + title: 'Install dnf-plugin-subscription-manager Package' + +@@ -17,6 +17,7 @@ severity: medium + + identifiers: + cce@rhel8: CCE-82315-3 ++ cce@rhel9: CCE-89879-1 + + references: + ism: 0940,1144,1467,1472,1483,1493,1494,1495 +diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile +index 1e0ea047b98..797c62708e2 100644 +--- a/products/rhel9/profiles/hipaa.profile ++++ b/products/rhel9/profiles/hipaa.profile +@@ -33,9 +33,9 @@ selections: + - require_singleuser_auth + - restrict_serial_port_logins + - securetty_root_login_console_only +- - service_debug-shell_disabled # not supported in RHEL9 ATM +- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM +- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM ++ - service_debug-shell_disabled ++ - disable_ctrlaltdel_reboot ++ - disable_ctrlaltdel_burstaction + - dconf_db_up_to_date + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 0ae391c60bf..adec0cbd774 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ 
b/products/rhel9/profiles/ospp.profile +@@ -107,7 +107,7 @@ selections: + - var_accounts_user_umask=027 + - accounts_umask_etc_profile + - accounts_umask_etc_bashrc +-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM ++ - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed +@@ -177,7 +177,7 @@ selections: + - package_aide_installed + - package_dnf-automatic_installed + - package_subscription-manager_installed +-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM ++ - package_dnf-plugin-subscription-manager_installed + - package_firewalld_installed + - package_openscap-scanner_installed + - package_policycoreutils_installed +@@ -221,7 +221,7 @@ selections: + - securetty_root_login_console_only + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember +-# - use_pam_wheel_for_su # not supported in RHEL9 ATM ++ - use_pam_wheel_for_su + + ### SELinux Configuration + - var_selinux_state=enforcing +@@ -422,7 +422,7 @@ selections: + - kerberos_disable_no_keytab + + # set ssh client rekey limit +-# - ssh_client_rekey_limit # not supported in RHEL9 ATM ++ - ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + +diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile +index af347501989..1fe85d39ae0 100644 +--- a/products/rhel9/profiles/pci-dss.profile ++++ b/products/rhel9/profiles/pci-dss.profile +@@ -121,8 +121,8 @@ selections: + - var_smartcard_drivers=cac + - configure_opensc_card_drivers + - force_opensc_card_drivers +-# - package_pcsc-lite_installed # not supported in RHEL9 ATM +-# - service_pcscd_enabled # not supported in RHEL9 ATM ++ - package_pcsc-lite_installed ++ - service_pcscd_enabled + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_logindefs +diff --git a/shared/references/cce-redhat-avail.txt 
b/shared/references/cce-redhat-avail.txt +index aa0b30da834..e78838a45aa 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -396,7 +396,6 @@ CCE-86276-3 + CCE-86277-1 + CCE-86278-9 + CCE-86279-7 +-CCE-86280-5 + CCE-86281-3 + CCE-86282-1 + CCE-86283-9 +@@ -1618,7 +1617,6 @@ CCE-87518-7 + CCE-87519-5 + CCE-87520-3 + CCE-87521-1 +-CCE-87522-9 + CCE-87523-7 + CCE-87525-2 + CCE-87526-0 +@@ -1812,7 +1810,6 @@ CCE-87717-5 + CCE-87718-3 + CCE-87719-1 + CCE-87720-9 +-CCE-87721-7 + CCE-87722-5 + CCE-87723-3 + CCE-87724-1 +@@ -1994,7 +1991,6 @@ CCE-87903-1 + CCE-87904-9 + CCE-87905-6 + CCE-87906-4 +-CCE-87907-2 + CCE-87908-0 + CCE-87909-8 + CCE-87910-6 +@@ -3932,7 +3928,6 @@ CCE-89874-2 + CCE-89875-9 + CCE-89877-5 + CCE-89878-3 +-CCE-89879-1 + CCE-89880-9 + CCE-89881-7 + CCE-89882-5 +@@ -4135,7 +4130,6 @@ CCE-90081-1 + CCE-90082-9 + CCE-90083-7 + CCE-90084-5 +-CCE-90085-2 + CCE-90086-0 + CCE-90087-8 + CCE-90088-6 + +From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 4 Aug 2021 16:30:45 +0200 +Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules + +--- + .../configure_bashrc_exec_tmux/bash/shared.sh | 2 +- + .../configure_tmux_lock_after_time/bash/shared.sh | 2 +- + .../configure_tmux_lock_command/bash/shared.sh | 2 +- + .../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +- + .../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh +index 0c544bfbb82..737d725872d 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh ++++ 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 ++# platform = multi_platform_all + + if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then + cat >> /etc/bashrc <<'EOF' +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh +index 233047afcbc..947e1dd7ee5 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 ++# platform = multi_platform_all + + tmux_conf="/etc/tmux.conf" + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh +index f2430618ab3..0c11c1224e2 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora ++# platform = multi_platform_all + + tmux_conf="/etc/tmux.conf" + +diff --git 
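Review bot: `# platform = multi_platform_all` on configure_bashrc_exec_tmux/bash/shared.sh is broader than the script's body supports, since it still tests and appends to `/etc/bashrc`, the RHEL-family system-wide bashrc; on products whose global bashrc lives at another path the remediation would presumably create a new `/etc/bashrc` that is never sourced. The same widening is applied in the configure_tmux_lock_after_time, configure_tmux_lock_command and no_tmux_in_shells hunks below. If the goal is only to pick up RHEL 9, a platform list that names the families the script was written for (the enable_fips_mode hunk in this same patch uses `multi_platform_rhel` for that purpose) expresses it without opening the script to every product.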
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh +index 45c43e8d374..60e0a7e34c8 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 ++# platform = multi_platform_all + + if grep -q 'tmux$' /etc/shells ; then + sed -i '/tmux$/d' /etc/shells +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +index 87476a7b315..c98847ded72 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +@@ -1,3 +1,3 @@ +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4 ++# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4 + + fips-mode-setup --enable + +From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 4 Aug 2021 17:56:57 +0200 +Subject: [PATCH 3/5] Update the grub config path + +RHEL9 and Fedora EFI/legacy grub paths have been unified: +https://fedoraproject.org/wiki/Changes/UnifyGrubConfig + +The location of Ubuntu EFI grub paths has been estimated from +https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg + +Location of SLE EFI grub paths has been taken from existing rules +--- + .../grub2_uefi_admin_username/oval/shared.xml | 16 ++++--------- + 
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +- + .../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------ + .../uefi/grub2_uefi_password/rule.yml | 10 ++++---- + .../uefi_no_removeable_media/oval/shared.xml | 16 ++++--------- + products/fedora/product.yml | 2 ++ + products/rhel7/product.yml | 2 ++ + products/rhel8/product.yml | 2 ++ + products/rhel9/product.yml | 2 ++ + products/sle12/product.yml | 2 ++ + products/sle15/product.yml | 1 + + products/ubuntu1604/product.yml | 1 + + products/ubuntu1804/product.yml | 1 + + products/ubuntu2004/product.yml | 1 + + ssg/constants.py | 1 + + ssg/products.py | 4 ++++ + tests/shared/grub2.sh | 10 +++++--- + 17 files changed, 50 insertions(+), 47 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml +index 8545e8ab2c7..7950c15a848 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml +@@ -1,26 +1,20 @@ +-{{% if product == "fedora" %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}} +-{{% else %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}} +-{{% endif %}} +- + + + {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}} + + +- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}} +- ++ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}} ++ + + + +- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}} ++ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}} + +- ++ + + + +- {{{ grub_cfg_prefix + "/grub.cfg" }}} ++ {{{ grub2_uefi_boot_path + "/grub.cfg" }}} + ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ + 1 + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml 
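Review bot: grub2_uefi_admin_username/oval/shared.xml now renders `grub2_uefi_boot_path + "/grub.cfg"` in place of the removed product-conditional `grub_cfg_prefix`, so every product that builds this rule has to define that variable; the diffstat shows product.yml additions only for fedora, rhel7/8/9, sle12/15 and the ubuntu products, so a product outside that list (ol7/ol8/rhv4, say) would render the path from an undefined variable unless the ssg/products.py change in this patch, which is not visible here, supplies a default. The same dependency is introduced in the grub2_uefi_password and uefi_no_removeable_media OVAL hunks. A one-line `{{# grub2_uefi_boot_path is set per product in products/<product>/product.yml #}}` at the top of each template would record where the value comes from.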
b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 8a98cbdc95f..128d7cc1cb8 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -20,7 +20,7 @@ description: |- + Once the superuser account has been added, + update the + grub.cfg file by running: +-
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    ++
    grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
    + + rationale: |- + Having a non-default grub superuser username makes password-guessing attacks less effective. +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +index 230aab73139..a67c8ad99bb 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +@@ -1,32 +1,26 @@ +-{{% if product == "fedora" %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}} +-{{% else %}} +-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}} +-{{% endif %}} +- + + + {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}} + + +- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}} ++ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}} + + +- +- ++ ++ + +- ++ + + + + +- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}} ++ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}} + +- ++ + + + +- {{{ grub_cfg_prefix }}}/grub.cfg ++ {{{ grub2_uefi_boot_path }}}/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + +@@ -35,7 +29,7 @@ + + + +- {{{ grub_cfg_prefix }}}/user.cfg ++ {{{ grub2_uefi_boot_path }}}/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + +@@ -44,7 +38,7 @@ + +
    + +- {{{ grub_cfg_prefix }}}/grub.cfg ++ {{{ grub2_uefi_boot_path }}}/grub.cfg + ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +index cb0d60c3ddf..cc68441e5ad 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +@@ -31,10 +31,8 @@ description: |- + grub.cfg file by running: + {{% if "ubuntu" in product %}} +
    update-grub
    +- {{% elif product in ["sle12", "sle15"] %}} +-
    grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg
    + {{% else %}} +-
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    ++
    grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
    + {{% endif %}} + + rationale: |- +@@ -91,18 +89,18 @@ ocil: |- + To verify the boot loader superuser account password has been set, + and the password encrypted, run the following command: + {{% if product in ["sle12", "sle15"] %}} +-
    sudo cat /boot/efi/EFI/sles/grub.cfg
    ++
    sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
    + The output should be similar to: +
    password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    +     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    +     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
    +     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
    + {{% elif "ubuntu" in product %}}
    +-
    grep -i password /boot/grub/grub.cfg
    ++
    grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
    + The output should contain something similar to:
    +
    password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
    + {{% else %}}
    +-
    sudo cat /boot/efi/EFI/redhat/user.cfg
    ++
    sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
    + The output should be similar to:
    +
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    +     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
    +index 72872d907e3..89a9fae86ec 100644
    +--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
    ++++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
    +@@ -1,27 +1,21 @@
    +-{{% if product == "fedora" %}}
    +-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
    +-{{% else %}}
    +-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
    +-{{% endif %}}
    +-
    + 
    +   
    +     {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
    +     
    +-      
    +-      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
    ++      
    ++      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
    +     
    +   
    + 
    +   
    +   
    +   
    +   
    + 
    +   
    +-    {{{ grub_cfg_prefix + "/grub.cfg" }}}
    ++    {{{ grub2_uefi_boot_path + "/grub.cfg" }}}
    +     ^[ \t]*set root=(.+?)[ \t]*(?:$|#)
    +     1
    +   
    +@@ -30,5 +24,5 @@
    +     ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$
    +   
    + 
    +-  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
    ++  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
    + 
    +diff --git a/products/fedora/product.yml b/products/fedora/product.yml
    +index 0cb53c5331e..ea8e98eea78 100644
    +--- a/products/fedora/product.yml
    ++++ b/products/fedora/product.yml
    +@@ -10,6 +10,8 @@ pkg_manager: "dnf"
    + 
    + init_system: "systemd"
    + 
    ++grub2_boot_path: "/boot/grub2"
    ++
    + dconf_gdm_dir: "distro.d"
    + 
    + cpes_root: "../../shared/applicability"
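Review bot: The `grub2_boot_path: "/boot/grub2"` line added here (and the identical one in products/rhel9/product.yml) is a no-op: `_get_implied_properties` already fills that key from `DEFAULT_GRUB2_BOOT_PATH`, which is `/boot/grub2`, whenever a product omits it. The key this patch introduces for the UEFI location is `grub2_uefi_boot_path`, and neither fedora nor rhel9 sets it, so both reach `/boot/grub2` for UEFI only through the new `DEFAULT_GRUB2_UEFI_BOOT_PATH` fallback. If `/boot/grub2` is the intended UEFI grub.cfg location for these two products, `grub2_uefi_boot_path: "/boot/grub2"` would state that explicitly, the way rhel7, rhel8, sle12 and the ubuntu products do for theirs.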
    +diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
    +index fb5d17786da..6438797f218 100644
    +--- a/products/rhel7/product.yml
    ++++ b/products/rhel7/product.yml
    +@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
    + auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
    + oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
    + 
    ++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
    ++
    + cpes_root: "../../shared/applicability"
    + cpes:
    +   - rhel7:
    +diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
    +index 78c987b2457..f6d2102558d 100644
    +--- a/products/rhel8/product.yml
    ++++ b/products/rhel8/product.yml
    +@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
    + auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
    + oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
    + 
    ++grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
    ++
    + cpes_root: "../../shared/applicability"
    + cpes:
    +   - rhel8:
    +diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
    +index 4ceb332adf3..6b5a15d5cee 100644
    +--- a/products/rhel9/product.yml
    ++++ b/products/rhel9/product.yml
    +@@ -10,6 +10,8 @@ pkg_manager: "dnf"
    + 
    + init_system: "systemd"
    + 
    ++grub2_boot_path: "/boot/grub2"
    ++
    + dconf_gdm_dir: "distro.d"
    + 
    + # The fingerprints below are retrieved from https://access.redhat.com/security/team/key
    +diff --git a/products/sle12/product.yml b/products/sle12/product.yml
    +index d1301a17f91..b9e44e0725c 100644
    +--- a/products/sle12/product.yml
    ++++ b/products/sle12/product.yml
    +@@ -12,6 +12,8 @@ pkg_manager: "zypper"
    + pkg_manager_config_file: "/etc/zypp/zypp.conf"
    + oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
    + 
    ++grub2_uefi_boot_path: "/boot/efi/EFI/sles"
    ++
    + cpes_root: "../../shared/applicability"
    + cpes:
    +   - sle12-server:
    +diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
    +index 827a875d493..36ec98397f6 100644
    +--- a/products/ubuntu1604/product.yml
    ++++ b/products/ubuntu1604/product.yml
    +@@ -12,6 +12,7 @@ init_system: "systemd"
    + oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
    + 
    + grub2_boot_path: "/boot/grub"
    ++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
    + 
    + cpes_root: "../../shared/applicability"
    + cpes:
    +diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
    +index 68922441a2a..f1671b8d7dd 100644
    +--- a/products/ubuntu1804/product.yml
    ++++ b/products/ubuntu1804/product.yml
    +@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
    + init_system: "systemd"
    + 
    + grub2_boot_path: "/boot/grub"
    ++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
    + 
    + cpes_root: "../../shared/applicability"
    + cpes:
    +diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
    +index 15565b6748f..d75624d70a3 100644
    +--- a/products/ubuntu2004/product.yml
    ++++ b/products/ubuntu2004/product.yml
    +@@ -12,6 +12,7 @@ init_system: "systemd"
    + oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
    + 
    + grub2_boot_path: "/boot/grub"
    ++grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
    + 
    + cpes_root: "../../shared/applicability"
    + cpes:
    +diff --git a/ssg/constants.py b/ssg/constants.py
    +index 666d7a4d3c8..f9c978a22a2 100644
    +--- a/ssg/constants.py
    ++++ b/ssg/constants.py
    +@@ -383,4 +383,5 @@
    + # Application constants
    + DEFAULT_UID_MIN = 1000
    + DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
    ++DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
    + DEFAULT_DCONF_GDM_DIR = 'gdm.d'
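Review bot: `DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'` makes the UEFI default identical to the BIOS default, so a product that omits `grub2_uefi_boot_path` has its UEFI grub.cfg checks and rule text pointed at the BIOS location. That looks deliberate for fedora and rhel9, which set no UEFI path in this patch and for which tests/shared/grub2.sh also picks `/boot/grub2`, but nothing at the definition records it, and a product whose grub.cfg lives under the ESP would silently get the wrong path if the key were forgotten. A comment next to the constant, e.g. `# fedora/rhel9 keep grub.cfg in /boot/grub2 on UEFI too; products with an ESP-resident grub.cfg must set grub2_uefi_boot_path`, would record the assumption. The constants block this line belongs to starts before the hunk.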
    +diff --git a/ssg/products.py b/ssg/products.py
    +index 25178b741b2..fb55f5c2f4b 100644
    +--- a/ssg/products.py
    ++++ b/ssg/products.py
    +@@ -9,6 +9,7 @@
    + from .constants import (product_directories,
    +                         DEFAULT_UID_MIN,
    +                         DEFAULT_GRUB2_BOOT_PATH,
    ++                        DEFAULT_GRUB2_UEFI_BOOT_PATH,
    +                         DEFAULT_DCONF_GDM_DIR,
    +                         PKG_MANAGER_TO_SYSTEM,
    +                         PKG_MANAGER_TO_CONFIG_FILE,
    +@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
    +     if "grub2_boot_path" not in existing_properties:
    +         result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
    + 
    ++    if "grub2_uefi_boot_path" not in existing_properties:
    ++        result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
    ++
    +     if "dconf_gdm_dir" not in existing_properties:
    +         result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
    + 
    +diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
    +index bce7683a7c1..f024b3766cf 100644
    +--- a/tests/shared/grub2.sh
    ++++ b/tests/shared/grub2.sh
    +@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
    + 
    + function set_grub_uefi_root {
    + 	if grep NAME /etc/os-release | grep -iq fedora; then
    +-		GRUB_CFG_ROOT=/boot/efi/EFI/fedora
    +-	else
    +-		GRUB_CFG_ROOT=/boot/efi/EFI/redhat
    ++		GRUB_CFG_ROOT=/boot/grub2
    ++	elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
    ++		if grep VERSION /etc/os-release | grep -q '9\.0'; then
    ++			GRUB_CFG_ROOT=/boot/grub2
    ++		else
    ++			GRUB_CFG_ROOT=/boot/efi/EFI/redhat
    ++		fi
    + 	fi
    + }
    + 
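Review bot: The new Red Hat branch in `set_grub_uefi_root` selects `/boot/grub2` only when `grep VERSION /etc/os-release | grep -q '9\.0'` succeeds, so every RHEL 9 minor release after 9.0 falls back to `/boot/efi/EFI/redhat`, while the rhel9 product in this same patch resolves its UEFI path to `/boot/grub2`; matching the major version is what the check intends, e.g. `if grep -q '^VERSION_ID="9' /etc/os-release; then`. The unanchored `grep VERSION` also matches both the `VERSION` and `VERSION_ID` lines, which the `^VERSION_ID=` anchor avoids. With no trailing `else`, a system matching neither NAME test leaves `GRUB_CFG_ROOT` at whatever it held before the call (the `/boot/grub2` default from line 2 of the file); if that is intended, a one-line comment saying so would save the next reader the same question.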
    +
    +From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
    +From: Matej Tyc 
    +Date: Thu, 5 Aug 2021 17:59:39 +0200
    +Subject: [PATCH 4/5] Add the sshd directory configuration rule
    +
    +Remediations of other sshd rules assumes that sshd is configured using
    +multiple files as opposed to one huge file, and this rule
    +makes sure that the assumption is guarded.
    +---
    + controls/anssi.yml                      | 3 +++
    + products/rhel9/profiles/cis.profile     | 2 ++
    + products/rhel9/profiles/cjis.profile    | 1 +
    + products/rhel9/profiles/e8.profile      | 1 +
    + products/rhel9/profiles/hipaa.profile   | 1 +
    + products/rhel9/profiles/ism_o.profile   | 1 +
    + products/rhel9/profiles/ospp.profile    | 1 +
    + products/rhel9/profiles/pci-dss.profile | 1 +
    + products/rhel9/profiles/rht-ccp.profile | 1 +
    + 9 files changed, 12 insertions(+)
    +
    +diff --git a/controls/anssi.yml b/controls/anssi.yml
    +index 7737e67ea51..eee79cf1ef7 100644
    +--- a/controls/anssi.yml
    ++++ b/controls/anssi.yml
    +@@ -384,6 +384,9 @@ controls:
    +     - package_sudo_installed
    +     - audit_rules_privileged_commands_sudo
    + 
    ++    # This rule should be present in the profile at least once
    ++    - sshd_use_directory_configuration
    ++
    +   - id: R20
    +     levels:
    +     - enhanced
    +diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
    +index 622f88e3766..8d7816e5e2d 100644
    +--- a/products/rhel9/profiles/cis.profile
    ++++ b/products/rhel9/profiles/cis.profile
    +@@ -791,6 +791,8 @@ selections:
    +     - file_permissions_sshd_pub_key
    +     # TO DO: check owner of pub keys in /etc/ssh is root:root
    + 
    ++    # Ensure that the configuration is done the right way
    ++    - sshd_use_directory_configuration
    +     ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
    +     - sshd_set_loglevel_info
    + 
    +diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
    +index b45ba19d84f..0aaf7cb0206 100644
    +--- a/products/rhel9/profiles/cjis.profile
    ++++ b/products/rhel9/profiles/cjis.profile
    +@@ -98,6 +98,7 @@ selections:
    +     - dconf_gnome_screensaver_idle_activation_enabled
    +     - dconf_gnome_screensaver_lock_enabled
    +     - dconf_gnome_screensaver_mode_blank
    ++    - sshd_use_directory_configuration
    +     - sshd_allow_only_protocol2
    +     - sshd_set_idle_timeout
    +     - var_sshd_set_keepalive=0
    +diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
    +index 6d87a778eee..3851255ccec 100644
    +--- a/products/rhel9/profiles/e8.profile
    ++++ b/products/rhel9/profiles/e8.profile
    +@@ -126,6 +126,7 @@ selections:
    +   - audit_rules_kernel_module_loading
    + 
    +   ### Secure access
    ++  - sshd_use_directory_configuration
    +   - sshd_disable_root_login
    +   - sshd_disable_gssapi_auth
    +   - sshd_print_last_log
    +diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
    +index 797c62708e2..d1dc18ba33c 100644
    +--- a/products/rhel9/profiles/hipaa.profile
    ++++ b/products/rhel9/profiles/hipaa.profile
    +@@ -39,6 +39,7 @@ selections:
    +     - dconf_db_up_to_date
    +     - dconf_gnome_remote_access_credential_prompt
    +     - dconf_gnome_remote_access_encryption
    ++    - sshd_use_directory_configuration
    +     - sshd_disable_empty_passwords
    +     - sshd_disable_root_login
    +     - libreswan_approved_tunnels
    +diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
    +index 82e863ad3d3..6fc919da128 100644
    +--- a/products/rhel9/profiles/ism_o.profile
    ++++ b/products/rhel9/profiles/ism_o.profile
    +@@ -56,6 +56,7 @@ selections:
    +   ## Authentication hardening
    +   ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
    +   ## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
    ++  - sshd_use_directory_configuration
    +   - sshd_max_auth_tries_value=5
    +   - disable_host_auth
    +   - require_emergency_target_auth
    +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
    +index adec0cbd774..08ffcccd9e2 100644
    +--- a/products/rhel9/profiles/ospp.profile
    ++++ b/products/rhel9/profiles/ospp.profile
    +@@ -58,6 +58,7 @@ selections:
    + 
    +     ### Services
    +     # sshd
    ++    - sshd_use_directory_configuration
    +     - sshd_disable_root_login
    +     - sshd_enable_strictmodes
    +     - disable_host_auth
    +diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
    +index 1fe85d39ae0..bd16dc97721 100644
    +--- a/products/rhel9/profiles/pci-dss.profile
    ++++ b/products/rhel9/profiles/pci-dss.profile
    +@@ -105,6 +105,7 @@ selections:
    +     - dconf_gnome_screensaver_idle_activation_enabled
    +     - dconf_gnome_screensaver_lock_enabled
    +     - dconf_gnome_screensaver_mode_blank
    ++    - sshd_use_directory_configuration
    +     - sshd_set_idle_timeout
    +     - var_sshd_set_keepalive=0
    +     - accounts_password_pam_minlen
    +diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
    +index e1d9a70b493..8576975aa54 100644
    +--- a/products/rhel9/profiles/rht-ccp.profile
    ++++ b/products/rhel9/profiles/rht-ccp.profile
    +@@ -87,6 +87,7 @@ selections:
    +     - service_telnet_disabled
    +     - package_telnet-server_removed
    +     - package_telnet_removed
    ++    - sshd_use_directory_configuration
    +     - sshd_allow_only_protocol2
    +     - sshd_set_idle_timeout
    +     - var_sshd_set_keepalive=0
    +
    +From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
    +From: Matej Tyc 
    +Date: Wed, 11 Aug 2021 16:43:00 +0200
    +Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
    +
    +Packages dnf-plugin-subscription-manager and subscription-manager are
    +merged to subscription-manager in RHEL9 - see
    +https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
    +---
    + .../rule.yml                                             | 3 +--
    + .../package_subscription-manager_installed/rule.yml      | 9 ++++++++-
    + products/rhel9/profiles/ospp.profile                     | 1 -
    + 3 files changed, 9 insertions(+), 4 deletions(-)
    +
    +diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
    +index 4f49b3b825d..8b6577226fb 100644
    +--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
    ++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
    +@@ -1,6 +1,6 @@
    + documentation_complete: true
    + 
    +-prodtype: rhel8,rhel9
    ++prodtype: rhel8
    + 
    + title: 'Install dnf-plugin-subscription-manager Package'
    + 
    +@@ -17,7 +17,6 @@ severity: medium
    + 
    + identifiers:
    +     cce@rhel8: CCE-82315-3
    +-    cce@rhel9: CCE-89879-1
    + 
    + references:
    +     ism: 0940,1144,1467,1472,1483,1493,1494,1495
    +diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
    +index b90a7588270..32e5ce9a129 100644
    +--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
    ++++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
    +@@ -12,7 +12,14 @@ rationale: |-
    +     and subscriptions on a local system to help manage subscription assignments.
    +     It communicates with the backend subscription service (the Customer Portal
    +     or an on-premise server such as Subscription Asset Manager) and works with
    +-    content management tools such as yum.
    ++    content management tools such as {{{ package_manager }}}.
    ++
    ++    {{% if product in ["rhel9"] %}}
    ++    The package provides, among other things, {{{ package_manager }}} plugins
    ++    to interact with repositories and subscriptions
    ++    from the Red Hat entitlement platform - the subscription-manager and
    ++    product-id plugins.
    ++    {{% endif %}}
    + 
    + severity: medium
    + 
    +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
    +index 08ffcccd9e2..1b060c7bf07 100644
    +--- a/products/rhel9/profiles/ospp.profile
    ++++ b/products/rhel9/profiles/ospp.profile
    +@@ -178,7 +178,6 @@ selections:
    +     - package_aide_installed
    +     - package_dnf-automatic_installed
    +     - package_subscription-manager_installed
    +-    - package_dnf-plugin-subscription-manager_installed
    +     - package_firewalld_installed
    +     - package_openscap-scanner_installed
    +     - package_policycoreutils_installed
    diff --git a/SOURCES/scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch b/SOURCES/scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
    new file mode 100644
    index 0000000..e4e92bb
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
    @@ -0,0 +1,29 @@
    +From d1c2810ca3ba0cea44cc70db34eb80e313408cb5 Mon Sep 17 00:00:00 2001
    +From: Gabriel Becker 
    +Date: Wed, 25 Aug 2021 10:59:11 +0200
    +Subject: [PATCH] Remove package applicability from s390x_arch generated
    + remediations.
    +
    +This makes sure that there will be no package applicability check in the
    +remediations of rules that use the s390x_arch platform applicability,
    +since the check is made by checking a line in file instead. At this
    +moment the build system does not allow doing such checks. The side
    +effect is that Bash and Ansible roles will apply this remediation even
    +on a system that is not s390_arch, so using OpenSCAP scanner is highly
    +recommended.
    +---
    + ssg/constants.py | 1 +
    + 1 file changed, 1 insertion(+)
    +
    +diff --git a/ssg/constants.py b/ssg/constants.py
    +index 9bb4e1b5f4..adb76bfa8f 100644
    +--- a/ssg/constants.py
    ++++ b/ssg/constants.py
    +@@ -353,6 +353,7 @@
    +   "uefi": None,
    +   "non-uefi": None,
    +   "not_s390x_arch": None,
    ++  "s390x_arch": None,
    + }
    + 
    + # _version_name_map = {
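Review bot: The new `"s390x_arch": None` entry removes the package applicability guard from the generated Bash and Ansible remediations of rules that use this platform, and the only place that consequence is recorded is the patch description; the dictionary itself, which starts before this hunk, gives no hint. A comment next to the entry would keep the caveat with the code, e.g. `# s390x_arch is evaluated from a line in a file, not a package, so generated remediations carry no applicability guard; only the scanner's platform check enforces it`. The pre-existing `"not_s390x_arch": None` line directly above presumably has the same property and could share the comment.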
    diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
    new file mode 100644
    index 0000000..cc92ea1
    --- /dev/null
    +++ b/SPECS/scap-security-guide.spec
    @@ -0,0 +1,473 @@
    +# SSG build system and tests count with build directory name `build`.
    +# For more details see:
    +# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
    +%global _vpath_builddir build
    +
    +Name:		scap-security-guide
    +Version:	0.1.57
    +Release:	5%{?dist}
    +Summary:	Security guidance and baselines in SCAP formats
    +License:	BSD-3-Clause
    +URL:		https://github.com/ComplianceAsCode/content/
    +Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
    +BuildArch:	noarch
    +
    +Patch0:		scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
    +Patch1:		scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
    +Patch2:		scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
    +Patch3:		scap-security-guide-0.1.58-various_fixes-PR_7335.patch
    +Patch4:		scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
    +Patch5:		scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
    +Patch6:		scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
    +Patch7:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch
    +Patch8:		scap-security-guide-0.1.58-cis_def-PR_6976.patch
    +Patch9:		scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
    +Patch10:		scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
    +Patch11:		scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
    +Patch12:		scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
    +Patch13:		scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
    +
    +BuildRequires:	libxslt
    +BuildRequires:	expat
    +BuildRequires:	openscap-scanner >= 1.2.5
    +BuildRequires:	cmake >= 2.8
    +# To get python3 inside the buildroot require its path explicitly in BuildRequires
    +BuildRequires: /usr/bin/python3
    +BuildRequires:	python%{python3_pkgversion}
    +BuildRequires:	python%{python3_pkgversion}-jinja2
    +BuildRequires:	python%{python3_pkgversion}-PyYAML
    +Requires:	xml-common, openscap-scanner >= 1.2.5
    +
    +%description
    +The scap-security-guide project provides a guide for configuration of the
    +system from the final system's security point of view. The guidance is specified
    +in the Security Content Automation Protocol (SCAP) format and constitutes
    +a catalog of practical hardening advice, linked to government requirements
    +where applicable. The project bridges the gap between generalized policy
    +requirements and specific implementation guidelines. The system
    +administrator can use the oscap CLI tool from openscap-scanner package, or the
    +scap-workbench GUI tool from scap-workbench package to verify that the system
    +conforms to provided guideline. Refer to scap-security-guide(8) manual page for
    +further information.
    +
    +%package	doc
    +Summary:	HTML formatted security guides generated from XCCDF benchmarks
    +Requires:	%{name} = %{version}-%{release}
    +
    +%description	doc
    +The %{name}-doc package contains HTML formatted documents containing
    +hardening guidances that have been generated from XCCDF benchmarks
    +present in %{name} package.
    +
    +%if ( %{defined rhel} && (! %{defined centos}) )
    +%package	rule-playbooks
    +Summary:	Ansible playbooks per each rule.
    +Group:		System Environment/Base
    +Requires:	%{name} = %{version}-%{release}
    +
    +%description	rule-playbooks
    +The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
    +%endif
    +
    +%prep
    +%autosetup -p1
    +
    +%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
    +%define cmake_defines_specific %{nil}
    +%if 0%{?rhel}
    +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
    +%endif
    +%if 0%{?centos}
    +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
    +%endif
    +
    +mkdir -p build
    +%build
    +%cmake %{cmake_defines_common} %{cmake_defines_specific}
    +%cmake_build
    +
    +%install
    +%cmake_install
    +rm %{buildroot}/%{_docdir}/%{name}/README.md
    +rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
    +
    +%files
    +%{_datadir}/xml/scap/ssg/content
    +%{_datadir}/%{name}/kickstart
    +%{_datadir}/%{name}/ansible/*.yml
    +%lang(en) %{_mandir}/man8/scap-security-guide.8.*
    +%doc %{_docdir}/%{name}/LICENSE
    +%if ( %{defined rhel} && (! %{defined centos}) )
    +%exclude %{_datadir}/%{name}/ansible/rule_playbooks
    +%endif
    +
    +%files doc
    +%doc %{_docdir}/%{name}/guides/*.html
    +%doc %{_docdir}/%{name}/tables/*.html
    +
    +%if ( %{defined rhel} && (! %{defined centos}) )
    +%files rule-playbooks
    +%defattr(-,root,root,-)
    +%{_datadir}/%{name}/ansible/rule_playbooks
    +%endif
    +
    +%changelog
    +* Wed Aug 25 2021 Matej Tyc  - 0.1.57-5
    +- Fix remediations applicability of zipl rules
    +  Resolves: rhbz#1996847
    +
    +* Tue Aug 24 2021 Matej Tyc  - 0.1.57-4
    +- Fix a broken HTTP link
    +  Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
    +  Resolves: rhbz#1962564
    +
    +* Tue Aug 17 2021 Matej Tyc  - 0.1.57-3
    +- Use SSHD directory-based configuration.
    +  Resolves: rhbz#1962564
    +- Introduce ISM kickstarts
    +  Resolves: rhbz#1978290
    +- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
    +  TLDR: Enable remediations by means of platform metadata,
    +  enable the RHEL9 GPG rule, introduce the s390x platform,
    +  fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
    +  address the subscription-manager package merge, and
    +  enable and select more rules applicable to RHEL9.
    +  Resolves: rhbz#1987227
    +  Resolves: rhbz#1987226
    +  Resolves: rhbz#1987231
    +  Resolves: rhbz#1988289
    +
    +* Tue Aug 10 2021 Mohan Boddu  - 0.1.57-2
    +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
    +  Related: rhbz#1991688
    +
    +* Wed Jul 28 2021 Matej Tyc  - 0.1.57-1
    +- Upgrade to the latest upstream release
    +- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
    +
    +* Wed Jul 07 2021 Matej Tyc  - 0.1.56-3
    +- Introduced the playbooks subpackage.
    +- Enabled CentOS content on CentOS systems.
    +- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
    +
    +* Mon Jun 28 2021 Matej Tyc  - 0.1.56-2
    +- Enable more RHEL9 rules and introduce RHEL9 profile stubs
    +
    +* Wed May 19 2021 Jan Černý  - 0.1.56-1
    +- Upgrade to the latest upstream release
    +- remove README.md and Contributors.md
    +- remove SCAP component files
    +- remove SCAP 1.2 source data streams
    +- remove HTML guides for the virtual “(default)” profile
    +- remove profile Bash remediation scripts
    +- build only RHEL9 content
    +- remove other products
    +- use autosetup in %prep phase
    +
    +* Fri Apr 16 2021 Mohan Boddu  - 0.1.54-3
    +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
    +
    +* Fri Feb 12 2021 Vojtech Polasek  - 0.1.54-2
    +- fix definition of build directory
    +
    +* Fri Feb 05 2021 Vojtech Polasek  - 0.1.54-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
    +
    +* Wed Jan 27 2021 Fedora Release Engineering  - 0.1.53-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
    +
    +* Mon Nov 16 2020 Vojtech Polasek  - 0.1.53-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
    +
    +* Wed Sep 23 2020 Vojtech Polasek  - 0.1.52-3
    +- revert previous rework, it did not solve the problem
    +
    +* Wed Sep 23 2020 Vojtech Polasek  - 0.1.52-2
    +- rewrite solution for CMake out of source builds
    +
    +* Mon Sep 21 2020 Vojtech Polasek  - 0.1.52-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
    +
    +* Tue Aug 04 2020 Jan Černý  - 0.1.51-4
    +- Update for new CMake out of source builds
    +  https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
    +- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
    +
    +* Sat Aug 01 2020 Fedora Release Engineering  - 0.1.51-3
    +- Second attempt - Rebuilt for
    +  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
    +
    +* Wed Jul 29 2020 Fedora Release Engineering  - 0.1.51-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
    +
    +* Fri Jul 17 2020 Vojtech Polasek  - 0.1.51-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
    +
    +* Mon Mar 23 2020 Watson Sato  - 0.1.49-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
    +
    +* Thu Jan 30 2020 Fedora Release Engineering  - 0.1.48-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
    +
    +* Thu Jan 16 2020 Watson Sato  - 0.1.48-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
    +
    +* Mon Dec 09 2019 Matěj Týč  - 0.1.47-2
    +- Hotfix of the XML parsing fix.
    +
    +* Mon Dec 09 2019 Matěj Týč  - 0.1.47-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
    +- Fixed XML parsing of remediation functions.
    +
    +* Mon Jul 29 2019 Watson Sato  - 0.1.45-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
    +
    +* Fri Jul 26 2019 Fedora Release Engineering  - 0.1.44-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
    +
    +* Mon May 06 2019 Watson Yuuma Sato  - 0.1.44-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
    +
    +* Fri Feb 22 2019 Watson Yuuma Sato  - 0.1.43-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
    +- Update URL and source URL
    +
    +* Sat Feb 02 2019 Fedora Release Engineering  - 0.1.42-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
    +
    +* Wed Dec 12 2018 Watson Yuuma Sato  - 0.1.42-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
    +- Fix man page build dependency on derivative content
    +
    +* Mon Oct 01 2018 Watson Yuuma Sato  - 0.1.41-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
    +  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
    +- Fix Licence of this package
    +
    +* Wed Jul 25 2018 Matěj Týč  - 0.1.40-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
    +- Update to use Python3 for build.
    +
    +* Sat Jul 14 2018 Fedora Release Engineering  - 0.1.39-3
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
    +
    +* Fri May 04 2018 Watson Yuuma Sato  - 0.1.39-2
    +- Add python version to python2-jinja2 package
    +
    +* Fri May 04 2018 Watson Yuuma Sato  - 0.1.39-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
    +
    +* Mon Mar 05 2018 Watson Yuuma Sato  - 0.1.38-2
    +- Add python version to python package prefixes
    +
    +* Mon Mar 05 2018 Watson Yuuma Sato  - 0.1.38-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
    +
    +* Fri Feb 09 2018 Fedora Release Engineering  - 0.1.37-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
    +
    +* Thu Jan 04 2018 Watson Yuuma Sato  - 0.1.37-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
    +
    +* Wed Nov 01 2017 Watson Yuuma Sato  - 0.1.36-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
    +
    +* Tue Aug 29 2017 Watson Sato  - 0.1.35-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
    +
    +* Thu Jul 27 2017 Fedora Release Engineering  - 0.1.34-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
    +
    +* Mon Jul 03 2017 Watson Sato  - 0.1.34-1
    +- updated to latest upstream release
    +
    +* Mon May 01 2017 Martin Preisler  - 0.1.33-1
    +- updated to latest upstream release
    +
    +* Thu Mar 30 2017 Martin Preisler  - 0.1.32-1
    +- updated to latest upstream release
    +
    +* Sat Feb 11 2017 Fedora Release Engineering  - 0.1.31-3
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
    +
    +* Mon Nov 28 2016 Martin Preisler  - 0.1.31-2
    +- use make_build and make_install RPM macros
    +
    +* Mon Nov 28 2016 Martin Preisler  - 0.1.31-1
    +- update to the latest upstream release
    +- new default location for content /usr/share/scap/ssg
    +- install HTML tables in the doc subpackage
    +
    +* Mon Jun 27 2016 Jan iankko Lieskovsky  - 0.1.30-2
    +- Correct currently failing parallel SCAP Security Guide build
    +
    +* Mon Jun 27 2016 Jan iankko Lieskovsky  - 0.1.30-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
    +- Drop shell library for remediation functions since it is not required
    +  starting from 0.1.30 release any more
    +
    +* Thu May 05 2016 Jan iankko Lieskovsky  - 0.1.29-1
    +- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
    +  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
    +- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
    +  in 0.1.29 upstream release
    +
    +* Thu Feb 04 2016 Fedora Release Engineering  - 0.1.28-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
    +
    +* Wed Jan 20 2016 Šimon Lukašík  - 0.1.28-1
    +- upgrade to the latest upstream release
    +
    +* Fri Dec 11 2015 Šimon Lukašík  - 0.1.27-1
    +- update to the latest upstream release
    +
    +* Tue Oct 20 2015 Šimon Lukašík  - 0.1.26-1
    +- update to the latest upstream release
    +
    +* Sat Sep 05 2015 Šimon Lukašík  - 0.1.25-1
    +- update to the latest upstream release
    +
    +* Thu Jul 09 2015 Šimon Lukašík  - 0.1.24-1
    +- update to the latest upstream release
    +- created doc sub-package to ship all the guides
    +- start distributing centos and scientific linux content
    +- rename java content to jre
    +
    +* Fri Jun 19 2015 Fedora Release Engineering  - 0.1.22-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
    +
    +* Tue May 05 2015 Šimon Lukašík  - 0.1.22-1
    +- update to the latest upstream release
    +- only DataStream file is now available for Fedora
    +- start distributing security baseline for Firefox
    +- start distributing security baseline for Java RunTime deployments
    +
    +* Wed Mar 04 2015 Šimon Lukašík  - 0.1.21-1
    +- update to the latest upstream release
    +- move content to /usr/share/scap/ssg/content
    +
    +* Thu Oct 02 2014 Šimon Lukašík  - 0.1.19-1
    +- update to the latest upstream release
    +
    +* Mon Jul 14 2014 Šimon Lukašík  - 0.1.5-4
    +- require only openscap-scanner, not whole openscap-utils package
    +
    +* Tue Jul 01 2014 Šimon Lukašík  - 0.1.5-3
    +- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
    +- Add STIG DISCLAIMER to the shipped documentation
    +
    +* Sun Jun 08 2014 Fedora Release Engineering  - 0.1.5-2
    +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
    +
    +* Thu Feb 27 2014 Jan iankko Lieskovsky  0.1.5-1
    +- Fix fedora-srpm and fedora-rpm Make targets to work again
    +- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
    +- EOL for Fedora 18 support
    +- Include Fedora datastream file for remote Fedora system scans
    +
    +* Mon Jan 06 2014 Jan iankko Lieskovsky  0.1.4-2
    +- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
    +
    +* Fri Dec 20 2013 Jan iankko Lieskovsky  0.1.4-1
    +- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
    +  it to /shared
    +- Add shared remediations for sshd disable empty passwords and
    +  sshd set idle timeout
    +- Shared remediation for sshd disable root login
    +- Add empty -compat subpackage to ensure backward-compatibility with
    +  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
    +- OVAL check for sshd disable root login
    +- Fix typo in OVAL check for sshd disable empty passwords
    +- OVAL check for sshd disable empty passwords
    +- Unselect no shelllogin for systemaccounts rule from being run by default
    +- Rename XCCDF rules
    +- Revert Set up Fedora release name and CPE based on build system properties
    +- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
    +- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
    +- Shared OVAL check for Verify that System Executables Have Root Ownership
    +- Shared OVAL check for Verify that Shared Library Files Have Restrictive
    +  Permissions
    +- Fix remediation for Disable Prelinking rule
    +- OVAL check and remediation for sshd's ClientAliveCountMax rule
    +- OVAL check for sshd's ClientAliveInterval rule
    +- Include descriptions for permissions section, and rules for checking
    +  permissions and ownership of shared library files and system executables
    +- Disable selected rules by default
    +- Add remediation for Disable Prelinking rule
    +- Adjust service-enable-macro, service-disable-macro XSLT transforms
    +  definition to evaluate to proper systemd syntax
    +- Fix service_ntpd_enabled OVAL check make validate to pass again
    +- Include patch from Šimon Lukašík to obsolete openscap-content
    +  package (RH BZ#1028706)
    +- Add OVAL check to test if there's is remote NTP server configured for
    +  time data
    +- Add system settings section for the guide (to track system wide
    +  hardening configurations)
    +- Include disable prelink rule and OVAL check for it
    +- Initial OVAL check if ntpd service is enabled. Add package_installed
    +  OVAL templating directory structure and functionality.
    +- Include services section, and XCCDF description for selected ntpd's
    +  sshd's service rules
    +- Include remediations for login.defs' based password minimum, maximum and
    +  warning age rules
    +- Include directory structure to support remediations
    +- Add SCAP "replace or append pattern value in text file based on variable"
    +  remediation script generator
    +- Add remediation for "Set Password Minimum Length in login.defs" rule
    +
    +* Mon Nov 18 2013 Jan iankko Lieskovsky  0.1.3-1
    +- Update versioning scheme - move fedorassgrelease to be part of
    +  upstream version. Rename it to fedorassgversion to avoid name collision
    +  with Fedora package release.
    +
    +* Tue Oct 22 2013 Jan iankko Lieskovsky  0.1-3
    +- Add .gitignore for Fedora output directory
    +- Set up Fedora release name and CPE based on build system properties
    +- Use correct file paths in scap-security-guide(8) manual page 
    +  (RH BZ#1018905, c#10)
    +- Apply further changes motivated by scap-security-guide Fedora RPM review
    +  request (RH BZ#1018905, c#8):
    +  * update package description,
    +  * make content files to be owned by the scap-security-guide package,
    +  * remove Fedora release number from generated content files,
    +  * move HTML form of the guide under the doc directory (together
    +    with that drop fedora/content subdir and place the content
    +    directly under fedora/ subdir).
    +- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
    +  * drop Fedora release from package provided files' final path (c#5),
    +  * drop BuildRoot, selected Requires:, clean section, drop chcon for
    +    manual page, don't gzip man page (c#4),
    +  * change package's description (c#4),
    +  * include PD license text (#c4).
    +
    +* Mon Oct 14 2013 Jan iankko Lieskovsky  0.1-2
    +- Provide manual page for scap-security-guide
    +- Remove percent sign from spec's changelog to silence rpmlint warning
    +- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
    +- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
    +- Introduce 'Account and Access Control' section
    +- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
    +  rules to Fedora
    +- Set proper name of the build directory in the spec's setup macro.
    +- Replace hard-coded paths with macros. Preserve attributes when copying files.
    +
    +* Tue Sep 17 2013 Jan iankko Lieskovsky  0.1-1
    +- Initial Fedora SSG RPM.