From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 20 Mar 2020 11:50:25 +0100
Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding
---
rhel7/profiles/cis.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index 486fcf9a33..53d3819822 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -558,7 +558,6 @@ selections:
|
|
|
dac76a |
- sshd_set_loglevel_info
|
|
|
dac76a |
|
|
|
dac76a |
### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
|
|
|
dac76a |
- - sshd_enable_x11_forwarding
|
|
|
dac76a |
|
|
|
dac76a |
### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
|
|
|
dac76a |
- sshd_set_max_auth_tries
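Review bot: After this removal the `### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)` heading has no selection beneath it, so the profile silently stops covering that benchmark item instead of replacing the mis-selected enabling rule with the disabling one. If the content tree has a rule that sets `X11Forwarding no` (upstream names it `sshd_disable_x11_forwarding`; confirm it exists in this tree), select it under 5.2.4; otherwise leave a marker such as `# 5.2.4: no rule selected yet, X11Forwarding must be verified manually` so the gap stays visible. The commit message also gives no reason for the removal; a one-line rationale (the rule enables forwarding, the opposite of what 5.2.4 requires) would help future readers.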
From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:00:23 +0100
Subject: [PATCH 2/4] Add a few more selections to rhel7 profile
- Rule for libselinux installed
- Rule for service tftp disabled
- Rule for kernel module RDS disabled
---
rhel7/profiles/cis.profile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index 53d3819822..a9c78dc140 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -172,6 +172,7 @@ selections:
|
|
|
dac76a |
- selinux_confinement_of_daemons
|
|
|
dac76a |
|
|
|
dac76a |
### 1.6.2 Ensure SELinux is installed (Scored)
|
|
|
dac76a |
+ - package_libselinux_installed
|
|
|
dac76a |
|
|
|
dac76a |
## 1.7 Warning Banners
|
|
|
dac76a |
#### 1.7.1.1 Ensure message of the day is configured properly (Scored)
|
|
|
dac76a |
@@ -205,6 +206,7 @@ selections:
|
|
|
dac76a |
### 2.1.4 Ensure echo services are not enabled (Scored)
|
|
|
dac76a |
### 2.1.5 Ensure time services are not enabled (Scored)
|
|
|
dac76a |
### 2.1.6 Ensure tftp server is not enabled (Scored)
|
|
|
dac76a |
+ - service_tftp_disabled
|
|
|
dac76a |
|
|
|
dac76a |
### 2.1.7 Ensure xinetd is not enabled (Scored)
|
|
|
dac76a |
- service_xinetd_disabled
|
|
|
dac76a |
@@ -363,6 +365,7 @@ selections:
|
|
|
dac76a |
- kernel_module_sctp_disabled
|
|
|
dac76a |
|
|
|
dac76a |
### 3.5.3 Ensure RDS is disabled (Not Scored)
|
|
|
dac76a |
+ - kernel_module_rds_disabled
|
|
|
dac76a |
|
|
|
dac76a |
### 3.5.4 Ensure TIPC is disabled (Not Scored)
|
|
|
dac76a |
- kernel_module_tipc_disabled
From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:16:48 +0100
Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references
---
.../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +-
.../services/ntp/chronyd_specify_remote_server/rule.yml | 1 +
.../guide/services/ntp/package_chrony_installed/rule.yml | 1 +
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
rhel7/profiles/cis.profile | 5 ++++-
5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
|
|
dac76a |
index cd641ce0cb..2e5596b972 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
|
|
|
dac76a |
@@ -24,7 +24,7 @@ severity: medium
|
|
|
dac76a |
platform: chrony
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
- cis@rhel7: 2.2.1.2
|
|
|
dac76a |
+ cis@rhel7: 2.2.1.3
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
index bc8815b068..ea4c955c8e 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
|
|
|
dac76a |
@@ -25,6 +25,7 @@ identifiers:
|
|
|
dac76a |
cce@rhel8: 82873-1
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
+ cis@rhel7: 2.2.1.3
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
ocil_clause: 'a remote time server is not configured'
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
index 2549f48b71..f6dc1f427f 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
|
|
|
dac76a |
@@ -21,6 +21,7 @@ identifiers:
|
|
|
dac76a |
cce@rhel8: 82874-9
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
+ cis@rhel7: 2.2.1.1
|
|
|
dac76a |
cis@rhel8: 2.2.1.1
|
|
|
dac76a |
|
|
|
dac76a |
{{{ complete_ocil_entry_package(package="chrony") }}}
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
index 7b3a0a2a13..94269dfd54 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
|
|
|
dac76a |
@@ -24,6 +24,7 @@ identifiers:
|
|
|
dac76a |
cce@rhel8: 82875-6
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
+ cis@rhel7: 2.2.1.3
|
|
|
dac76a |
cis@rhel8: 2.2.1.2
|
|
|
dac76a |
|
|
|
dac76a |
ocil_clause: 'the chronyd process is not running'
|
|
|
dac76a |
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index a9c78dc140..108a728bbf 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -213,13 +213,16 @@ selections:
|
|
|
dac76a |
|
|
|
dac76a |
## 2.2 Special Purpose Services
|
|
|
dac76a |
#### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
|
|
|
dac76a |
- - service_chronyd_or_ntpd_enabled
|
|
|
dac76a |
+ - package_chrony_installed
|
|
|
dac76a |
|
|
|
dac76a |
#### 2.2.1.2 Ensure ntp is configured (Scored)
|
|
|
dac76a |
# restrict is not checkec by rules below
|
|
|
dac76a |
- chronyd_or_ntpd_specify_remote_server
|
|
|
dac76a |
|
|
|
dac76a |
#### 2.2.1.3 Ensure chrony is configured (Scored)
|
|
|
dac76a |
+ - service_chronyd_enabled
|
|
|
dac76a |
+ - chronyd_specify_remote_server
|
|
|
dac76a |
+ - chronyd_run_as_chrony_user
|
|
|
dac76a |
|
|
|
dac76a |
### 2.2.2 Ensure X Window System is not installed (Scored)
|
|
|
dac76a |
- package_xorg-x11-server-common_removed
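Review bot: Replacing `service_chronyd_or_ntpd_enabled` with `package_chrony_installed` under 2.2.1.1 makes that item chrony-only, while 2.2.1.2 still keeps the either-or rule `chronyd_or_ntpd_specify_remote_server`, so a host that legitimately runs ntpd now fails 2.2.1.1 but passes 2.2.1.2. Either keep `service_chronyd_or_ntpd_enabled` next to the package rule, or state the decision with a comment above 2.2.1.1 such as `# This profile assumes chrony; ntpd-based hosts are not covered by 2.2.1.x`. Selecting `service_chronyd_enabled` under 2.2.1.3 "Ensure chrony is configured" presumably goes beyond the configuration checks that item describes; if that is deliberate, a short comment on why the service check lives here rather than under 2.2.1.1 would stop the next person from moving it. The context line `# restrict is not checkec by rules below` carries a typo (`checked`) that could be fixed while this block is being touched.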
From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:17:16 +0100
Subject: [PATCH 4/4] Select rules for backup account files
Select rules to check permissions and owner of important backup account
files.
---
rhel7/profiles/cis.profile | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index 108a728bbf..0fc919950f 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -689,9 +689,24 @@ selections:
|
|
|
dac76a |
- file_permissions_etc_gshadow
|
|
|
dac76a |
|
|
|
dac76a |
### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
|
|
|
dac76a |
+ - file_owner_backup_etc_passwd
|
|
|
dac76a |
+ - file_groupowner_backup_etc_passwd
|
|
|
dac76a |
+ - file_permissions_backup_etc_passwd
|
|
|
dac76a |
+
|
|
|
dac76a |
### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
|
|
|
dac76a |
+ - file_owner_backup_etc_shadow
|
|
|
dac76a |
+ - file_groupowner_backup_etc_shadow
|
|
|
dac76a |
+ - file_permissions_backup_etc_shadow
|
|
|
dac76a |
+
|
|
|
dac76a |
### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
|
|
|
dac76a |
+ - file_owner_backup_etc_group
|
|
|
dac76a |
+ - file_groupowner_backup_etc_group
|
|
|
dac76a |
+ - file_permissions_backup_etc_group
|
|
|
dac76a |
+
|
|
|
dac76a |
### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
|
|
|
dac76a |
+ - file_owner_backup_etc_gshadow
|
|
|
dac76a |
+ - file_groupowner_backup_etc_gshadow
|
|
|
dac76a |
+ - file_permissions_backup_etc_gshadow
|
|
|
dac76a |
|
|
|
dac76a |
### 6.1.10 Ensure no world writable files exist (Scored)
|
|
|
dac76a |
- file_permissions_unauthorized_world_writable