diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0dccc12
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.42.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..e18edb6
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+b2c3ac02bd89fd7e9d40f89bfc415e0079001e8e SOURCES/scap-security-guide-0.1.42.tar.bz2
diff --git a/SOURCES/add-missing-kickstart-files.patch b/SOURCES/add-missing-kickstart-files.patch
new file mode 100644
index 0000000..677b20a
--- /dev/null
+++ b/SOURCES/add-missing-kickstart-files.patch
@@ -0,0 +1,568 @@ +From 6dcc73bc19c63a090c0aa76a8958e40190194a05 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 11 Dec 2018 14:56:26 +0100 +Subject: [PATCH 1/6] Add RHEL8 kickstart files for OSPP and PCI-DSS profiles. + +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 179 +++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg | 163 +++++++++++++++++ + 2 files changed, 342 insertions(+) + create mode 100644 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +new file mode 100644 +index 0000000000..9077e09c9f +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -0,0 +1,179 @@ ++# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.2 ++# Date: 2015-11-19 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided 
NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++# ++# PASSWORD TEMPORARILY DISABLED - see bz1651624 ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=12288 --grow ++# CCE-26557-9: Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26435-8: Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# CCE-26639-5: Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" ++# CCE-26215-4: Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 
--fsoptions="nodev,nosuid,noexec" ++# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) ++# content - security policies - on the installed system.This add-on has been enabled by default ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# functionality will automatically be installed. However, by default, no policies are enforced, ++# meaning that no checks are performed during or after installation unless specifically configured. ++# ++# Important ++# Applying a security policy is not necessary on all systems. This screen should only be used ++# when a specific policy is mandated by your organization rules or government regulations. ++# Unlike most other commands, this add-on does not accept regular options, but uses key-value ++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. ++# Values can be optionally enclosed in single quotes (') or double quotes ("). ++# ++# The following keys are recognized by the add-on: ++# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. ++# - If the content-type is scap-security-guide, the add-on will use content provided by the ++# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. ++# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. ++# datastream-id - ID of the data stream referenced in the content-url value. 
Used only if content-type is datastream. ++# xccdf-id - ID of the benchmark you want to use. ++# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. ++# profile - ID of the profile to be applied. Use default to apply the default profile. ++# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. ++# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. ++# ++# The following is an example %addon org_fedora_oscap section which uses content from the ++# scap-security-guide on the installation media: ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_ospp ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++# Install selected additional packages (required by profile) ++# CCE-27024-9: Install AIDE ++aide ++ ++# Install libreswan package ++libreswan ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +\ No newline at end of file +diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg +new file mode 100644 +index 0000000000..524c90d85e +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg +@@ -0,0 +1,163 @@ ++# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.2 ++# Date: 2015-08-02 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one 
comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow ++# CCE-26557-9: Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26435-8: Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# CCE-26639-5: Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" ++# CCE-26215-4: Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" ++logvol swap --name=lv_swap 
--vgname=VolGroup --size=2016 ++ ++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) ++# content - security policies - on the installed system.This add-on has been enabled by default ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# functionality will automatically be installed. However, by default, no policies are enforced, ++# meaning that no checks are performed during or after installation unless specifically configured. ++# ++# Important ++# Applying a security policy is not necessary on all systems. This screen should only be used ++# when a specific policy is mandated by your organization rules or government regulations. ++# Unlike most other commands, this add-on does not accept regular options, but uses key-value ++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. ++# Values can be optionally enclosed in single quotes (') or double quotes ("). ++# ++# The following keys are recognized by the add-on: ++# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. ++# - If the content-type is scap-security-guide, the add-on will use content provided by the ++# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. ++# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. ++# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. ++# xccdf-id - ID of the benchmark you want to use. ++# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. ++# profile - ID of the profile to be applied. 
Use default to apply the default profile. ++# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. ++# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. ++# ++# The following is an example %addon org_fedora_oscap section which uses content from the ++# scap-security-guide on the installation media: ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_pci-dss ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Install selected additional packages (required by PCI-DSS profile) ++# CCE-27024-9: Install AIDE ++aide ++ ++# Install libreswan package ++libreswan ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject + +From 46b3cb9b9231513fa59e9612d034a267ede7b618 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 11 Dec 2018 17:03:50 +0100 +Subject: [PATCH 2/6] Fix references for RHEL8 and remove date/version from + RHEL8 kickstart files. 
+ +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 +--- + ...sg-rhel8-pci-dss-oaa-ks.cfg => ssg-rhel8-pci-dss-ks.cfg} | 6 ++---- + 2 files changed, 3 insertions(+), 7 deletions(-) + rename rhel8/kickstart/{ssg-rhel8-pci-dss-oaa-ks.cfg => ssg-rhel8-pci-dss-ks.cfg} (98%) + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +index 9077e09c9f..3cda22fd49 100644 +--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -1,6 +1,4 @@ +-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server +-# Version: 0.0.2 +-# Date: 2015-11-19 ++# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 Server + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +similarity index 98% +rename from rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg +rename to rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +index 524c90d85e..8f333864fb 100644 +--- a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +@@ -1,6 +1,4 @@ +-# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server +-# Version: 0.0.2 +-# Date: 2015-08-02 ++# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 Server + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +@@ -15,7 +13,7 @@ install + # the selected choice with proper options & un-comment it + # + # Install from an installation tree on a remote server via FTP or HTTP: +-# --url the URL to install from ++# --url the URL to install from + # + # Example: + # + +From 16dea2bcffff16d85ae65d54df37f653c8a3d5cd Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 12 Dec 2018 09:48:56 +0100 +Subject: [PATCH 3/6] Remove RHEL7 references from RHEL8 kickstart files. 
+ +Remove variant "Server" as it doesn't exist in RHEL8 anymore. +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 3 +-- + rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +index 3cda22fd49..8f701fe7aa 100644 +--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -1,8 +1,7 @@ +-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 Server ++# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + + # Install a fresh new system (optional) +diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +index 8f333864fb..a01025d122 100644 +--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +@@ -1,8 +1,7 @@ +-# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 Server ++# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + + # Install a fresh new system (optional) + +From 3d244c082c8068462da75a4d25c039b105577a1c Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 12 Dec 2018 13:34:12 +0100 +Subject: [PATCH 4/6] Remove USGCB reference from RHEL8 OSPP profile kickstart. 
+ +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +index 8f701fe7aa..920de1c7d9 100644 +--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -1,4 +1,4 @@ +-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 ++# SCAP Security Guide OSPP profile kickstart for Red Hat Enterprise Linux 8 + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart + +From 0a86d0f204e9d49115a40585f4a1a72689f02b7a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 13 Dec 2018 17:29:14 +0100 +Subject: [PATCH 5/6] Remove device "eth0" option from RHEL8 kickstart files. + +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 2 +- + rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +index 920de1c7d9..352035db56 100644 +--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -50,7 +50,7 @@ keyboard us + # "--bootproto=static" must be used. 
For example: + # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 + # +-network --onboot yes --device eth0 --bootproto dhcp ++network --onboot yes --bootproto dhcp + + # Set the system's root password (required) + # Plaintext password is: server +diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +index a01025d122..c8d634266a 100644 +--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +@@ -46,7 +46,7 @@ keyboard us + # --device device to be activated and / or configured with the network command + # --bootproto method to obtain networking configuration for device (default dhcp) + # --noipv6 disable IPv6 on this device +-network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++network --onboot yes --bootproto dhcp --noipv6 + + # Set the system's root password (required) + # Plaintext password is: server + +From a929f93bc25a6f749083437eb4622db2c13963bf Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 14 Dec 2018 16:04:01 +0100 +Subject: [PATCH 6/6] Disable default password for MBR encryption from RHEL8 + kickstart files. + +There is a bug preventing that to work properly and it should be +reverted when it gets fixed. +--- + rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ---- + rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 11 ++++++++--- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +index 352035db56..5c6210a097 100644 +--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg +@@ -83,14 +83,10 @@ selinux --enforcing + timezone --utc America/New_York + + # Specify how the bootloader should be installed (required) +-# Plaintext password is: password + # Refer to e.g. 
+ # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-# +-# PASSWORD TEMPORARILY DISABLED - see bz1651624 + bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" +-#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 + + # Initialize (format) all disks (optional) + zerombr +diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +index c8d634266a..a00476c8f4 100644 +--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg +@@ -75,9 +75,14 @@ timezone --utc America/New_York + + # Specify how the bootloader should be installed (required) + # Plaintext password is: password +-# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create +-# encrypted password form for different plaintext password +-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++# Refer to e.g. ++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++# ++# PASSWORD TEMPORARILY DISABLED ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ + + # Initialize (format) all disks (optional) + zerombr 
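Review bot: Both new kickstart files ship fixed, publicly documented credentials — `rootpw --iscrypted $6$0WWGZ1e6icT…` whose plaintext `server` is written in the comment above it, the OSPP file's wheel user `admin` with `admin123`, and the (now commented-out) GRUB hash for `password` — so any host installed from these files unmodified boots with guessable root, sudo-capable and bootloader access, and nothing in the six patches forces operators to change them. I would add a prominent warning directly above each `rootpw` and `user` line, e.g. `# WARNING: example credential only; its plaintext is published in this file. Generate your own SHA-512 crypt hash (see the pykickstart link above) and replace it before installing.`, or drop the hashes so a non-interactive install cannot succeed with them. Two smaller points: PATCH 6 rewrites the PCI-DSS file's `bootloader --append` from `crashkernel=auto rhgb quiet` to the OSPP `audit=1 … vsyscall=none` arguments although its message only mentions disabling the password, and unlike the OSPP file it drops the `bz1651624` pointer, so the reason to re-enable `--password` later is lost there. `authconfig --enableshadow --passalgo=sha512` is also carried over verbatim from the RHEL 7 files; on RHEL 8 that command is deprecated in favour of `authselect`, so it is worth confirming anaconda still honours it before these are published as RHEL 8 kickstarts.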
diff --git a/SOURCES/assign_cce_to_content.patch b/SOURCES/assign_cce_to_content.patch
new file mode 100644
index 0000000..545e402
--- /dev/null
+++ b/SOURCES/assign_cce_to_content.patch
@@ -0,0 +1,4515 @@
+diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
+index 503f6658d..a6e8ffe8a 100644
+--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
++++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
+@@ -17,6 +17,9 @@ rationale: |-
+ vulnerabilities in software executing on the system, as well as sensitive
+ information from within a process's address space or registers.
+
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80948-3
+
+ {{{ complete_ocil_entry_package(package="abrt") }}}
+diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+index b82f63d5b..a34c616f4 100644
+--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
+@@ -17,11 +17,12 @@ rationale: |-
+ vulnerabilities in software executing on the system, as well as sensitive
+ information from within a process's address space or registers.
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27247-6 + cce@rhel7: 26872-2 ++ cce@rhel8: 80870-9 + + references: + stigid@rhel6: RHEL-06-000261 +diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +index 81c48ff68..367bebc90 100644 +--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel6: 26850-8 + cce@rhel7: 80258-7 ++ cce@rhel8: 80878-2 + + references: + disa: "366" +diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +index 7efd76810..c5b32e597 100644 +--- a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +@@ -18,11 +18,12 @@ rationale: |- + reboots. In any event, the functionality of the ntpdate service is now + available in the ntpd program and should be considered deprecated. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27256-7 + cce@rhel7: 80262-9 ++ cce@rhel8: 80879-0 + + references: + stigid@rhel6: RHEL-06-000265 +diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +index 48956bbc2..e86953d48 100644 +--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +@@ -17,11 +17,12 @@ rationale: |- + tasks by privileged programs, on behalf of unprivileged ones, has traditionally + been a source of privilege escalation security issues. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27257-5 + cce@rhel7: 80263-7 ++ cce@rhel8: 80880-8 + + references: + stigid@rhel6: RHEL-06-000266 +diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +index f88ffe3bd..5e87ca040 100644 +--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +@@ -13,11 +13,12 @@ description: |- + + rationale: "The qpidd service is automatically installed when the \"base\" \npackage selection is selected during installation. The qpidd service listens \nfor network connections, which increases the attack surface of the system. If \nthe system is not intended to receive AMQP traffic, then the qpidd \nservice is not needed and should be disabled or removed." + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26928-2 + cce@rhel7: 80266-0 ++ cce@rhel8: 80882-4 + + references: + stigid@rhel6: RHEL-06-000267 +diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +index 7874ff43a..ed7523e80 100644 +--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +@@ -17,11 +17,12 @@ rationale: |- + some special-purpose systems often use DHCP (instead of IRDP) to retrieve + dynamic network configuration information. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27261-7 + cce@rhel7: 80268-6 ++ cce@rhel8: 80883-2 + + references: + stigid@rhel6: RHEL-06-000268 +diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +index b21c11a6a..e01520f5c 100644 +--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +@@ -18,11 +18,12 @@ rationale: |- + accountability. Furthermore, the need to schedule tasks with at or + batch is not common. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27249-2 + cce@rhel7: 80345-2 ++ cce@rhel8: 80871-7 + + references: + stigid@rhel6: RHEL-06-000262 +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index 0d16f192c..52b6f8676 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel6: 27070-2 + cce@rhel7: 27323-5 ++ cce@rhel8: 80875-8 + + references: + stigid@rhel6: RHEL-06-000224 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml +index 7a8bb8235..47bea73fe 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_log_format/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80548-1" ++ cce@rhel7: "80548-1" + + references: + stigid: WA00612 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml 
b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml +index b8cf4cd30..8da682989 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80551-5" ++ cce@rhel7: "80551-5" + + references: + stigid: WG110 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml +index 91f80e92d..3911f83ba 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads/rule.yml +@@ -22,7 +22,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80561-4" ++ cce@rhel7: "80561-4" + + references: + stigid: WG237 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml +index eeeb974b5..b0630338d 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership/rule.yml +@@ -20,7 +20,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80562-2" ++ cce@rhel7: "80562-2" + + references: + stigid: WG255 +diff 
--git a/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml +index 81fc326e8..447e51b96 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint/rule.yml +@@ -29,7 +29,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80560-6" ++ cce@rhel7: "80560-6" + + references: + stigid: WG460 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml +index 2021de1da..770a4dc49 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing/rule.yml +@@ -20,7 +20,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80555-6" ++ cce@rhel7: "80555-6" + + references: + stigid: WG210 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml +index bf815ffc5..9d2944eb5 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: high + + identifiers: +- cce: "80556-4" ++ cce@rhel7: "80556-4" + + references: + stigid: WG290 +diff --git 
a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml +index 754e982a0..f0f64c438 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80553-1" ++ cce@rhel7: "80553-1" + + references: + stigid: WG430 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml +index 47b045ff4..302b50d75 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80554-9" ++ cce@rhel7: "80554-9" + + references: + stigid: WG400 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml +index 8e2f7f0f3..ee94dd410 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_error_logging/rule.yml +@@ -20,7 +20,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "81130-7" ++ cce@rhel7: "81130-7" + + references: + stigid: WA00605 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml 
b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml +index e59af0022..69f11e524 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml +@@ -23,7 +23,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80550-7" ++ cce@rhel7: "80550-7" + + references: + stigid: WA00620 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml +index c49f17bb9..8210b4268 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_system_logging/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80549-9" ++ cce@rhel7: "80549-9" + + references: + stigid: WA00615 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml +index 7620f0730..08a16e8b4 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80552-3" ++ cce@rhel7: "80552-3" + + references: + stigid: WG240 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml +index d34741b3f..a31989990 100644 +--- 
a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls/rule.yml +@@ -23,7 +23,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80557-2" ++ cce@rhel7: "80557-2" + + references: + stigid: WG340 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml +index d0be5950c..af5813d1e 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80559-8" ++ cce@rhel7: "80559-8" + + references: + stigid: WG350 +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml +index 22909c0fe..7e346b721 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml +@@ -19,7 +19,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: "80558-0" ++ cce@rhel7: "80558-0" + + references: + stigid: WG140 +diff --git 
a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +index ceef1201f..964692959 100644 +--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml ++++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +@@ -17,7 +17,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80512-7 ++ cce@rhel7: 80512-7 + + references: + disa: "366" +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml +index b5d683bb3..fd9b76345 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/rule.yml +@@ -19,6 +19,7 @@ severity: medium + + identifiers: + cce@rhel7: 27464-7 ++ cce@rhel8: 80924-4 + + references: + disa: "366" +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +index 78932821b..6757afc1c 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +@@ -35,10 +35,11 @@ rationale: |- + unavailable. This is typical for a system acting as an NTP server for + other systems. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: 27012-4 ++ cce@rhel8: 80764-4 + + references: + nist: AU-8(1) +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 285b35008..783d228b7 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -38,6 +38,7 @@ severity: medium + + identifiers: + cce@rhel7: 27278-1 ++ cce@rhel8: 80765-1 + + references: + cis: "3.6" +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +index cf346aa82..409f206c6 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +@@ -37,6 +37,7 @@ severity: medium + + identifiers: + cce@rhel7: 27444-9 ++ cce@rhel8: 80874-1 + + references: + cis: 2.2.1.1 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +index 7bc91ea9d..558fe0663 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +@@ -11,11 +11,12 @@ rationale: |- + Removing the xinetd package decreases the risk of the + xinetd service's accidental (or intentional) activation. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27005-8 + cce@rhel7: 27354-0 ++ cce@rhel8: 80850-1 + + references: + stigid@rhel6: RHEL-06-000204 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +index cfa074998..67a52a931 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel6: 27046-2 + cce@rhel7: 27443-1 ++ cce@rhel8: 80888-1 + + references: + stigid@rhel6: RHEL-06-000203 +diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +index 2778ab6ca..84d41ad39 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: high + + identifiers: +- cce: 80513-5 ++ cce@rhel7: 80513-5 + + references: + disa: "366" +diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +index f8567d3af..87515a365 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +@@ -21,6 +21,7 @@ severity: high + identifiers: + cce@rhel6: 27270-8 + cce@rhel7: 27406-8 ++ cce@rhel8: 80842-8 + + references: + stigid@rhel6: RHEL-06-000019 +diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +index 39a0a47e6..2a3e8e064 100644 +--- 
a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +@@ -21,7 +21,7 @@ rationale: |- + severity: high + + identifiers: +- cce: 80514-3 ++ cce@rhel7: 80514-3 + + references: + disa: "366" +diff --git a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml +index 4d454081b..554a24017 100644 +--- a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel6: 27208-8 + cce@rhel7: 27408-4 ++ cce@rhel8: 80884-0 + + references: + stigid@rhel6: RHEL-06-000216 +diff --git a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml +index 65d935189..ea691cfe9 100644 +--- a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml +@@ -22,6 +22,7 @@ severity: high + identifiers: + cce@rhel6: 26865-6 + cce@rhel7: 27336-7 ++ cce@rhel8: 80885-7 + + references: + stigid@rhel6: RHEL-06-000218 +diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +index 85ce97ea3..bfc1ece90 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +@@ -16,11 +16,12 @@ rationale: |- + for communications. Removing the talk package decreases the + risk of the accidental (or intentional) activation of talk client program. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27373-0 + cce@rhel7: 27432-4 ++ cce@rhel8: 80848-5 + + references: + cis: 2.3.3 +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +index 9e5611ac5..e93b7adb9 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +@@ -17,6 +17,7 @@ severity: low + identifiers: + cce@rhel6: 27428-2 + cce@rhel7: 27305-2 ++ cce@rhel8: 80849-3 + + references: + cis: 2.3.4 +diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +index fc0435ede..a5f9fc5db 100644 +--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +@@ -41,6 +41,7 @@ severity: high + identifiers: + cce@rhel6: 26836-7 + cce@rhel7: 27401-9 ++ cce@rhel8: 80887-3 + + references: + disa@rhel6: 68,1436,197,877,888 +diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +index e0d853b18..faf2141cc 100644 +--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml ++++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +@@ -16,6 +16,7 @@ severity: medium + + identifiers: + cce@rhel7: 27191-6 ++ cce@rhel8: 80889-9 + + references: + disa: "366" +diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +index b19ec72c4..68ffec513 100644 +--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml ++++ 
b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel6: 27091-8 + cce@rhel7: 27413-4 ++ cce@rhel8: 80786-7 + + references: + stigid@rhel6: RHEL-06-000236 +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +index 969adcaed..733c1df84 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +@@ -15,10 +15,11 @@ rationale: |- + If inbound SSH connections are expected, adding a firewall rule exception + will allow remote access through the SSH port. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: 80361-9 ++ cce@rhel8: 80820-4 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +index 5cfceb130..f906b39a1 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +@@ -20,6 +20,7 @@ severity: high + identifiers: + cce@rhel6: 27072-8 + cce@rhel7: 27320-1 ++ cce@rhel8: 80894-9 + + references: + nist@debian8: AC-17(7) +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +index 9fc4c3115..b20360f35 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80224-9 ++ cce@rhel8: 80895-6 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml 
b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +index 66e744763..64972b825 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +@@ -18,6 +18,7 @@ severity: high + identifiers: + cce@rhel6: 26887-0 + cce@rhel7: 27471-2 ++ cce@rhel8: 80896-4 + + references: + anssi@debian8: NT007(R17) +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +index cd7819639..b748685d1 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +@@ -17,6 +17,7 @@ severity: medium + + identifiers: + cce@rhel7: 80220-7 ++ cce@rhel8: 80897-2 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +index c7de48ef6..b88c71b85 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +@@ -18,6 +18,7 @@ severity: medium + + identifiers: + cce@rhel7: 80221-5 ++ cce@rhel8: 80898-0 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +index c2bf06ff8..e7d29c89b 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel6: 27124-7 + cce@rhel7: 27377-1 ++ cce@rhel8: 80899-8 + + references: + stigid@rhel6: RHEL-06-000234 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml 
b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml +index d13733f27..8f307e8b9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml +@@ -19,6 +19,7 @@ severity: medium + + identifiers: + cce@rhel7: 80373-4 ++ cce@rhel8: 80900-4 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +index 453cec5f2..722a4b8ed 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel6: 27100-7 + cce@rhel7: 27445-6 ++ cce@rhel8: 80901-2 + + references: + anssi@debian8: NT007(R21) +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +index 332ec16d0..361ab90d5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80372-6 ++ cce@rhel8: 80902-0 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +index aee1825df..f0be1fd3f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel6: 27201-3 + cce@rhel7: 27363-1 ++ cce@rhel8: 80903-8 + + references: + stigid@rhel6: RHEL-06-000241 +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +index 79b43e25d..b7776ff8b 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +@@ -17,6 +17,7 @@ severity: medium + + identifiers: + cce@rhel7: 80222-3 ++ cce@rhel8: 80904-6 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +index 1a14f7c13..b5a22f08d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel6: 27112-2 + cce@rhel7: 27314-4 ++ cce@rhel8: 80905-3 + + references: + stigid@rhel6: RHEL-06-000240 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index fdc8bf802..06b2ca8f9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -29,6 +29,7 @@ severity: unknown + identifiers: + cce@rhel6: 26919-1 + cce@rhel7: 27433-2 ++ cce@rhel8: 80906-1 + + references: + nist@debian8: SA-8 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index 5a6995cdf..28824306c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel6: 26282-4 + cce@rhel7: 27082-7 ++ cce@rhel8: 80907-9 + + references: + stigid@rhel6: RHEL-06-000231 +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +index d0be2621a..58ddfb9e1 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +@@ -17,6 +17,7 @@ severity: medium + + identifiers: + cce@rhel7: 80223-1 ++ cce@rhel8: 80908-7 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml +index 226b58908..367f1dd25 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml +@@ -24,7 +24,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80516-8 ++ cce@rhel7: 80516-8 + + references: + disa: "1453" +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml +index 0aa4fe27b..8b710a6dc 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml +@@ -24,7 +24,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80515-0 ++ cce@rhel7: 80515-0 + + references: + disa: "1453" +diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml +index 33105633c..a3d40d51e 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80570-5 ++ cce@rhel8: 80909-5 + + references: + disa: "1954" +diff --git 
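Review bot: Turning `cce: 80516-8` into `cce@rhel7: 80516-8` leaves sssd_ldap_configure_tls_ca with no identifier for RHEL 8, while most other rules in this patch gain a `cce@rhel8:` line; since a product-qualified key presumably applies only to that product's build, any RHEL 8 profile that selects this rule would lose its CCE. The same pattern recurs for sssd_ldap_configure_tls_ca_dir in the next hunk and for install_smartcard_packages, smartcard_configure_cert_checking, accounts_password_set_max_life_existing, accounts_password_set_min_life_existing, accounts_user_dot_group_ownership and accounts_user_dot_no_world_writable_programs later in the patch. If the omission is deliberate because these rules are not shipped for RHEL 8, a one-line comment such as `# no cce@rhel8: rule not selected by any RHEL 8 profile` above `identifiers:` would record that decision; otherwise an RHEL 8 CCE should be allocated for them alongside the rest.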
a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +index 54fe9f582..83af0add2 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel7: 80364-3 ++ cce@rhel8: 80910-3 + + references: + disa: "2007" +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +index e2893d260..99154a3bf 100644 +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: 80365-0 ++ cce@rhel8: 80911-1 + + references: + disa: "2007" +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +index 62af708f9..df27b1a71 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +@@ -14,6 +14,7 @@ severity: medium + identifiers: + cce@rhel6: 26974-6 + cce@rhel7: 27303-7 ++ cce@rhel8: 80763-6 + + references: + stigid@rhel6: RHEL-06-000073 +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +index 5a31ed7df..92d8b37e1 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 26970-4 ++ cce@rhel8: 80768-5 + + references: + cis: 1.7.2 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +index 99331203d..b08d1c17b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +@@ -30,6 +30,7 @@ severity: medium + + identifiers: + cce@rhel7: 26892-0 ++ cce@rhel8: 80770-1 + + references: + cis: 1.7.2 +diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +index 224dc1304..648bf8c09 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +@@ -22,6 +22,7 @@ severity: low + identifiers: + cce@rhel6: 27291-4 + cce@rhel7: 27275-7 ++ cce@rhel8: 80788-3 + + references: + stigid@rhel6: RHEL-06-000372 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +index 13e3ce31c..0c3be3f48 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +@@ -28,6 +28,7 @@ severity: medium + identifiers: + cce@rhel6: 26741-9 + cce@rhel7: 26923-3 ++ cce@rhel8: 80666-1 + + references: + stigid@rhel6: RHEL-06-000274 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +index b55f4537f..72fa89173 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +@@ -27,6 +27,7 @@ severity: medium + identifiers: + cce@rhel6: 26844-1 + cce@rhel7: 27350-8 ++ cce@rhel8: 80667-9 + + references: + stigid@rhel6: RHEL-06-000061 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +index 18f26f896..9e227dc90 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +@@ -15,6 +15,7 @@ severity: medium + + identifiers: + cce@rhel7: 80353-6 ++ cce@rhel8: 80668-7 + + references: + disa: "2238" +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +index c6669610f..5af47ce33 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +@@ -37,6 +37,7 @@ severity: medium + identifiers: + cce@rhel6: 27215-3 + cce@rhel7: 27297-1 ++ cce@rhel8: 80669-5 + + references: + stigid@rhel6: RHEL-06-000357 +diff --git 
a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +index 7b01031a3..d3ce96049 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +@@ -29,6 +29,7 @@ severity: medium + identifiers: + cce@rhel6: 27110-6 + cce@rhel7: 26884-7 ++ cce@rhel8: 80670-3 + + references: + stigid@rhel6: RHEL-06-000356 +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +index 3b8796bc2..c2cc014a8 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +@@ -27,6 +27,7 @@ severity: medium + + identifiers: + cce@rhel7: 27214-6 ++ cce@rhel8: 80653-9 + + references: + cis: 6.3.2 +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +index 7394eb774..a3e340ab0 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +@@ -31,6 
+31,7 @@ severity: medium + + identifiers: + cce@rhel7: 26631-2 ++ cce@rhel8: 80654-7 + + references: + cjis: 5.6.2.1.1 +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +index 70a819dd5..f99df85db 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +@@ -27,6 +27,7 @@ severity: medium + + identifiers: + cce@rhel7: 27345-8 ++ cce@rhel8: 80655-4 + + references: + disa: "193" +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +index dd949a6f9..29bfdd417 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel7: 27293-0 ++ cce@rhel8: 80656-2 + + references: + cis: 6.3.2 +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +index f2a6a0a40..b983f7e2f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 27360-7 ++ cce@rhel8: 80663-8 + + references: + disa: "1619" +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +index 8a7d222e0..3e030a77d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +@@ -17,10 +17,11 @@ rationale: |- + draw additional attention to some types of password-guessing attacks. Note that this + is different from account lockout, which is provided by the pam_faillock module. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: 27160-1 ++ cce@rhel8: 80664-6 + + references: + cis: 6.3.2 +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +index 01105a44d..018d38f7d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel7: 27200-5 ++ cce@rhel8: 80665-3 + + references: + cis: 6.3.2 +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml +index 0884f26b6..1cb4ca189 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel6: 27229-4 + cce@rhel7: 27053-8 ++ cce@rhel8: 80891-5 + + references: + stigid@rhel6: RHEL-06-000064 +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +index 82cfd0c12..12b856252 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml 
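Review bot: The `severity: unknown` to `severity: medium` change for accounts_password_pam_retry is a content decision unrelated to the CCE assignment this patch is about, and nothing in the patch records why medium was chosen; the same bundled change appears for account_unique_name and accounts_password_warn_age_login_defs further down. At the same time the context lines of the sshd_set_idle_timeout and restrict_serial_port_logins hunks still read `severity: unknown`, so the patch resolves the unknown-severity rules only partially. Splitting the severity changes into their own patch with a short justification, or treating every `unknown` rule in this patch the same way, would make the change reviewable on its own terms.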
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel6: 27228-6 + cce@rhel7: 27124-7 ++ cce@rhel8: 80892-3 + + references: + stigid@rhel6: RHEL-06-000063 +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index 5221c6b96..4c77b3837 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -13,6 +13,7 @@ severity: medium + identifiers: + cce@rhel6: 26303-8 + cce@rhel7: 27104-9 ++ cce@rhel8: 80893-1 + + references: + stigid@rhel6: RHEL-06-000062 +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml +index 3da99ba13..4c2a01033 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml +@@ -22,6 +22,7 @@ severity: high + + identifiers: + cce@rhel7: 80449-2 ++ cce@rhel8: 80784-2 + + references: + cui: 3.4.5 +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +index 7efa627a6..f607d4213 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +@@ -49,6 +49,7 @@ severity: 
high + + identifiers: + cce@rhel7: 27511-5 ++ cce@rhel8: 80785-9 + + references: + cui: 3.4.5 +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +index ea65f40d8..658249a28 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: 27335-9 ++ cce@rhel8: 80826-1 + + references: + cui: 3.1.2,3.4.5 +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index be11787cb..65f9a9c5c 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -36,6 +36,7 @@ severity: medium + identifiers: + cce@rhel6: 27040-5 + cce@rhel7: 27287-2 ++ cce@rhel8: 80855-0 + + references: + stigid@rhel6: RHEL-06-000069 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +index 34893bcc6..a2f5d4559 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +@@ -20,6 +20,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80940-0 ++ + ocil_clause: 'lock-command is not set' + + ocil: |- +diff --git 
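Review bot: The new `identifiers:` block for configure_tmux_lock_command is inserted between `severity:` and `ocil_clause:`, whereas every other rule.yml touched by this patch keeps `identifiers:` immediately before `references:`. If this rule has a `references:` section outside the hunk, moving the block next to it keeps the key order uniform across the rule files; if it has none, the placement is acceptable, but this is also the only rule in the patch that receives a `cce@rhel8:` without any `cce@rhel7:`, which is presumably intentional for a RHEL 8-only rule and worth confirming.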
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +index 9a44f66a3..7dafbfe65 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +@@ -27,6 +27,7 @@ severity: medium + + identifiers: + cce@rhel7: 80565-5 ++ cce@rhel8: 80766-9 + + references: + disa: 765,766,767,768,771,772,884 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml +index c0259c9c6..37619fcb8 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80567-1 ++ cce@rhel8: 80767-7 + + references: + disa: 765,766,767,768,771,772,884 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +index 356bf4bff..99cddf235 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +@@ -28,6 +28,7 @@ severity: medium + + identifiers: + cce@rhel7: 80207-4 ++ cce@rhel8: 80821-2 + + references: + disa: 
765,766,767,768,771,772,884 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +index 63c570e07..6b01ddb2e 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +@@ -24,7 +24,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80519-2 ++ cce@rhel7: 80519-2 + + references: + disa: "1954" +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +index 8203abbf0..8946fd764 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: 80568-9 ++ cce@rhel8: 80846-9 + + references: + disa: "1954" +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +index 941fad13b..d0a8cfa05 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: 80569-7 ++ cce@rhel8: 80881-6 + + references: + disa: "1954" +diff 
--git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml +index cb49b7f17..56af0e394 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml +@@ -25,7 +25,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80520-0 ++ cce@rhel7: 80520-0 + + references: + disa: "1954" +diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +index a186825b4..cfaf67eb2 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel7: 80206-6 ++ cce@rhel8: 80876-6 + + references: + cui: 3.4.5 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +index f9ce8e7de..e59817b22 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +@@ -32,6 +32,7 @@ severity: medium + identifiers: + cce@rhel6: 27283-1 + cce@rhel7: 27355-7 ++ cce@rhel8: 80954-1 + + references: + stigid@rhel6: RHEL-06-000334 +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +index 03f1e4681..d5ee139bc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +@@ -6,11 +6,12 @@ description: 'Change usernames, or delete accounts, so each has a unique name.' + + rationale: 'Unique usernames allow for accountability on the system.' + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27609-7 + cce@rhel7: 80208-2 ++ cce@rhel8: 80674-5 + + references: + stigid@rhel6: RHEL-06-000296 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index 56ada88b3..7c5e6f74a 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -27,6 +27,7 @@ severity: medium + identifiers: + cce@rhel6: 26985-2 + cce@rhel7: 27051-2 ++ cce@rhel8: 80647-1 + + references: + stigid@rhel6: RHEL-06-000053 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +index 95d07174d..9e7a35775 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel6: 27013-2 + cce@rhel7: 27002-5 ++ cce@rhel8: 80648-9 + + references: + stigid@rhel6: RHEL-06-000051 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +index e024b1244..c7cd5ce6a 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel6: 27002-5 + cce@rhel7: 27123-9 ++ cce@rhel8: 80652-1 + + references: + stigid@rhel6: RHEL-06-000050 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +index 8ed61a8b2..4b04426a8 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +@@ -19,7 +19,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80522-6 ++ cce@rhel7: 80522-6 + + references: + disa: "199" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +index 2d5a65136..3427a3d1d 100644 +--- 
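Review bot: The patch allocates dozens of new `cce@rhel8:` values without anything that checks them for uniqueness, and the context lines here show why such a check matters: accounts_password_minlen_login_defs carries `cce@rhel6: 27002-5`, the same number that the accounts_minimum_age_login_defs hunk just above carries as `cce@rhel7: 27002-5`. A CCE is meant to identify exactly one configuration statement, so one of those two pre-existing entries is probably wrong, and the newly assigned 806xx to 809xx values deserve the same duplicate check before the patch lands. A constructed one-liner over the patched tree, `grep -rho 'cce@rhel[0-9]*: [0-9-]*' linux_os | sort | uniq -d`, is enough to surface any repeated number.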
a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +@@ -19,7 +19,7 @@ rationale: |- + severity: medium + + identifiers: +- cce: 80521-8 ++ cce@rhel7: 80521-8 + + references: + disa: "198" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +index 81e6c1f28..86fcaa3ad 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +@@ -15,11 +15,12 @@ rationale: |- + Setting the password warning age enables users to + make the change at a practical time. 
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26988-6
+ cce@rhel7: 26486-1
++ cce@rhel8: 80671-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000054
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+index ed47892de..77e5b8061 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26476-2
+ cce@rhel7: 27352-4
++ cce@rhel8: 80651-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000031
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+index 43c0906ae..95f1095bf 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml
+@@ -14,6 +14,7 @@ severity: low
+ identifiers:
+ cce@rhel6: 27379-7
+ cce@rhel7: 27503-2
++ cce@rhel8: 80822-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000294
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+index fea018fa2..5ab22ceca 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+@@ -19,6 +19,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 27038-9
+ cce@rhel7: 27286-4
++ cce@rhel8: 80841-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000030
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+index 5622f7499..981072ed7 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+@@ -16,6 +16,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 26971-2
+ cce@rhel7: 27175-9
++ cce@rhel8: 80649-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000032
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+index 727da27ea..ec22c7f91 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26891-2
+ cce@rhel7: 27294-8
++ cce@rhel8: 80840-2
+ 
+ references:
+ cis: "5.5"
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+index c0b2220cd..00f792a7d 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26966-2
+ cce@rhel7: 26448-1
++ cce@rhel8: 80843-6
+ 
+ references:
+ disa@rhel6: '178'
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+index f4f83d736..983aaea44 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/rule.yml
+@@ -18,6 +18,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27047-0
+ cce@rhel7: 27268-2
++ cce@rhel8: 80856-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000028
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+index 1bae06775..960ce88b4 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26855-7
+ cce@rhel7: 27318-5
++ cce@rhel8: 80864-2
+ 
+ references:
+ stigid@rhel6: RHEL-06-000027
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+index a33db7f55..97a516b31 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel6: 27457-1
+ cce@rhel7: 27081-9
++ cce@rhel8: 80955-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000319
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml 
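Review bot: The hunk header for restrict_serial_port_logins shows `severity: unknown` left in place, while the same patch does correct `severity: unknown` to `severity: medium` on accounts_root_path_dirs_no_write and on the rule in the hunk at the top of this chunk, so severities are being fixed in some rules but not others. The same `severity: unknown` header appears on the audit_rules_dac_modification_chmod, chown, fchmod, fchmodat, fchown, fchownat, fsetxattr, lchown, lsetxattr and setxattr hunks, whereas their siblings fremovexattr, lremovexattr and removexattr are already `severity: medium` and differ only in the syscall being audited. A rule left at `unknown` cannot be prioritised from scan output, so either set a severity on these in this patch or say in the commit message that they are deliberately deferred. The severity line is context above the hunk, not part of the change, and the rest of each rule file is outside the hunk.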
b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index 2bf379ed3..e219c5cf8 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27333-4
+ cce@rhel7: 27557-8
++ cce@rhel8: 80673-7
+ 
+ references:
+ cui: 3.1.11
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+index d9c532f87..c11a85a40 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+@@ -18,7 +18,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80526-7
++ cce@rhel7: 80526-7
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+index 554a3ef9c..8b2877ff9 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+@@ -19,7 +19,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80523-4
++ cce@rhel7: 80523-4
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+index 3d2a24e62..77d95db59 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+@@ -17,7 +17,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80527-5
++ cce@rhel7: 80527-5
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+index e1eadd9fd..1166ed20b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+@@ -23,7 +23,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80524-2
++ cce@rhel7: 80524-2
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+index d620bb0aa..69b42ccce 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+@@ -15,7 +15,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80528-3
++ cce@rhel7: 80528-3
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index 5c0774d8c..6d803c903 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -20,7 +20,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80529-1
++ cce@rhel7: 80529-1
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+index 747281ef0..a414b4e6b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
+@@ -17,7 +17,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80534-1
++ cce@rhel7: 80534-1
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+index a9df4e84e..ab77bc555 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+@@ -18,7 +18,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80533-3
++ cce@rhel7: 80533-3
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
+index 2f3af6738..adaa13531 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml
+@@ -16,7 +16,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80535-8
++ cce@rhel7: 80535-8
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 62e0d90e2..6e1a016fb 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -19,7 +19,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80532-5
++ cce@rhel7: 80532-5
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+index 717d6d041..48f84c88c 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+@@ -18,7 +18,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80531-7
++ cce@rhel7: 80531-7
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+index 4ce8b4d55..801672ee5 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+@@ -17,7 +17,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80525-9
++ cce@rhel7: 80525-9
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+index 789bea9c2..18323547e 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+@@ -17,7 +17,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80530-9
++ cce@rhel7: 80530-9
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+index ec09e14c4..e9669cf58 100644
+--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+@@ -13,11 +13,12 @@ rationale: |-
+ execute code provided by unprivileged users,
+ and potentially malicious code.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26768-2
+ cce@rhel7: 80200-9
++ cce@rhel8: 80672-9
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+index f1a7fa125..d58ee6339 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+@@ -17,7 +17,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80536-6
++ cce@rhel7: 80536-6
+ 
+ references:
+ disa: "1814"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+index c10938e8c..9649a2ded 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 26280-8
+ cce@rhel7: 27339-1
++ cce@rhel8: 80685-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000184
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+index 60e709f53..2e395a9f3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27173-4
+ cce@rhel7: 27364-9
++ cce@rhel8: 80686-9
+ 
+ references:
+ stigid@rhel6: RHEL-06-000185
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+index b4c79f035..6e198cbc6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27174-2
+ cce@rhel7: 27393-8
++ cce@rhel8: 80687-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000186
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+index 36d318c6f..83527e945 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27175-9
+ cce@rhel7: 27388-8
++ cce@rhel8: 80688-5
+ 
+ references:
+ stigid@rhel6: RHEL-06-000187
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+index 1e5b80170..f3a5f7f78 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27177-5
+ cce@rhel7: 27356-5
++ cce@rhel8: 80689-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000188
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+index d2fc3fb4f..6732047ab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27178-3
+ cce@rhel7: 27387-0
++ cce@rhel8: 80690-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000189
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index e643dd7fc..7465bfe9b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27179-1
+ cce@rhel7: 27353-2
++ cce@rhel8: 80691-9
+ 
+ references:
+ stigid@rhel6: RHEL-06-000190
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+index a509cd43c..c625c2475 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27180-9
+ cce@rhel7: 27389-6
++ cce@rhel8: 80692-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000191
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+index 9e6c70649..4c0804c73 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27181-7
+ cce@rhel7: 27083-5
++ cce@rhel8: 80693-5
+ 
+ references:
+ stigid@rhel6: RHEL-06-000192
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+index 4fe072bc8..a6be5564d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27182-5
+ cce@rhel7: 27410-0
++ cce@rhel8: 80694-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000193
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+index e2b4d5e8c..29b2dc307 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27183-3
+ cce@rhel7: 27280-7
++ cce@rhel8: 80695-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000194
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+index 9baaf7411..2093a4152 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27184-1
+ cce@rhel7: 27367-2
++ cce@rhel8: 80696-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000195
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+index 67e9beb2c..8446637bc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+@@ -29,6 +29,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 27185-8
+ cce@rhel7: 27213-8
++ cce@rhel8: 80697-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000196
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+index 98838b70c..feb8aad6f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80393-2
++ cce@rhel8: 80698-4
+ 
+ references:
+ cui: 3.1.7
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+index 1004ecc0c..6fbed3dd6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80394-0
++ cce@rhel8: 80699-2
+ 
+ references:
+ cui: 3.1.7
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+index e2dbdd5a6..0f9793b38 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80391-6
++ cce@rhel8: 80700-8
+ 
+ references:
+ cui: 3.1.7
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+index 44ebae92a..478cf0850 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+@@ -32,6 +32,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80392-4
++ cce@rhel8: 80701-6
+ 
+ references:
+ cui: 3.1.7
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+index 80c36cc9a..1c582219f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+@@ -30,6 +30,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80933-5
++
+ references:
+ ospp@rhel7: FAU_GEN.1.1.c
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+index eb1d33675..816997d6e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26651-0
+ cce@rhel7: 27206-2
++ cce@rhel8: 80702-4
+ 
+ references:
+ disa@rhel6: "126"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+index 75890215e..a06682bb5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27206-2
++ cce@rhel8: 80703-2
+ 
+ references:
+ cis: 5.2.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+index 92ad7d70d..01137eae9 
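Review bot: The audit_rules_file_deletion_events_rename hunk keeps `cce@rhel7: 27206-2` as its RHEL7 identifier, which is the same CCE the audit_rules_file_deletion_events hunk just above carries, and the unlink and unlinkat hunks that follow reuse it a third and fourth time; a CCE is supposed to identify exactly one rule per platform, so a scan report or CCE lookup on RHEL7 cannot distinguish these four rules. The newly added `cce@rhel8` values (80702-4, 80703-2, 80706-5, 80707-3) are all distinct, so the RHEL8 side is handled correctly. Since this patch is already editing each of these identifier blocks, it would be the natural place either to give the three per-syscall rules their own RHEL7 CCEs or to drop the borrowed `cce@rhel7: 27206-2` line from them if they are not meant to carry a RHEL7 identifier. The duplication is in context lines rather than introduced by this patch.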
100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80413-8
++ cce@rhel8: 80704-0
+ 
+ references:
+ cis: 5.2.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index f5eda6870..4bf9c795b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80412-0
++ cce@rhel8: 80705-7
+ 
+ references:
+ cis: 5.2.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index 2e3c71d36..b4f638f41 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27206-2
++ cce@rhel8: 80706-5
+ 
+ references:
+ cis: 5.2.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index 88306a0f6..f93df0924 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27206-2
++ cce@rhel8: 80707-3
+ 
+ references:
+ cis: 5.2.14
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+index a8f05038a..a0dfb4a25 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+@@ -33,6 +33,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26611-4
+ cce@rhel7: 27129-6
++ cce@rhel8: 80709-9
+ 
+ references:
+ disa@rhel6: "126"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml
+index dde79de47..5980f509f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/rule.yml
+@@ -23,6 +23,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80710-7
++
+ references:
+ disa: "172"
+ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index ddb5c3acb..c57f0a1d9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80415-3
++ cce@rhel8: 80711-5
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index 5010a07ab..71943c022 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80547-3
++ cce@rhel8: 80712-3
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index f70cbc02c..0c4cb5541 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80414-6
++ cce@rhel8: 80713-1
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
+index 958452d05..14ca4922e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80446-8
++ cce@rhel8: 80714-9
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
+index e923739af..d037b2a34 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80417-9
++ cce@rhel8: 80715-6
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
+index 6cd132654..b22487fc6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80416-1
++ cce@rhel8: 80716-4
+ 
+ references:
+ cis: 5.2.17
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+index 8d415c8b7..f23a9b9c8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+@@ -29,6 +29,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26691-6
+ cce@rhel7: 27204-7
++ cce@rhel8: 80717-2
+ 
+ references:
+ nist@rhel6: AC-3(10)
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+index caadcd3cb..9d9da4b72 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80383-3
++ cce@rhel8: 80718-0
+ 
+ references:
+ cis: 5.2.8
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 6cf28ce80..674079217 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80384-1
++ cce@rhel8: 80719-8
+ 
+ references:
+ cis: 5.2.8
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+index 18b6ba452..34b8f3cd1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80382-5
++ cce@rhel8: 80720-6
+ 
+ references:
+ cis: 5.2.8
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+index 7c2773334..b3bfa16eb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+@@ -39,6 +39,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26457-2
+ cce@rhel7: 27437-3
++ cce@rhel8: 80724-8
+ 
+ references:
+ disa@rhel6: "40"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +index 400c8129e..f2b40b448 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80398-1 ++ cce@rhel8: 80725-5 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +index 903c13208..4285aec38 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80404-7 ++ cce@rhel8: 80726-3 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +index 9ac6bd819..371d82ecd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80410-4 ++ cce@rhel8: 80727-1 + + references: + cui: 3.1.7 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +index 537e6ba41..4e8e2f0ee 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80397-3 ++ cce@rhel8: 80728-9 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +index 8b381bbf8..b9cf8d67f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80403-9 ++ cce@rhel8: 80729-7 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +index 6c597d0ad..8474aba30 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80411-2 ++ cce@rhel8: 80730-5 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +index 575ab8c53..ed1afd38a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80395-7 ++ cce@rhel8: 80731-3 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +index 6b2457029..ea6de5430 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80406-2 ++ cce@rhel8: 80732-1 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +index 54965075c..8c30cee5f 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80407-0 ++ cce@rhel8: 80733-9 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml +index 8bcfcb899..6e3ca8682 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80409-6 ++ cce@rhel8: 80734-7 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +index 466d8fc04..c43768cb5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80408-8 ++ cce@rhel8: 80735-4 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +index a6e0a50ae..e0f39441a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80400-5 ++ cce@rhel8: 80736-2 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +index 92881180c..1a3045761 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80401-3 ++ cce@rhel8: 80737-0 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml +index cca1be806..76cb01ab1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80402-1 ++ cce@rhel8: 80738-8 + + references: + cui: 3.1.7 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +index 53f3f61d7..9e921f00c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80405-4 ++ cce@rhel8: 80739-6 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +index 17fd7e93f..25b47655a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80396-5 ++ cce@rhel8: 80740-4 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +index d28d2d7ed..db802f631 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +@@ -32,6 +32,7 @@ severity: medium + + identifiers: + cce@rhel7: 80399-9 ++ cce@rhel8: 80741-2 + + references: + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +index 269a019bd..de7d8c510 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +@@ -22,6 +22,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80927-7 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +index 2333cab53..8f36c074e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +@@ -22,6 +22,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80929-3 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +index 83629fba4..dc04e13f6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +@@ -22,6 +22,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80928-5 ++ + references: + ospp@rhel7: 
FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +index f0ea00296..0d56be161 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +@@ -22,6 +22,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80930-1 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +index 3af3e184b..c8df487f9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +@@ -21,6 +21,9 @@ rationale: |- + Auditing these events could serve as evidence of potential system compromise. 
+ + severity: medium ++ ++identifiers: ++ cce@rhel8: 80932-7 + + references: + ospp@rhel7: FAU_GEN.1.1.c +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +index 6166aa138..2ccdd2230 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +@@ -22,6 +22,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80931-9 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml +index 2823cd707..7067ef478 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml +@@ -27,6 +27,7 @@ severity: medium + identifiers: + cce@rhel6: 26612-2 + cce@rhel7: 27097-5 ++ cce@rhel8: 80708-1 + + references: + cis: 4.1.18 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml +index 67c80e966..9d4f44e9a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml +@@ -18,11 +18,12 @@ rationale: |- + arbitrarily changed by anything other than administrator action. All changes to + MAC policy should be audited. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26657-7 + cce@rhel7: 27168-4 ++ cce@rhel8: 80721-4 + + references: + stigid@rhel6: RHEL-06-000183 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml +index 8740350ec..cdd32d85e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml +@@ -27,6 +27,7 @@ severity: medium + identifiers: + cce@rhel6: 26573-6 + cce@rhel7: 27447-2 ++ cce@rhel8: 80722-2 + + references: + stigid@rhel6: RHEL-06-000199 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml +index 3c23ad814..866bc867d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml +@@ -28,11 +28,12 @@ rationale: |- + than administrator action. Any change to network parameters should be + audited. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26648-6 + cce@rhel7: 27076-9 ++ cce@rhel8: 80723-0 + + references: + stigid@rhel6: RHEL-06-000182 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml +index 3aac975f9..96057cdec 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml +@@ -24,11 +24,12 @@ rationale: |- + Manual editing of these files may indicate nefarious activity, such + as an attacker attempting to remove evidence of an intrusion. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26610-6 + cce@rhel7: 27301-1 ++ cce@rhel8: 80742-0 + + references: + nist@rhel6: AC-3(10) +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +index 4ad19e125..539199c7a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +@@ -25,6 +25,7 @@ severity: unknown + identifiers: + cce@rhel6: 26662-7 + cce@rhel7: 27461-3 ++ cce@rhel8: 80743-8 + + references: + stigid@rhel6: RHEL-06-000201 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml +index 42e99187c..bbf1584aa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + 
identifiers: + cce@rhel7: 80381-7 ++ cce@rhel8: 80744-6 + + references: + cui: 3.3.1,3.3.4 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml +index 2838470d8..dbb92ce93 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml +@@ -29,11 +29,12 @@ rationale: |- + will alert the system administrator(s) to any modifications. Any unexpected + users, groups, or modifications should be investigated for legitimacy. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26664-3 + cce@rhel7: 27192-4 ++ cce@rhel8: 80757-8 + + references: + stigid@rhel6: RHEL-06-000174 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +index 47d6f06ac..24a39a602 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80433-6 ++ cce@rhel8: 80758-6 + + references: + cis: 5.2.5 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +index dbe900e3e..d90b668b5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml 
+@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80432-8 ++ cce@rhel8: 80759-4 + + references: + cis: 5.2.5 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +index 958483a1a..e6c81a5f1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80430-2 ++ cce@rhel8: 80760-2 + + references: + cis: 5.2.5 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +index 0e8ed3b5b..78f096588 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80435-1 ++ cce@rhel8: 80761-0 + + references: + cis: 5.2.5 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +index 081244a11..521322767 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80431-0 ++ cce@rhel8: 80762-8 + + references: + cis: 5.2.5 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml +index bb71a9050..c4b754b04 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml +@@ -28,11 +28,12 @@ rationale: |- + are highly dependent upon an accurate system time (such as sshd). All changes + to the system time should be audited. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26242-8 + cce@rhel7: 27290-6 ++ cce@rhel8: 80745-3 + + references: + stigid@rhel6: RHEL-06-000165 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml +index de2c4dfda..de2ae9ce7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml +@@ -28,11 +28,12 @@ rationale: |- + are highly dependent upon an accurate system time (such as sshd). All changes + to the system time should be audited. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27170-0 + cce@rhel7: 27219-5 ++ cce@rhel8: 80746-1 + + references: + stigid@rhel6: RHEL-06-000171 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml +index b8e2f5c95..a6188c2be 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml +@@ -28,11 +28,12 @@ rationale: |- + are highly dependent upon an accurate system time (such as sshd). All changes + to the system time should be audited. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27203-9 + cce@rhel7: 27216-1 ++ cce@rhel8: 80747-9 + + references: + stigid@rhel6: RHEL-06-000167 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml +index 7b2fe7b9f..2e74abf14 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml +@@ -32,11 +32,12 @@ rationale: |- + are highly dependent upon an accurate system time (such as sshd). All changes + to the system time should be audited. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27169-2 + cce@rhel7: 27299-7 ++ cce@rhel8: 80748-7 + + references: + stigid@rhel6: RHEL-06-000169 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml +index 08c8de2b4..3072909c0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml +@@ -22,11 +22,12 @@ rationale: |- + are highly dependent upon an accurate system time (such as sshd). All changes + to the system time should be audited. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27172-6 + cce@rhel7: 27310-2 ++ cce@rhel8: 80749-5 + + references: + stigid@rhel6: RHEL-06-000173 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml +index f1770e00b..95fba1e0b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml +@@ -33,6 +33,7 @@ severity: medium + identifiers: + cce@rhel6: 26712-0 + cce@rhel7: 27347-4 ++ cce@rhel8: 80750-3 + + references: + disa@rhel6: "126" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 18ebaa0ef..050921624 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80385-8
++ cce@rhel8: 80751-1
+ 
+ references:
+ cis: 5.2.10
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 371131bcc..7b4d89af2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80390-8
++ cce@rhel8: 80752-9
+ 
+ references:
+ cis: 5.2.10
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 21ca96d59..00d7748d5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80386-6
++ cce@rhel8: 80753-7
+ 
+ references:
+ cis: 5.2.10
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index 6699c644f..776f2335e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80388-2
++ cce@rhel8: 80755-2
+ 
+ references:
+ cis: 5.2.10
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 463d85b56..a89a18d03 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80387-4
++ cce@rhel8: 80754-5
+ 
+ references:
+ cis: 5.2.10
+diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 1a0416a1f..1f5f946e2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -34,6 +34,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80389-0
++ cce@rhel8: 80756-0
+ 
+ references:
+ cis: 5.2.10
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
+index d4dc9d2f8..1567576de 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
+@@ -22,7 +22,10 @@ rationale: |-
+ references:
+ ospp@rhel7: FAU_GEN.1.1.c
+ 
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80941-8
+ 
+ ocil_clause: "no line is returned"
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+index 8a6d2eb96..b5e02986d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27244-3
+ cce@rhel7: 80125-8
++ cce@rhel8: 80808-9
+ 
+ references:
+ 
stigid@rhel6: RHEL-06-000384
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+index fb0cf9133..740509406 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27243-5
+ cce@rhel7: 27205-4
++ cce@rhel8: 80819-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000383
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+index 2af5cd02f..f108f2942 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+@@ -27,7 +27,8 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80541-6
++ cce@rhel7: 80541-6
++ cce@rhel8: 80925-1
+ 
+ references:
+ disa: "1851"
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+index a9eaf4c7a..0635d1e5e 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+@@ -22,7 +22,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80539-0
++ cce@rhel7: 80539-0
+ 
+ references:
+ disa: "1851"
+diff --git 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+index fba580ae4..a3721388c 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+@@ -24,7 +24,8 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80540-8
++ cce@rhel7: 80540-8
++ cce@rhel8: 80926-9
+ 
+ references:
+ disa: "1851"
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+index 6feb77b47..c8699c7ba 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+@@ -22,7 +22,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80538-2
++ cce@rhel7: 80538-2
+ 
+ references:
+ disa: "1851"
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+index 184e59fd1..6c03602a7 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26933-2
+ cce@rhel7: 27341-7
++ cce@rhel8: 80677-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000509
+diff --git 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+index 97675adf8..66657c615 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27241-9
+ cce@rhel7: 27394-6
++ cce@rhel8: 80678-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000313
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+index 3824c19da..3bf1e42b3 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27239-3
+ cce@rhel7: 27370-6
++ cce@rhel8: 80679-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000163
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+index 138e14392..4fe519084 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+@@ -16,10 +16,11 @@ rationale: |-
+ log integrity. These parameters assure that all audit event data is fully
+ synchronized with the log files on the disk.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27331-8
++ cce@rhel8: 80680-2
+ 
+ references:
+ cui: 3.3.1
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+index cdc57663a..1531320e1 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27550-3
+ cce@rhel7: 27319-3
++ cce@rhel8: 80681-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000160
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+index ae3fd8723..182e86bd2 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+@@ -30,6 +30,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27237-7
+ cce@rhel7: 27231-0
++ cce@rhel8: 80682-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000161
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+index f60ecab0b..a83876bf8 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ 
cce@rhel6: 27522-2
+ cce@rhel7: 27348-2
++ cce@rhel8: 80683-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000159
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+index 96f9da5e3..22793b81a 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+@@ -21,7 +21,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel6: 80507-7
+- cce: 80537-4
++ cce@rhel7: 80537-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000311
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+index 1995b59bd..26498a02b 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+@@ -31,6 +31,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27238-5
+ cce@rhel7: 27375-5
++ cce@rhel8: 80684-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000005
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 1c405fc87..6e8072cd6 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27212-0
++ cce@rhel8: 80825-3
+ 
+ references:
+ cis: 4.1.3
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index b646ec725..1e56ff0aa 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -17,7 +17,10 @@ rationale: |-
+ are stored in this queue. If the queue is overrun during boot process, the action
+ defined by audit failure flag is taken.
+ 
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80943-4
+ 
+ ocil_clause: 'audit backlog limit is not configured'
+ 
+diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+index c48a7bb7f..f7e5cf665 100644
+--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+@@ -23,6 +23,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 27058-7
+ cce@rhel7: 27407-6
++ cce@rhel8: 80872-5
+ 
+ references:
+ stigid@rhel6: RHEL-06-000145
+diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+index 7381dd3c9..50c69b389 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 26812-8
++ cce@rhel8: 80800-6
+ 
+ references:
+ cis: 1.4.1
+diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+index 63f29aafd..81883aa0d 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 26860-7
++ cce@rhel8: 80805-5
+ 
+ references:
+ cis: 
1.4.1
+diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/rule.yml
+index 0a048f2a3..88c3eb9a8 100644
+--- a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27054-6
++ cce@rhel8: 80814-7
+ 
+ references:
+ cis: 1.4.1
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+index 52430f5e4..6c66ca02e 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+@@ -18,7 +18,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80517-6
++ cce@rhel7: 80517-6
+ 
+ references:
+ disa: "1814"
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+index 5160c7ced..d3d6b7d6d 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+@@ -48,6 +48,7 @@ severity: high
+ 
+ identifiers:
+ cce@rhel7: 27309-4
++ cce@rhel8: 80828-7
+ 
+ references:
+ cis: 1.4.2
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+index b3f5fb311..c65b87fd6 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+@@ -48,6 +48,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80354-4
++ cce@rhel8: 80829-5
+ 
+ references:
+ cis: 1.4.2
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+index 0cfef2f75..78a4f5452 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+@@ -18,7 +18,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80518-4
++ cce@rhel7: 80518-4
+ 
+ references:
+ disa: "1814"
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+index 33b4d8e4e..05e82f5c1 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80380-9
++ cce@rhel8: 80859-2
+ 
+ references:
+ disa: "366"
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
+index 92128698c..52d7b9616 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26821-9
+ cce@rhel7: 80190-2
++ cce@rhel8: 80860-0
+ 
+ references:
+ anssi@debian8: NT28(R46),NT28(R5)
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
+index 45dfffb5a..f3e3176aa 100644
+--- 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
+@@ -24,6 +24,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26812-8
+ cce@rhel7: 80189-4
++ cce@rhel8: 80861-8
+ 
+ references:
+ anssi@debian8: NT28(R46),NT28(R5)
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+index dca943d5f..79d1ad93f 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27190-8
+ cce@rhel7: 80191-0
++ cce@rhel8: 80862-6
+ 
+ references:
+ cis@debian8: 5.1.4
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index 21ed3ae98..9871085f7 100644
+--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -15,11 +15,12 @@ rationale: |-
+ that they fill up the /var/log partition. Valuable logging information could be lost
+ if the /var/log partition becomes full.
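Review bot: In the rsyslog_files_ownership hunk the context line `cce@rhel6: 26812-8` carries the same number that the file_groupowner_grub2_cfg hunk earlier in this patch lists as `cce@rhel7: 26812-8`, so one CCE value appears under two unrelated rules. A CCE is meant to identify a single configuration item, so unless the RHEL6 and RHEL7 pools are deliberately allowed to overlap this looks like a copy-paste collision that a commit reconciling CCE assignments is the natural place to resolve. Which of the two rules owns 26812-8 cannot be decided from the hunks alone; the RHEL8 identifiers added here (80861-8 and 80800-6) are distinct and unaffected.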
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 27014-0
+ cce@rhel7: 80195-1
++ cce@rhel8: 80794-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000138
+diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+index 6f6da0dfb..fb0c701f2 100644
+--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26809-4
+ cce@rhel7: 80187-8
++ cce@rhel8: 80847-7
+ 
+ references:
+ cis@debian8: 5.1.1
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 4dbe9612d..716571b6f 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -38,6 +38,7 @@ severity: unknown
+ identifiers:
+ cce@rhel6: 26801-1
+ cce@rhel7: 27343-3
++ cce@rhel8: 80863-4
+ 
+ references:
+ cis@debian8: 5.1.5
+diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+index 6f07d64a7..2b3c056d3 100644
+--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26807-8
+ cce@rhel7: 80188-6
++ cce@rhel8: 80886-5
+ 
+ references:
+ cis@debian8: 5.1.2
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index 7e7cc10e9..99314a436 100644
+--- 
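Review bot: The rsyslog_remote_loghost hunk adds `cce@rhel8: 80863-4` but leaves the rule at `severity: unknown`, as its hunk header shows, whereas every other rule in this patch whose severity was unknown is changed to `severity: medium` in the same hunk that receives its RHEL8 CCE. Shipping a rule with an assigned RHEL8 identifier and no severity leaves the generated profile with an unrated control for remote log forwarding. Either set `severity: medium` here too, or add a one-line comment above the severity key explaining why this rule is intentionally left unrated.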
a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27361-5
++ cce@rhel8: 80877-4
+ 
+ references:
+ cis: "4.7"
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
+index 8549c324b..d884bc366 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml
+@@ -26,7 +26,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80542-4
++ cce@rhel7: 80542-4
+ 
+ references:
+ disa: "2385"
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+index cf0944f94..0c3dc0712 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 27349-0
++ cce@rhel8: 80890-7
+ 
+ references:
+ cjis: 5.10.1
+diff --git a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
+index 7b743e4aa..dc0fc9b4a 100644
+--- a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
++++ b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 80171-2
++ cce@rhel8: 80836-0
+ 
+ references:
+ disa: "336"
+diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+index 4aad1cce8..05336397d 100644
+--- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
++++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27626-1
+ cce@rhel7: 80170-4
++ cce@rhel8: 80845-1
+ 
+ references:
+ srg@rhel6: SRG-OS-000160
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index ed6ad3e71..954999e6e 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27027-2
+ cce@rhel7: 80158-9
++ cce@rhel8: 80917-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000084
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+index ff28c1d52..8909a90a7 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27015-7
+ cce@rhel7: 80163-9
++ cce@rhel8: 80919-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000091
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+index ac49111a1..47da88024 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26983-7
+ cce@rhel7: 80162-1
++ cce@rhel8: 80920-2
+ 
+ references:
+ stigid@rhel6: RHEL-06-000089
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index d3a2c9e33..dec9cf231 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26883-9
+ cce@rhel7: 80165-4
++ cce@rhel8: 80922-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000092
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+index c3433b443..f2e173439 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27053-8
+ cce@rhel7: 27495-1
++ cce@rhel8: 80923-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000095
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index 5c265f54f..837712899 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27004-1
+ cce@rhel7: 80156-3
++ cce@rhel8: 80918-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000081
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index 1b9ea87e5..818dd1f61 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27001-7
+ cce@rhel7: 80156-3
++ cce@rhel8: 80921-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000080
+diff --git 
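Review bot: The context lines show `cce@rhel7: 80156-3` under both sysctl_net_ipv4_conf_all_send_redirects and sysctl_net_ipv4_conf_default_send_redirects, so a single RHEL7 CCE is assigned to two rules while this commit gives each rule its own RHEL8 CCE (80918-6 and 80921-0). Since a CCE should identify one configuration item, one of the two rhel7 entries is presumably a copy-paste error, and a commit that is already reconciling the `cce` keys is the place to fix it. Which rule legitimately owns 80156-3 cannot be determined from the hunk; the RHEL6 entries (27004-1 and 27001-7) are distinct, which suggests the rhel7 duplication is the anomaly.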
a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+index 929d2d630..c7b61975a 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26448-1
+ cce@rhel7: 26828-4
++ cce@rhel8: 80833-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000124
+diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+index 86ab0c31c..33a96719e 100644
+--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+@@ -20,6 +20,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26410-1
+ cce@rhel7: 27106-4
++ cce@rhel8: 80834-5
+ 
+ references:
+ stigid@rhel6: RHEL-06-000125
+diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+index 0413b8190..5e02f40e9 100644
+--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
++++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26763-3
+ cce@rhel7: 27327-6
++ cce@rhel8: 80832-9
+ 
+ references:
+ stigid@rhel6: RHEL-06-000315
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+index abbd3e671..da6816719 100644
+--- 
a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+@@ -20,11 +20,12 @@ description: |-
+ 
+ rationale: "Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.\n

\nThe only authorized public directories are those temporary directories supplied with the system, \nor those designed to be temporary file repositories. The setting is normally reserved for directories \nused by the system, by users for temporary file storage (such as /tmp), and for directories \nrequiring global read/write access."
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26840-9
+ cce@rhel7: 80130-8
++ cce@rhel8: 80783-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000336
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+index dad9c0f31..259a79541 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+@@ -15,11 +15,12 @@ rationale: |-
+ unprivileged users to elevate privileges. The presence of these files should be
+ strictly controlled on the system.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26769-0
+ cce@rhel7: 80132-4
++ cce@rhel8: 80816-2
+ 
+ references:
+ cis: 6.1.14
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+index 5ccf98274..894273c87 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+@@ -15,11 +15,12 @@ rationale: |-
+ unprivileged users to elevate privileges. The presence of these files should be
+ strictly controlled on the system. 
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26497-8
+ cce@rhel7: 80133-2
++ cce@rhel8: 80817-0
+ 
+ references:
+ cis: 6.1.13
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+index 24f3efa62..bb57854c4 100644
+--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26910-0
+ cce@rhel7: 80131-6
++ cce@rhel8: 80818-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000282
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+index 6f864fecd..9130e759a 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26930-8
+ cce@rhel7: 27037-1
++ cce@rhel8: 80796-6
+ 
+ references:
+ stigid@rhel6: RHEL-06-000043
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+index cc3746ad9..9e1cc6264 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ 
cce@rhel6: 26975-3
+ cce@rhel7: 26840-9
++ cce@rhel8: 80797-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000037
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+index 9d171e350..7d1bf839d 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26856-5
+ cce@rhel7: 26639-5
++ cce@rhel8: 80798-2
+ 
+ references:
+ stigid@rhel6: RHEL-06-000040
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+index f6ec7e154..e9f6d40b6 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26967-0
+ cce@rhel7: 27125-4
++ cce@rhel8: 80799-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000034
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+index c0496430f..c88acfd1a 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers: 
+ cce@rhel6: 26822-7
+ cce@rhel7: 26933-2
++ cce@rhel8: 80801-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000042
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+index 22b6dadb0..a061f14ec 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27026-4
+ cce@rhel7: 27161-9
++ cce@rhel8: 80802-2
+ 
+ references:
+ stigid@rhel6: RHEL-06-000036
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+index 3e8fba2b8..c317b7e4f 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26953-0
+ cce@rhel7: 27138-7
++ cce@rhel8: 80803-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000039
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+index ac0aac953..7db00cd0a 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26947-2
+ 
cce@rhel7: 26795-5
++ cce@rhel8: 80804-8
+ 
+ references:
+ stigid@rhel6: RHEL-06-000033
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+index dbccf7ea0..efc21706f 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26954-8
+ cce@rhel7: 26949-8
++ cce@rhel8: 80810-5
+ 
+ references:
+ stigid@rhel6: RHEL-06-000044
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+index c7673ecc8..12da56efa 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26951-4
+ cce@rhel7: 27162-7
++ cce@rhel8: 80811-3
+ 
+ references:
+ anssi@debian8: NT28(R36)
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+index 0f5e2585b..5fedecd7d 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+@@ -16,6 +16,7 @@ severity: medium
+ 
identifiers:
+ cce@rhel6: 26868-0
+ cce@rhel7: 26887-0
++ cce@rhel8: 80812-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000041
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+index dea08423d..394dda148 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+@@ -17,6 +17,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26992-8
+ cce@rhel7: 27100-7
++ cce@rhel8: 80813-9
+ 
+ references:
+ anssi@debian8: NT28(R36)
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+index 1baa608b2..106d404a6 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27623-8
+ cce@rhel7: 27119-7
++ cce@rhel8: 80806-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000048
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+index 1248f001f..6fb992748 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+@@ -28,6 +28,7 @@ 
severity: medium
+ identifiers:
+ cce@rhel6: 27424-1
+ cce@rhel7: 26648-6
++ cce@rhel8: 80807-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000046
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+index 2a749490a..8aa5becb6 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27289-8
+ cce@rhel7: 27075-1
++ cce@rhel8: 80809-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000047
+diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+index f8f5eacaa..d2339f156 100644
+--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+@@ -28,6 +28,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27381-3
+ cce@rhel7: 26966-2
++ cce@rhel8: 80815-4
+ 
+ references:
+ stigid@rhel6: RHEL-06-000045
+diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+index ccba1a95e..7d16722aa 100644
+--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27016-5
+ cce@rhel7: 
27277-3
++ cce@rhel8: 80835-2
+ 
+ references:
+ stigid@rhel6: RHEL-06-000503
+diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+index 2dc0d3082..2c531bc4f 100644
+--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+@@ -27,6 +27,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26976-1
+ cce@rhel7: 27498-5
++ cce@rhel8: 80873-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000526
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+index 685ddbf9e..bd2c6467a 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+@@ -8,11 +8,12 @@ rationale: |-
+ The only legitimate location for device files is the /dev directory
+ located on the root partition. The only exception to this is chroot jails.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26778-1
+ cce@rhel7: 80152-2
++ cce@rhel8: 80837-8
+ 
+ references:
+ cis: 1.1.15
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+index f6d7a8105..90c39c4ee 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+@@ -15,11 +15,12 @@ rationale: |-
+ Allowing users to execute binaries from world-writable directories
+ such as /dev/shm can expose the system to potential compromise. 
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26622-1
+ cce@rhel7: 80153-0
++ cce@rhel8: 80838-6
+ 
+ references:
+ cis: 1.1.17
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+index 9c54c6f7f..f7c1dcf6c 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+@@ -12,11 +12,12 @@ rationale: |-
+ The presence of SUID and SGID executables should be tightly controlled. Users
+ should not be able to execute SUID or SGID binaries from temporary storage partitions.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26486-1
+ cce@rhel7: 80154-8
++ cce@rhel8: 80839-4
+ 
+ references:
+ cis: 1.1.16
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+index a3eab555f..1e67f62f1 100644
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable/rule.yml
+@@ -11,11 +11,12 @@ rationale: |-
+ setuid program to write a core file decreases the risk of unauthorized access
+ of such data. 
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 27044-7
+ cce@rhel7: 26900-1
++ cce@rhel8: 80912-9
+ 
+ references:
+ cis: 1.5.1
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+index affd0996a..aa4a5782f 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml
+@@ -13,6 +13,7 @@ severity: medium
+ identifiers:
+ cce@hrel6: 27007-4
+ cce@rhel7: 27211-2
++ cce@rhel8: 80914-5
+ 
+ references:
+ srg@rhel6: SRG-OS-999999
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+index 492d2e7c0..3701e9f75 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+@@ -13,6 +13,9 @@ rationale: |-
+ 
+ severity: low
+ 
++identifiers:
++ cce@rhel8: 80915-2
++
+ references:
+ anssi: NT28(R23)
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+index 2b0e58380..d5db3d846 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+@@ -11,6 +11,7 @@ 
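Review bot: The context line right above the added `cce@rhel8: 80914-5` in the sysctl_kernel_exec_shield hunk reads `cce@hrel6: 27007-4`, a misspelled key that the build's identifier handling presumably does not treat as a RHEL6 CCE, so that rule's RHEL6 identifier is silently dropped from the generated content. The typo predates this patch, but since the hunk already edits that identifiers block it should be corrected in the same change: `cce@rhel6: 27007-4`. The rest of the nested hunk only adds the RHEL8 identifier and needs no further change.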
severity: medium
+ identifiers:
+ cce@rhel6: 26999-3
+ cce@rhel7: 27127-0
++ cce@rhel8: 80916-0
+ 
+ references:
+ stigid@rhel6: RHEL-06-000078
+diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+index bac986fe1..dfc1ddd91 100644
+--- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+@@ -15,7 +15,10 @@ rationale: |-
+ Virtual Syscalls provide an opportunity of attack for a user who has control
+ of the return instruction pointer.
+ 
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80946-7
+ 
+ ocil_clause: 'vsyscalls are enabled'
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index a296a4b48..b8ecfa8e0 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -18,7 +18,10 @@ rationale: |-
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory. 
+ 
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80944-2
+ 
+ ocil_clause: 'page allocator poisoning is not enabled'
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index d5dbfcf25..cbe8f5ca6 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -18,7 +18,10 @@ rationale: |-
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+ 
+-severity: unknown
++severity: medium
++
++identifiers:
++ cce@rhel8: 80945-9
+ 
+ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+index a4bd28eca..6a869f9bb 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+@@ -8,11 +8,12 @@ description: '{{{ describe_sysctl_option_value(sysctl="kernel.dmesg_restrict", v
+ 
+ rationale: "Unprivileged access to the kernel syslog can expose sensitive kernel \naddress information." 
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 27366-4
+ cce@rhel7: 27050-4
++ cce@rhel8: 80913-7
+ 
+ references:
+ cui: 3.1.5
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+index af4b96bdd..a6c1186a7 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+@@ -10,8 +10,10 @@ rationale: |
+ Disabling kexec_load allows greater control of the kernel memory.
+ It makes it impossible to load another kernel image after it has been disabled.
+ 
+-severity: unknown
++severity: medium
+ 
++identifiers:
++ cce@rhel8: 80952-5
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
+ 
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+index 49a883eb2..f75b65c2a 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+@@ -12,8 +12,10 @@ rationale: |
+ sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
+ without any additional assistance from the user (i.e. without resorting to phishing). 
+ 
+-severity: unknown
++severity: medium
+ 
++identifiers:
++ cce@rhel8: 80953-3
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
+ 
+diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+index ae76ca147..ad099555d 100644
+--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
++++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+@@ -19,6 +19,7 @@ severity: medium
+ 
+ identifiers:
+ cce@rhel7: 26961-3
++ cce@rhel8: 80827-9
+ 
+ references:
+ cis: 1.6.1.1
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+index b4b1bf09a..c60e255f5 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+@@ -13,6 +13,9 @@ rationale: ""
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80949-1
++
+ references:
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
+ 
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+index 6d1f90f4f..3df0591ab 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+@@ -13,6 +13,9 @@ rationale: ""
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80950-9
++
+ references:
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
+ 
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml 
b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+index 409acdeb2..588d0ef9b 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+@@ -14,6 +14,9 @@ rationale: ""
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80951-7
++
+ references:
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
+ 
+diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+index 1fb2f4ae5..e18a20a74 100644
+--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+@@ -15,6 +15,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26774-0
+ cce@rhel7: 27326-8
++ cce@rhel8: 80866-7
+ 
+ references:
+ stigid@rhel6: RHEL-06-000025
+diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+index a83397321..8e07f14a0 100644
+--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 27111-4
+ cce@rhel7: 27288-0
++ cce@rhel8: 80867-5
+ 
+ references:
+ cis: 1.6.1.6
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+index 22176cf44..5ed6508ed 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+@@ -30,6 +30,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 26875-5
+ cce@rhel7: 27279-9
++ cce@rhel8: 80868-3
+ 
+ references:
+ stigid@rhel6: RHEL-06-000023
+diff --git 
a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
+index 58d5f6e24..e03031912 100644
+--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
+@@ -21,6 +21,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 26969-6
+ cce@rhel7: 27334-2
++ cce@rhel8: 80869-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000020
+diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+index 946779230..fc1f87b41 100644
+--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+@@ -33,7 +33,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+- cce: 80543-2
++ cce@rhel7: 80543-2
+ 
+ references:
+ disa: "2235"
+diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+index a0271ea39..636dbc8b1 100644
+--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+@@ -45,6 +45,7 @@ severity: high
+ identifiers:
+ cce@rhel6: 27596-6
+ cce@rhel7: 27128-8
++ cce@rhel8: 80789-1
+ 
+ references:
+ stigid@rhel6: RHEL-06-000275
+diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+index 7a70dedcb..b3683d950 100644
+--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+@@ -17,6 +17,7 @@ severity: low
+ identifiers:
+ cce@rhel6: 26435-8
+ cce@rhel7: 27173-4
++ cce@rhel8: 80851-9
+ 
+ references:
+ anssi@debian8: NT28(R12)
+diff --git 
a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+index 950c64a1c..59f3e7efb 100644
+--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+@@ -19,6 +19,7 @@ severity: low
+ identifiers:
+ cce@rhel6: 26639-5
+ cce@rhel7: 26404-4
++ cce@rhel8: 80852-7
+ 
+ references:
+ anssi@debian8: NT28(R12)
+diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+index 5dff78f5d..0106f11e1 100644
+--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+@@ -12,11 +12,12 @@ rationale: |-
+ enables better separation between log files
+ and other files in /var/. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26215-4 + cce@rhel7: 26967-0 ++ cce@rhel8: 80853-5 + + references: + anssi@debian8: NT28(R12),NT28(R47) +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +index b95bf4874..e9eab6ecb 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +@@ -20,6 +20,7 @@ severity: low + identifiers: + cce@rhel6: 26436-6 + cce@rhel7: 26971-2 ++ cce@rhel8: 80854-3 + + references: + stigid@rhel6: RHEL-06-000004 +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml +index 2d1da022b..778a24ea4 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml +@@ -29,6 +29,7 @@ severity: medium + + identifiers: + cce@rhel7: 80109-2 ++ cce@rhel8: 80771-9 + + references: + cui: 3.1.8 +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml +index 87f9f2761..e81d27462 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml +@@ -21,6 +21,7 @@ severity: high + + identifiers: + cce@rhel7: 80104-3 ++ cce@rhel8: 80823-8 + + references: + cui: 3.1.1 +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml +index ab604a3ce..1aff4a69c 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/rule.yml +@@ -21,6 +21,7 @@ severity: high + + identifiers: + cce@rhel7: 80105-0 ++ cce@rhel8: 80824-6 + + references: + cui: 3.1.1 +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +index 9c7307c9d..34e7c928d 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +@@ -26,6 +26,7 @@ severity: medium + + identifiers: + cce@rhel7: 80120-9 ++ cce@rhel8: 80772-7 + + references: + cui: 3.1.12 +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml +index 464ffbc25..3f745a337 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml +@@ -26,6 +26,7 @@ severity: medium + + identifiers: + cce@rhel7: 80121-7 ++ cce@rhel8: 80773-5 + + references: + cui: 3.1.13 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +index 74d45ef1f..8b84a0a58 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +@@ -33,6 +33,7 @@ severity: medium + + identifiers: + cce@rhel7: 80111-8 ++ cce@rhel8: 80774-3 + + references: + cjis: 5.5.5 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +index c9d1904b8..f4413f4d9 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +@@ -30,6 +30,7 @@ severity: medium + + identifiers: + cce@rhel7: 80110-0 ++ cce@rhel8: 80775-0 + + references: + cjis: 5.5.5 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +index b02c31ad8..017276291 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +@@ -25,6 +25,7 @@ severity: medium + + identifiers: + cce@rhel7: 80370-0 ++ cce@rhel8: 80776-8 + + references: + cui: 3.1.10 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +index ef18cc148..8fe55d62a 100644 +--- 
a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +@@ -25,6 +25,7 @@ severity: medium + + identifiers: + cce@rhel7: 80112-6 ++ cce@rhel8: 80777-6 + + references: + cjis: 5.5.5 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +index 877f7cda3..3756d50c4 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +@@ -21,10 +21,11 @@ rationale: |- + Setting the screensaver mode to blank-only conceals the + contents of the display from passersby. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: 80113-4 ++ cce@rhel8: 80778-4 + + references: + cjis: 5.5.5 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml +index d4d208396..dc4a4f3e1 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml +@@ -23,10 +23,11 @@ rationale: |- + Setting the splash screen to not reveal the logged in user's name + conceals who has access to the system from passersby. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: 80114-2 ++ cce@rhel8: 80779-2 + + references: + ospp@rhel7: FMT_MOF_EXT.1 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +index 2b18ea574..997ade6e0 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: 80371-8 ++ cce@rhel8: 80780-0 + + references: + cui: 3.1.10 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +index 57520d1fc..9766b4dba 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: 80544-0 ++ cce@rhel8: 80781-8 + + references: + cui: 3.1.10 +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml +index 18000ef80..c26524d6e 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml +@@ -30,6 +30,7 @@ severity: high + + identifiers: + cce@rhel7: 80115-9 ++ cce@rhel8: 80769-3 + + references: + cui: 3.1.5 +diff --git 
a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml +index ffdc4825d..985190bda 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml +@@ -32,6 +32,9 @@ warnings: + + severity: high + ++identifiers: ++ cce@rhel8: 80830-3 ++ + ocil_clause: 'the installed operating system is not FIPS 140-2 certified' + + {{% if product in ["rhel6", "rhel7"] %}} +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index 6c5afede5..ee41e99d6 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -27,6 +27,9 @@ warnings: + + severity: high + ++identifiers: ++ cce@rhel8: 80947-5 ++ + references: + disa: "366" + nist: SI-2(c) +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +index b719be52b..eb383a67c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +@@ -19,7 +19,10 @@ rationale: |- + Overriding the system crypto policy makes the behavior of the BIND service violate expectations, + and makes system configuration more fragmented. 
+ +-severity: unknown ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80934-3 + + ocil_clause: |- + BIND is installed and the BIND config file doesn't contain the +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +index d0a9eef19..bb4896053 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +@@ -16,6 +16,9 @@ rationale: |- + + severity: high + ++identifiers: ++ cce@rhel8: 80935-0 ++ + ocil_clause: 'cryptographic policy is not configured or is configured incorrectly' + + ocil: |- +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +index 54cc5fc1a..cb961e028 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +@@ -16,7 +16,10 @@ rationale: |- + Overriding the system crypto policy makes the behavior of Kerberos violate expectations, + and makes system configuration more fragmented. 
+ +-severity: unknown ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80936-8 + + ocil_clause: 'the symlink does not exist or points to a different target' + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +index 0fdb73a80..8f55ab7ce 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +@@ -20,7 +20,10 @@ rationale: |- + service violate expectations, and makes system configuration more + fragmented. + +-severity: unknown ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80937-6 + + ocil_clause: |- + Libreswan is installed and /etc/ipsec.conf does not contain include /etc/crypto-policies/back-ends/libreswan.config +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +index 6466fea2a..ee680bb1b 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +@@ -17,7 +17,10 @@ rationale: |- + Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, + and makes system configuration more fragmented. 
+ +-severity: unknown ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80938-4 + + ocil_clause: |- + the OpenSSL config file doesn't contain the whole section, +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +index 0267e8b3f..454805772 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +@@ -16,7 +16,10 @@ rationale: |- + Overriding the system crypto policy makes the behavior of the SSH service violate expectations, + and makes system configuration more fragmented. + +-severity: unknown ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80939-2 + + ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd' + +diff --git a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml +index 1ce54c535..592383d73 100644 +--- a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml ++++ b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml +@@ -14,11 +14,12 @@ rationale: |- + Because the prelinking feature changes binaries, it can interfere with the + operation of certain software and/or modes such as AIDE, FIPS, etc. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 27221-1 + cce@rhel7: 27078-5 ++ cce@rhel8: 80787-5 + + references: + cis: 1.5.4 +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml +index d5c2165a6..5b835b59c 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml +@@ -23,6 +23,7 @@ severity: high + identifiers: + cce@rhel6: 27409-2 + cce@rhel7: 26818-5 ++ cce@rhel8: 80831-1 + + references: + disa: "1263" +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 72db413df..e540db94b 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -26,6 +26,9 @@ rationale: |- + + severity: high + ++identifiers: ++ cce@rhel8: 80942-6 ++ + ocil_clause: 'FIPS mode is not enabled' + + ocil: |- +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +index 07e739273..470b33b93 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +@@ -23,6 +23,7 @@ severity: medium + identifiers: + cce@rhel6: 27135-3 + cce@rhel7: 27220-3 ++ cce@rhel8: 80675-2 + + references: + disa@rhel6: 374,416,1069,1263,1297,1589 +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml 
b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +index 9728144f8..9beef8e72 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +@@ -34,6 +34,7 @@ severity: medium + identifiers: + cce@rhel6: 27222-9 + cce@rhel7: 26952-2 ++ cce@rhel8: 80676-0 + + references: + disa@rhel6: 374,416,1069,1263,1297,1589 +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index a5e1fee18..0f2f9380c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -14,6 +14,7 @@ severity: medium + identifiers: + cce@rhel6: 27024-9 + cce@rhel7: 27096-7 ++ cce@rhel8: 80844-4 + + references: + disa@rhel6: "1069" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml +index 8d3d7c215..ddb985aa7 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml +@@ -36,6 +36,7 @@ severity: high + identifiers: + cce@rhel6: 7223-7 + cce@rhel7: 27157-7 ++ cce@rhel8: 80857-6 + + references: + disa@rhel6: "1496" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml 
+index 56ffd9031..3b4776b89 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +@@ -32,6 +32,7 @@ severity: high + identifiers: + cce@rhel6: 26731-0 + cce@rhel7: 27209-6 ++ cce@rhel8: 80858-4 + + references: + disa@rhel6: 1493,1495 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +index a91f459dc..4c8f19c15 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +@@ -19,6 +19,7 @@ severity: high + identifiers: + cce@rhel6: 26709-6 + cce@rhel7: 26989-4 ++ cce@rhel8: 80790-9 + + references: + stigid@rhel6: RHEL-06-000013 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +index 5d75a5176..2bd00ac31 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +@@ -21,6 +21,7 @@ severity: high + + identifiers: + cce@rhel7: 80347-8 ++ cce@rhel8: 80791-7 + + references: + cui: 3.4.8 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +index 116714329..eaa23329c 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +@@ -16,6 +16,7 @@ severity: high + identifiers: + cce@rhel6: 26647-8 + cce@rhel7: 26876-3 ++ cce@rhel8: 80792-5 + + 
references: + stigid@rhel6: RHEL-06-000015 +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml +index 3802033ca..3200ca2d5 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml +@@ -33,6 +33,7 @@ severity: high + + identifiers: + cce@rhel7: 80348-6 ++ cce@rhel8: 80793-3 + + references: + disa: "1749" +diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +index 18e02598c..4ae24efaf 100644 +--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +@@ -13,6 +13,7 @@ severity: high + identifiers: + cce@rhel6: 26506-6 + cce@rhel7: 26957-1 ++ cce@rhel8: 80795-8 + + references: + stigid@rhel6: RHEL-06-000008 +diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +index b2fa742ab..06d554115 100644 +--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml ++++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +@@ -34,6 +34,7 @@ severity: high + identifiers: + cce@rhel6: 27635-2 + cce@rhel7: 26895-3 ++ cce@rhel8: 80865-9 + + references: + stigid@rhel6: RHEL-06-000011 diff --git a/SOURCES/assign_cce_to_ospp_rules.patch b/SOURCES/assign_cce_to_ospp_rules.patch new file mode 100644 index 0000000..f17bda3 --- /dev/null +++ b/SOURCES/assign_cce_to_ospp_rules.patch 
@@ -0,0 +1,440 @@
+commit 0f82de52d96cd1e98e92ecfd5b8b82acbc050859
+Author: Gabriel Becker
+Date: Mon Mar 11 14:44:01 2019 +0100
+
+ Assign RHEL8 CCE to OSPP rules which were missed during last CCE batch assignment.
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml
+index ca21ca80c..8a1abb475 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml
+@@ -30,6 +30,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80988-9
++
+ references:
+ ospp@rhel7: FAU_GEN.1.1.c
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+index 569e67390..f977fcf9b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+@@ -30,6 +30,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80989-7
++
+ references:
+ ospp@rhel7: FAU_GEN.1.1.c
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml
+index d05aad935..878932fe6 100644
+--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap/rule.yml +@@ -30,6 +30,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80991-3 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml +index 6e251ae77..0cd0337f1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap/rule.yml +@@ -30,6 +30,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80992-1 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml +index 24b24ae82..9bb571290 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl/rule.yml +@@ -30,6 +30,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80990-5 ++ + references: + ospp@rhel7: FAU_GEN.1.1.c + +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml +index 0fead2af7..81804a44b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80975-6 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="chmod") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml +index a7866b9e8..414946dfd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80984-8 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="chown") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml +index d99ed0be6..68ddc37ee 
100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80977-2 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +index 988c604f6..dfea56dc3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80976-4 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +index 09aabbb8e..313f359f1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80986-3 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +index 28617ead9..fd688b54f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80985-5 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml +index 62030fe81..1c47c86aa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80978-0 ++ + {{{ 
complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +index 0a7c9f1ec..3eac105a9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80979-8 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +index 990925706..01a6393ba 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80987-1 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml +index 167ae03c6..66f340118 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80980-6 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +index 106d30321..928705ff3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80981-4 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml +index c509cf49c..4c60c1397 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml +@@ -34,6 +34,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80965-7 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml +index fb72b3d4f..7375db879 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml +@@ -33,6 +33,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80966-5 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml +index c71447c34..7a79af855 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/rule.yml +@@ -45,6 +45,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80967-3 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml +index 86e43df25..34bfd9099 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml +@@ -34,6 +34,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80968-1 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml +index a05b8127b..f954430d7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml +@@ -33,6 +33,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80969-9 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml +index 6f792a5d7..cf04d5414 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml +@@ -45,6 +45,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80970-7 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml +index 94eed0637..8ceb3c3b1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml +@@ -34,6 +34,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80962-4 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml +index 9875ae121..cf740430d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml +@@ -33,6 +33,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80963-2 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml +index 22f3b850d..65f9d1909 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/rule.yml +@@ -45,6 +45,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80964-0 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml +index 18fac94b1..b0898544e 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80982-2 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +index 7409ed4ab..6fd73df0d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +@@ -26,6 +26,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80973-1 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +index 96ce23fc7..beb16b6d5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +@@ -26,6 +26,9 @@ 
rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80974-9 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +index b8fbc09d1..1aff0f14e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +@@ -27,6 +27,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80983-0 ++ + {{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}} + + warnings: +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +index 692d7fe4b..5f84d08a0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +@@ -26,6 +26,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 80971-5 ++ + references: + cis: 5.2.10 + cui: 3.1.7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
+index e52c07889..00bad657e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
+@@ -26,6 +26,9 @@ rationale: |-
+ 
+ severity: medium
+ 
++identifiers:
++ cce@rhel8: 80972-3
++
+ references:
+ cis: 5.2.10
+ cui: 3.1.7
diff --git a/SOURCES/audit_parameter_position.patch b/SOURCES/audit_parameter_position.patch
new file mode 100644
index 0000000..631aaa9
--- /dev/null
+++ b/SOURCES/audit_parameter_position.patch
@@ -0,0 +1,1009 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+index 910b8a335d..5784e5ad8f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+@@ -10,11 +10,11 @@ description: |-
+ to use the augenrules program to read audit rules during daemon
+ startup (the default), add the following lines to a file with suffix
+ .rules in the directory /etc/audit/rules.d:
+-
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ + rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
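Review bot: After the change the rules.d example in this description still lists only the `arch=b32` line and the audit.rules example only the `arch=b64` line, so a reader following the text literally ends up with a single-arch rule in either location; if both arches are meant to apply in both places, list the b32 line together with its b64 twin under each heading (`-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify`). The a2 to a1 move itself is right for open(2), whose flags are the second argument, while openat(2) and open_by_handle_at(2) carry them in the third. Only rule.yml is in this hunk; if the OVAL check or remediation content for this rule encodes the same argument filter it needs the same change, which I cannot confirm from here. The description hunk for audit_rules_etc_passwd_open later in this patch has the same shape and the same points apply there.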
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
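Review bot: The warning still reads `Grouping system calls related to the same event is more efficient. See the following example:` but the example that now follows is a single-syscall rule, `-a always,exit -F arch=b32 -S open -F a1&03 ...`, so it no longer demonstrates grouping. Because the flags argument sits at a1 for open(2) but at a2 for openat(2) and open_by_handle_at(2), open cannot share one `-F aN&03` rule with the other two, which is presumably why it was split out; the sentence should say so, e.g. `open cannot be grouped with openat and open_by_handle_at in a single rule because the position of the flags argument differs; the latter two can be combined:` followed by the openat,open_by_handle_at example, or the grouping warning should be dropped from this rule. The same mismatch is in the warnings hunk for audit_rules_etc_passwd_open in this patch.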
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +index fbf0bd1665..81841900f0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +index 4ae6609bbc..3515398d50 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +index fb0f465ed4..deb20d24c5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ + rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +index 4c489f2679..d65c9171e4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+index e5decedd03..da910036b2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+@@ -36,4 +36,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
+index 4e36f77912..c509cf49c3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
+@@ -58,4 +58,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
+index c5ef0ad70a..fb72b3d4f7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
+@@ -57,4 +57,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
+index 414956e43d..86e43df256 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
+@@ -19,13 +19,13 @@ description: |-
+ utility to read audit rules during daemon startup, add the rules below to
+ /etc/audit/audit.rules file.
+ 
+-    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+     
+ If the system is 64 bit then also add the following lines: +
+-    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+     
+ 
+ rationale: |-
+@@ -58,4 +58,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
+index 0108be7bb6..a05b8127b2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
+@@ -18,13 +18,13 @@ description: |-
+ utility to read audit rules during daemon startup, add the rules below to
+ /etc/audit/audit.rules file.
+ 
+-    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+-    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+     
+ If the system is 64 bit then also add the following lines: +
+-    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+-    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+     
+ 
+ rationale: |-
+@@ -57,4 +57,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
+index 64e7389981..6f792a5d73 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
+@@ -21,19 +21,19 @@ description: |-
+ utility to read audit rules during daemon startup, check the order of rules below in
+ /etc/audit/audit.rules file.
+ 
+-    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+-    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+     -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
+     -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
+     
+ If the system is 64 bit then also add the following lines: +
+-    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+-    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+-    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+     -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
+     -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
+     
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
+index 593cb7eeb6..94eed06377 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
+@@ -58,4 +58,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
+index 7d2343544d..9875ae1215 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
+@@ -57,4 +57,4 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+-
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py +index 0283bf439c..9ab984491e 100644 +--- a/shared/templates/create_audit_rules_path_syscall.py ++++ b/shared/templates/create_audit_rules_path_syscall.py +@@ -11,7 +11,7 @@ + + class AuditRulesPathSyscallGenerator(FilesGenerator): + def generate(self, target, args): +- path,syscall = args[0:2] ++ path,syscall,pos = args[0:3] + pathid = re.sub('[-\./]', '_', path) + # remove root slash made into '_' + pathid = pathid[1:] +@@ -21,7 +21,8 @@ def generate(self, target, args): + { + "PATH": path, + "PATHID": pathid, +- "SYSCALL": syscall ++ "SYSCALL": syscall, ++ "POS": pos + }, + "./oval/audit_rules_{0}_{1}.xml", pathid, syscall + ) +@@ -30,4 +31,4 @@ def generate(self, target, args): + + def csv_format(self): + return("CSV should contains lines of the format: " + +- "PATH,SYSCALL") ++ "PATH,SYSCALL,POS") +diff --git a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py +index c14c35a381..5afed5993d 100644 +--- a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py ++++ b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py +@@ -14,26 +14,29 @@ + + class ARUFMDetailedGenerator(FilesGenerator): + def generate(self, target, args): +- syscall = re.sub('[-\./]', '_', args[0]) ++ syscall,pos = args[0:2] + if target == "oval": + self.file_from_template( + "./template_OVAL_audit_rules_unsuccessful_file_modification_o_creat", + { +- "SYSCALL": syscall ++ "SYSCALL": syscall, ++ "POS": pos + }, + "./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml", syscall + ) + self.file_from_template( + "./template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write", + { +- "SYSCALL": syscall ++ "SYSCALL": syscall, ++ "POS": pos + }, + 
"./oval/audit_rules_unsuccessful_file_modification_{0}_o_trunc_write.xml", syscall + ) + self.file_from_template( + "./template_OVAL_audit_rules_unsuccessful_file_modification_rule_order", + { +- "SYSCALL": syscall ++ "SYSCALL": syscall, ++ "POS": pos + }, + "./oval/audit_rules_unsuccessful_file_modification_{0}_rule_order.xml", syscall + ) +diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv +index 015f02f58d..3738369e7e 100644 +--- a/shared/templates/csv/audit_rules_path_syscall.csv ++++ b/shared/templates/csv/audit_rules_path_syscall.csv +@@ -2,10 +2,11 @@ + # , + # - path is the absolute path to watch + # - syscall is the syscall to wath the path for ++# - pos is the position of syscall parameter with flags (in audit format) + +-/etc/passwd,open +-/etc/passwd,openat +-/etc/passwd,open_by_handle_at +-/etc/group,open +-/etc/group,openat +-/etc/group,open_by_handle_at ++/etc/passwd,open,a1 ++/etc/passwd,openat,a2 ++/etc/passwd,open_by_handle_at,a2 ++/etc/group,open,a1 ++/etc/group,openat,a2 ++/etc/group,open_by_handle_at,a2 +diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv +index 97d5c04e14..99d007048f 100644 +--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv ++++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv +@@ -1,7 +1,8 @@ + # format: + # + # - syscall is the syscall to generate detailed rules for ++# - pos is the position of syscall parameter with flags (in audit format) + +-open +-openat +-open_by_handle_at ++open,a1 ++openat,a2 ++open_by_handle_at,a2 +diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall +index b720091f5b..3e5db49b54 100644 +--- a/shared/templates/template_OVAL_audit_rules_path_syscall ++++ 
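Review bot: In create_audit_rules_unsuccessful_file_modification_detailed.py the new `syscall,pos = args[0:2]` drops the `re.sub('[-\./]', '_', ...)` sanitisation the replaced line applied to the syscall before it is formatted into the three output file names (`./oval/audit_rules_unsuccessful_file_modification_{0}_...xml`), while the sibling generator in create_audit_rules_path_syscall.py, changed in the same patch, still sanitises `pathid` that way; unless the drop is deliberate, keep it as `syscall, pos = args[0:2]` followed by `syscall = re.sub('[-\./]', '_', syscall)` (assuming the file's `import re` is not removed elsewhere in this patch). In both generators `pos` is handed straight to the OVAL templates, where it is interpolated unescaped into a regular expression (`(?:-F[\s]+{{{ POS }}}&03)`), so a malformed CSV field such as `a.` or an empty value would silently produce a check that matches too much or nothing at all instead of a build failure. A guard in each generate(), e.g. `if pos not in ("a0", "a1", "a2", "a3"): raise ValueError("POS must be one of a0..a3, got %r" % pos)`, would catch that at content-build time, and a one-line comment above the unpack noting that `pos` is the audit-format argument holding the open flags (a1 for open, a2 for openat/open_by_handle_at) would document why the column exists.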
b/shared/templates/template_OVAL_audit_rules_path_syscall +@@ -46,11 +46,11 @@ + + + +- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+{{{ POS }}}&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + +- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+{{{ POS }}}&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat +index 8b3e9970e2..9d31e8a14b 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat +@@ -17,16 +17,16 @@ + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +@@ -34,16 +34,16 @@ + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +@@ -72,7 +72,7 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -81,7 +81,7 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS 
}}}&0100)[\s]+(?:-F\s+exit=-EPERM) + + + +@@ -90,7 +90,7 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -99,7 +99,7 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM) + + + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write +index 392e82485a..a4ed459a34 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write +@@ -17,16 +17,16 @@ + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +@@ -34,16 +34,16 @@ + + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +@@ -72,7 +72,7 @@ + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -81,7 +81,7 @@ + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM) + + + +@@ -90,7 +90,7 @@ + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -99,7 +99,7 @@ + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM) + + + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order +index 38be967c75..8178c94e11 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order +@@ -73,14 +73,14 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) ++ 
(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -96,14 +96,14 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM) + + + +@@ -119,14 +119,14 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES) + + + +@@ -142,14 +142,14 @@ + + + +- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + +- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) ++ (?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM) + + + +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh +index 1d7e184d77..a9a4207877 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh +@@ -6,5 +6,5 @@ + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F 
auid!=unset -F key=user-modify" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_multiple_syscalls.pass.sh +deleted file mode 100644 +index 3a021a17c2..0000000000 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_multiple_syscalls.pass.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +- +-# profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none +- +-# Use auditctl in RHEL7 +-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +- +-echo "-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +-echo "-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh +index 86b90c7081..0eabbe097c 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh +@@ -6,5 +6,5 @@ + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh +index 5498915471..6e17de9c20 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh +@@ -3,5 +3,5 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = none + +-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a 
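Review bot: The test data for rule_audit_rules_etc_passwd_open now only pins the positive case (`-S open -F a1&03` passes) and a wrong-path negative case; nothing asserts that the check rejects the previously recommended `-S open -F a2&03` form, which is exactly what systems that followed the old guidance still have in place and is the behaviour this patch is meant to change. The deleted auditctl_multiple_syscalls.pass.sh is the right call since `open` cannot share a2 with `openat`/`open_by_handle_at`, but it leaves that form untested rather than asserted as failing. Consider adding an `auditctl_wrong_pos.fail.sh` next to this script that writes the old `-S open -F a2&03` lines (and an augenrules counterpart), unless such a file is added elsewhere in the patch.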
always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh +index 2852da3aaa..7b7b6bc76d 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh +@@ -3,5 +3,5 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = none + +-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
+new file mode 100644
+index 0000000000..472b62ee57
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++# remediation = none
++
++# Use auditctl in RHEL7
++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
++
++echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
++echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
+new file mode 100644
+index 0000000000..595a97ab22
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++# remediation = none
++
++# Use auditctl in RHEL7
++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
++
++echo "-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
++echo "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F 
auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh +new file mode 100644 +index 0000000000..6ef86ff816 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++# Use auditctl in RHEL7 ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh +new file mode 100644 +index 0000000000..8c4aaaac25 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo 
"-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh +new file mode 100644 +index 0000000000..28ee5ffd9d +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh +new file mode 100644 +index 0000000000..9c9ac0fad4 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules ++echo "-a 
always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules +index 0a07041e63..1b4fca8722 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules +@@ -1,5 +1,5 @@ + ## Unsuccessful file creation (open with O_CREAT) +--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules +index 0ce682f401..7313ee8afd 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules +@@ -1,5 +1,5 @@ + ## Unsuccessful file modifications (open for write or truncate) +--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules +new file mode 100644 +index 0000000000..b8b4020a58 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful file creation (open with O_CREAT) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules +new file mode 100644 +index 0000000000..21083847d8 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful file modifications (open for write or truncate) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh +deleted file mode 100644 +index acdec877ef..0000000000 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh ++++ /dev/null +@@ -1,7 +0,0 @@ +-#!/bin/bash +- +-# profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none +- +-sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules +-sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh +deleted file mode 100644 +index 33a3ad88bf..0000000000 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh ++++ /dev/null +@@ -1,7 +0,0 @@ +-#!/bin/bash +- +-# profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none +- +-sed 's/_by_handle_at//' 
../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules +-sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh +new file mode 100644 +index 0000000000..8ad6e6db48 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh +new file mode 100644 +index 0000000000..920799a16a +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++sed 's/_by_handle_at/at/' ../audit_openat_o_creat.rules > /etc/audit/rules.d/openat_o_creat.rules ++sed -i 's/openat,/open_by_handle_at,/' /etc/audit/rules.d/openat_o_creat.rules +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh +new file mode 100644 +index 0000000000..177e34e936 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cp ../audit_openat_o_creat.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh +new file mode 100644 +index 0000000000..c5c656184f +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cp ../audit_openat_o_trunc_write.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh +new file mode 100644 +index 0000000000..4da58d43ca +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cp ../audit_open.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh +new file mode 100644 +index 0000000000..6d274c2c8a +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++sed '3,4d' ../audit_openat_o_creat.rules > /etc/audit/rules.d/openat-o_creat.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh +new file mode 100644 +index 0000000000..8ad6e6db48 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh +new file mode 100644 +index 0000000000..18c2133ff2 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cp ../audit_open_o_creat.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh +new file mode 100644 +index 0000000000..9156a1c53f +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# 
remediation = none ++ ++cp ../audit_open_o_trunc_write.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh +new file mode 100644 +index 0000000000..4da58d43ca +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cp ../audit_open.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh +new file mode 100644 +index 0000000000..7f677fd2c6 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++sed '3,4d' ../audit_open_o_trunc_write.rules > /etc/audit/rules.d/open-o_trunc_write.rules +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh +new file mode 100644 +index 0000000000..72673b69a5 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++grep -h 'arch=b32.*EACCES' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_arch_error.rules ++grep -h 'arch=b32.*EPERM' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules ++grep -h 'arch=b64.*EACCES' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules ++grep -h 'arch=b64.*EPERM' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh +new file mode 100644 +index 0000000000..993c399c26 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_filter.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh +new file mode 100644 +index 0000000000..885548c7c5 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_filter.rules ++sed -i '2d' /etc/audit/rules.d/ordered_by_filter.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh +new file mode 100644 +index 0000000000..bee7042570 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > ./ordered_by_filter.rules ++sort ./ordered_by_filter.rules > /etc/audit/rules.d/unsuccessful_open.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh +new file mode 100644 +index 0000000000..6e71b5456e +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = none ++ ++# The rule without filter is less specific, and thus, catches more events than the more specific rules (with O_CREAT and O_TRUNC filters) ++# If they rule withou filter is first, it will catch everything and rules below it will never trigger ++grep -h 'arch=b32.*EACCES' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules > /etc/audit/rules.d/unordered.rules ++grep -h 'arch=b32.*EPERM' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> /etc/audit/rules.d/unordered.rules ++grep -h 'arch=b64.*EACCES' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> 
/etc/audit/rules.d/unordered.rules ++grep -h 'arch=b64.*EPERM' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> /etc/audit/rules.d/unordered.rules diff --git a/SOURCES/audit_rule_order_regex.patch b/SOURCES/audit_rule_order_regex.patch new file mode 100644 index 0000000..450fd4c --- /dev/null +++ b/SOURCES/audit_rule_order_regex.patch 
@@ -0,0 +1,240 @@ +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order +index 8178c94e11..7329aa8b4e 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order +@@ -64,11 +64,6 @@ + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + +- +- +- (?:[^.]|\.\s)* +- +- + + + +@@ -183,13 +178,25 @@ + + + ++ ++ ^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -222,13 +229,25 @@ + + + ++ ++ ^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -261,13 +280,25 @@ + + + ++ ++ ^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -300,13 +331,25 @@ + + + ++ ++ ^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -339,13 +382,25 @@ + + + ++ ++ ^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -379,13 +434,25 @@ + + + ++ ++ ^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -418,13 +485,25 @@ + + + ++ ++ ^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + +@@ -457,13 +536,25 @@ + + + ++ ++ ^ + +- ++ $\n(^(?! ++ ++ | ++ ++ ).*$\n)*^ ++ ++ $\n(^(?! + +- ++ | ++ ++ ).*$\n)*^ + ++ $ + + ++ + + diff --git a/SOURCES/audit_rule_order_remediations.patch b/SOURCES/audit_rule_order_remediations.patch new file mode 100644 index 0000000..95d9aa9 --- /dev/null +++ b/SOURCES/audit_rule_order_remediations.patch 
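Review bot: The multi-line pattern introduced in each of the eight rewritten blocks of template_OVAL_audit_rules_unsuccessful_file_modification_rule_order — `^…$\n(^(?!…|…).*$\n)*^…$`, replacing the removed `(?:[^.]|\.\s)*` gap pattern — carries no comment stating what ordering it enforces, and the element markup is not legible in this view, so the intent has to be reconstructed from the tests shipped in the previous patch (`ordered_filter.pass.sh` accepts O_CREAT, then O_TRUNC/write, then the unfiltered rule; `unordered.fail.sh` rejects the unfiltered rule placed first). Reading the fragments, the regex appears to require the three rule lines in that fixed sequence while allowing only lines that are not themselves one of the other matched rules between them; if that is right, an XML comment above the first occurrence such as `<!-- Rules must appear in this order: O_CREAT, O_TRUNC/write, unfiltered; an unfiltered rule placed earlier matches every event and shadows the filtered ones -->` would spare the next maintainer that reconstruction. Since the pattern relies on `^`/`$` matching at line boundaries, the comment should also state the multiline assumption the check depends on. The same block is repeated eight times with only the rule names varying, which is a maintenance hazard in itself, but that is outside the scope of this fix.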
@@ -0,0 +1,232 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/bash/rhel8.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/bash/rhel8.sh
+new file mode 100644
+index 0000000000..086b1a7bf1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/bash/rhel8.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platorm_ol
++#
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
+diff --git a/shared/bash_remediation_functions/create_audit_remediation_unsuccessful_file_modification_detailed.sh b/shared/bash_remediation_functions/create_audit_remediation_unsuccessful_file_modification_detailed.sh
+new file mode 100644
+index 0000000000..13336a080a
+--- /dev/null
++++ b/shared/bash_remediation_functions/create_audit_remediation_unsuccessful_file_modification_detailed.sh
+@@ -0,0 +1,46 @@
++function create_audit_remediation_unsuccessful_file_modification_detailed {
++ mkdir -p "$(dirname "$1")"
++ # The - option to mark a here document limit string (<<-EOF) suppresses leading tabs (but not spaces) in the output.
++ cat <<-EOF > "$1"
++ ## This content is a section of an Audit config snapshot recommended for RHEL8 sytems that target OSPP compliance.
++ ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
++
++ ## The purpose of these rules is to meet the requirements for Operating
++ ## System Protection Profile (OSPP)v4.2. These rules depends on having
++ ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
++
++ ## Unsuccessful file creation (open with O_CREAT)
++ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++ -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
++
++ ## Unsuccessful file modifications (open for write or truncate)
++ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++ -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
++
++ ## Unsuccessful file access (any other opens) This has to go last.
++ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
++ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
++ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
++ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
++ EOF
++}
diff --git a/SOURCES/audit_rules_etc_shadow_gshadow.patch b/SOURCES/audit_rules_etc_shadow_gshadow.patch
new file mode 100644
index 0000000..11637bb
--- /dev/null
+++ b/SOURCES/audit_rules_etc_shadow_gshadow.patch
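Review bot: All fifteen new rhel8.sh scripts in this patch carry `# platform = multi_platform_rhel,multi_platorm_ol`, and `multi_platorm_ol` is misspelled; if the build resolves platform tags by exact name, the Oracle Linux selector is silently dropped and no remediation is generated for OL, so each header should read `# platform = multi_platform_rhel,multi_platform_ol`. In create_audit_remediation_unsuccessful_file_modification_detailed the here-document uses `cat <<-EOF`, which strips leading tabs only; if the body lines are indented with spaces rather than tabs the written rules file carries leading whitespace on every line, which is worth confirming against the committed indentation. The snapshot header also has the typos `sytems` and `retreived`, whereas the `unsuccesful-*` key names appear to be copied verbatim from the upstream 30-ospp-v42.rules the header cites and presumably match what the corresponding OVAL checks look for, so those should stay as they are. The function overwrites the target file unconditionally and does not check the `mkdir -p` result, which is probably intended for a remediation but deserves a one-line comment saying so.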
@@ -0,0 +1,425 @@ +diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index f13f97a537..877caff01a 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -198,6 +198,12 @@ selections: + - audit_rules_etc_group_open + - audit_rules_etc_group_openat + - audit_rules_etc_group_open_by_handle_at ++ - audit_rules_etc_shadow_open ++ - audit_rules_etc_shadow_openat ++ - audit_rules_etc_shadow_open_by_handle_at ++ - audit_rules_etc_gshadow_open ++ - audit_rules_etc_gshadow_openat ++ - audit_rules_etc_gshadow_open_by_handle_at + - package_abrt_removed + - package_sendmail_removed + - mount_option_dev_shm_nodev +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +index a80c7dab8c..103a445cd3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +index 6181ad50f1..bb47451c46 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +index 9a69643a34..8d9aa4d97c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml +new file mode 100644 +index 0000000000..a9934fbe7e +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via open syscall - /etc/gshadow' ++ ++description: |- ++ The audit system should collect write events to /etc/gshadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80959-0 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml +new file mode 100644 +index 0000000000..7a4861b3fc +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow' ++ ++description: |- ++ The audit system should collect write events to /etc/gshadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80960-8 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml +new file mode 100644 +index 0000000000..437fb61299 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via openat syscall - /etc/gshadow' ++ ++description: |- ++ The audit system should collect write events to /etc/gshadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80961-6 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +index 630b03b1b4..acb517fbc0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +index f1b9fbcd17..7b7fc43304 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +index 5460009264..2275152fd0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +@@ -14,6 +14,8 @@ description: |- + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
++ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml +new file mode 100644 +index 0000000000..0755d2487b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via open syscall - /etc/shadow' ++ ++description: |- ++ The audit system should collect write events to /etc/shadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80956-6 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
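Review bot: The grouped example in this rule's `warnings` block combines `open,openat,open_by_handle_at` under a single `-F a1&03`, but the CSV added later in this patch maps `openat` and `open_by_handle_at` to `a2`, so the flag filter would be applied to the wrong argument for those two syscalls and write opens via them would not be matched. The mirror-image problem is in the audit_rules_etc_shadow_open_by_handle_at and audit_rules_etc_shadow_openat hunks, which group all three syscalls under `a2&03` and thereby mis-filter `open`. The group/passwd rules in the second patch on this page already group only syscalls that share the flag position; the same shape should be used here, e.g. `-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify` for the a2 rules and `-S open -F a1&03` alone for this one.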
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml +new file mode 100644 +index 0000000000..f5446b7c31 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow' ++ ++description: |- ++ The audit system should collect write events to /etc/shadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80957-4 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml +new file mode 100644 +index 0000000000..b68b0ae19a +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Record Events that Modify User/Group Information via openat syscall - /etc/shadow' ++ ++description: |- ++ The audit system should collect write events to /etc/shadow file for all users and root. ++ If the auditd daemon is configured ++ to use the augenrules program to read audit rules during daemon ++ startup (the default), add the following lines to a file with suffix ++ .rules in the directory /etc/audit/rules.d: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the auditd daemon is configured to use the auditctl ++ utility to read audit rules during daemon startup, add the following lines to ++ /etc/audit/audit.rules file: ++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ If the system is 64 bit then also add the following line: ++
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++ ++rationale: |- ++ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. ++ Auditing these events could serve as evidence of potential system compromise. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 80958-2 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ ++{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} ++ ++warnings: ++ - general: |- ++ Note that these rules can be configured in a ++ number of ways while still achieving the desired effect. Here the system calls ++ have been placed independent of other system calls. Grouping system calls related ++ to the same event is more efficient. See the following example: ++
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
+index e2173c973b..f3a5072f04 100644
+--- a/rhel7/profiles/ospp42.profile
++++ b/rhel7/profiles/ospp42.profile
+@@ -197,6 +197,12 @@ selections:
+ - audit_rules_etc_group_open
+ - audit_rules_etc_group_openat
+ - audit_rules_etc_group_open_by_handle_at
++ - audit_rules_etc_shadow_open
++ - audit_rules_etc_shadow_openat
++ - audit_rules_etc_shadow_open_by_handle_at
++ - audit_rules_etc_gshadow_open
++ - audit_rules_etc_gshadow_openat
++ - audit_rules_etc_gshadow_open_by_handle_at
+ - package_abrt_removed
+ - package_sendmail_removed
+ - mount_option_dev_shm_nodev
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 3c6e1931e1..cd9e90e981 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -170,6 +170,12 @@ selections:
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
++ - audit_rules_etc_shadow_open
++ - audit_rules_etc_shadow_openat
++ - audit_rules_etc_shadow_open_by_handle_at
++ - audit_rules_etc_gshadow_open
++ - audit_rules_etc_gshadow_openat
++ - audit_rules_etc_gshadow_open_by_handle_at
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv
+index 3738369e7e..825025e2f7 100644
+--- a/shared/templates/csv/audit_rules_path_syscall.csv
++++ b/shared/templates/csv/audit_rules_path_syscall.csv
+@@ -10,3 +10,9 @@
+ /etc/group,open,a1
+ /etc/group,openat,a2
+ /etc/group,open_by_handle_at,a2
++/etc/shadow,open,a1
++/etc/shadow,openat,a2
++/etc/shadow,open_by_handle_at,a2
++/etc/gshadow,open,a1
++/etc/gshadow,openat,a2
++/etc/gshadow,open_by_handle_at,a2
diff --git a/SOURCES/audit_rules_path_syscall.patch b/SOURCES/audit_rules_path_syscall.patch new file mode 100644 index 0000000..a0e4c4d --- /dev/null +++ b/SOURCES/audit_rules_path_syscall.patch @@ -0,0 +1,404 @@ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +index 5784e5ad8f..a80c7dab8c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
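Review bot: Renaming the audit key from `group-modify` to `modify` in this description changes the value operators filter on with `ausearch -k` / `aureport -k`, which is an operational behaviour change the patch does not call out; the same rename to `modify` is made in the remaining group and passwd rule.yml hunks of this patch (from `user-modify` for the passwd ones). The test fixtures at the end of this patch still write `key=user-modify`, so they presumably pass only because the check does not pin the key; a fixture that writes the documented `key=modify` would actually cover the rule as described. Worth a sentence in the rule description or changelog noting the key change so existing searches are updated.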
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +index 81841900f0..6181ad50f1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +index 3515398d50..9a69643a34 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +index deb20d24c5..630b03b1b4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +index d65c9171e4..f1b9fbcd17 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +index da910036b2..5460009264 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +@@ -10,11 +10,11 @@ description: |- + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+ + rationale: |- + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +@@ -36,4 +36,4 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +-
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
++
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify
+diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py +index 9ab984491e..4164f7b44f 100644 +--- a/shared/templates/create_audit_rules_path_syscall.py ++++ b/shared/templates/create_audit_rules_path_syscall.py +@@ -26,6 +26,29 @@ def generate(self, target, args): + }, + "./oval/audit_rules_{0}_{1}.xml", pathid, syscall + ) ++ ++ elif target == "bash": ++ self.file_from_template( ++ "./template_BASH_audit_rules_path_syscall", ++ { ++ "PATH": path, ++ "SYSCALL": syscall, ++ "POS": pos ++ }, ++ "./bash/audit_rules_{0}_{1}.sh", pathid, syscall ++ ) ++ ++ elif target == "ansible": ++ self.file_from_template( ++ "./template_ANSIBLE_audit_rules_path_syscall", ++ { ++ "PATH": path, ++ "SYSCALL": syscall, ++ "POS": pos ++ }, ++ "./ansible/audit_rules_{0}_{1}.yml", pathid, syscall ++ ) ++ + else: + raise UnknownTargetError(target) + +diff --git a/shared/templates/template_ANSIBLE_audit_rules_path_syscall b/shared/templates/template_ANSIBLE_audit_rules_path_syscall +new file mode 100644 +index 0000000000..4a27e0f521 +--- /dev/null ++++ b/shared/templates/template_ANSIBLE_audit_rules_path_syscall +@@ -0,0 +1,76 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++# ++# What architecture are we on? 
++# ++- name: Set architecture for audit {{{ SYSCALL }}} tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++# ++# Inserts/replaces the rule in /etc/audit/rules.d ++# ++- name: Search /etc/audit/rules.d for other DAC audit rules ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*" ++ patterns: "*.rules" ++ register: find_{{{ SYSCALL }}} ++ ++- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/modify.rules ++ when: find_{{{ SYSCALL }}}.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}" ++ when: find_{{{ SYSCALL }}}.matched > 0 ++ ++- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ item }}" ++ create: yes ++ regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" ++ with_items: ++ - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ ++- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ item }}" ++ create: yes ++ regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" ++ with_items: ++ - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ when: audit_arch == 'b64' ++# ++# Inserts/replaces the rule in /etc/audit/audit.rules ++# ++- name: Inserts/replaces the {{{ 
SYSCALL }}} rule in /etc/audit/audit.rules when on x86 ++ lineinfile: ++ line: "{{ item }}" ++ state: present ++ dest: /etc/audit/audit.rules ++ regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" ++ with_items: ++ - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ ++- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64 ++ lineinfile: ++ line: "{{ item }}" ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+" ++ with_items: ++ - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ when: audit_arch == 'b64' +diff --git a/shared/templates/template_BASH_audit_rules_path_syscall b/shared/templates/template_BASH_audit_rules_path_syscall +new file mode 100644 +index 0000000000..c3d31aade9 +--- /dev/null ++++ b/shared/templates/template_BASH_audit_rules_path_syscall +@@ -0,0 +1,18 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++ ++# Include source function library. ++. 
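Review bot: The architecture detection in the first task, `audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"`, only yields `b64` when the fact ends in two digits (x86_64, aarch64); on ppc64le or s390x the regex does not match and the value falls through unchanged, so `when: audit_arch == 'b64'` is false and the 64-bit rule is never written even though the template declares `multi_platform_rhel`. A width test that does not depend on the architecture name, e.g. `audit_arch: "{{ 'b64' if ansible_userspace_bits == '64' else 'b32' }}"`, avoids that. Separately, the b64 `/etc/audit/audit.rules` task has `create: yes` but the b32 one does not, so on a host where that file is absent the x86 task fails while the x86_64 one succeeds; the two should match.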
/usr/share/scap-security-guide/remediation_functions ++ ++# First perform the remediation of the syscall rule ++# Retrieve hardware architecture of the underlying system ++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") ++ ++for ARCH in "${RULE_ARCHS[@]}" ++do ++ PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*" ++ GROUP="modify" ++ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++done +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh +index a9a4207877..8db9eab037 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh 
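Review bot: The Bash template hardcodes `-F key=modify` in `FULL_RULE` (and `GROUP="modify"`) for every path the CSV feeds it, but the shadow and gshadow rule.yml files added in the first patch on this page document `-F key=user-modify`, so after remediation the rule on disk and the rule in the guidance text disagree and an operator following the documented `ausearch -k user-modify` would see nothing; the Ansible template just above has the same hardcoded key. Either carry the key through the CSV/template parameters alongside `PATH`, `SYSCALL` and `POS`, or change the new shadow/gshadow descriptions to `key=modify`. What `fix_audit_syscall_rule` does with the `GROUP` argument is not visible here, so whether the literal also affects rule placement should be confirmed.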
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh +index 0eabbe097c..532ecedb88 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh +index 6e17de9c20..72254d5c5c 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules + echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh +index 7b7b6bc76d..d4e169dcc6 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules + echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh +index 472b62ee57..409e96ad73 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" 
/usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh +index 595a97ab22..9aca34dd42 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh +index 6ef86ff816..b8c14e63f8 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + # Use auditctl in RHEL7 + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh +index 8c4aaaac25..a6c4c8814f 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules + echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh +index 28ee5ffd9d..7b7f1fd5c9 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F 
auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules + echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh +index 9c9ac0fad4..0747c40b70 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + + # profiles = xccdf_org.ssgproject.content_profile_ospp +-# remediation = none + + echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules + echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules diff --git a/SOURCES/audit_var_log_directory_access.patch b/SOURCES/audit_var_log_directory_access.patch new file mode 100644 index 0000000..b1e6c67 --- /dev/null +++ b/SOURCES/audit_var_log_directory_access.patch 
@@ -0,0 +1,118 @@
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
+new file mode 100644
+index 0000000000..31b65a0833
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
+@@ -0,0 +1,38 @@
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++- name: Search /etc/audit/rules.d for audit rule entries
++ find:
++ paths: /etc/audit/rules.d
++ recurse: false
++ contains: ^.*dir=/var/log/audit/.*$
++ patterns: '*.rules'
++ register: find_var_log_audit
++
++- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
++ set_fact:
++ all_files:
++ - /etc/audit/rules.d/access-audit-trail.rules
++ when: find_var_log_audit.matched == 0
++
++- name: Use matched file as the recipient for the rule
++ set_fact:
++ all_files:
++ - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
++ when: find_var_log_audit.matched > 0
++
++- name: Inserts/replaces the /var/log/audit/ rule in rules.d
++ lineinfile:
++ path: '{{ all_files[0] }}'
++ line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
++ -F key=access-audit-trail
++ create: true
++
++- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
++ lineinfile:
++ path: /etc/audit/audit.rules
++ line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
++ -F key=access-audit-trail
++ create: true
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+new file mode 100644
+index 0000000000..515bef7b85
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+@@ -0,0 +1,11 @@
++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8, multi_platform_fedora, multi_platform_ol,multi_platform_rhv
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
++GROUP="access-audit-trail"
++FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
++# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
++fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
+index e9b1d56af3..2a8a51ff2e 100644
+--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
+@@ -1,7 +1,6 @@
+ #!/bin/bash
+ 
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+-# remediation = none
+ 
+ # Use auditctl in RHEL7
+ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
+index 1c68a3229b..ba4086d9b7 100644
+--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
+@@ -1,7 +1,6 @@
+ #!/bin/bash
+ 
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+-# remediation = none
+ 
+ # Use auditctl in RHEL7
+ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
+index 58ef8bc15f..891cddefb7 100644
+--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+ 
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+-# remediation = none
+ 
+ echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
+index 29f0f2d38e..18ca9936fa 100644
+--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+ 
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+-# remediation = none
+ 
+ echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
+index 82eae1895d..617e93d121 100644
+--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
+@@ -1,6 +1,5 @@
+ #!/bin/bash
+ 
+ # profiles = xccdf_org.ssgproject.content_profile_ospp
+-# remediation = none
+ 
+ echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/SOURCES/bind_libreswan_scenarios.patch b/SOURCES/bind_libreswan_scenarios.patch
new file mode 100644
index 0000000..b38d9ea
--- /dev/null
+++ b/SOURCES/bind_libreswan_scenarios.patch
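Review bot: In bash/shared.sh the search pattern and the installed rule disagree: `PATTERN` looks for `-F path=/var/log/audit/` while `FULL_RULE` writes `-F dir=/var/log/audit/`, so if fix_audit_syscall_rule uses PATTERN to locate the rule it should replace (its body lives in remediation_functions, not in this hunk), an already-present dir= rule with a wrong perm is never matched and remediation appends a second rule instead of correcting it; use `PATTERN="-a always,exit -F dir=/var/log/audit/\\s\\+.*"`. `$ARCH` is also passed through without ever being assigned in this script; a directory watch carries no arch filter, so an empty value may be intended, but an explicit `ARCH=""` with a one-line comment would make that deliberate. The two Ansible tasks titled "Inserts/replaces" only append the exact line, since neither `lineinfile` has a `regexp:`, so the `perm=w` variant created by augenrules_wrong_perm.fail.sh stays in place next to the new rule; add `regexp: '^-a always,exit -F dir=/var/log/audit/.*'` to both tasks so the old rule is rewritten rather than duplicated.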
@@ -0,0 +1,35 @@
+From d7e02c8991daf5f706d26303f7e9d7c742545083 Mon Sep 17 00:00:00 2001
+From: Matus Marhefka
+Date: Mon, 21 Jan 2019 09:46:38 +0100
+Subject: [PATCH] Fixed bind and libreswan crypto policy test scenarios
+
+* bind and libreswan test scenarios did not have applicability set.
+ This commit adds Fedora and RHEL8 to platforms and missing OSPP
+ profile to the profiles section.
+---
+ .../bind_not_installed.pass.sh | 3 ++-
+ .../libreswan_not_installed.pass.sh | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh
+index a81415df04..b38329aab2 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ yum remove -y bind || true
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh
+index 69ec02fe13..f7ecb0622d 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ yum remove -y libreswan || true
diff --git a/SOURCES/crypto_kerboeros_fix.patch b/SOURCES/crypto_kerboeros_fix.patch
new file mode 100644
index 0000000..6d3b98e
--- /dev/null
+++ b/SOURCES/crypto_kerboeros_fix.patch
@@ -0,0 +1,92 @@ +From 78ae04d629ede2185093d7183eba57a1539fefef Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Jan 2019 15:46:48 +0100 +Subject: [PATCH] Enhance configure_kerberos_crypto_policy check + +The goal of this check is to verify that /etc/krb5.conf.d/crypto-policies is +a symlink, and points to /etc/crypto-policies/back-ends/krb5.config. + +As the symlink_test goes all the way through to the canonical path, +and the canonical path is the actual selected policy configuration, thus check +was dependent on selected policy and was failing when symlink was +correct, but selected crypto policy was wrong. + +Making sure that /etc/krb5.conf.d/crypto-polices links to correct crypto-policy +is not the poinof this check. With this changes, the check is now +verifying the symlink independently of the selected crypto policy. +--- + .../oval/shared.xml | 50 +++++++++++-------- + 1 file changed, 28 insertions(+), 22 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml +index 23d9c077d2..235345e985 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml +@@ -1,5 +1,5 @@ + {{%- if target_oval_version == [5, 11] -%}} +-{{# there is no good alternative for symlink_test for OVAL 5.10 #}} ++{{# there is no good alternative for symlink_object for OVAL 5.10 #}} + + + +@@ -11,33 +11,39 @@ + Kerberos should be configured to use the system-wide crypto policy setting. 
+ + +- ++ + + + +- ++ + +- +- +- +- ^/usr/share/crypto-policies/ +- +- /krb5.txt$ +- +- ++ ++ ++ ++ ++ ++ var_symlink_kerberos_crypto_policy_configuration ++ ++ ++ ++ + +- +- +- +- +- ++ + /etc/krb5.conf.d/crypto-policies + +- +- /etc/krb5.conf.d/crypto-policies +- +- ++ ++ ++ ++ ++ ++ /etc/crypto-policies/back-ends/krb5.config ++ ++ ++ ++ ++ + + {{%- endif -%}} diff --git a/SOURCES/crypto_nss_fix.patch b/SOURCES/crypto_nss_fix.patch new file mode 100644 index 0000000..a7b85da --- /dev/null +++ b/SOURCES/crypto_nss_fix.patch 
@@ -0,0 +1,113 @@
+From c8d00d88a253efc7d3eed11349c4481f8a7e344d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 11 Feb 2019 14:40:25 +0100
+Subject: [PATCH 1/3] Add test scenario for crypto-policy nss.config
+
+---
+ .../nss_config_as_file.pass.sh | 12 ++++++++++++
+ .../nss_config_as_symlink.pass.sh | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+ create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
+ create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
+
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
+new file mode 100644
+index 0000000000..89927d0537
+--- /dev/null
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++
++update-crypto-policies --set "FIPS"
++
++CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
++SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
++SYMLINK_TO_FILE="nss.txt"
++rm -f $CRYPTO_POLICY_LIB_FILE
++mkdir -p $SYMLINK_TO_FOLDER
++cp $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
+new file mode 100644
+index 0000000000..28d704e54f
+--- /dev/null
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++
++update-crypto-policies --set "FIPS"
++
++CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
++SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
++SYMLINK_TO_FILE="nss.txt"
++rm -f $CRYPTO_POLICY_LIB_FILE
++mkdir -p $SYMLINK_TO_FOLDER
++ln -s $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE
+
+From 0c3fb5b64f19fef3ae2dac8bbeb71d9d2ae29b54 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 11 Feb 2019 14:41:01 +0100
+Subject: [PATCH 2/3] Update check for configure_crypto_policy
+
+---
+ .../crypto/configure_crypto_policy/oval/shared.xml | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
+index 2d42ac26d1..446c584a76 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
+@@ -55,11 +55,11 @@
+ {{{ crypto_policy_symlink_criterion(library="java") }}}
+ {{{ crypto_policy_symlink_criterion(library="krb5") }}}
+ {{{ crypto_policy_symlink_criterion(library="libreswan") }}}
+- {{{ crypto_policy_symlink_criterion(library="nss") }}}
+ {{{ crypto_policy_symlink_criterion(library="openssh") }}}
+ {{{ crypto_policy_symlink_criterion(library="opensshserver") }}}
+ {{{ crypto_policy_symlink_criterion(library="openssl") }}}
+ {{% endif %}}
++
+
+
+
+@@ -146,6 +146,13 @@ id="object_crypto_policies_config_file_modified_time" version="1">
+ {{{ crypto_policy_symlink_check(library="openssl") }}}
+ {{% endif %}}
+
++
++
++
++
++ /etc/crypto-policies/back-ends/nss.config
++
++
+
+
+
+
+From e43c26bbcbedf32607a5c997b786b48973df2bcf Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 11 Feb 2019 17:47:51 +0100
+Subject: [PATCH 3/3] Add negative test for crypto-policy nss.config
+
+---
+ .../missing_nss_config.fail.sh | 7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
+
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
+new file mode 100644
+index 0000000000..7611efd3f3
+--- /dev/null
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp
++
++update-crypto-policies --set "FIPS"
++
++rm -f "/etc/crypto-policies/back-ends/nss.config"
diff --git a/SOURCES/crypto_uninstalled_fix.patch b/SOURCES/crypto_uninstalled_fix.patch
new file mode 100644
index 0000000..374835e
--- /dev/null
+++ b/SOURCES/crypto_uninstalled_fix.patch
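Review bot: The replacement for the dropped nss symlink criterion appears to test only that `/etc/crypto-policies/back-ends/nss.config` is present (the OVAL element names are stripped in this copy, so this is inferred from the single path value in the `@@ -146` hunk), which no longer ties that file to the selected policy: a stale regular copy left over from an earlier `update-crypto-policies --set` would pass, whereas the symlink check it replaces could not. If a regular file has to be accepted because the tool writes one, consider also comparing its content or modification time against the selected policy's `nss.txt`, in the way the neighbouring `object_crypto_policies_config_file_modified_time` object suggests is already done for the main config file. In `nss_config_as_file.pass.sh` the `mkdir -p $SYMLINK_TO_FOLDER` on the source directory is a no-op on a correct system and on a broken one just makes the following `cp` fail later with an unrelated error; replace it with `[ -f "$SYMLINK_TO_FOLDER$SYMLINK_TO_FILE" ] || exit 1` so the scenario aborts early. Both OVAL hunks are cut at their edges, so the enclosing definitions are not fully visible here.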
@@ -0,0 +1,315 @@ +From 23204bd31684333b786ab922801dfa58dfbab80e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Jan 2019 16:29:31 +0100 +Subject: [PATCH 1/4] Pass rule configure_bind_crypto_policy if bind is not + installed + +OVAL definition and tests are updated. +--- + .../crypto/configure_bind_crypto_policy/oval/shared.xml | 5 +++-- + .../integrity/crypto/configure_bind_crypto_policy/rule.yml | 2 ++ + .../rule_configure_bind_crypto_policy/absent.fail.sh | 2 ++ + .../bind_not_installed.pass.sh | 4 ++++ + .../rule_configure_bind_crypto_policy/no_config_file.fail.sh | 2 ++ + .../rule_configure_bind_crypto_policy/ok.pass.sh | 2 ++ + .../rule_configure_bind_crypto_policy/overrides.fail.sh | 2 ++ + 7 files changed, 17 insertions(+), 2 deletions(-) + create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml +index a77a17de24..0a4044709f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml +@@ -6,9 +6,10 @@ + multi_platform_fedora + Red Hat Enterprise Linux 8 + +- BIND should be configured to use the system-wide crypto policy setting. ++ BIND is not installed or is configured to use the system-wide crypto policy setting. 
+ +- ++ ++ + + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +index 77fdbb9f9c..b0f48ec4b1 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +@@ -9,6 +9,8 @@ description: |- + BIND is supported by crypto policy, but the BIND configuration may be + set up to ignore it. + ++ Either BIND is not installed, or it is configured to use the system-wide defined crypto policy. ++ + To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf + includes the appropriate configuration: + In the options section of /etc/named.conf, make sure that the following line +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh +index 99f603f1a5..70194db999 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y bind ++ + BIND_CONF='/etc/named.conf' + + cat << EOF > "$BIND_CONF" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh +new file mode 100644 +index 0000000000..a81415df04 +--- /dev/null ++++ 
b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/bind_not_installed.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_standard ++ ++yum remove -y bind || true +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh +index 59e45aa260..4fcfc70a5b 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh +@@ -4,6 +4,8 @@ + # We don't remediate anything if the config file is missing completely. + # remediation = none + ++yum install -y bind ++ + BIND_CONF='/etc/named.conf' + + rm -f "$BIND_CONF" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh +index 145e25cfa5..cfadd5c156 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh +@@ -3,6 +3,8 @@ + + BIND_CONF='/etc/named.conf' + ++yum install -y bind ++ + cat << EOF > "$BIND_CONF" + options { + listen-on port 53 { 127.0.0.1; }; +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh +index 79e14c1cc6..28652f8ec2 100644 +--- 
a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y bind ++ + BIND_CONF='/etc/named.conf' + + cat << EOF > "$BIND_CONF" + +From d10bbdcfc4ff40ab84e9a42c5233894f7ba8b736 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Jan 2019 16:58:41 +0100 +Subject: [PATCH 2/4] Pass rule configure_libreswan_crypto_policy if libreswan + is not installed + +OVAL definition and tests are updated. +--- + .../crypto/configure_libreswan_crypto_policy/oval/shared.xml | 5 +++-- + .../crypto/configure_libreswan_crypto_policy/rule.yml | 2 ++ + .../libreswan_not_installed.pass.sh | 4 ++++ + .../line_commented.fail.sh | 2 ++ + .../line_is_there.pass.sh | 2 ++ + .../line_not_there.fail.sh | 2 ++ + .../wrong_value.fail.sh | 2 ++ + 7 files changed, 17 insertions(+), 2 deletions(-) + create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml +index bf4b1d8b3a..51c2dd67cf 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml +@@ -6,9 +6,10 @@ + multi_platform_fedora + Red Hat Enterprise Linux 8 + +- Libreswan should be configured to use the system-wide crypto policy setting. ++ Libreswan is not installed or is configured to use the system-wide crypto policy setting. 
+ +- ++ ++ + + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +index fc61e29bd7..51a8aed38f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +@@ -9,6 +9,8 @@ description: |- + Libreswan is supported by system crypto policy, but the Libreswan configuration may be + set up to ignore it. + ++ Either Libreswan is not installed, or it is configured to use the system-wide defined crypto policy. ++ + To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf + includes the appropriate configuration file. + In /etc/ipsec.conf, make sure that the following line +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh +new file mode 100644 +index 0000000000..69ec02fe13 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/libreswan_not_installed.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_standard ++ ++yum remove -y libreswan || true +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh +index 053f60dd95..dc72e276c2 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh ++++ 
b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y libreswan ++ + cp ipsec.conf /etc + config_file="/etc/ipsec.conf" + crypto="/etc/crypto-policies/back-ends/libreswan.config" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh +index bb357a0a6f..0ccb3f7ebf 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y libreswan ++ + cp ipsec.conf /etc + config_file="/etc/ipsec.conf" + if ! 
grep -P '^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:|(?:#.*))$' "$config_file" ; then +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh +index 8756c09dd6..e1760ca4bc 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y libreswan ++ + cp ipsec.conf /etc + config_file="/etc/ipsec.conf" + crypto="/etc/crypto-policies/back-ends/libreswan.config" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh +index 75ba9f4f33..d3aa2d158c 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_standard + ++yum install -y libreswan ++ + cp ipsec.conf /etc + config_file="/etc/ipsec.conf" + crypto="/etc/crypto-policies/back-ends/libreswan.config" + +From 462b6bac6630b6b9678dd1281e06487825005491 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Jan 2019 17:54:21 +0100 +Subject: [PATCH 3/4] Move message to OCIL clause + +Move bind and libreswan package not installed or configured message 
from +description to ocil clause. +--- + .../integrity/crypto/configure_bind_crypto_policy/rule.yml | 4 +--- + .../crypto/configure_libreswan_crypto_policy/rule.yml | 4 +--- + 2 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +index b0f48ec4b1..b719be52bc 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +@@ -9,8 +9,6 @@ description: |- + BIND is supported by crypto policy, but the BIND configuration may be + set up to ignore it. + +- Either BIND is not installed, or it is configured to use the system-wide defined crypto policy. +- + To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf + includes the appropriate configuration: + In the options section of /etc/named.conf, make sure that the following line +@@ -24,7 +22,7 @@ rationale: |- + severity: unknown + + ocil_clause: |- +- the BIND config file doesn't contain the ++ BIND is installed and the BIND config file doesn't contain the +
include "/etc/crypto-policies/back-ends/bind.config";
directive + + ocil: |- +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +index 51a8aed38f..0fdb73a809 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +@@ -9,8 +9,6 @@ description: |- + Libreswan is supported by system crypto policy, but the Libreswan configuration may be + set up to ignore it. + +- Either Libreswan is not installed, or it is configured to use the system-wide defined crypto policy. +- + To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf + includes the appropriate configuration file. + In /etc/ipsec.conf, make sure that the following line +@@ -25,7 +23,7 @@ rationale: |- + severity: unknown + + ocil_clause: |- +- /etc/ipsec.conf does not contain include /etc/crypto-policies/back-ends/libreswan.config ++ Libreswan is installed and /etc/ipsec.conf does not contain include /etc/crypto-policies/back-ends/libreswan.config + + ocil: |- + To verify that Libreswan uses the system crypto policy, run the following command: + +From 6648e01079c8aaa133b6e0beedb2e4da45527714 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 7 Jan 2019 11:05:06 +0100 +Subject: [PATCH 4/4] Revert OVAL check description update + +--- + .../crypto/configure_bind_crypto_policy/oval/shared.xml | 2 +- + .../crypto/configure_libreswan_crypto_policy/oval/shared.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml +index 0a4044709f..34c3af14b3 100644 +--- 
a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml +@@ -6,7 +6,7 @@ + multi_platform_fedora + Red Hat Enterprise Linux 8 + +- BIND is not installed or is configured to use the system-wide crypto policy setting. ++ BIND should be configured to use the system-wide crypto policy setting. + + + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml +index 51c2dd67cf..cc448c74b1 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml +@@ -6,7 +6,7 @@ + multi_platform_fedora + Red Hat Enterprise Linux 8 + +- Libreswan is not installed or is configured to use the system-wide crypto policy setting. ++ Libreswan should be configured to use the system-wide crypto policy setting. + + + diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch new file mode 100644 index 0000000..ae3d0dd --- /dev/null +++ b/SOURCES/disable-not-in-good-shape-profiles.patch 
@@ -0,0 +1,82 @@
+From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 17 Dec 2018 13:30:06 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
+
+They raise too many errors and fails.
+---
+ rhel8/CMakeLists.txt | 3 ++-
+ rhel8/profiles/cjis.profile | 2 +-
+ rhel8/profiles/cui.profile | 2 +-
+ rhel8/profiles/hipaa.profile | 2 +-
+ rhel8/profiles/rht-ccp.profile | 2 +-
+ rhel8/profiles/standard.profile | 2 +-
+ 6 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
+index 99bccbed7..77f8ccaec 100644
+--- a/rhel8/CMakeLists.txt
++++ b/rhel8/CMakeLists.txt
+@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+ 
+-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
++# Standard profile is disabled for RHEL8 as it is not in good shape
++#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ 
+ # Uncomment when anssi profiles are marked documentation_complete: true
+diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
+index a7f8c0b16..c460793be 100644
+--- a/rhel8/profiles/cjis.profile
++++ b/rhel8/profiles/cjis.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Criminal Justice Information Services (CJIS) Security Policy'
+ 
+diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
+index eb62252a4..e8f369708 100644
+--- a/rhel8/profiles/cui.profile
++++ b/rhel8/profiles/cui.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+ 
+diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
+index feb98007c..0667f65ed 100644
+--- 
a/rhel8/profiles/hipaa.profile
++++ b/rhel8/profiles/hipaa.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: True
++documentation_complete: false
+ 
+ title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+ 
+diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
+index 023663b21..8b22bc711 100644
+--- a/rhel8/profiles/rht-ccp.profile
++++ b/rhel8/profiles/rht-ccp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+ 
+diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
+index a63ae2cf3..da669bb84 100644
+--- a/rhel8/profiles/standard.profile
++++ b/rhel8/profiles/standard.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+ 
+-- 
+2.19.2
+ 
diff --git a/SOURCES/fips-rename_def.patch b/SOURCES/fips-rename_def.patch
new file mode 100644
index 0000000..788a01e
--- /dev/null
+++ b/SOURCES/fips-rename_def.patch 
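Review bot: The five profile files are flipped to `documentation_complete: false` with no in-file note of why, whereas the CMakeLists.txt hunk does get an explanatory comment; a reader of cjis.profile alone cannot tell that the profile was deliberately withdrawn for RHEL8 rather than never finished. Consider a YAML comment above the flag in each profile, e.g. `# Disabled for RHEL8: profile not yet in good shape (see <tracking reference>)`. Because this flag removes the profiles from the built datastream, the package changelog should also name the profiles no longer shipped for RHEL8 (CJIS, CUI, HIPAA, RH CCP, Standard) so that users who scan against them are not surprised.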
@@ -0,0 +1,30 @@ +From 95691c05ef43c7fe487b116d024d497fa9b91a95 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 2 Jan 2019 13:58:50 +0100 +Subject: [PATCH] Fix extended definition reference in enable_fips_mode OVAL + +There is a problem that the rule `enable_fips_mode` introduced in +https://github.com/ComplianceAsCode/content/pull/3623 depends on +`installed_OS_is_certified`. However, that rule which was removed by the +https://github.com/ComplianceAsCode/content/pull/3643, which was +unfortunately merged before updating the rule `enable_fips_mode` +accordingly. As a result, the rule `enable_fips_mode` in the built +datastream doesn't contain OVAL. +--- + .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 2c1e52c831..a56f6812b4 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -13,7 +13,7 @@ + + + +- ++ + + + + diff --git a/SOURCES/fips.patch b/SOURCES/fips.patch new file mode 100644 index 0000000..b1c9a06 --- /dev/null +++ b/SOURCES/fips.patch 
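Review bot: The changed extend_definition line cannot be reviewed from this page: the XML elements were stripped in rendering, so the `-` and `+` lines of the hunk carry no text and the new definition reference is not visible; whoever applies this patch should confirm it resolves by checking that the built datastream contains OVAL for `enable_fips_mode`, which the commit message itself names as the symptom. Note also that the `enable_fips_mode` description added by patch 2/7 in fips.patch still ends with "Furthermore, the system running in FIPS mode should be FIPS certified", yet with the dependency on `installed_OS_is_certified` gone no OVAL criterion checks certification; that sentence should be dropped or reworded so the description does not promise a check the rule no longer performs.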
@@ -0,0 +1,705 @@ +From 17844ccdf81a07244881949b7269adaef0328d16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 26 Nov 2018 14:17:10 +0100 +Subject: [PATCH 1/7] New rule to enable FIPS mode on RHEL8 and Fedora + +On RHEL8, a different method is used to enable FIPS mode than on +RHEL6/7. Package `dracut-fips` doesn't exist anymore, GRUB config file +doesn't need to be edited. Instead, a new utility `fips-mode-setup` +should be used to setup and configure FIPS mode. To verify that FIPS +mode is enabled, the following 2 conditions have to be fulfilled: + 1. /etc/system-fips exists + 2. /proc/sys/crypto/fips_enabled is set to 1 +We can also check if the Dracut FIPS module is configured to be loaded. +In FIPS mode, the system-wide crypto policy is configured to to FIPS. +The same facts apply also for Fedora 29. +This commit adds a new rule `enable_fips_mode` for RHEL8 and Fedora, +which replaces the old rule `grub2_enable_fips_mode` in RHEL8 and Fedora +OSPP profiles. The platform in `grub2_enable_fips_mode` and dependent +rule `package_dracut-fips_installed` in changed to exclude RHEL8 and +Fedora. Currently it fails on both RHEL8 and Fedora because it depends +on rule `installed_OS_is_certified` which allows only RHEL6 and RHEL7. 
+--- + fedora/profiles/ospp.profile | 3 +- + .../enable_dracut_fips_module/oval/shared.xml | 32 +++++++++++++++ + .../fips/enable_dracut_fips_module/rule.yml | 26 +++++++++++++ + .../fips/enable_fips_mode/bash/shared.sh | 3 ++ + .../fips/enable_fips_mode/oval/shared.xml | 19 +++++++++ + .../integrity/fips/enable_fips_mode/rule.yml | 39 +++++++++++++++++++ + .../etc_system_fips_exists/oval/shared.xml | 23 +++++++++++ + .../fips/etc_system_fips_exists/rule.yml | 28 +++++++++++++ + .../anaconda/shared.anaconda | 2 +- + .../grub2_enable_fips_mode/bash/shared.sh | 2 +- + .../grub2_enable_fips_mode/oval/shared.xml | 2 - + .../fips/grub2_enable_fips_mode/rule.yml | 2 +- + .../anaconda/shared.anaconda | 2 +- + .../ansible/shared.yml | 2 +- + .../bash/shared.sh | 2 +- + .../oval/shared.xml | 4 +- + .../package_dracut-fips_installed/rule.yml | 2 +- + .../oval/shared.xml | 28 +++++++++++++ + .../fips/sysctl_crypto_fips_enabled/rule.yml | 30 ++++++++++++++ + rhel8/profiles/ospp.profile | 2 +- + 20 files changed, 240 insertions(+), 13 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml + +diff --git 
a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index c115ab6bce..0eb3b8ec63 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -17,7 +17,8 @@ selections: + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - service_auditd_enabled +- - grub2_enable_fips_mode ++ - enable_fips_mode ++ - var_system_crypto_policy=fips + - rpm_verify_hashes + - selinux_all_devicefiles_labeled + - selinux_confinement_of_daemons +diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml +new file mode 100644 +index 0000000000..03ff256da2 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml +@@ -0,0 +1,32 @@ ++ ++ ++ ++ Enable Dracut FIPS Module ++ ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ fips module should be enabled in Dracut configuration ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/dracut.conf.d/40-fips.conf ++ ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:|(?:#.*))?$ ++ 1 ++ ++ ++ ++ fips ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +new file mode 100644 +index 0000000000..3de551d2ca +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: rhel8,fedora ++ ++title: "Enable Dracut FIPS Module" ++ ++description: |- ++ To enable FIPS, the system requires that the fips module is added in ++ dracut configuration. ++ Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " ++ ++rationale: |- ++ Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ++ protect data. 
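Review bot: The pattern `^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:|(?:#.*))?$` in the new enable_dracut_fips_module OVAL captures a single word, so a line that lists more than one module (a constructed example: `add_dracutmodules+=" fips other "`) does not match at all and the check would most likely report the fips module as not enabled even though dracut would load it. If that is not intended, a pattern that locates fips anywhere inside the quotes while still exposing it as the compared subexpression would be `^\s*add_dracutmodules\+="(?:[^"]*\s)?(fips)(?:\s[^"]*)?"\s*(?:#.*)?$`; this also drops the empty alternative in `(?:|(?:#.*))?`, which makes the trailing `?` redundant. Whether a multi-module line should count as compliant is a content decision, so if the strict form is intended a short comment in the OVAL stating that only a single-module line is accepted would make that explicit.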
The operating system must implement cryptographic modules adhering to the higher ++ standards approved by the federal government since this provides assurance they have been tested ++ and validated. ++ ++severity: medium ++ ++ocil_clause: 'the Dracut FIPS module is not enabled' ++ ++ocil: |- ++ To verify that the Dracut FIPS module is enabled, run the following command: ++ grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf ++ The output should look like this: ++ add_dracutmodules+=" fips " +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +new file mode 100644 +index 0000000000..b2138a5e1e +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +@@ -0,0 +1,3 @@ ++# platform = Red Hat Enterprise Linux 8, multi_platform_fedora ++ ++fips-mode-setup --enable +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +new file mode 100644 +index 0000000000..9e6e9b5608 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -0,0 +1,19 @@ ++ ++ ++ ++ Enable FIPS Mode ++ ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ Check if FIPS mode is enabled on the system ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +new file mode 100644 +index 0000000000..b7fda5bee1 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: rhel8,fedora ++ ++title: Enable FIPS Mode ++ ++description: |- ++ To enable FIPS mode, run the following command: ++
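Review bot: The new bash remediation `fips-mode-setup --enable` carries only a `# platform = ...` header, although the rule's `warnings: general` states the system must be rebooted for the change to take effect; the remediation metadata should say so, e.g. `# reboot = true`, alongside the `# strategy = ...` and `# complexity = ...` keys that the package_dracut-fips_installed remediation header later in this same patch uses. Without it, tooling that consumes the remediation metadata has no way to tell operators that a reboot is pending before FIPS mode is actually in force.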
fips-mode-setup --enable
++ ++rationale: |- ++ Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ++ protect data. The operating system must implement cryptographic modules adhering to the higher ++ standards approved by the federal government since this provides assurance they have been tested ++ and validated. ++ ++severity: high ++ ++ocil_clause: 'FIPS mode is not enabled' ++ ++ocil: |- ++ To verify that FIPS is enabled properly, run the following command: ++
fips-mode-setup --check
++ The output should contain the following: ++
FIPS mode is enabled.
++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ The ability to enable FIPS does not denote FIPS compliancy or certification. ++ Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community ++ projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. ++ Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. ++

++ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} ++ for a list of FIPS certified vendors. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml +new file mode 100644 +index 0000000000..8e0360543d +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ ++ Check /etc/system-fips exists ++ ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ Check /etc/system-fips exists ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/system-fips ++ ++ +diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +new file mode 100644 +index 0000000000..0f48cbf274 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: rhel8,fedora ++ ++title: Ensure '/etc/system-fips' exists ++ ++description: |- ++ On a system where FIPS mode is enabled, /etc/system-fips must exist. ++ To enable FIPS mode, run the following command: ++
fips-mode-setup --enable
++ ++rationale: |- ++ Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ++ protect data. The operating system must implement cryptographic modules adhering to the higher ++ standards approved by the federal government since this provides assurance they have been tested ++ and validated. ++ ++severity: high ++ ++ocil_clause: /etc/system-fips does not exist ++ ++ocil: |- ++ To verify /etc/system-fips exists, run the following command: ++
ls -l /etc/system-fips
++ The output should be similar to the the following: ++
-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips
++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda +index 089f104181..99693f62d6 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda +@@ -1,3 +1,3 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora ++# platform = Red Hat Enterprise Linux 7 + + package --add=dracut-fips +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh +index 097b64080d..b784f9f658 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora ++# platform = Red Hat Enterprise Linux 7 + + # include remediation functions library + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +index b8f84e32d3..9dee4066d2 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +@@ -4,8 +4,6 @@ + Enable FIPS Mode in GRUB2 + + Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- multi_platform_fedora + + Look for argument fips=1 in the kernel line in /etc/default/grub. 
+ +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +index c8c11f8a5e..82c3dc5f68 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8,fedora ++prodtype: rhel7 + + title: 'Enable FIPS Mode in GRUB2' + +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda +index 38b5193e8e..e2ad6654f6 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda +@@ -1,3 +1,3 @@ +-# platform = multi_platform_rhel, multi_platform_fedora ++# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 + + package --add=dracut-fips +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml +index a3dadd7af0..13a1f0b372 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel, multi_platform_fedora ++# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 + # reboot = false + # strategy = enable + # complexity = low +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh 
b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh +index fd319418d9..36ecb73c25 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel, multi_platform_fedora ++# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 + + # include remediation functions library + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +index 1483429a6a..4d3de0bc3e 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +@@ -8,8 +8,8 @@ + + Package dracut-fips Installed + +- multi_platform_rhel +- multi_platform_fedora ++ Red Hat Enterprise Linux 6 ++ Red Hat Enterprise Linux 7 + + The RPM package dracut-fips should be installed. 
+ +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +index 5065cca35b..c7cd8552b0 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8,fedora ++prodtype: rhel6,rhel7 + + title: 'Install the dracut-fips Package' + +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml +new file mode 100644 +index 0000000000..1b34965949 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml +@@ -0,0 +1,28 @@ ++ ++ ++ ++ Kernel "crypto.fips_enabled" Parameter Runtime Check ++ ++ multi_platform_fedora ++ Red Hat Enterprise Linux 8 ++ ++ The kernel "crypto.fips_enabled" parameter should be set to "1" in system runtime. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ crypto.fips_enabled ++ ++ ++ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +new file mode 100644 +index 0000000000..a8e9c0d36e +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -0,0 +1,30 @@ ++documentation_complete: true ++ ++prodtype: rhel8,fedora ++ ++title: "Set kernel parameter 'crypto.fips_enabled' to 1" ++ ++description: |- ++ System running in FIPS mode is indicated by kernel parameter ++ 'crypto.fips_enabled'. This parameter should be set to 1 ++ in FIPS mode. ++ To enable FIPS mode, run the following command: ++
fips-mode-setup --enable
++ ++rationale: |- ++ Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to ++ protect data. The operating system must implement cryptographic modules adhering to the higher ++ standards approved by the federal government since this provides assurance they have been tested ++ and validated. ++ ++severity: high ++ ++ocil_clause: 'crypto.fips_enabled is not 1' ++ ++ocil: |- ++ To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: ++
sysctl crypto.fips_enabled
++ The output should contain the following: ++
crypto.fips_enabled =  1
++ ++platform: machine +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 4c8fe02f17..a78060a355 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -12,7 +12,7 @@ selections: + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - service_auditd_enabled +- - grub2_enable_fips_mode ++ - enable_fips_mode + - rpm_verify_hashes + - selinux_all_devicefiles_labeled + - selinux_confinement_of_daemons + +From fc10f00b21ca8303cb1e83189d969991069b9d1e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 5 Dec 2018 17:41:39 +0100 +Subject: [PATCH 2/7] Improve description of rule "Enable FIPS mode" + +Describes the process based on `fips-mode-setup` manual page +and describes the facts that are checked by the rule. +--- + .../integrity/fips/enable_fips_mode/rule.yml | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index b7fda5bee1..67090ea863 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -7,6 +7,20 @@ title: Enable FIPS Mode + description: |- + To enable FIPS mode, run the following command: +
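Review bot: The RHEL8 OSPP profile hunk only swaps `grub2_enable_fips_mode` for `enable_fips_mode`, while the Fedora OSPP hunk earlier in this patch additionally selects `var_system_crypto_policy=fips`. Patch 4/7 later in the series adds an OVAL criterion to `enable_fips_mode` that requires `var_system_crypto_policy` to equal FIPS, so unless the RHEL8 profile already selects that value outside this hunk (or the variable's default is FIPS), the rule will fail on RHEL8 even on a correctly configured system. Adding `- var_system_crypto_policy=fips` next to `- enable_fips_mode` here would keep the two profiles consistent.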
fips-mode-setup --enable
++
++ The fips-mode-setup command completes the installation of FIPS ++ modules by calling fips-finish-install. Then, it changes the ++ system crypto policy to FIPS by calling update-crypto-policies ++ tool. Also, the command modifies the boot loader configuration to add ++ fips=1 and boot=<boot-device> options to the kernel ++ command line. ++
++ On a system running in FIPS mode, the kernel FIPS mode flag ++ (/proc/sys/crypto/fips_enabled) should be set to 1 and ++ the /etc/system-fips should exist. The system crypto policy should ++ be set to FIPS in /etc/crypto-policies/config. Also, the Dracut ++ fips module should be loaded. Furthermore, the system running in ++ FIPS mode should be FIPS certified. + + rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + +From 420be5900a27772422d14489c0c776754a3621e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 11 Dec 2018 08:55:45 +0100 +Subject: [PATCH 3/7] Remove a paragraph from rule description + +--- + .../software/integrity/fips/enable_fips_mode/rule.yml | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 67090ea863..7532191961 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -8,13 +8,6 @@ description: |- + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+
+- The fips-mode-setup command completes the installation of FIPS +- modules by calling fips-finish-install. Then, it changes the +- system crypto policy to FIPS by calling update-crypto-policies +- tool. Also, the command modifies the boot loader configuration to add +- fips=1 and boot=<boot-device> options to the kernel +- command line. +-
+ On a system running in FIPS mode, the kernel FIPS mode flag + (/proc/sys/crypto/fips_enabled) should be set to 1 and + the /etc/system-fips should exist. The system crypto policy should + +From bdf0a27ef924c7cf8bf26dc4a650ae47d51195d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 11 Dec 2018 09:56:23 +0100 +Subject: [PATCH 4/7] Check if external variable has the expected value + +This commit adds a new criterion to OVAL definition for rule +`enable_fips_mode`. The test checks if `var_system_crypto_policy` is set +to FIPS. This solves the situation when user tailors his profile and +refines the XCCDF value `var_system_crypto_policy` to a different value +than FIPS. In this situation the rule passes, although the FIPS mode is +not enabled. It is obvious that this tailoring does not make any sense, +but we should be more anticipatory. +--- + .../integrity/fips/enable_fips_mode/oval/shared.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 9e6e9b5608..9324989899 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -14,6 +14,17 @@ + + + ++ +
+ ++ ++ ++ ++ ++ ++ var_system_crypto_policy ++ ++ ++ FIPS ++ + + +From 92fe3acfc3785c18a696696dd0a1827a399136c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 11 Dec 2018 11:39:52 +0100 +Subject: [PATCH 5/7] Add missing external_variable in OVAL + +--- + .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 9324989899..2c1e52c831 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -27,4 +27,5 @@ + + FIPS + ++ + + +From e59104a23b01bbf5f2bc141e5480e594eb2a30ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 12 Dec 2018 09:04:25 +0100 +Subject: [PATCH 6/7] Add warnings to other FIPS-related rules + +--- + .../fips/enable_dracut_fips_module/rule.yml | 14 ++++++++++++++ + .../integrity/fips/etc_system_fips_exists/rule.yml | 12 ++++++++++++ + .../fips/sysctl_crypto_fips_enabled/rule.yml | 12 ++++++++++++ + 3 files changed, 38 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +index 3de551d2ca..b23d2e8c46 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +@@ -5,6 +5,8 @@ prodtype: rhel8,fedora + title: "Enable Dracut FIPS Module" + + description: |- ++ To enable FIPS mode, run the following command: ++
fips-mode-setup --enable
+ To enable FIPS, the system requires that the fips module is added in + dracut configuration. + Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " +@@ -24,3 +26,15 @@ ocil: |- + grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf + The output should look like this: + add_dracutmodules+=" fips " ++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ The ability to enable FIPS does not denote FIPS compliancy or certification. ++ Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community ++ projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. ++ Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. ++
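Review bot: The added description lines put `To enable FIPS mode, run the following command: fips-mode-setup --enable` directly in front of the existing `To enable FIPS, the system requires that the fips module is added in dracut configuration.`, so the rule now opens with two near-identical "To enable FIPS" sentences without saying how the command relates to this rule's check. I would reword the existing sentence to `Running it adds the fips module to the dracut configuration; this rule checks that /etc/dracut.conf.d/40-fips.conf contains add_dracutmodules+=" fips "`, which also fixes the pre-existing `contain` → `contains`. The description block continues past the end of the hunk, so its closing lines are not visible here.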

++ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} ++ for a list of FIPS certified vendors. +diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +index 0f48cbf274..0f1b398a0e 100644 +--- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +@@ -25,4 +25,16 @@ ocil: |- + The output should be similar to the the following: +
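Review bot: The `weblink` in the new regulatory warning points at `http://csrc.nist.gov/...`, a plain-HTTP reference inside a cryptographic-compliance rule; the host serves HTTPS, so use `https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm`. The `140-1/1401vend.htm` path looks like the legacy FIPS 140-1 vendor list rather than the current CMVP validated-modules listing — I cannot verify that from the patch, but it is worth confirming the link is the one readers should follow before the same text is copied into more rules. Minor wording in the same block: `compliancy` (twice) should be `compliance`, and the sentence `Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant` reads awkwardly; splitting it into one clause per subject would help.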
-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips
+ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ The ability to enable FIPS does not denote FIPS compliancy or certification. ++ Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community ++ projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. ++ Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. ++

++ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} ++ for a list of FIPS certified vendors. ++ + platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index a8e9c0d36e..734fa558a7 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -27,4 +27,16 @@ ocil: |- + The output should contain the following: +
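Review bot: This `warnings:` block is a byte-for-byte copy of the one added to enable_dracut_fips_module and sysctl_crypto_fips_enabled in the same patch — the reboot note, the regulatory paragraph and the NIST link are identical in all three hunks. The rule files already use Jinja (`{{{ weblink(...) }}}`), so a single shared macro, e.g. `{{{ fips_regulatory_warning() }}}` defined once in the shared macro file, would keep the three rules from drifting the next time the link or the wording is corrected. The `warnings:` key is inserted ahead of the existing `platform: machine`, which is valid YAML, but if the file has a conventional key order elsewhere the new block should follow it.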
crypto.fips_enabled =  1
+ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ The ability to enable FIPS does not denote FIPS compliancy or certification. ++ Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community ++ projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. ++ Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. ++

++ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} ++ for a list of FIPS certified vendors. ++ + platform: machine + +From 4c3c890a63a6061d380c5171f32f048165af0ee8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 13 Dec 2018 17:33:39 +0100 +Subject: [PATCH 7/7] Improve wording in rule description enable_fips_mode + +--- + .../integrity/fips/enable_fips_mode/rule.yml | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 7532191961..72db413dff 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -8,12 +8,15 @@ description: |- + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+
+- On a system running in FIPS mode, the kernel FIPS mode flag +- (/proc/sys/crypto/fips_enabled) should be set to 1 and +- the /etc/system-fips should exist. The system crypto policy should +- be set to FIPS in /etc/crypto-policies/config. Also, the Dracut +- fips module should be loaded. Furthermore, the system running in +- FIPS mode should be FIPS certified. ++ The fips-mode-setup command will configure the system in ++ FIPS mode by automatically configuring the following: ++
    ++
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • ++
  • Creating /etc/system-fips
  • ++
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • ++
  • Loading the Dracut fips module
  • ++
++ Furthermore, the system running in FIPS mode should be FIPS certified by NIST. + + rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to diff --git a/SOURCES/podman_backend.patch b/SOURCES/podman_backend.patch new file mode 100644 index 0000000..def844d --- /dev/null +++ b/SOURCES/podman_backend.patch 
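Review bot: The new bullet `Loading the Dracut fips module` describes a different action than the sibling rule enable_dracut_fips_module, whose description in this same series says the module is `added in dracut configuration` (`/etc/dracut.conf.d/40-fips.conf`); as far as I can tell `fips-mode-setup` configures dracut to include the module rather than loading anything at runtime, so the bullet should read `Adding the fips module to the dracut configuration (/etc/dracut.conf.d/40-fips.conf)`. The other FIPS rules in this series gained a `The system needs to be rebooted for these changes to take effect` warning, but this description never says the change takes effect only after reboot. The closing sentence `the system running in FIPS mode should be FIPS certified by NIST` is imprecise — NIST CMVP validates cryptographic modules, not whole systems — so `should use FIPS 140 validated cryptographic modules` states what the rule actually depends on. The `rationale:` block begins inside the hunk and continues outside it.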
@@ -0,0 +1,810 @@ +From 1b4e88f7ce56db4f8eb8e1d0a4272c91b421aefb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Jan 2019 14:43:19 +0100 +Subject: [PATCH 1/7] Update SSG test suite container backend Dockerfiles + +- It's more appopriate to describe CentOS container as CentOS-based + than RHEL based. +- The utility that generates SSH keys is ssh-keygen, not sshd-keygen + which is a legacy service. +- We remove pam_loginuid.so from SSHD PAM configuration in the container + as it prevents users to log in via ssh to the container. As our test + suite doesn't check if oscap scans produce audit messages, we can + simply remove that. +--- + Dockerfiles/test_suite-centos | 5 +++-- + Dockerfiles/test_suite-fedora | 1 + + Dockerfiles/test_suite-rhel | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/Dockerfiles/test_suite-centos b/Dockerfiles/test_suite-centos +index d653345486..0160917bb9 100644 +--- a/Dockerfiles/test_suite-centos ++++ b/Dockerfiles/test_suite-centos +@@ -1,4 +1,4 @@ +-# This Dockerfile is a minimal example for a RHEL-based SSG test suite target container. ++# This Dockerfile is a minimal example for a CentOS-based SSG test suite target container. 
+ FROM centos + + ENV AUTH_KEYS=/root/.ssh/authorized_keys +@@ -12,9 +12,10 @@ RUN true \ + && true + + RUN true \ +- && for key_type in rsa ecdsa ed25519; do sshd-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ ++ && for key_type in rsa ecdsa ed25519; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ + && mkdir -p /root/.ssh \ + && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ + && chmod og-rw /root/.ssh "$AUTH_KEYS" \ ++ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ + && true + +diff --git a/Dockerfiles/test_suite-fedora b/Dockerfiles/test_suite-fedora +index 250da22e64..3bc4e8f6a7 100644 +--- a/Dockerfiles/test_suite-fedora ++++ b/Dockerfiles/test_suite-fedora +@@ -16,5 +16,6 @@ RUN true \ + && mkdir -p /root/.ssh \ + && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ + && chmod og-rw /root/.ssh "$AUTH_KEYS" \ ++ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ + && true + +diff --git a/Dockerfiles/test_suite-rhel b/Dockerfiles/test_suite-rhel +index ac264da0db..96c3af24b7 100644 +--- a/Dockerfiles/test_suite-rhel ++++ b/Dockerfiles/test_suite-rhel +@@ -12,8 +12,9 @@ RUN true \ + && true + + RUN true \ +- && for key_type in rsa ecdsa ed25519; do sshd-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ ++ && for key_type in rsa ecdsa ed25519; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ + && mkdir -p /root/.ssh \ + && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ + && chmod og-rw /root/.ssh "$AUTH_KEYS" \ ++ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ + && true + +From c9de05e77285597ceb80216ec5e54a5a354d891e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Jan 2019 14:49:10 +0100 +Subject: [PATCH 2/7] Introduce Podman backend to SSG Test Suite harness + +On RHEL8, Docker isn't available and it's replaced by Podman. 
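Review bot: The new `sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd` weakens the container's sshd PAM stack with no in-file explanation; the reason (the commit message says the module prevents ssh logins to the container and the suite does not check audit output) should live next to the line so nobody later copies it into a production image: `# pam_loginuid.so blocks ssh logins inside the container; the test suite does not need audit records, so drop it from the sshd stack`. The pattern is unanchored and the `.` in `pam_loginuid.so` matches any character, so `'/^session\s\+required\s\+pam_loginuid\.so/d'` is the stricter form; `\s\+` is a GNU sed extension, fine for these CentOS/Fedora/RHEL images but worth knowing if the Dockerfiles are reused. The identical line is added to the Fedora and RHEL Dockerfiles in this patch, so the same comment belongs there.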
Therefore, +we need to implement a backend for Podman to run container-based tests. +The Podman backend works similar way as the Docker backend. However, +it's implemented by invoking podman CLI calls (subprocess) instead of +using Python 3 bindings, because as of python3-podman version 0.12.1.2 +it doesn't allow to run, inspect and commit containers. Users will use +this backend using `--container` cmdline option. +--- + tests/ssg_test_suite/test_env.py | 137 ++++++++++++++++++++++++++++++- + tests/test_suite.py | 9 ++ + 2 files changed, 145 insertions(+), 1 deletion(-) + +diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py +index 3b0d549d42..4c1503542c 100644 +--- a/tests/ssg_test_suite/test_env.py ++++ b/tests/ssg_test_suite/test_env.py +@@ -4,6 +4,7 @@ + import sys + import os + import time ++import subprocess + + import docker + +@@ -172,7 +173,7 @@ def offline_scan(self, args, verbose_path): + + + class DockerTestEnv(TestEnv): +- name = "container-based" ++ name = "docker-based" + + def __init__(self, mode, image_name): + super(DockerTestEnv, self).__init__(mode) +@@ -249,6 +250,7 @@ def reset_state_to(self, state_name, new_running_state_name): + return new_container + + def _find_image_by_name(self, image_name): ++ # only in DockerTestEnv + return self.client.images.get(image_name) + + def _new_container_from_image(self, image_name, container_name): +@@ -285,3 +287,136 @@ def offline_scan(self, args, verbose_path): + command_list = self._local_oscap_check_base_arguments() + args + + return common.run_cmd_local(command_list, verbose_path) ++ ++ ++class PodmanTestEnv(TestEnv): ++ # TODO: Rework this class using Podman Python bindings (python3-podman) ++ # at the moment when their API will provide methods to run containers, ++ # commit images and inspect containers ++ name = "podman-based" ++ ++ def __init__(self, scanning_mode, image_name): ++ super(PodmanTestEnv, self).__init__(scanning_mode) ++ self._name_stem = "ssg_test" ++ 
self.base_image = image_name ++ self.created_images = [] ++ self.containers = [] ++ self.domain_ip = None ++ ++ def start(self): ++ self.run_container(self.base_image) ++ ++ def finalize(self): ++ self._terminate_current_running_container_if_applicable() ++ ++ def image_stem2fqn(self, stem): ++ image_name = "{0}_{1}".format(self.base_image, stem) ++ return image_name ++ ++ @property ++ def current_container(self): ++ if self.containers: ++ return self.containers[-1] ++ return None ++ ++ @property ++ def current_image(self): ++ if self.created_images: ++ return self.created_images[-1] ++ return self.base_image ++ ++ def _create_new_image(self, from_container, name): ++ new_image_name = self.image_stem2fqn(name) ++ if not from_container: ++ from_container = self.run_container(self.current_image) ++ podman_cmd = ["podman", "commit", from_container, new_image_name] ++ try: ++ subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ self.created_images.append(new_image_name) ++ return new_image_name ++ ++ def _save_state(self, state_name): ++ state = self._create_new_image(self.current_container, state_name) ++ return state ++ ++ def run_container(self, image_name, container_name="running"): ++ new_container = self._new_container_from_image(image_name, container_name) ++ self.containers.append(new_container) ++ # Get the container time to fully start its service ++ time.sleep(0.2) ++ self.domain_ip = self._get_container_ip(new_container) ++ return new_container ++ ++ def reset_state_to(self, state_name, new_running_state_name): ++ self._terminate_current_running_container_if_applicable() ++ image_name = self.image_stem2fqn(state_name) ++ ++ new_container = self.run_container(image_name, new_running_state_name) ++ ++ return new_container ++ ++ def _new_container_from_image(self, 
image_name, container_name): ++ long_name = "{0}_{1}".format(self._name_stem, container_name) ++ podman_cmd = ["podman", "run", "--name", long_name, ++ "--publish", "22", "--detach", image_name, ++ "/usr/sbin/sshd", "-D"] ++ try: ++ podman_output = subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ container_id = podman_output.decode("utf-8").strip() ++ return container_id ++ ++ def _get_container_ip(self, container): ++ # only in PodmanTestEnv ++ podman_cmd = ["podman", "inspect", container, "--format", "{{.NetworkSettings.IPAddress}}"] ++ try: ++ podman_output = subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ ip_address = podman_output.decode("utf-8") ++ return ip_address ++ ++ def _terminate_current_running_container_if_applicable(self): ++ if self.containers: ++ running_state = self.containers.pop() ++ podman_cmd = ["podman", "stop", running_state] ++ try: ++ subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ podman_cmd = ["podman", "rm", running_state] ++ try: ++ subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ ++ def _delete_saved_state(self, image): ++ self._terminate_current_running_container_if_applicable() ++ ++ assert self.created_images ++ ++ associated_image = 
self.created_images.pop() ++ assert associated_image == image ++ podman_cmd = ["podman", "rmi", associated_image] ++ try: ++ subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) ++ except subprocess.CalledProcessError as e: ++ msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) ++ raise RuntimeError(msg) ++ ++ def discard_running_state(self, state_handle): ++ self._terminate_current_running_container_if_applicable() ++ ++ def _local_oscap_check_base_arguments(self): ++ raise NotImplementedError ++ ++ def offline_scan(self, args, verbose_path): ++ raise NotImplementedError("OpenSCAP doesn't support offline scanning of Podman Containers") +diff --git a/tests/test_suite.py b/tests/test_suite.py +index 667fdd7296..275a147bdf 100755 +--- a/tests/test_suite.py ++++ b/tests/test_suite.py +@@ -30,6 +30,9 @@ def parse_args(): + backends.add_argument( + "--docker", dest="docker", metavar="BASE_IMAGE", + help="Use Docker test environment with this base image.") ++ backends.add_argument( ++ "--container", dest="container", metavar="BASE_IMAGE", ++ help="Use container test environment with this base image.") + + backends.add_argument( + "--libvirt", dest="libvirt", metavar="HYPERVISOR DOMAIN", nargs=2, +@@ -163,6 +166,12 @@ def normalize_passed_arguments(options): + logging.info( + "The base image option has been specified, " + "choosing Docker-based test environment.") ++ elif options.container: ++ options.test_env = ssg_test_suite.test_env.PodmanTestEnv( ++ options.scanning_mode, options.container) ++ logging.info( ++ "The base image option has been specified, " ++ "choosing Podman-based test environment.") + else: + hypervisor, domain_name = options.libvirt + options.test_env = ssg_test_suite.test_env.VMTestEnv( + +From 05bf3c7cfcc25a2d7b4970712df8b2c67336ba23 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Jan 2019 14:56:45 +0100 +Subject: [PATCH 3/7] Update tests/README.md with 
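Review bot: `_get_container_ip` returns `podman_output.decode("utf-8")` unstripped, whereas `_new_container_from_image` a few lines above strips the container id; the `podman inspect --format` output ends in a newline just like the id does, so `self.domain_ip` set in `run_container` carries a trailing `\n` into whatever later builds the ssh target from it. Change it to `ip_address = podman_output.decode("utf-8").strip()`. The four `subprocess.check_output` calls with identical `CalledProcessError` → `RuntimeError` wrapping would read better as one private `_run_podman(self, args)` helper returning the decoded output, and `podman stop` without `--time` relies on podman's default grace period, which for an `sshd -D` container is presumably fine but deserves a one-line comment.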
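Review bot: The new `--container` option selects the Podman backend exclusively (see the `PodmanTestEnv` branch added to `normalize_passed_arguments`), but its help string `"Use container test environment with this base image."` does not say so while `--docker` names its engine; `help="Use Podman container test environment with this base image."` matches the README wording in this series. Both options live in the `backends` group, whose definition is outside the hunk, so I am assuming it is mutually exclusive and a user passing both gets the group's error rather than Docker silently winning.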
the new Podman backend + +--- + tests/README.md | 70 ++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 52 insertions(+), 18 deletions(-) + +diff --git a/tests/README.md b/tests/README.md +index 02ddc2921e..517f754c8c 100644 +--- a/tests/README.md ++++ b/tests/README.md +@@ -10,7 +10,7 @@ remediation works. + + ## Prerequisites + +-You can use the more powerful VM-based tests, or more lightweight Docker-based tests. ++You can use the more powerful VM-based tests, or more lightweight container-based tests. + + For the Test Suite to work, you need to have libvirt domains prepared for + testing. +@@ -69,9 +69,10 @@ VM-based tests: + - `hypervisor`: Typically, you will use the `qemu:///system` value. + - `domain`: `libvirt` domain, which is basically name of the virtual machine. + +-docker-based tests: ++Container-based tests: + +-- `--docker`: Accepts the base image name. ++- `--docker`: Uses Docker as container engine. Accepts the base image name. ++- `--container`: Uses Podman as container engine. Accepts the base image name. + + ### Profile-based testing + +@@ -187,41 +188,74 @@ Now, you can perform validation check with command + ./test_suite.py rule --libvirt qemu:///system ssg-test-suite-centos --datastream ../build/ssg-centos7-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_sshd_disable_kerb_auth + ``` + +-## Docker backend ++## Container backends + +-You can also use the docker-based for running tests, just use the script with the `--docker` argument. +-You need to provide `--docker ` option on the command-line. ++You can also run the tests in a container. There are 2 container backends, Podman and Docker, supported. ++ ++To use container backends, use the following options on the command line: ++ ++- Podman - `--container ` ++- Docker - `--docker ` + + To obtain the base image, you can use `test_suite-*` Dockerfiles in the `Dockerfiles` directory to build it. 
+ We recommend to use RHEL-based containers, as the test suite is optimized for testing the RHEL content. + +-Build the image using this command: ++To use Podman backend, you need to have: + +-``` +-public_key="ssh-rsa AAAAB3NzaC1y...rJSs4BL me@localhost" +-docker build --build-arg CLIENT_PUBLIC_KEY="$public_key" -t ssg_test_suite -f test_suite-rhel . +-``` +- +-Run the test suite using this command: ++- `podman` package installed, and ++- rights that allow you to start/stop containers and to create images. + +-``` +-./test_suite.py rule --docker ssg_test_suite --datastream ../build/ssg-centos7-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_sshd_disable_kerb_auth +-``` ++To use Docker backend, you need to have: + +-On your side, you need to have + - the [docker](https://pypi.org/project/docker/) Python module installed. You may have to use `pip` to install it on older distributions s.a. RHEL 7, running `pip install --user docker` as `root` will do the trick of installing it only for the `root` user. + - the Docker service running, and + - rights that allow you to start/stop containers and to create images. + This level of rights is considered to be insecure, so it is recommended to run the test suite in a VM. + You can accomplish this by creating a `docker` group, then add yourself in it and restart `docker`. + +-The Docker image you want to use with the tests needs to be prepared, so it can scan itself, and that it can accept connections and data. ++ ++### Building the base image ++ ++The container image you want to use with the tests needs to be prepared, so it can scan itself, and that it can accept connections and data. 
+ Following services need to be supported: + + - `sshd` (`openssh-server` needs to be installed, server host keys have to be in place, root's `.ssh/authorized_keys` are set up with correct permissions) + - `scp` (`openssh-clients` need to be installed - `scp` requires more than a ssh server on the server-side) + - `oscap` (`openscap-scanner` - the container has to be able to scan itself) + - You may want to include another packages, as base images tend to be bare-bone and tests may require more packages to be present. ++ ++Using Podman: ++ ++NOTE: With Podman, you have to run all the operations as root. Podman supports rootless containers, but the test suite internally uses a container exposing a TCP port. As of Podman version 0.12.1.2, port bindings are not yet supported by rootless containers. ++ ++``` ++# public_key="ssh-rsa AAAAB3NzaC1y...rJSs4BL root@localhost" ++# podman build --build-arg CLIENT_PUBLIC_KEY="$public_key" -t ssg_test_suite -f test_suite-rhel . ++``` ++ ++Using Docker: ++ ++``` ++public_key="ssh-rsa AAAAB3NzaC1y...rJSs4BL me@localhost" ++docker build --build-arg CLIENT_PUBLIC_KEY="$public_key" -t ssg_test_suite -f test_suite-rhel . ++``` ++ ++### Running the tests ++ ++This is an example to run test scenarios for rule `rule_sshd_disable_kerb_auth`: ++ ++Using Podman: ++ ++``` ++./test_suite.py rule --container ssg_test_suite --datastream ../build/ssg-centos7-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_sshd_disable_kerb_auth ++``` ++ ++Using Docker: ++ ++``` ++./test_suite.py rule --docker ssg_test_suite --datastream ../build/ssg-centos7-ds.xml --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml rule_sshd_disable_kerb_auth ++``` ++ + Also, as containers may get any IP address, a conflict may appear in your local client's `known_hosts` file. 
+ You might have a version of `oscap-ssh` that doesn't support ssh connection customization at the client-side, so it may be a good idea to disable known hosts checks for all hosts if you are testing on a VM or under a separate user. + You can do that by putting following lines in your `$HOME/.ssh/config` file: + +From e27f410f20dd1fb7fb719f5d4874774ef43316ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Jan 2019 15:47:44 +0100 +Subject: [PATCH 4/7] Refactor: Extract common code to a parent class + +Classes DockerTestEnv and PodmanTestEnv contain a lot of duplicate code. +They're very similar because both of them are a specific implementation +of a generic container backend. We introduce a new parent class +ContainerTestEnv that contains common code. Then, DockerTestEnv and +PodmanTestEnv will inherit from ContainerTestEnv. +--- + tests/ssg_test_suite/test_env.py | 188 ++++++++++++------------------- + 1 file changed, 74 insertions(+), 114 deletions(-) + +diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py +index 4c1503542c..1b11f4888b 100644 +--- a/tests/ssg_test_suite/test_env.py ++++ b/tests/ssg_test_suite/test_env.py +@@ -172,28 +172,14 @@ def offline_scan(self, args, verbose_path): + return common.run_cmd_local(command_list, verbose_path) + + +-class DockerTestEnv(TestEnv): +- name = "docker-based" +- +- def __init__(self, mode, image_name): +- super(DockerTestEnv, self).__init__(mode) +- ++class ContainerTestEnv(TestEnv): ++ def __init__(self, scanning_mode, image_name): ++ super(ContainerTestEnv, self).__init__(scanning_mode) + self._name_stem = "ssg_test" +- +- try: +- self.client = docker.from_env(version="auto") +- self.client.ping() +- except Exception as exc: +- msg = ( +- "Unable to start the Docker test environment, " +- "is the Docker service started " +- "and do you have rights to access it?" 
+- .format(str(exc))) +- raise RuntimeError(msg) +- + self.base_image = image_name + self.created_images = [] + self.containers = [] ++ self.domain_ip = None + + def start(self): + self.run_container(self.base_image) +@@ -221,7 +207,7 @@ def _create_new_image(self, from_container, name): + new_image_name = self.image_stem2fqn(name) + if not from_container: + from_container = self.run_container(self.current_image) +- from_container.commit(repository=new_image_name) ++ self._commit(from_container, new_image_name) + self.created_images.append(new_image_name) + return new_image_name + +@@ -232,13 +218,10 @@ def _save_state(self, state_name): + def run_container(self, image_name, container_name="running"): + new_container = self._new_container_from_image(image_name, container_name) + self.containers.append(new_container) +- + # Get the container time to fully start its service + time.sleep(0.2) + +- new_container.reload() +- self.domain_ip = new_container.attrs["NetworkSettings"]["Networks"]["bridge"]["IPAddress"] +- ++ self.domain_ip = self._get_container_ip(new_container) + return new_container + + def reset_state_to(self, state_name, new_running_state_name): +@@ -249,114 +232,104 @@ def reset_state_to(self, state_name, new_running_state_name): + + return new_container + +- def _find_image_by_name(self, image_name): +- # only in DockerTestEnv +- return self.client.images.get(image_name) ++ def _delete_saved_state(self, image): ++ self._terminate_current_running_container_if_applicable() ++ ++ assert self.created_images ++ ++ associated_image = self.created_images.pop() ++ assert associated_image == image ++ self._remove_image(associated_image) ++ ++ def discard_running_state(self, state_handle): ++ self._terminate_current_running_container_if_applicable() ++ ++ def offline_scan(self, args, verbose_path): ++ command_list = self._local_oscap_check_base_arguments() + args ++ ++ return common.run_cmd_local(command_list, verbose_path) ++ ++ def _commit(self, container, 
image): ++ pass + + def _new_container_from_image(self, image_name, container_name): +- img = self._find_image_by_name(image_name) ++ pass ++ ++ def _get_container_ip(self, container): ++ pass ++ ++ def _terminate_current_running_container_if_applicable(self): ++ pass ++ ++ def _remove_image(self, image): ++ pass ++ ++ def _local_oscap_check_base_arguments(self): ++ pass ++ ++ ++class DockerTestEnv(ContainerTestEnv): ++ name = "docker-based" ++ ++ def __init__(self, mode, image_name): ++ super(DockerTestEnv, self).__init__(mode, image_name) ++ try: ++ self.client = docker.from_env(version="auto") ++ self.client.ping() ++ except Exception as exc: ++ msg = ( ++ "Unable to start the Docker test environment, " ++ "is the Docker service started " ++ "and do you have rights to access it?" ++ .format(str(exc))) ++ raise RuntimeError(msg) ++ ++ def _commit(self, container, image): ++ container.commit(repository=image) ++ ++ def _new_container_from_image(self, image_name, container_name): ++ img = self.client.images.get(image_name) + result = self.client.containers.run( + img, "/usr/sbin/sshd -D", + name="{0}_{1}".format(self._name_stem, container_name), ports={"22": None}, + detach=True) + return result + ++ def _get_container_ip(self, container): ++ container.reload() ++ container_ip = container.attrs["NetworkSettings"]["Networks"]["bridge"]["IPAddress"] ++ return container_ip ++ + def _terminate_current_running_container_if_applicable(self): + if self.containers: + running_state = self.containers.pop() + running_state.stop() + running_state.remove() + +- def _delete_saved_state(self, image): +- self._terminate_current_running_container_if_applicable() +- +- assert self.created_images +- +- associated_image = self.created_images.pop() +- assert associated_image == image +- self.client.images.remove(associated_image) +- +- def discard_running_state(self, state_handle): +- self._terminate_current_running_container_if_applicable() ++ def _remove_image(self, image): ++ 
self.client.images.remove(image) + + def _local_oscap_check_base_arguments(self): + return ['oscap-docker', "container", self.current_container.id, + 'xccdf', 'eval'] + +- def offline_scan(self, args, verbose_path): +- command_list = self._local_oscap_check_base_arguments() + args +- +- return common.run_cmd_local(command_list, verbose_path) +- + +-class PodmanTestEnv(TestEnv): ++class PodmanTestEnv(ContainerTestEnv): + # TODO: Rework this class using Podman Python bindings (python3-podman) + # at the moment when their API will provide methods to run containers, + # commit images and inspect containers + name = "podman-based" + + def __init__(self, scanning_mode, image_name): +- super(PodmanTestEnv, self).__init__(scanning_mode) +- self._name_stem = "ssg_test" +- self.base_image = image_name +- self.created_images = [] +- self.containers = [] +- self.domain_ip = None +- +- def start(self): +- self.run_container(self.base_image) +- +- def finalize(self): +- self._terminate_current_running_container_if_applicable() +- +- def image_stem2fqn(self, stem): +- image_name = "{0}_{1}".format(self.base_image, stem) +- return image_name ++ super(PodmanTestEnv, self).__init__(scanning_mode, image_name) + +- @property +- def current_container(self): +- if self.containers: +- return self.containers[-1] +- return None +- +- @property +- def current_image(self): +- if self.created_images: +- return self.created_images[-1] +- return self.base_image +- +- def _create_new_image(self, from_container, name): +- new_image_name = self.image_stem2fqn(name) +- if not from_container: +- from_container = self.run_container(self.current_image) +- podman_cmd = ["podman", "commit", from_container, new_image_name] ++ def _commit(self, container, image): ++ podman_cmd = ["podman", "commit", container, image] + try: + subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), 
e.returncode, e.output.decode("utf-8")) + raise RuntimeError(msg) +- self.created_images.append(new_image_name) +- return new_image_name +- +- def _save_state(self, state_name): +- state = self._create_new_image(self.current_container, state_name) +- return state +- +- def run_container(self, image_name, container_name="running"): +- new_container = self._new_container_from_image(image_name, container_name) +- self.containers.append(new_container) +- # Get the container time to fully start its service +- time.sleep(0.2) +- self.domain_ip = self._get_container_ip(new_container) +- return new_container +- +- def reset_state_to(self, state_name, new_running_state_name): +- self._terminate_current_running_container_if_applicable() +- image_name = self.image_stem2fqn(state_name) +- +- new_container = self.run_container(image_name, new_running_state_name) +- +- return new_container + + def _new_container_from_image(self, image_name, container_name): + long_name = "{0}_{1}".format(self._name_stem, container_name) +@@ -372,7 +345,6 @@ def _new_container_from_image(self, image_name, container_name): + return container_id + + def _get_container_ip(self, container): +- # only in PodmanTestEnv + podman_cmd = ["podman", "inspect", container, "--format", "{{.NetworkSettings.IPAddress}}"] + try: + podman_output = subprocess.check_output(podman_cmd, stderr=subprocess.STDOUT) +@@ -398,25 +370,13 @@ def _terminate_current_running_container_if_applicable(self): + msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) + raise RuntimeError(msg) + +- def _delete_saved_state(self, image): +- self._terminate_current_running_container_if_applicable() +- +- assert self.created_images +- +- associated_image = self.created_images.pop() +- assert associated_image == image +- podman_cmd = ["podman", "rmi", associated_image] ++ def _remove_image(self, image): ++ podman_cmd = ["podman", "rmi", image] + try: + subprocess.check_output(podman_cmd, 
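Review bot: In the moved `DockerTestEnv.__init__`, the message `"Unable to start the Docker test environment, " "is the Docker service started " "and do you have rights to access it?" .format(str(exc))` has no `{}` placeholder, so the caught exception text is silently dropped and the user never learns why the Docker client failed. Append the placeholder: `"and do you have rights to access it? ({0})".format(str(exc))`. The defect predates the refactor, but the hunk re-emits those lines, so it is worth fixing while they are touched; the `ContainerTestEnv` stubs that merely `pass` here are replaced with `NotImplementedError` later in the series, so I am not raising those.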
stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + msg = "Command '{0}' returned {1}:\n{2}".format(" ".join(e.cmd), e.returncode, e.output.decode("utf-8")) + raise RuntimeError(msg) + +- def discard_running_state(self, state_handle): +- self._terminate_current_running_container_if_applicable() +- + def _local_oscap_check_base_arguments(self): +- raise NotImplementedError +- +- def offline_scan(self, args, verbose_path): + raise NotImplementedError("OpenSCAP doesn't support offline scanning of Podman Containers") + +From cbc93c8cf4320f81e00061492e5e2d76cc733c6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Jan 2019 16:28:43 +0100 +Subject: [PATCH 5/7] Import docker only if needed + +If people use only other backends than Docker they don't need to +install docker Python module. +--- + tests/ssg_test_suite/test_env.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py +index 1b11f4888b..1bbc955f7d 100644 +--- a/tests/ssg_test_suite/test_env.py ++++ b/tests/ssg_test_suite/test_env.py +@@ -6,8 +6,6 @@ + import time + import subprocess + +-import docker +- + import ssg_test_suite + from ssg_test_suite.virt import SnapshotStack + from ssg_test_suite import common +@@ -273,6 +271,10 @@ class DockerTestEnv(ContainerTestEnv): + + def __init__(self, mode, image_name): + super(DockerTestEnv, self).__init__(mode, image_name) ++ try: ++ import docker ++ except ImportError: ++ raise RuntimeError("Can't import Docker, Docker backend will not work.") + try: + self.client = docker.from_env(version="auto") + self.client.ping() + +From 5e76fd5ec49eabc7ef378d63fd86caeb2afb3b48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 17 Jan 2019 14:12:14 +0100 +Subject: [PATCH 6/7] Remove unused method discard_running_state + +--- + tests/ssg_test_suite/test_env.py | 6 ------ + 1 file changed, 6 deletions(-) + +diff 
--git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py +index 1bbc955f7d..2590102217 100644 +--- a/tests/ssg_test_suite/test_env.py ++++ b/tests/ssg_test_suite/test_env.py +@@ -151,9 +151,6 @@ def reset_state_to(self, state_name, new_running_state_name): + state = self.snapshot_stack.revert(delete=False) + return state + +- def discard_running_state(self, state_handle): +- pass +- + def _save_state(self, state_name): + state = self.snapshot_stack.create(state_name) + return state +@@ -239,9 +236,6 @@ def _delete_saved_state(self, image): + assert associated_image == image + self._remove_image(associated_image) + +- def discard_running_state(self, state_handle): +- self._terminate_current_running_container_if_applicable() +- + def offline_scan(self, args, verbose_path): + command_list = self._local_oscap_check_base_arguments() + args + + +From 50bfbaacb237e7f04a7f0d58a1468d4663889d25 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 18 Jan 2019 15:07:11 +0100 +Subject: [PATCH 7/7] Raise NotImplementedError in ContainerTestEnv + +--- + tests/ssg_test_suite/test_env.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/ssg_test_suite/test_env.py b/tests/ssg_test_suite/test_env.py +index 2590102217..34da74b0a5 100644 +--- a/tests/ssg_test_suite/test_env.py ++++ b/tests/ssg_test_suite/test_env.py +@@ -242,22 +242,22 @@ def offline_scan(self, args, verbose_path): + return common.run_cmd_local(command_list, verbose_path) + + def _commit(self, container, image): +- pass ++ raise NotImplementedError + + def _new_container_from_image(self, image_name, container_name): +- pass ++ raise NotImplementedError + + def _get_container_ip(self, container): +- pass ++ raise NotImplementedError + + def _terminate_current_running_container_if_applicable(self): +- pass ++ raise NotImplementedError + + def _remove_image(self, image): +- pass ++ raise NotImplementedError + + def 
_local_oscap_check_base_arguments(self): +- pass ++ raise NotImplementedError + + + class DockerTestEnv(ContainerTestEnv): diff --git a/SOURCES/profile_desc.patch b/SOURCES/profile_desc.patch new file mode 100644 index 0000000..ac60a48 --- /dev/null +++ b/SOURCES/profile_desc.patch 
@@ -0,0 +1,325 @@ +From 8e1b095971e92e7960f606bb43810102c6c77152 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 7 Jan 2019 14:36:06 +0100 +Subject: [PATCH] Reformatted profile descriptions. + +Went for the `description: |-` way, so there is no need for quoting +or for using `\n` to introduce newlines. + +This makes descriptions easier to read and edit, and removes some cases when +literal `\n` made it to the actual description. +--- + fedora/profiles/pci-dss.profile | 4 ++-- + ol7/profiles/sap.profile | 2 +- + rhel6/profiles/C2S.profile | 15 +++++++++----- + rhel6/profiles/CSCF-RHEL6-MLS.profile | 11 ++++++---- + rhel6/profiles/desktop.profile | 3 ++- + rhel6/profiles/nist-CL-IL-AL.profile | 7 ++++--- + rhel6/profiles/server.profile | 3 +-- + rhel6/profiles/usgcb-rhel6-server.profile | 3 +-- + rhel7/profiles/docker-host.profile | 11 +++++----- + rhel7/profiles/nist-800-171-cui.profile | 25 ++++++++++++++++------- + rhel7/profiles/pci-dss.profile | 4 ++-- + rhel7/profiles/rht-ccp.profile | 9 ++++---- + rhel7/profiles/stig-rhel7-disa.profile | 24 ++++++++++++---------- + rhel7/profiles/stig-rhvh-upstream.profile | 7 ++++--- + rhel8/profiles/pci-dss.profile | 4 ++-- + 15 files changed, 78 insertions(+), 54 deletions(-) + +diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile +index cfa48b6051..5e47534e81 100644 +--- a/fedora/profiles/pci-dss.profile ++++ b/fedora/profiles/pci-dss.profile +@@ -2,8 +2,8 @@ documentation_complete: true + + title: 'PCI-DSS v3 Control Baseline for Fedora' + +-description: 'Ensures PCI-DSS v3 related security configuration settings \n +- \ are applied.' ++description: |- ++ Ensures PCI-DSS v3 related security configuration settings are applied. 
+ + selections: + - var_password_pam_unix_remember=4 +diff --git a/ol7/profiles/sap.profile b/ol7/profiles/sap.profile +index f2a017e389..199866b300 100644 +--- a/ol7/profiles/sap.profile ++++ b/ol7/profiles/sap.profile +@@ -5,7 +5,7 @@ title: 'Security Profile of Oracle Linux 7 for SAP' + description: |- + This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2. + Regardless of your system's workload all of these checks should pass. +- ++ + selections: + - package_glibc_installed + - package_uuidd_installed +diff --git a/rhel6/profiles/C2S.profile b/rhel6/profiles/C2S.profile +index 3d26cb7b43..f3a3f82590 100644 +--- a/rhel6/profiles/C2S.profile ++++ b/rhel6/profiles/C2S.profile +@@ -2,11 +2,16 @@ documentation_complete: true + + title: 'C2S for Red Hat Enterprise Linux 6' + +-description: "This profile demonstrates compliance against the \nU.S. Government Commercial Cloud Services (C2S) baseline.\n\ +- \nThis baseline was inspired by the Center for Internet Security\n(CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 -\ +- \ 06-25-2013.\nFor the SCAP Security Guide project to remain in compliance with\nCIS' terms and conditions, specifically\ +- \ Restrictions(8), note \nthere is no representation or claim that the C2S profile will\nensure a system is in compliance\ +- \ or consistency with the CIS\nbaseline." ++description: |- ++ This profile demonstrates compliance against the ++ U.S. Government Commercial Cloud Services (C2S) baseline. ++ nThis baseline was inspired by the Center for Internet Security ++ (CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. ++ For the SCAP Security Guide project to remain in compliance with ++ CIS' terms and conditions, specifically Restrictions(8), note ++ there is no representation or claim that the C2S profile will ++ ensure a system is in compliance or consistency with the CIS ++ baseline. 
+ + selections: + - var_selinux_state=enforcing +diff --git a/rhel6/profiles/CSCF-RHEL6-MLS.profile b/rhel6/profiles/CSCF-RHEL6-MLS.profile +index dbd3a4ee88..104ebeadca 100644 +--- a/rhel6/profiles/CSCF-RHEL6-MLS.profile ++++ b/rhel6/profiles/CSCF-RHEL6-MLS.profile +@@ -2,10 +2,13 @@ documentation_complete: true + + title: 'CSCF RHEL6 MLS Core Baseline' + +-description: "This profile reflects the Centralized Super Computing Facility \n(CSCF) baseline for Red Hat Enterprise Linux\ +- \ 6. This baseline has received \ngovernment ATO through the ICD 503 process, utilizing the CNSSI 1253 cross \ndomain\ +- \ overlay. This profile should be considered in active development. \nAdditional tailoring will be needed, such as the\ +- \ creation of RBAC roles \nfor production deployment." ++description: |- ++ This profile reflects the Centralized Super Computing Facility ++ (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received ++ government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross ++ domain overlay. This profile should be considered in active development. ++ Additional tailoring will be needed, such as the creation of RBAC roles ++ for production deployment. + + selections: + - var_auditd_max_log_file_action=keep_logs +diff --git a/rhel6/profiles/desktop.profile b/rhel6/profiles/desktop.profile +index 4c24a8e44c..f800f0ffe1 100644 +--- a/rhel6/profiles/desktop.profile ++++ b/rhel6/profiles/desktop.profile +@@ -2,7 +2,8 @@ documentation_complete: true + + title: 'Desktop Baseline' + +-description: "This profile is for a desktop installation of \nRed Hat Enterprise Linux 6." ++description: |- ++ This profile is for a desktop installation of Red Hat Enterprise Linux 6. 
+ + extends: standard + +diff --git a/rhel6/profiles/nist-CL-IL-AL.profile b/rhel6/profiles/nist-CL-IL-AL.profile +index 3117952d56..9f8718329b 100644 +--- a/rhel6/profiles/nist-CL-IL-AL.profile ++++ b/rhel6/profiles/nist-CL-IL-AL.profile +@@ -2,9 +2,10 @@ documentation_complete: true + + title: "CNSSI 1253 Low/Low/Low Control Baseline" + +-description: "This profile follows the Committee on National \nSecurity Systems Instruction (CNSSI) No. 1253, \"Security Categorization\ +- \ and \nControl Selection for National Security Systems\" on security controls to meet\nlow confidentiality, low integrity,\ +- \ and low assurance.\"" ++description: |- ++ This profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253, ++ "Security Categorization and Control Selection for National Security Systems" ++ on security controls to meet low confidentiality, low integrity, and low assurance. + + extends: standard + +diff --git a/rhel6/profiles/server.profile b/rhel6/profiles/server.profile +index bd38be4751..833a12f2e4 100644 +--- a/rhel6/profiles/server.profile ++++ b/rhel6/profiles/server.profile +@@ -3,8 +3,7 @@ documentation_complete: true + title: 'Server Baseline' + + description: |- +- This profile is for Red Hat Enterprise Linux 6 +- acting as a server. ++ This profile is for Red Hat Enterprise Linux 6 acting as a server. + + extends: standard + +diff --git a/rhel6/profiles/usgcb-rhel6-server.profile b/rhel6/profiles/usgcb-rhel6-server.profile +index 5de5ece862..893de33b17 100644 +--- a/rhel6/profiles/usgcb-rhel6-server.profile ++++ b/rhel6/profiles/usgcb-rhel6-server.profile +@@ -3,8 +3,7 @@ documentation_complete: true + title: 'United States Government Configuration Baseline (USGCB)' + + description: |- +- This profile is a working draft for a USGCB submission against +- RHEL6 Server. ++ This profile is a working draft for a USGCB submission against RHEL6 Server. 
+ + selections: + - kernel_disable_entropy_contribution_for_solid_state_drives +diff --git a/rhel7/profiles/docker-host.profile b/rhel7/profiles/docker-host.profile +index b4de74743e..98fd5ecb51 100644 +--- a/rhel7/profiles/docker-host.profile ++++ b/rhel7/profiles/docker-host.profile +@@ -2,11 +2,12 @@ documentation_complete: false + + title: 'DRAFT - Standard Docker Host Security Profile' + +-description: "This profile contains rules to ensure standard security \n +- \ baseline of Red Hat Enterprise Linux 7 system running the docker \n +- \ \n +- \ This discussion is currently being held on open-scap-list@redhat.com \n +- \ and scap-security-guide@lists.fedorahosted.org." ++description: |- ++ This profile contains rules to ensure standard security ++ baseline of Red Hat Enterprise Linux 7 system running the docker ++ ++ This discussion is currently being held on open-scap-list@redhat.com ++ and scap-security-guide@lists.fedorahosted.org. + + selections: + - service_docker_enabled +diff --git a/rhel7/profiles/nist-800-171-cui.profile b/rhel7/profiles/nist-800-171-cui.profile +index 279d061bc9..966c2a2a75 100644 +--- a/rhel7/profiles/nist-800-171-cui.profile ++++ b/rhel7/profiles/nist-800-171-cui.profile +@@ -2,13 +2,24 @@ documentation_complete: true + + title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + +-description: "From NIST 800-171, Section 2.2:\nSecurity requirements for protecting the confidentiality of CUI in nonfederal\ +- \ \ninformation systems and organizations have a well-defined structure that \nconsists of:\n\n(i) a basic security requirements\ +- \ section;\n(ii) a derived security requirements section.\n\nThe basic security requirements are obtained from FIPS Publication\ +- \ 200, which\nprovides the high-level and fundamental security requirements for federal\ninformation and information systems.\ +- \ The derived security requirements, which\nsupplement the basic security requirements, are 
taken from the security controls\n\ +- in NIST Special Publication 800-53.\n\nThis profile configures Red Hat Enterprise Linux 7 to the NIST Special\nPublication\ +- \ 800-53 controls identified for securing Controlled Unclassified\nInformation (CUI)." ++description: |- ++ From NIST 800-171, Section 2.2: ++ Security requirements for protecting the confidentiality of CUI in nonfederal ++ information systems and organizations have a well-defined structure that ++ consists of: ++ ++ (i) a basic security requirements section; ++ (ii) a derived security requirements section. ++ ++ The basic security requirements are obtained from FIPS Publication 200, which ++ provides the high-level and fundamental security requirements for federal ++ information and information systems. The derived security requirements, which ++ supplement the basic security requirements, are taken from the security controls ++ in NIST Special Publication 800-53. ++ ++ This profile configures Red Hat Enterprise Linux 7 to the NIST Special ++ Publication 800-53 controls identified for securing Controlled Unclassified ++ Information (CUI). + + extends: ospp + +diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile +index dca99e79d6..13cc6ac0d6 100644 +--- a/rhel7/profiles/pci-dss.profile ++++ b/rhel7/profiles/pci-dss.profile +@@ -2,8 +2,8 @@ documentation_complete: true + + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7' + +-description: 'Ensures PCI-DSS v3 related security configuration settings \n +- \ are applied.' ++description: |- ++ Ensures PCI-DSS v3 related security configuration settings are applied. 
+ + selections: + - var_password_pam_unix_remember=4 +diff --git a/rhel7/profiles/rht-ccp.profile b/rhel7/profiles/rht-ccp.profile +index eb4d854807..0b44b55078 100644 +--- a/rhel7/profiles/rht-ccp.profile ++++ b/rhel7/profiles/rht-ccp.profile +@@ -2,10 +2,11 @@ documentation_complete: true + + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +-description: 'This profile contains the minimum security relevant \n +- \ configuration settings recommended by Red Hat, Inc for \n +- \ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified \n +- \ Cloud Providers.' ++description: |- ++ This profile contains the minimum security relevant ++ configuration settings recommended by Red Hat, Inc for ++ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified ++ Cloud Providers. + + selections: + - var_selinux_state=enforcing +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index 7200e9dc8a..f751bc0857 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -2,17 +2,19 @@ documentation_complete: true + + title: 'DISA STIG for Red Hat Enterprise Linux 7' + +-description: "This profile contains configuration checks that align to the \n +- \ DISA STIG for Red Hat Enterprise Linux V1R4. \n +- \ \n +- \ In addition to being applicable to RHEL7, DISA recognizes this \n +- \ configuration baseline as applicable to the operating system tier of \n +- \ Red Hat technologies that are based off RHEL7, such as: \n +- \ - Red Hat Enterprise Linux Server \n +- \ - Red Hat Enterprise Linux Workstation and Desktop \n +- \ - Red Hat Virtualization Hypervisor (RHV-H) \n +- \ - Red Hat Enterprise Linux for HPC \n +- \ - Red Hat Storage" ++description: |- ++ This profile contains configuration checks that align to the \ ++ DISA STIG for Red Hat Enterprise Linux V1R4. 
++ ++ In addition to being applicable to RHEL7, DISA recognizes this \ ++ configuration baseline as applicable to the operating system tier of \ ++ Red Hat technologies that are based off RHEL7, such as: ++ ++ - Red Hat Enterprise Linux Server ++ - Red Hat Enterprise Linux Workstation and Desktop ++ - Red Hat Virtualization Hypervisor (RHV-H) ++ - Red Hat Enterprise Linux for HPC ++ - Red Hat Storage + + selections: + - login_banner_text=dod_banners +diff --git a/rhel7/profiles/stig-rhvh-upstream.profile b/rhel7/profiles/stig-rhvh-upstream.profile +index 63180472c6..f764db6a6c 100644 +--- a/rhel7/profiles/stig-rhvh-upstream.profile ++++ b/rhel7/profiles/stig-rhvh-upstream.profile +@@ -2,9 +2,10 @@ documentation_complete: false + + title: 'DRAFT - STIG for Red Hat Virtualization Hypervisor' + +-description: "This is a *draft* profile for STIG. This profile is being \n +- \ developed under the DISA Vendor STIG model in coordination with \n +- \ DISA FSO." ++description: |- ++ This is a *draft* profile for STIG. This profile is being ++ developed under the DISA Vendor STIG model in coordination with ++ DISA FSO. + + extends: stig-rhel7-disa + +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index ec901d84cb..a81849ac41 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -2,8 +2,8 @@ documentation_complete: true + + title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8' + +-description: 'Ensures PCI-DSS v3 related security configuration settings \n +- \ are applied.' ++description: |- ++ Ensures PCI-DSS v3 related security configuration settings are applied. + + selections: + - var_password_pam_unix_remember=4 diff --git a/SOURCES/profile_desc2.patch b/SOURCES/profile_desc2.patch new file mode 100644 index 0000000..47026a1 --- /dev/null +++ b/SOURCES/profile_desc2.patch 
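Review bot: The reflowed C2S description in rhel6/profiles/C2S.profile keeps a stray `n` from the old `\n` escape: the third line of the new block scalar reads `nThis baseline was inspired by the Center for Internet Security` and should read `This baseline was inspired by the Center for Internet Security`. The other conversion residue in this patch (the trailing `\` in stig-rhel7-disa.profile, the missing period in docker-host.profile) is cleaned up by the following profile_desc2.patch, but this one is not covered there, so it will appear verbatim in the rendered profile description. A quick grep of the converted `|-` block scalars for a leading `n` at line start and a `\` at line end would catch any further leftovers before the series is applied.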
@@ -0,0 +1,56 @@ +From 0f3788743238ae998e646bc507cf3b0852f6c75d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 11 Jan 2019 15:36:17 +0100 +Subject: [PATCH] Fixed minor profile description issues. + +--- + rhel7/profiles/docker-host.profile | 2 +- + rhel7/profiles/nist-800-171-cui.profile | 2 +- + rhel7/profiles/stig-rhel7-disa.profile | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/rhel7/profiles/docker-host.profile b/rhel7/profiles/docker-host.profile +index 98fd5ecb51..894b78930b 100644 +--- a/rhel7/profiles/docker-host.profile ++++ b/rhel7/profiles/docker-host.profile +@@ -4,7 +4,7 @@ title: 'DRAFT - Standard Docker Host Security Profile' + + description: |- + This profile contains rules to ensure standard security +- baseline of Red Hat Enterprise Linux 7 system running the docker ++ baseline of Red Hat Enterprise Linux 7 system running docker. + + This discussion is currently being held on open-scap-list@redhat.com + and scap-security-guide@lists.fedorahosted.org. 
+diff --git a/rhel7/profiles/nist-800-171-cui.profile b/rhel7/profiles/nist-800-171-cui.profile +index 966c2a2a75..7230ad0654 100644 +--- a/rhel7/profiles/nist-800-171-cui.profile ++++ b/rhel7/profiles/nist-800-171-cui.profile +@@ -4,7 +4,7 @@ title: 'Unclassified Information in Non-federal Information Systems and Organiza + + description: |- + From NIST 800-171, Section 2.2: +- Security requirements for protecting the confidentiality of CUI in nonfederal ++ Security requirements for protecting the confidentiality of CUI in non-federal + information systems and organizations have a well-defined structure that + consists of: + +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index f751bc0857..01ee1dbfed 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -3,11 +3,11 @@ documentation_complete: true + title: 'DISA STIG for Red Hat Enterprise Linux 7' + + description: |- +- This profile contains configuration checks that align to the \ ++ This profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux V1R4. + +- In addition to being applicable to RHEL7, DISA recognizes this \ +- configuration baseline as applicable to the operating system tier of \ ++ In addition to being applicable to RHEL7, DISA recognizes this ++ configuration baseline as applicable to the operating system tier of + Red Hat technologies that are based off RHEL7, such as: + + - Red Hat Enterprise Linux Server diff --git a/SOURCES/profile_desc_typo_fix.patch b/SOURCES/profile_desc_typo_fix.patch new file mode 100644 index 0000000..404a9ba --- /dev/null +++ b/SOURCES/profile_desc_typo_fix.patch 
@@ -0,0 +1,42 @@ +From 8a36a32e1e6687f1169335ec441965d7f221479d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 Feb 2019 18:00:43 +0100 +Subject: [PATCH] PCI-DSS profile v3.2.1 are compliant + +--- + rhel7/profiles/pci-dss.profile | 4 ++-- + rhel8/profiles/pci-dss.profile | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile +index 9cf12ee7b9..7ba7873a81 100644 +--- a/rhel7/profiles/pci-dss.profile ++++ b/rhel7/profiles/pci-dss.profile +@@ -1,9 +1,9 @@ + documentation_complete: true + +-title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7' ++title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' + + description: |- +- Ensures PCI-DSS v3 related security configuration settings are applied. ++ Ensures PCI-DSS v3.2.1 related security configuration settings are applied. + + selections: + - var_password_pam_unix_remember=4 +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index fb0ecfa6b8..f1a183ac5f 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -1,9 +1,9 @@ + documentation_complete: true + +-title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 8' ++title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8' + + description: |- +- Ensures PCI-DSS v3 related security configuration settings are applied. ++ Ensures PCI-DSS v3.2.1 related security configuration settings are applied. + + selections: + - var_password_pam_unix_remember=4 diff --git a/SOURCES/remove_sshd_rhosts_rsa_selection.patch b/SOURCES/remove_sshd_rhosts_rsa_selection.patch new file mode 100644 index 0000000..ebdc7ad --- /dev/null +++ b/SOURCES/remove_sshd_rhosts_rsa_selection.patch 
@@ -0,0 +1,49 @@ +From 5018939a4e526250ded2053adb9c4f286e497077 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 8 Jan 2019 18:11:14 +0100 +Subject: [PATCH] Remove the sshd_disable_rhosts_rsa rule from RHEL8 and Fedora + profiles. + +The rule references a sshd configuration option that is not relevant for up-to-date RHEL>=7 systems. +--- + fedora/profiles/ospp.profile | 1 - + rhel8/profiles/hipaa.profile | 1 - + rhel8/profiles/ospp.profile | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index f6c3023e6b..4389b6d438 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -72,7 +72,6 @@ selections: + - disable_host_auth + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +- - sshd_disable_rhosts_rsa + - sshd_disable_rhosts + - sshd_disable_user_known_hosts + - var_accounts_passwords_pam_faillock_deny=3 +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index feb98007cf..48fd03b46d 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -57,7 +57,6 @@ selections: + - sshd_disable_compression + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +- - sshd_disable_rhosts_rsa + - sshd_disable_rhosts + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 9ecd2e90e5..9480206d89 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -67,7 +67,6 @@ selections: + - disable_host_auth + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +- - sshd_disable_rhosts_rsa + - sshd_disable_rhosts + - sshd_disable_user_known_hosts + - var_accounts_passwords_pam_faillock_deny=3 diff --git a/SOURCES/select_software_updates.patch b/SOURCES/select_software_updates.patch new file mode 100644 index 0000000..3b15709 --- /dev/null +++ b/SOURCES/select_software_updates.patch 
@@ -0,0 +1,34 @@ +From a48519159189c7b1c48bcdbd48908fbfd60e2829 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 Feb 2019 18:27:35 +0100 +Subject: [PATCH] Check for software updates in RHEL8 profiles + +--- + rhel8/profiles/ospp.profile | 1 + + rhel8/profiles/pci-dss.profile | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 4c8fe02f1..4e3302be4 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -187,6 +187,7 @@ selections: + - audit_rules_kernel_module_loading_insmod + - audit_rules_kernel_module_loading_modprobe + - audit_rules_kernel_module_loading_rmmod ++ - security_patches_up_to_date + - audit_rules_etc_passwd_open + - audit_rules_etc_passwd_openat + - audit_rules_etc_passwd_open_by_handle_at +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index ec901d84c..162de0d9d 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -112,6 +112,7 @@ selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled ++ - security_patches_up_to_date + - smartcard_auth + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_logindefs diff --git a/SOURCES/split-os-is-certified.patch b/SOURCES/split-os-is-certified.patch new file mode 100644 index 0000000..0332613 --- /dev/null +++ b/SOURCES/split-os-is-certified.patch 
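Review bot: In rhel8/profiles/ospp.profile the new `- security_patches_up_to_date` selection is inserted between `audit_rules_kernel_module_loading_rmmod` and `audit_rules_etc_passwd_open`, splitting a contiguous run of audit_rules_* selections; the pci-dss.profile hunk instead places it next to the `ensure_gpgcheck_*` software-integrity selections, which is where it belongs in the OSPP profile as well. Moving it keeps the two profiles consistent and the grouping readable. Separately, if this rule's check pulls the vendor advisory feed at scan time, as I believe it does elsewhere in this project, offline or air-gapped scans will report it as not checked or in error rather than pass, which is worth a sentence in the profile description.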
@@ -0,0 +1,337 @@ +From 6f72c4bda4825293c39d32373040b4c049a0615b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 5 Dec 2018 10:47:34 +0100 +Subject: [PATCH] Split rule installed_OS_is certified + +Split rule installed_OS_is certified to 2 rules: + * installed OS is vendor supported (is RHEL) + * installed OS has received FIPS certification +The original intention of the rule installed_OS_is_certified was to +serve as dependency for FIPS-related checks such as +grub2_enable_FIPS_mode. Over the time new requirements have been added +to ensure Red Hat Enterprise Linux is evaluated (and not CentOS). +The rules that require FIPS certification will now depend on +'installed_OS_is_FIPS_certified'. The profiles will contain +'installed_OS_is_vendor_supported' +--- + fedora/profiles/ospp.profile | 2 +- + .../sshd_use_approved_ciphers/oval/shared.xml | 2 +- + .../sshd_use_approved_macs/oval/shared.xml | 2 +- + .../oval/shared.xml | 11 +++-- + .../installed_OS_is_FIPS_certified/rule.yml | 44 +++++++++++++++++++ + .../oval/shared.xml | 21 +++++++++ + .../rule.yml | 25 +++++------ + .../grub2_enable_fips_mode/oval/shared.xml | 2 +- + .../oval/shared.xml | 2 +- + .../aide/aide_use_fips_hashes/oval/shared.xml | 2 +- + rhel7/profiles/ospp.profile | 2 +- + rhel7/profiles/ospp42.profile | 2 +- + rhel7/profiles/stig-rhel7-disa.profile | 2 +- + rhel8/profiles/ospp.profile | 2 +- + 14 files changed, 90 insertions(+), 31 deletions(-) + rename linux_os/guide/system/software/integrity/certified-vendor/{installed_OS_is_certified => installed_OS_is_FIPS_certified}/oval/shared.xml (69%) + create mode 100644 linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml + rename linux_os/guide/system/software/integrity/certified-vendor/{installed_OS_is_certified => 
installed_OS_is_vendor_supported}/rule.yml (54%) + +diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index c115ab6bce..0ba407bfc8 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -13,7 +13,7 @@ description: |- + similar to the one mandated by US National Security Systems. + + selections: +- - installed_OS_is_certified ++ - installed_OS_is_vendor_supported + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - service_auditd_enabled +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +index 5a4e3a1f9b..0e66bbee28 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +@@ -8,7 +8,7 @@ + Limit the ciphers to those which are FIPS-approved. + + +- ++ + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +index 2aed2ec9ad..0e6d1e88ce 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +@@ -9,7 +9,7 @@ + Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. 
+ + +- ++ + + +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +similarity index 69% +rename from linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml +rename to linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +index 256c3b289c..6599c3eeee 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml +@@ -1,16 +1,15 @@ + +- ++ + +- Vendor Certified Operating System ++ FIPS 140-2 Certified Operating System + + multi_platform_rhel + multi_platform_rhosp + multi_platform_fedora + +- The operating system installed on the system is +- a certified vendor operating system and meets government +- requirements/certifications such as FIPS, NIAP, etc. ++ ++ The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements. ++ + + + +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml +new file mode 100644 +index 0000000000..ffdc4825d6 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml +@@ -0,0 +1,44 @@ ++documentation_complete: true ++ ++prodtype: rhel6,rhel7,rhel8,fedora,ol7 ++ ++title: 'The Installed Operating System Is FIPS 140-2 Certified' ++ ++description: |- ++ To enable processing of sensitive information the operating system must ++ provide certified cryptographic modules compliant with FIPS 140-2 ++ standard. 
++ {{% if product in ["rhel6", "rhel7"] %}} ++ Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise ++ Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards. ++ {{% endif %}} ++ ++rationale: |- ++ The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS ++ PUB 140-2) is a computer security standard. The standard specifies security ++ requirements for cryptographic modules used to protect sensitive ++ unclassified information. Refer to the full FIPS 140-2 standard at ++ {{{ weblink(link="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf") }}} ++ for further details on the requirements. ++ FIPS 140-2 validation is required by U.S. law when information systems use ++ cryptography to protect sensitive government information. In order to ++ achieve FIPS 140-2 certification, cryptographic modules are subject to ++ extensive testing by independent laboratories, accredited by National ++ Institute of Standards and Technology (NIST). ++ ++warnings: ++ - general: |- ++ There is no remediation besides switching to a different operating system. ++ ++severity: high ++ ++ocil_clause: 'the installed operating system is not FIPS 140-2 certified' ++ ++{{% if product in ["rhel6", "rhel7"] %}} ++ocil: |- ++ To verify that the installed operating system is supported or certified, run ++ the following command: ++
$ grep -i "red hat" /etc/redhat-release
++ The output should contain something similar to: ++
{{{ full_name }}}
++{{% endif %}} +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml +new file mode 100644 +index 0000000000..37f55dfa8c +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml +@@ -0,0 +1,21 @@ ++ ++ ++ ++ Vendor Supported Operating System ++ ++ multi_platform_rhel ++ multi_platform_rhosp ++ multi_platform_fedora ++ ++ ++ The operating system installed on the system is supported by a vendor that provides security patches. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +similarity index 54% +rename from linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml +rename to linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index bfec874ff7..6c5afede5d 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -2,26 +2,24 @@ documentation_complete: true + + prodtype: rhel6,rhel7,rhel8,fedora,ol7 + +-title: 'The Installed Operating System Is Vendor Supported and Certified' ++title: 'The Installed Operating System Is Vendor Supported' + + description: |- +- The installed operating system must be maintained and certified by a vendor. ++ The installed operating system must be maintained by a vendor. + {{% if product == "ol7" %}} + Oracle Linux is supported by Oracle Corporation. 
As the Oracle +- Linux vendor, Oracle Corporation is responsible for providing security patches as well +- as meeting and maintaining goverment certifications and standards. ++ Linux vendor, Oracle Corporation is responsible for providing security patches. + {{% else %}} + Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise +- Linux vendor, Red Hat, Inc. is responsible for providing security patches as well +- as meeting and maintaining goverment certifications and standards. ++ Linux vendor, Red Hat, Inc. is responsible for providing security patches. + {{% endif %}} + + + rationale: |- +- An operating system is considered "supported" if the vendor continues to provide +- security patches for the product as well as maintain government certification requirements. +- With an unsupported release, it will not be possible to resolve security issue discovered in +- the system software as well as meet government certifications. ++ An operating system is considered "supported" if the vendor continues to ++ provide security patches for the product. With an unsupported release, it ++ will not be possible to resolve any security issue discovered in the system ++ software. + + warnings: + - general: |- +@@ -29,20 +27,17 @@ warnings: + + severity: high + +-identifiers: +- cce@rhel7: 80349-4 +- + references: + disa: "366" + nist: SI-2(c) + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: "020250" + +-ocil_clause: 'the installed operating system is not supported or certified' ++ocil_clause: 'the installed operating system is not supported' + + {{% if product in ["rhel6", "rhel7"] %}} + ocil: |- +- To verify that the installed operating system is supported or certified, run ++ To verify that the installed operating system is supported, run + the following command: +
$ grep -i "red hat" /etc/redhat-release
+ The output should contain something similar to: +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +index b8f84e32d3..0ce11f6eef 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +@@ -10,7 +10,7 @@ + Look for argument fips=1 in the kernel line in /etc/default/grub. + + +- ++ + + + +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +index 1483429a6a..69a42f9a11 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +@@ -14,7 +14,7 @@ + The RPM package dracut-fips should be installed. + + +- ++ + + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml +index 037b22e945..de1bba8c27 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml +@@ -9,7 +9,7 @@ + cryptographic hashes. + + +- ++ + + + +diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile +index e0d9b02c38..d978c16a21 100644 +--- a/rhel7/profiles/ospp.profile ++++ b/rhel7/profiles/ospp.profile +@@ -33,7 +33,7 @@ description: |- + consensus and release processes. 
+ + selections: +- - installed_OS_is_certified ++ - installed_OS_is_vendor_supported + - login_banner_text=usgcb_default + - inactivity_timeout_value=15_minutes + - var_password_pam_minlen=15 +diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile +index dd157a6e5b..dbd19355ac 100644 +--- a/rhel7/profiles/ospp42.profile ++++ b/rhel7/profiles/ospp42.profile +@@ -13,7 +13,7 @@ description: |- + in US National Security Systems. + + selections: +- - installed_OS_is_certified ++ - installed_OS_is_vendor_supported + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - service_auditd_enabled +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index 3fe2869f69..7200e9dc8a 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -119,7 +119,7 @@ selections: + - selinux_policytype + - disable_ctrlaltdel_reboot + - accounts_umask_etc_login_defs +- - installed_OS_is_certified ++ - installed_OS_is_vendor_supported + - security_patches_up_to_date + - gid_passwd_group_same + - accounts_no_uid_except_zero +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 27613eee55..ee1dcbe227 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -8,7 +8,7 @@ description: |- + Operating Systems (Protection Profile Version 4.2). + + selections: +- - installed_OS_is_certified ++ - installed_OS_is_vendor_supported + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - service_auditd_enabled diff --git a/SOURCES/test-stable-ids.patch b/SOURCES/test-stable-ids.patch new file mode 100644 index 0000000..2a62215 --- /dev/null +++ b/SOURCES/test-stable-ids.patch 
@@ -0,0 +1,112 @@ +diff --git a/tests/stable_profile_ids.py b/tests/stable_profile_ids.py +index b7523862d0..7ee4e9f758 100755 +--- a/tests/stable_profile_ids.py ++++ b/tests/stable_profile_ids.py +@@ -18,13 +18,23 @@ + # xccdf_org.ssgproject.content_profile_ospp42 becomes ospp42 + + STABLE_PROFILE_IDS = { +- "FEDORA": ["standard"], ++ "FEDORA": ["standard", "ospp", "pci-dss"], + "RHEL-6": ["C2S", "CS2", "CSCF-RHEL6-MLS", "fisma-medium-rhel6-server", + "pci-dss", "rht-ccp", "stig-rhel6-disa", "usgcb-rhel6-server"], + "RHEL-7": ["C2S", "cjis", "hipaa", "nist-800-171-cui", "rht-ccp", + "ospp", "ospp42", "pci-dss", "stig-rhel7-disa"], ++ "RHEL-8": ["ospp", "pci-dss"], + } + ++ ++BENCHMARK_TO_FILE_STEM = { ++ "FEDORA": "fedora", ++ "RHEL-6": "rhel6", ++ "RHEL-7": "rhel7", ++ "RHEL-8": "rhel8", ++} ++ ++ + BENCHMARK_ID_PREFIX = "xccdf_org.ssgproject.content_benchmark_" + PROFILE_ID_PREFIX = "xccdf_org.ssgproject.content_profile_" + +@@ -40,7 +50,7 @@ def parse_args(): + return p.parse_args() + + +-def gather_profiles_from_datastream(path, profiles_per_benchmark): ++def gather_profiles_from_datastream(path, build_dir, profiles_per_benchmark): + input_tree = ssg.xml.ElementTree.parse(path) + benchmarks = ssg.xccdf.get_benchmark_id_title_map(input_tree) + if len(benchmarks) == 0: +@@ -53,6 +63,10 @@ def gather_profiles_from_datastream(path, profiles_per_benchmark): + input_tree, benchmarks) + + for bench_id, profile_id, title in benchmark_profile_pairs: ++ bench_short_id = bench_id[len(BENCHMARK_ID_PREFIX):] ++ if respective_datastream_absent(bench_short_id, build_dir): ++ continue ++ + if not bench_id.startswith(BENCHMARK_ID_PREFIX): + raise RuntimeError("Expected benchmark ID '%s' from '%s' to be " + "prefixed with '%s'." +@@ -68,30 +82,49 @@ def gather_profiles_from_datastream(path, profiles_per_benchmark): + "prefixed with '%s'." 
+ % (profile_id, path, PROFILE_ID_PREFIX)) + +- bench_id = bench_id[len(BENCHMARK_ID_PREFIX):] + profile_id = profile_id[len(PROFILE_ID_PREFIX):] + +- profiles_per_benchmark[bench_id].append(profile_id) ++ profiles_per_benchmark[bench_short_id].append(profile_id) + + +-def main(): +- args = parse_args() ++def respective_datastream_absent(bench_id, build_dir): ++ if bench_id not in BENCHMARK_TO_FILE_STEM: ++ return True ++ ++ datastream_filename = "ssg-{stem}-ds.xml".format(stem=BENCHMARK_TO_FILE_STEM[bench_id]) ++ datastream_path = os.path.join(build_dir, datastream_filename) ++ if not os.path.isfile(datastream_path): ++ return True ++ else: ++ return False + ++ ++def check_build_dir(build_dir): + profiles_per_benchmark = defaultdict(list) +- for path in glob.glob(os.path.join(args.build_dir, "ssg-*-ds.xml")): +- gather_profiles_from_datastream(path, profiles_per_benchmark) ++ for path in glob.glob(os.path.join(build_dir, "ssg-*-ds.xml")): ++ gather_profiles_from_datastream(path, build_dir, profiles_per_benchmark) + +- for bench_id in STABLE_PROFILE_IDS.keys(): +- if bench_id not in profiles_per_benchmark: +- raise RuntimeError("Benchmark of shortened ID '%s' was not found " +- "within any of the datastreams!" % (bench_id)) ++ for bench_short_id in STABLE_PROFILE_IDS.keys(): ++ if respective_datastream_absent(bench_short_id, build_dir): ++ continue + +- for profile_id in STABLE_PROFILE_IDS[bench_id]: +- if profile_id not in profiles_per_benchmark[bench_id]: ++ if bench_short_id not in profiles_per_benchmark: ++ raise RuntimeError("Expected benchmark ID '%s' has to be " ++ "prefixed with '%s'." ++ % (bench_short_id, BENCHMARK_ID_PREFIX)) ++ ++ for profile_id in STABLE_PROFILE_IDS[bench_short_id]: ++ if profile_id not in profiles_per_benchmark[bench_short_id]: + raise RuntimeError("Profile '%s' is required to be in the " + "'%s' benchmark. It is a stable profile " + "that can't be renamed or removed!" 
+- % (profile_id, bench_id)) ++ % (profile_id, bench_short_id)) ++ ++ ++def main(): ++ args = parse_args() ++ ++ check_build_dir(args.build_dir) + + + if __name__ == "__main__": diff --git a/SOURCES/unselect_dropped_packages.patch b/SOURCES/unselect_dropped_packages.patch new file mode 100644 index 0000000..15e54cc --- /dev/null +++ b/SOURCES/unselect_dropped_packages.patch 
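Review bot: In `gather_profiles_from_datastream` the two added lines slice `bench_id` and call `respective_datastream_absent` before the `startswith(BENCHMARK_ID_PREFIX)` check that follows them, so a benchmark ID without the expected prefix is sliced blindly, misses the `BENCHMARK_TO_FILE_STEM` lookup and is skipped with `continue` instead of raising the RuntimeError that check exists for. Moving the two lines below the prefix check — keep the `raise RuntimeError(...)` first, then `bench_short_id = bench_id[len(BENCHMARK_ID_PREFIX):]` and `if respective_datastream_absent(bench_short_id, build_dir): continue` — restores the validation. The same silent skip now applies to any benchmark absent from `BENCHMARK_TO_FILE_STEM`, which weakens a test whose purpose is to catch renamed or missing content, so a comment such as `# Benchmarks with no datastream in build_dir are skipped, not validated` would at least make that intent explicit. In `check_build_dir` the new message `"Expected benchmark ID '%s' has to be prefixed with '%s'."` no longer describes the condition being tested (the benchmark not appearing in any datastream); the previous wording `"Benchmark of shortened ID '%s' was not found within any of the datastreams!"` was accurate and should be kept.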
@@ -0,0 +1,106 @@ +From ad9445f5cb6ff61021fff881b09ff875b8a9972d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 4 Dec 2018 10:05:23 +0100 +Subject: [PATCH 1/2] Remove dropped packages rules from RHEL8 profiles + +--- + rhel8/profiles/hipaa.profile | 5 ----- + rhel8/profiles/ospp.profile | 1 - + 2 files changed, 6 deletions(-) + +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 44a8a849bb..9008e96f27 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -34,22 +34,17 @@ selections: + - sshd_disable_root_login + - libreswan_approved_tunnels + - no_rsh_trust_files +- - package_rsh_removed + - package_rsh-server_removed + - package_talk_removed + - package_talk-server_removed + - package_telnet_removed + - package_telnet-server_removed + - package_xinetd_removed +- - package_ypbind_removed +- - package_ypserv_removed + - service_crond_enabled + - service_rexec_disabled + - service_rlogin_disabled +- - service_rsh_disabled + - service_telnet_disabled + - service_xinetd_disabled +- - service_ypbind_disabled + - service_zebra_disabled + - use_kerberos_security_all_exports + - disable_host_auth +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 7811f6908f..0a1ec8a6a5 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -194,7 +194,6 @@ + - audit_rules_etc_group_openat + - audit_rules_etc_group_open_by_handle_at + - package_abrt_removed +- - package_sendmail_removed + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + +From 00ff79b9cedf03abf2aec7e1ab13fed5712c8301 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 4 Dec 2018 11:05:16 +0100 +Subject: [PATCH 2/2] Smartcards auth in RHEL8 should be done via sssd + +- pam_pkcs11 was removed from RHEL8 +- piggy-backing fix: also enable pcsc-lite for Fedora +--- + fedora/templates/csv/packages_installed.csv | 1 + + rhel8/profiles/pci-dss.profile | 8 +++++++- 
+ rhel8/templates/csv/packages_installed.csv | 1 + + 3 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fedora/templates/csv/packages_installed.csv b/fedora/templates/csv/packages_installed.csv +index 4abfd53340..7bbf4d93e5 100644 +--- a/fedora/templates/csv/packages_installed.csv ++++ b/fedora/templates/csv/packages_installed.csv +@@ -9,6 +9,7 @@ libreswan + ntp + opensc + openssh-server ++pcsc-lite + vsftpd + postfix + screen +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index a81849ac41..3fef39b0eb 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -113,7 +113,13 @@ + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - security_patches_up_to_date +- - smartcard_auth ++ - package_opensc_installed ++ - var_smartcard_drivers=cac ++ - configure_opensc_nss_db ++ - configure_opensc_card_drivers ++ - force_opensc_card_drivers ++ - service_pcscd_enabled ++ - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf +diff --git a/rhel8/templates/csv/packages_installed.csv b/rhel8/templates/csv/packages_installed.csv +index e5c22d4bf3..248bac87b7 100644 +--- a/rhel8/templates/csv/packages_installed.csv ++++ b/rhel8/templates/csv/packages_installed.csv +@@ -9,6 +9,7 @@ libreswan + ntp + opensc + openssh-server ++pcsc-lite + vsftpd + postfix + tmux diff --git a/SOURCES/update_platform_in_crypto_policies_tests.patch b/SOURCES/update_platform_in_crypto_policies_tests.patch new file mode 100644 index 0000000..013e7b9 --- /dev/null +++ b/SOURCES/update_platform_in_crypto_policies_tests.patch 
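Review bot: The replacement selections in `rhel8/profiles/pci-dss.profile` pin `var_smartcard_drivers=cac`, which fixes the card driver to one specific to U.S. DoD Common Access Cards inside a profile aimed at payment-card environments; the commit message motivates the move to sssd but not this driver choice, so the value should either be justified in the profile description or left for the deployer to set. In `rhel8/profiles/hipaa.profile` the rsh and ypbind/ypserv rules are dropped as no-longer-shipped packages, yet `package_rsh-server_removed`, `service_rexec_disabled` and `service_rlogin_disabled` remain; if rsh-server was dropped from RHEL8 together with rsh, those selections are presumably in the same situation and are worth confirming. Since the message states pam_pkcs11 is gone from RHEL8, any other RHEL8 profile that still selects `smartcard_auth` (not visible here) would need the same replacement.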
@@ -0,0 +1,353 @@ +From b280b1212b64933700521891d30a7c5b09523919 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 7 Jan 2019 14:26:25 +0100 +Subject: [PATCH] Update applicable platforms in crypto policy tests + +Added Fedora and RHEL8 as applicable platforms +and ospp and standard profiles. +--- + .../rule_configure_bind_crypto_policy/absent.fail.sh | 3 ++- + .../rule_configure_bind_crypto_policy/no_config_file.fail.sh | 3 ++- + .../rule_configure_bind_crypto_policy/ok.pass.sh | 3 ++- + .../rule_configure_bind_crypto_policy/overrides.fail.sh | 3 ++- + .../rule_configure_crypto_policy/bad_symlink.fail.sh | 3 ++- + .../rule_configure_crypto_policy/missing_policy.fail.sh | 3 ++- + .../rule_configure_crypto_policy/missing_policy_file.fail.sh | 3 ++- + .../rule_configure_crypto_policy/missing_symlink.fail.sh | 3 ++- + .../{policy_set.pass.sh => policy_default_set.pass.sh} | 1 + + .../rule_configure_crypto_policy/policy_fips_set.pass.sh | 5 +++++ + .../symlink_to_wrong_policy.fail.sh | 3 ++- + .../rule_configure_crypto_policy/wrong_policy.fail.sh | 3 ++- + .../kerberos_correct_policy.pass.sh | 3 ++- + .../kerberos_missing_policy.fail.sh | 3 ++- + .../kerberos_wrong_policy.fail.sh | 3 ++- + .../line_commented.fail.sh | 3 ++- + .../line_is_there.pass.sh | 3 ++- + .../line_not_there.fail.sh | 3 ++- + .../wrong_value.fail.sh | 3 ++- + .../rule_configure_openssl_crypto_policy/nothing.fail.sh | 3 ++- + .../rule_configure_openssl_crypto_policy/ok.pass.sh | 3 ++- + .../section_not_include.fail.sh | 3 ++- + .../rule_configure_ssh_crypto_policy/absent.pass.sh | 3 ++- + .../rule_configure_ssh_crypto_policy/comment.pass.sh | 3 ++- + .../rule_configure_ssh_crypto_policy/no_config_file.pass.sh | 3 ++- + .../rule_configure_ssh_crypto_policy/overrides.fail.sh | 3 ++- + 26 files changed, 54 insertions(+), 24 deletions(-) + rename tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/{policy_set.pass.sh => policy_default_set.pass.sh} (76%) 
+ create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_fips_set.pass.sh + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh +index 99f603f1a..223a45ccf 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/absent.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + yum install -y bind + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh +index 59e45aa26..1a7cca92e 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/no_config_file.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + # We don't remediate anything if the config file is missing completely. 
+ # remediation = none + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh +index 145e25cfa..c6f9ffbcf 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/ok.pass.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + BIND_CONF='/etc/named.conf' + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh +index 79e14c1cc..e5ec32342 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_bind_crypto_policy/overrides.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + yum install -y bind + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/bad_symlink.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/bad_symlink.fail.sh +index efcea05b1..1d0ec9335 100644 +--- 
a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/bad_symlink.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/bad_symlink.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/gnutls.config" + SYMLINK_TO="/tmp/some_file" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy.fail.sh +index 16943b508..1fb839110 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + sed -i "1d" /etc/crypto-policies/config +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy_file.fail.sh +index 29939bc6e..f2aadc38c 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy_file.fail.sh ++++ 
b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_policy_file.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + rm /etc/crypto-policies/state/current +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_symlink.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_symlink.fail.sh +index ccccfe6b7..e58a7a56e 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_symlink.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_symlink.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + rm -f /etc/crypto-policies/back-ends/openssl.config +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_set.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_default_set.pass.sh +similarity index 76% +rename from tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_set.pass.sh +rename to tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_default_set.pass.sh +index 821d1dffc..9c5aa6583 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_set.pass.sh 
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_default_set.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_fedora + # profiles = xccdf_org.ssgproject.content_profile_standard + + update-crypto-policies --set "DEFAULT" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_fips_set.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_fips_set.pass.sh +new file mode 100644 +index 000000000..de1197263 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/policy_fips_set.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++update-crypto-policies --set "FIPS" +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/symlink_to_wrong_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/symlink_to_wrong_policy.fail.sh +index 4fc6f5384..eb083c9a2 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/symlink_to_wrong_policy.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/symlink_to_wrong_policy.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/openssh.config" + SYMLINK_TO_FOLDER="/usr/share/crypto-policies/LEGACY/" +diff --git 
a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/wrong_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/wrong_policy.fail.sh +index 0b0f786b1..c54cc1e80 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/wrong_policy.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/wrong_policy.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + sed -i "1s/.*/LEGACY/" /etc/crypto-policies/config +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_correct_policy.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_correct_policy.pass.sh +index dfbafea05..5c9ff5e79 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_correct_policy.pass.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_correct_policy.pass.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + rm -f /etc/krb5.conf.d/crypto-policies + ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_missing_policy.fail.sh 
b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_missing_policy.fail.sh +index a2bbc947f..73cd9e312 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_missing_policy.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_missing_policy.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + rm -f /etc/krb5.conf.d/crypto-policies +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_wrong_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_wrong_policy.fail.sh +index 49ad6ae5e..7aba7a49c 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_wrong_policy.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_kerberos_crypto_policy/kerberos_wrong_policy.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + rm -f /etc/krb5.conf.d/crypto-policies + ln -s /etc/crypto-policies/back-ends/openssh.config /etc/krb5.conf.d/crypto-policies +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh 
b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh +index 053f60dd9..9af2825f6 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_commented.fail.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + yum install -y libreswan + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh +index bb357a0a6..2bedb24ac 100644 +--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh ++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_is_there.pass.sh +@@ -1,5 +1,6 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_standard ++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + + yum install -y libreswan + +diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh +index 8756c09dd..ce14f1a35 100644 +--- 
a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/line_not_there.fail.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ yum install -y libreswan
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh
+index 75ba9f4f3..0bfabb92f 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_libreswan_crypto_policy/wrong_value.fail.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ yum install -y libreswan
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/nothing.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/nothing.fail.sh
+index 4893924f7..b2cb21be5 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/nothing.fail.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/nothing.fail.sh
+@@ -1,5 +1,6 @@
+ 
#!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ . common.sh
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/ok.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/ok.pass.sh
+index e1663c5c4..695d1d9bb 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/ok.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/ok.pass.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ . common.sh
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/section_not_include.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/section_not_include.fail.sh
+index e8acf2218..c2006df88 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/section_not_include.fail.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_openssl_crypto_policy/section_not_include.fail.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ . 
common.sh
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/absent.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/absent.pass.sh
+index 64ab66e82..e0db2badb 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/absent.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/absent.pass.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ SSH_CONF="/etc/sysconfig/sshd"
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/comment.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/comment.pass.sh
+index c97092eb6..b309c5016 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/comment.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/comment.pass.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ SSH_CONF="/etc/sysconfig/sshd"
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/no_config_file.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/no_config_file.pass.sh
+index 665186f1b..d90e8c65c 100644
+---
a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/no_config_file.pass.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/no_config_file.pass.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ SSH_CONF="/etc/sysconfig/sshd"
+ 
+diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/overrides.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/overrides.fail.sh
+index 4d2ed758e..3a1822414 100644
+--- a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/overrides.fail.sh
++++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_ssh_crypto_policy/overrides.fail.sh
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ #
+-# profiles = xccdf_org.ssgproject.content_profile_standard
++# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+ 
+ SSH_CONF="/etc/sysconfig/sshd"
+ 
+-- 
+2.19.2
+
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
new file mode 100644
index 0000000..e0affd9
--- /dev/null
+++ b/SPECS/scap-security-guide.spec
@@ -0,0 +1,411 @@
+Name: scap-security-guide
+Version: 0.1.42
+Release: 11%{?dist}
+Summary: Security guidance and baselines in SCAP formats
+Group: Applications/System
+License: BSD
+URL: https://github.com/ComplianceAsCode/content/
+Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+Patch0: test-stable-ids.patch
+Patch1: add-missing-kickstart-files.patch
+Patch2: disable-not-in-good-shape-profiles.patch
+Patch3: fips.patch
+Patch4: split-os-is-certified.patch
+Patch5: fips-rename_def.patch
+Patch6: crypto_kerboeros_fix.patch
+Patch7: crypto_uninstalled_fix.patch
+Patch8: profile_desc.patch
+Patch9: profile_desc2.patch
+Patch10: remove_sshd_rhosts_rsa_selection.patch
+Patch11: podman_backend.patch
+Patch12: update_platform_in_crypto_policies_tests.patch
+Patch13: bind_libreswan_scenarios.patch
+Patch14: crypto_nss_fix.patch
+Patch15: profile_desc_typo_fix.patch
+Patch16: select_software_updates.patch
+Patch17: unselect_dropped_packages.patch
+Patch18: assign_cce_to_content.patch
+Patch19: assign_cce_to_ospp_rules.patch
+Patch20: audit_rule_order_regex.patch
+Patch21: audit_parameter_position.patch
+Patch22: audit_rules_path_syscall.patch
+Patch23: audit_rules_etc_shadow_gshadow.patch
+Patch24: audit_var_log_directory_access.patch
+Patch25: audit_rule_order_remediations.patch
+BuildArch: noarch
+
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
+BuildRequires: /usr/bin/python3
+BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
+Requires: xml-common, openscap-scanner >= 1.2.5
+Obsoletes: openscap-content < 0:0.9.13
+Provides: openscap-content
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view.
The guidance is specified
+in the Security Content Automation Protocol (SCAP) format and constitutes
+a catalog of practical hardening advice, linked to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidelines. The Red Hat Enterprise
+Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
+package, or the scap-workbench GUI tool from scap-workbench package to verify
+that the system conforms to provided guideline. Refer to scap-security-guide(8)
+manual page for further information.
+
+%package doc
+Summary: HTML formatted security guides generated from XCCDF benchmarks
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description doc
+The %{name}-doc package contains HTML formatted documents containing
+hardening guidances that have been generated from XCCDF benchmarks
+present in %{name} package.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+mkdir build
+
+%build
+cd build
+%cmake \
+-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
+-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
+-DSSG_PRODUCT_EXAMPLE:BOOL=OFF \
+-DSSG_PRODUCT_FEDORA:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
+-DSSG_PRODUCT_OCP3:BOOL=OFF \
+-DSSG_PRODUCT_OL7:BOOL=OFF \
+-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
+-DSSG_PRODUCT_OSP13:BOOL=OFF \
+-DSSG_PRODUCT_RHV4:BOOL=OFF \
+-DSSG_PRODUCT_SUSE11:BOOL=OFF \
+-DSSG_PRODUCT_SUSE12:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU14:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU16:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU18:BOOL=OFF \
+-DSSG_PRODUCT_WRLINUX:BOOL=OFF \
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
+%make_build
+
+%install
+cd build
+%make_install
+
+%files
+%{_datadir}/xml/scap/ssg/content
+%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible
+%{_datadir}/%{name}/bash
+%lang(en) %{_mandir}/man8/scap-security-guide.8.*
+%doc %{_docdir}/%{name}/LICENSE
+%doc %{_docdir}/%{name}/README.md
+%doc %{_docdir}/%{name}/Contributors.md
+
+%files doc
+%doc %{_docdir}/%{name}/guides/*.html
+%doc %{_docdir}/%{name}/tables/*.html
+
+%changelog
+* Mon Mar 11 2019 Gabriel Becker - 0.1.42-11
+- Assign CCE to rules from OSPP profile which were missing the identifier.
+- Fix regular expression for Audit rules ordering
+- Account for Audit rules flags parameter position within syscall
+- Add remediations for Audit rules file path
+- Add Audit rules for modification of /etc/shadow and /etc/gshadow
+- Add Ansible and Bash remediations for directory_access_var_log_audit rule
+- Add a Bash remediation for Audit rules that require ordering
+
+* Thu Mar 07 2019 Gabriel Becker - 0.1.42-10
+- Assign CCE identifier to rules used by RHEL8 profiles.
+
+* Thu Feb 14 2019 Matěj Týč - 0.1.42-9
+- Fixed Crypto Policy OVAL for NSS
+- Got rid of rules requiring packages dropped in RHEL8.
+- Profile descriptions fixes.
+
+* Tue Jan 22 2019 Jan Černý - 0.1.42-8
+- Update applicable platforms in crypto policy tests
+
+* Mon Jan 21 2019 Jan Černý - 0.1.42-7
+- Introduce Podman backend for SSG Test suite
+- Update bind and libreswan crypto policy test scenarios
+
+* Fri Jan 11 2019 Matěj Týč - 0.1.42-6
+- Further fix of profiles descriptions, so they don't contain literal '\'.
+- Removed obsolete sshd rule from the OSPP profile.
+
+* Tue Jan 08 2019 Matěj Týč - 0.1.42-5
+- Fixed profiles descriptions, so they don't contain literal '\n'.
+- Made the configure_kerberos_crypto_policy OVAL more robust.
+- Made OVAL for libreswan and bind work as expected when those packages are not installed.
+
+* Wed Jan 02 2019 Matěj Týč - 0.1.42-4
+- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
+
+* Tue Dec 18 2018 Matěj Týč - 0.1.42-3
+- Added FIPS mode rule for the OSPP profile.
+- Split the installed_OS_is certified rule.
+- Explicitly disabled OSP13, RHV4 and Example products.
+
+* Mon Dec 17 2018 Gabriel Becker - 0.1.42-2
+- Add missing kickstart files for RHEL8
+- Disable profiles that are not in good shape for RHEL8
+
+* Wed Dec 12 2018 Matěj Týč - 0.1.42-1
+- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
+- System-wide crypto policies are introduced for RHEL8
+- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
+
+* Wed Oct 10 2018 Watson Yuuma Sato - 0.1.41-2
+- Fix man page and package description
+
+* Mon Oct 08 2018 Watson Yuuma Sato - 0.1.41-1
+- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
+- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
+
+* Mon Aug 13 2018 Watson Sato - 0.1.40-3
+- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
+- Only build content for rhel8 products
+
+* Fri Aug 10 2018 Watson Sato - 0.1.40-2
+- Update build of rhel8 content
+
+* Fri Aug 10 2018 Watson Sato - 0.1.40-1
+- Enable build of rhel8 content
+
+* Fri May 18 2018 Jan Černý - 0.1.39-1
+- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
+- Fix spec file to build using Python 3
+- Fix License because upstream changed to BSD-3
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1
+- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1
+- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
+
+* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1
+- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
+
+* Tue Aug 29 2017 Watson Sato - 0.1.35-1
+- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 03 2017 Watson Sato - 0.1.34-1
+- updated to latest upstream release
+
+* Mon May 01 2017 Martin Preisler - 0.1.33-1
+- updated to latest upstream release
+
+* Thu Mar 30 2017 Martin Preisler - 0.1.32-1
+- updated to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-2
+- use make_build and make_install RPM macros
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-1
+- update to the latest upstream release
+- new default location for content /usr/share/scap/ssg
+- install HTML tables in the doc subpackage
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2
+- Correct currently failing parallel SCAP Security Guide build
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1
+- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
+- Drop shell library for remediation functions since it is not required
+ starting from 0.1.30 release any more
+
+* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1
+- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
+- Do not ship Firefox/DISCLAIMER
documentation file since it has been removed
+ in 0.1.29 upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1
+- upgrade to the latest upstream release
+
+* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1
+- update to the latest upstream release
+
+* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1
+- update to the latest upstream release
+
+* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1
+- update to the latest upstream release
+
+* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1
+- update to the latest upstream release
+- created doc sub-package to ship all the guides
+- start distributing centos and scientific linux content
+- rename java content to jre
+
+* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 05 2015 Šimon Lukašík - 0.1.22-1
+- update to the latest upstream release
+- only DataStream file is now available for Fedora
+- start distributing security baseline for Firefox
+- start distributing security baseline for Java RunTime deployments
+
+* Wed Mar 04 2015 Šimon Lukašík - 0.1.21-1
+- update to the latest upstream release
+- move content to /usr/share/scap/ssg/content
+
+* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1
+- update to the latest upstream release
+
+* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4
+- require only openscap-scanner, not whole openscap-utils package
+
+* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3
+- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
+- Add STIG DISCLAIMER to the shipped documentation
+
+* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1
+- Fix fedora-srpm and fedora-rpm Make targets to work again
+- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
+- EOL for
Fedora 18 support
+- Include Fedora datastream file for remote Fedora system scans
+
+* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2
+- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
+
+* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1
+- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
+ it to /shared
+- Add shared remediations for sshd disable empty passwords and
+ sshd set idle timeout
+- Shared remediation for sshd disable root login
+- Add empty -compat subpackage to ensure backward-compatibility with
+ openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
+- OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
+- OVAL check for sshd disable empty passwords
+- Unselect no shelllogin for systemaccounts rule from being run by default
+- Rename XCCDF rules
+- Revert Set up Fedora release name and CPE based on build system properties
+- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
+- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
+- Shared OVAL check for Verify that System Executables Have Root Ownership
+- Shared OVAL check for Verify that Shared Library Files Have Restrictive
+ Permissions
+- Fix remediation for Disable Prelinking rule
+- OVAL check and remediation for sshd's ClientAliveCountMax rule
+- OVAL check for sshd's ClientAliveInterval rule
+- Include descriptions for permissions section, and rules for checking
+ permissions and ownership of shared library files and system executables
+- Disable selected rules by default
+- Add remediation for Disable Prelinking rule
+- Adjust service-enable-macro, service-disable-macro XSLT transforms
+ definition to evaluate to proper systemd syntax
+- Fix service_ntpd_enabled OVAL check make validate to pass again
+- Include patch from Šimon Lukašík to obsolete openscap-content
+ package (RH BZ#1028706)
+- Add OVAL check to test if there's
is remote NTP server configured for
+ time data
+- Add system settings section for the guide (to track system wide
+ hardening configurations)
+- Include disable prelink rule and OVAL check for it
+- Initial OVAL check if ntpd service is enabled. Add package_installed
+ OVAL templating directory structure and functionality.
+- Include services section, and XCCDF description for selected ntpd's
+ sshd's service rules
+- Include remediations for login.defs' based password minimum, maximum and
+ warning age rules
+- Include directory structure to support remediations
+- Add SCAP "replace or append pattern value in text file based on variable"
+ remediation script generator
+- Add remediation for "Set Password Minimum Length in login.defs" rule
+
+* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1
+- Update versioning scheme - move fedorassgrelease to be part of
+ upstream version. Rename it to fedorassgversion to avoid name collision
+ with Fedora package release.
+
+* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3
+- Add .gitignore for Fedora output directory
+- Set up Fedora release name and CPE based on build system properties
+- Use correct file paths in scap-security-guide(8) manual page
+ (RH BZ#1018905, c#10)
+- Apply further changes motivated by scap-security-guide Fedora RPM review
+ request (RH BZ#1018905, c#8):
+ * update package description,
+ * make content files to be owned by the scap-security-guide package,
+ * remove Fedora release number from generated content files,
+ * move HTML form of the guide under the doc directory (together
+ with that drop fedora/content subdir and place the content
+ directly under fedora/ subdir).
+- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
+ * drop Fedora release from package provided files' final path (c#5),
+ * drop BuildRoot, selected Requires:, clean section, drop chcon for
+ manual page, don't gzip man page (c#4),
+ * change package's description (c#4),
+ * include PD license text (#c4).
+
+* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2
+- Provide manual page for scap-security-guide
+- Remove percent sign from spec's changelog to silence rpmlint warning
+- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
+- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
+- Introduce 'Account and Access Control' section
+- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
+ rules to Fedora
+- Set proper name of the build directory in the spec's setup macro.
+- Replace hard-coded paths with macros. Preserve attributes when copying files.
+
+* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1
+- Initial Fedora SSG RPM.
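Review bot: The `%cmake` call in `%build` disables products by enumeration while `%files` packages the whole `%{_datadir}/xml/scap/ssg/content` directory, so any product that upstream enables by default and this list does not name (the 0.1.5-1 and 0.1.22-1 changelog entries mention RHEL-6/RHEL-7 datastreams and Firefox/JRE baselines) is shipped without an explicit decision, and the same will happen silently for products added by a future rebase. For a package whose payload is a security baseline an allow-list is the safer shape: if this release's CMakeLists.txt exposes the upstream `SSG_PRODUCT_DEFAULT` option, `-DSSG_PRODUCT_DEFAULT:BOOL=OFF \` followed by `-DSSG_PRODUCT_RHEL8:BOOL=ON \` replaces the seventeen per-product OFF lines and makes the 0.1.40-3 changelog claim "Only build content for rhel8 products" verifiable from the spec itself. Naming the expected datastream files under `%files` instead of the directory would additionally turn an unexpected product into a build failure rather than a shipped file. Separately, the 26 `%patchN -p1` lines in `%prep` can collapse into `%autosetup -p1`, which applies every PatchN in the preamble and removes the chance of a declared patch being left unapplied.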