
From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 16 Mar 2020 19:37:57 +0100
Subject: [PATCH 1/4] Select rules for SSH and add references
---
 .../rule.yml                                  |  1 +
 .../file_permissions_sshd_pub_key/rule.yml    |  1 +
 .../ssh/ssh_server/disable_host_auth/rule.yml |  3 +-
 .../sshd_disable_empty_passwords/rule.yml     |  3 +-
 .../ssh_server/sshd_disable_rhosts/rule.yml   |  3 +-
 .../sshd_disable_root_login/rule.yml          |  3 +-
 .../sshd_do_not_permit_user_env/rule.yml      |  3 +-
 .../sshd_enable_warning_banner/rule.yml       |  3 +-
 .../sshd_enable_x11_forwarding/rule.yml       |  3 +-
 .../ssh_server/sshd_set_idle_timeout/rule.yml |  3 +-
 .../ssh_server/sshd_set_keepalive/rule.yml    |  3 +-
 .../sshd_set_loglevel_info/rule.yml           |  1 +
 .../sshd_set_max_auth_tries/rule.yml          |  1 +
 .../configure_ssh_crypto_policy/rule.yml      |  1 +
 15 files changed, 51 insertions(+), 22 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
dac76a
index b1b7ccabaa..108c9c5ce0 100644
dac76a
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
dac76a
@@ -33,6 +33,7 @@ references:
dac76a
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
dac76a
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
dac76a
     cis-csc: 12,13,14,15,16,18,3,5
dac76a
+    cis@rhel8: 5.2.3
dac76a
 
dac76a
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
dac76a
 
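Review bot: The added `cis@rhel8: 5.2.3` line is a reference only, yet the subject says rules are also selected, and the diffstat above counts 15 files while only 14 file sections follow it; the profile change that selects these SSH rules is presumably the section that is missing, so as carried in this SOURCES patch the references land without the selection they describe. PATCH 4/4 shows the same gap (its diffstat reports 2 files and 1 insertion, but only one pure-deletion section is present). Worth confirming the profile hunks were dropped deliberately when the patch was trimmed for packaging, or restoring them, since a reference mapping that no profile selects is easy to mistake for coverage.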
dac76a
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
dac76a
index da3dead155..714b507db1 100644
dac76a
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
dac76a
@@ -28,6 +28,7 @@ references:
dac76a
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
dac76a
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
dac76a
     cis-csc: 12,13,14,15,16,18,3,5
dac76a
+    cis@rhel8: 5.2.4
dac76a
 
dac76a
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
dac76a
 
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
index de5580b9f5..9db9fd7516 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
@@ -27,7 +27,8 @@ references:
dac76a
     stigid@rhel6: "000236"
dac76a
     srg@rhel6: SRG-OS-000106
dac76a
     disa@rhel6: 765,766
dac76a
-    cis: 5.2.7
dac76a
+    cis@rhel8: 5.2.7
dac76a
+    cis@rhel8: 5.2.9
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.12
dac76a
     disa: "366"
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
dac76a
index 25908a4e4d..b9bbe1e48e 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
dac76a
@@ -28,7 +28,8 @@ references:
dac76a
     stigid@rhel6: "000239"
dac76a
     srg@rhel6: SRG-OS-000106
dac76a
     disa@rhel6: 765,766
dac76a
-    cis: 5.2.9
dac76a
+    cis@rhel7: 5.2.9
dac76a
+    cis@rhel8: 5.2.11
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.1,3.1.5
dac76a
     disa: "366"
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
index fd960a55ae..3a5d16c052 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
@@ -27,7 +27,8 @@ references:
dac76a
     stigid@rhel6: "000234"
dac76a
     srg@rhel6: SRG-OS-000106
dac76a
     disa@rhel6: 765,766
dac76a
-    cis: 5.2.6
dac76a
+    ci@rhel8s: 5.2.6
dac76a
+    ci@rhel8s: 5.2.8
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.12
dac76a
     disa: "366"
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
dac76a
index 8b9cba960f..c6e7d7986c 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
dac76a
@@ -28,7 +28,8 @@ references:
dac76a
     stigid@rhel6: "000237"
dac76a
     srg@rhel6: SRG-OS-000109
dac76a
     disa@rhel6: '770'
dac76a
-    cis: 5.2.8
dac76a
+    cis@rhel7: 5.2.8
dac76a
+    cis@rhel8: 5.2.10
dac76a
     cjis: 5.5.6
dac76a
     cui: '3.1.1,3.1.5'
dac76a
     disa: 366,770
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
dac76a
index f25d2a690a..f1a09a1b8d 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
dac76a
@@ -23,7 +23,8 @@ references:
dac76a
     stigid@rhel6: "000241"
dac76a
     srg@rhel6: SRG-OS-000242
dac76a
     disa@rhel6: '1414'
dac76a
-    cis: 5.2.10
dac76a
+    cis@rhel7: 5.2.10
dac76a
+    cis@rhel8: 5.2.12
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.12
dac76a
     disa: "366"
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
dac76a
index f32287ff7c..4aa26eeb90 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
dac76a
@@ -25,7 +25,8 @@ identifiers:
dac76a
 references:
dac76a
     stigid@rhel6: "000240"
dac76a
     srg@rhel6: SRG-OS-000023
dac76a
-    cis: 5.2.16
dac76a
+    cis@rhel7: 5.2.15
dac76a
+    cis@rhel8: 5.2.15
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.9
dac76a
     disa: 48,50,1384,1385,1386,1387,1388
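Review bot: The rhel7 reference changes value here, from `cis: 5.2.16` to `cis@rhel7: 5.2.15`, whereas every other hunk in this commit carries the old `cis` number over to `cis@rhel7` unchanged. If this is a deliberate correction to the benchmark revision the other sshd rules already follow, it deserves a sentence in the commit message; if not, the entry should stay `cis@rhel7: 5.2.16`. A silent renumber inside a commit titled "add references" is easy to miss in review and hard to trace later.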
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
index 5d50c2ed07..5fdca265fa 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
@@ -22,7 +22,8 @@ identifiers:
dac76a
     cce@rhel8: 82421-9
dac76a
 
dac76a
 references:
dac76a
-    cis: 5.2.4
dac76a
+    cis@rhel7: 5.2.4
dac76a
+    cis@rhel8: 5.2.6
dac76a
     cui: 3.1.13
dac76a
     disa: "366"
dac76a
     nist: CM-6(a),AC-17(a),AC-17(2)
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
dac76a
index 7cf263bef4..347610cd6f 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
dac76a
@@ -34,7 +34,8 @@ references:
dac76a
     stigid@rhel6: "000230"
dac76a
     srg@rhel6: SRG-OS-000163
dac76a
     disa@rhel6: '879'
dac76a
-    cis: 5.2.12
dac76a
+    cis@rhel7: 5.2.12
dac76a
+    cis@rhel8: 5.2.13
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.11
dac76a
     disa: 879,1133,2361
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
dac76a
index cc9f62b0af..65aac90ace 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
dac76a
@@ -23,7 +23,8 @@ references:
dac76a
     stigid@rhel6: "000231"
dac76a
     srg@rhel6: SRG-OS-000126
dac76a
     disa@rhel6: '879'
dac76a
-    cis: 5.2.12
dac76a
+    cis@rhel7: 5.2.12
dac76a
+    cis@rhel8: 5.2.13
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.11
dac76a
     disa: 879,1133,2361
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
dac76a
index 26eca336b2..e9e84cdf9b 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
dac76a
@@ -26,6 +26,7 @@ references:
dac76a
     cis@debian8: 9.3.2
dac76a
     cis@debian10: 9.3.2
dac76a
     cis@rhel7: 5.2.3
dac76a
+    cis@rhel8: 5.2.5
dac76a
     nist: AC-17(a),CM-6(a)
dac76a
 
dac76a
 ocil_clause: 'it is commented out or is not enabled'
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
dac76a
index 6fd7a4b6bd..1661b78773 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
dac76a
@@ -21,6 +21,7 @@ references:
dac76a
     cis@debian8: 9.3.5
dac76a
     cis@debian9: 9.3.5
dac76a
     cis@rhel7: 5.2.5
dac76a
+    cis@rhel8: 5.2.7
dac76a
 
dac76a
 ocil_clause: 'it is commented out or not configured properly'
dac76a
 
dac76a
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
dac76a
index b9d8b06028..db5ce07f0e 100644
dac76a
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
dac76a
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
dac76a
@@ -23,6 +23,7 @@ identifiers:
dac76a
 
dac76a
 references:
dac76a
     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
dac76a
+    cis@rhel8: 5.2.20
dac76a
 
dac76a
 ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
dac76a
 
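Review bot: The added `cis@rhel8: 5.2.20` is placed after `nist`, while every other rule touched in this series keeps its `cis*` keys ahead of `cjis`, `cui`, `disa` and `nist`; moving it above `nist` keeps the references block ordered the same way across rules. Key order should carry no meaning for the YAML loader, so this is style only, but a consistent order keeps later diffs of the references block readable.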
From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 15:08:50 +0100
Subject: [PATCH 2/4] Fix typos in CIS references
---
 .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml  | 2 +-
 .../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
index 9db9fd7516..d19bfd4538 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
dac76a
@@ -27,7 +27,7 @@ references:
dac76a
     stigid@rhel6: "000236"
dac76a
     srg@rhel6: SRG-OS-000106
dac76a
     disa@rhel6: 765,766
dac76a
-    cis@rhel8: 5.2.7
dac76a
+    cis@rhel7: 5.2.7
dac76a
     cis@rhel8: 5.2.9
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.12
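Review bot: The line corrected here was a duplicated `cis@rhel8` mapping key, not only a typo: a YAML loader that tolerates duplicates keeps just one of the two values (typically the last, `5.2.9`) and silently drops the rhel7 reference, while a strict loader rejects the file outright. A build-time check that fails on duplicate keys inside a rule's `references` block would have caught this before PATCH 1/4 was merged. The `ci@rhel8s` typo fixed in the sshd_disable_rhosts hunk below would slip past that check, but an allow-list of known reference prefixes (`cis@rhel7`, `cis@rhel8`, ...) applied at build time would flag it.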
dac76a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
index 3a5d16c052..5dafad7462 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
dac76a
@@ -27,8 +27,8 @@ references:
dac76a
     stigid@rhel6: "000234"
dac76a
     srg@rhel6: SRG-OS-000106
dac76a
     disa@rhel6: 765,766
dac76a
-    ci@rhel8s: 5.2.6
dac76a
-    ci@rhel8s: 5.2.8
dac76a
+    cis@rhel7: 5.2.6
dac76a
+    cis@rhel8: 5.2.8
dac76a
     cjis: 5.5.6
dac76a
     cui: 3.1.12
dac76a
     disa: "366"
From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:43:16 +0100
Subject: [PATCH 3/4] Update CIS references for sshd_config
---
 .../guide/services/ssh/file_groupowner_sshd_config/rule.yml    | 3 ++-
 linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml    | 3 ++-
 .../guide/services/ssh/file_permissions_sshd_config/rule.yml   | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
dac76a
index a9c09765d0..e53ac9d6b9 100644
dac76a
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
dac76a
@@ -21,7 +21,8 @@ identifiers:
dac76a
     cce@rhel8: 82901-0
dac76a
 
dac76a
 references:
dac76a
-    cis: 5.2.1
dac76a
+    cis@rhel7: 5.2.1
dac76a
+    cis@rhel8: 5.2.1
dac76a
     nist: AC-17(a),CM-6(a),AC-6(1)
dac76a
     nist-csf: PR.AC-4,PR.DS-5
dac76a
     srg: SRG-OS-000480-GPOS-00227
dac76a
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
dac76a
index 5a80d04763..ca1cc19eeb 100644
dac76a
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
dac76a
@@ -21,7 +21,8 @@ identifiers:
dac76a
     cce@rhel8: 82898-8
dac76a
 
dac76a
 references:
dac76a
-    cis: 5.2.1
dac76a
+    cis@rhel7: 5.2.1
dac76a
+    cis@rhel8: 5.2.1
dac76a
     nist: AC-17(a),CM-6(a),AC-6(1)
dac76a
     nist-csf: PR.AC-4,PR.DS-5
dac76a
     srg: SRG-OS-000480-GPOS-00227
dac76a
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
dac76a
index 13bdab401e..e40868dac4 100644
dac76a
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
dac76a
@@ -21,7 +21,8 @@ identifiers:
dac76a
     cce@rhel8: 82894-7
dac76a
 
dac76a
 references:
dac76a
-    cis: 5.2.1
dac76a
+    cis@rhel7: 5.2.1
dac76a
+    cis@rhel8: 5.2.1
dac76a
     nist: AC-17(a),CM-6(a),AC-6(1)
dac76a
     nist-csf: PR.AC-4,PR.DS-5
dac76a
     srg: SRG-OS-000480-GPOS-00227
From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 13:17:03 +0100
Subject: [PATCH 4/4] Remove incorrect rule selection and its references
Policy would like X11 forwarding disabled, not enabled.
---
 .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
index 5fdca265fa..4dedae6e8b 100644
dac76a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
dac76a
@@ -22,8 +22,6 @@ identifiers:
dac76a
     cce@rhel8: 82421-9
dac76a
 
dac76a
 references:
dac76a
-    cis@rhel7: 5.2.4
dac76a
-    cis@rhel8: 5.2.6
dac76a
     cui: 3.1.13
dac76a
     disa: "366"
dac76a
     nist: CM-6(a),AC-17(a),AC-17(2)