Blame SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch

c99e83
From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001
c99e83
From: Shawn Wells <shawn@redhat.com>
c99e83
Date: Sun, 29 Mar 2020 00:58:02 -0400
c99e83
Subject: [PATCH 01/20] update CIS RHEL8 profile
c99e83
c99e83
---
c99e83
 .../service_crond_enabled/rule.yml            |   2 +-
c99e83
 .../r_services/no_rsh_trust_files/rule.yml    |   8 +-
c99e83
 .../rule.yml                                  |   2 +-
c99e83
 .../account_unique_name/rule.yml              |  11 +-
c99e83
 .../accounts_maximum_age_login_defs/rule.yml  |   2 +-
c99e83
 .../accounts_minimum_age_login_defs/rule.yml  |   1 +
c99e83
 .../rule.yml                                  |   1 +
c99e83
 .../var_accounts_maximum_age_login_defs.var   |   1 +
c99e83
 .../password_storage/no_netrc_files/rule.yml  |   4 +-
c99e83
 .../accounts_no_uid_except_zero/rule.yml      |   2 +-
c99e83
 .../no_direct_root_logins/rule.yml            |   2 +-
c99e83
 .../rule.yml                                  |   1 +
c99e83
 .../accounts-session/accounts_tmout/rule.yml  |   1 +
c99e83
 .../rule.yml                                  |   1 +
c99e83
 .../rule.yml                                  |   1 +
c99e83
 .../file_permissions_home_dirs/rule.yml       |   4 +-
c99e83
 .../rsyslog_files_permissions/rule.yml        |   2 +-
c99e83
 .../ensure_logrotate_activated/rule.yml       |   1 +
c99e83
 .../package_rsyslog_installed/rule.yml        |   2 +-
c99e83
 .../rsyslog_nolisten/rule.yml                 |   2 +
c99e83
 .../rsyslog_remote_loghost/rule.yml           |   4 +-
c99e83
 .../logging/service_rsyslog_enabled/rule.yml  |   2 +-
c99e83
 rhel8/profiles/cis.profile                    | 141 ++++++++++++------
c99e83
 shared/references/cce-redhat-avail.txt        |   2 -
c99e83
 24 files changed, 137 insertions(+), 63 deletions(-)
c99e83
c99e83
diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
c99e83
index a1f82cf5c9..09d1a92a55 100644
c99e83
--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
c99e83
+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
c99e83
@@ -24,7 +24,7 @@ identifiers:
c99e83
 references:
c99e83
     stigid@rhel6: "000224"
c99e83
     srg@rhel6: SRG-OS-999999
c99e83
-    cis: 5.1.1
c99e83
+    cis@rhel8: 5.1.1
c99e83
     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
c99e83
     nist: CM-6(a)
c99e83
     nist-csf: PR.IP-1,PR.PT-3
c99e83
diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
c99e83
index 2ccf4127b7..ec2fa6c012 100644
c99e83
--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
c99e83
+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
c99e83
@@ -12,9 +12,9 @@ description: |-
c99e83
     
$ rm ~/.rhosts
c99e83
 
c99e83
 rationale: |-
c99e83
-    Trust files are convenient, but when
c99e83
-    used in conjunction with the R-services, they can allow
c99e83
-    unauthenticated access to a system.
c99e83
+    This action is only meaningful if <tt>.rhosts</tt> support is permitted
c99e83
+    through PAM. Trust files are convenient, but when used in conjunction with
c99e83
+    the R-services, they can allow unauthenticated access to a system.
c99e83
 
c99e83
 severity: high
c99e83
 
c99e83
@@ -26,7 +26,7 @@ identifiers:
c99e83
 references:
c99e83
     stigid@rhel6: "000019"
c99e83
     srg@rhel6: SRG-OS-000248
c99e83
-    cis: 6.2.14
c99e83
+    cis@rhel8: 6.2.13
c99e83
     disa: "1436"
c99e83
     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
c99e83
     nist: CM-7(a),CM-7(b),CM-6(a)
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
c99e83
index fff30d70c7..7a1538392a 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
c99e83
@@ -43,7 +43,7 @@ references:
c99e83
     stigid@rhel6: "000062"
c99e83
     srg@rhel6: SRG-OS-000120
c99e83
     disa@rhel6: '803'
c99e83
-    cis: 6.3.1
c99e83
+    cis@rhel8: 5.4.4
c99e83
     cjis: 5.6.2.2
c99e83
     cui: 3.13.11
c99e83
     disa: "196"
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
index 2cdafc0609..35652a410b 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
@@ -2,9 +2,15 @@ documentation_complete: true
c99e83
 
c99e83
 title: 'Ensure All Accounts on the System Have Unique Names'
c99e83
 
c99e83
-description: 'Change usernames, or delete accounts, so each has a unique name.'
c99e83
+description: |-
c99e83
+    Although the <tt>useradd</tt> utility prevents creation of duplicate user
c99e83
+    names, it is possible for a malicious administrator to manually edit the
c99e83
+    <tt>/etc/passwd</tt> file and change the user name.
c99e83
 
c99e83
-rationale: 'Unique usernames allow for accountability on the system.'
c99e83
+rationale: |-
c99e83
+    If a user is assigned a duplicate user name, the new user will be able to
c99e83
+    create and have access to files with the first UID for that username as
c99e83
+    defined in <tt>/etc/passwd</tt>.
c99e83
 
c99e83
 severity: medium
c99e83
 
c99e83
@@ -19,6 +25,7 @@ references:
c99e83
     cjis: 5.5.2
c99e83
     disa: 770,804
c99e83
     pcidss: Req-8.1.1
c99e83
+    cis@rhel8: 6.2.17
c99e83
 
c99e83
 ocil_clause: 'a line is returned'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
c99e83
index af1ea13d8f..c2c4aa11bc 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
c99e83
@@ -34,7 +34,7 @@ references:
c99e83
     stigid@rhel6: "000053"
c99e83
     srg@rhel6: SRG-OS-000076
c99e83
     disa@rhel6: '180'
c99e83
-    cis: 5.4.1.1
c99e83
+    cis@rhel8: 5.5.1.1
c99e83
     cjis: 5.6.2.1
c99e83
     cui: 3.5.6
c99e83
     disa: "199"
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
c99e83
index 2de12efb3e..6147d672a4 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
c99e83
@@ -44,6 +44,7 @@ references:
c99e83
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
c99e83
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
c99e83
     cis-csc: 1,12,15,16,5
c99e83
+    cis@rhel8: 5.5.1.2
c99e83
 
c99e83
 ocil_clause: 'it is not equal to or greater than the required value'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
c99e83
index 3a5c00708d..2a1005bd20 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
c99e83
@@ -33,6 +33,7 @@ references:
c99e83
     cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
c99e83
     iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
c99e83
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8
c99e83
+    cis@rhel8: 5.5.1.3
c99e83
 
c99e83
 ocil_clause: 'it is not set to the required value'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
c99e83
index 731f8f475f..11eb238c5d 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
c99e83
@@ -9,6 +9,7 @@ type: number
c99e83
 interactive: false
c99e83
 
c99e83
 options:
c99e83
+    365: 365
c99e83
     120: 120
c99e83
     180: 180
c99e83
     60: 60
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
c99e83
index 01454a7274..8547893201 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
c99e83
@@ -11,8 +11,7 @@ description: |-
c99e83
 
c99e83
 rationale: |-
c99e83
     Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt>
c99e83
-    files. DoD policy requires passwords be encrypted in storage and not used
c99e83
-    in access scripts.
c99e83
+    files. 
c99e83
 
c99e83
 severity: medium
c99e83
 
c99e83
@@ -24,6 +23,7 @@ identifiers:
c99e83
 references:
c99e83
     stigid@rhel6: "000347"
c99e83
     srg@rhel6: SRG-OS-000073
c99e83
+    cis@rhel8: 6.2.11
c99e83
     disa: "196"
c99e83
     nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7)
c99e83
     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
c99e83
index 0b61daf925..14f9140687 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
c99e83
@@ -31,7 +31,7 @@ references:
c99e83
     stigid@ol7: "020310"
c99e83
     stigid@rhel6: "000032"
c99e83
     srg@rhel6: SRG-OS-999999
c99e83
-    cis: 6.2.5
c99e83
+    cis@rhel8: 6.2.6
c99e83
     cui: 3.1.1,3.1.5
c99e83
     disa: "366"
c99e83
     nist: IA-2,AC-6(5),IA-4(b)
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
c99e83
index 1d08bde4d9..9e00f3aad6 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
c99e83
@@ -33,7 +33,7 @@ identifiers:
c99e83
     cce@ocp4: 82698-2
c99e83
 
c99e83
 references:
c99e83
-    cis: "5.5"
c99e83
+    cis@rhel8: "5.6"
c99e83
     cui: 3.1.1,3.1.6
c99e83
     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
c99e83
     nist: IA-2,CM-6(a)
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
c99e83
index ae8ba133b7..0c26ac3240 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
c99e83
@@ -35,6 +35,7 @@ references:
c99e83
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
c99e83
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
c99e83
     cis-csc: 12,13,14,15,16,18,3,5
c99e83
+    cis@rhel8: "5.6"
c99e83
     srg: SRG-OS-000324-GPOS-00125
c99e83
 
c99e83
 ocil_clause: 'root login over virtual console devices is permitted'
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
c99e83
index 787f2264de..f09006b72b 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
c99e83
@@ -38,6 +38,7 @@ references:
c99e83
     cobit5: DSS05.04,DSS05.10,DSS06.10
c99e83
     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
c99e83
     cis-csc: 1,12,15,16
c99e83
+    cis@rhel8: 5.5.3
c99e83
     anssi: NT28(R29)
c99e83
 
c99e83
 ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
c99e83
index e7e9a751a4..bedf3a0b19 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
c99e83
@@ -27,6 +27,7 @@ references:
c99e83
     disa: "366"
c99e83
     srg: SRG-OS-000480-GPOS-00227
c99e83
     stigid@rhel7: "020620"
c99e83
+    cis@rhel8: 6.2.20
c99e83
 
c99e83
 ocil_clause: 'users home directory does not exist'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
c99e83
index d58884235e..1c5ac8d099 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
c99e83
@@ -26,6 +26,7 @@ references:
c99e83
     disa: "366"
c99e83
     srg: SRG-OS-000480-GPOS-00227
c99e83
     stigid@rhel7: "020650"
c99e83
+    cis@rhel8: 6.2.8
c99e83
 
c99e83
 ocil_clause: 'the group ownership is incorrect'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
c99e83
index 8812f9d123..27c190b5b1 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
c99e83
@@ -22,11 +22,12 @@ rationale: |-
c99e83
     to one another's home directories, this can be provided using
c99e83
     groups or ACLs.
c99e83
 
c99e83
-severity: unknown
c99e83
+severity: medium
c99e83
 
c99e83
 identifiers:
c99e83
     cce@rhel6: 26981-1
c99e83
     cce@rhel7: 80201-7
c99e83
+    cce@rhel8: 84274-0
c99e83
 
c99e83
 references:
c99e83
     disa: "225"
c99e83
@@ -37,6 +38,7 @@ references:
c99e83
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
c99e83
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
c99e83
     cis-csc: 12,13,14,15,16,18,3,5
c99e83
+    cis@rhel8: 6.2.7
c99e83
 
c99e83
 ocil_clause: 'the user home directory is group-writable or world-readable'
c99e83
 
c99e83
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
c99e83
index 4c1e69020b..aa6e0905ae 100644
c99e83
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
c99e83
@@ -31,7 +31,7 @@ references:
c99e83
     anssi: NT28(R36)
c99e83
     stigid@rhel6: "000135"
c99e83
     srg@rhel6: SRG-OS-000206
c99e83
-    cis: 4.2.1.3
c99e83
+    cis@rhel8: 4.2.1.3
c99e83
     disa: "1314"
c99e83
     nist: CM-6(a),AC-6(1)
c99e83
     pcidss: Req-10.5.1,Req-10.5.2
c99e83
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
index def9566692..2c41a3b9ef 100644
c99e83
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
@@ -35,6 +35,7 @@ references:
c99e83
     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
c99e83
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
c99e83
     cis-csc: 1,14,15,16,3,5,6
c99e83
+    cis@rhel8: 4.3
c99e83
     anssi: NT28(R43),NT12(R18)
c99e83
 
c99e83
 ocil_clause: 'logrotate is not configured to run daily'
c99e83
diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
c99e83
index 9f00dd9704..00fecf8a3c 100644
c99e83
--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
c99e83
@@ -18,7 +18,7 @@ identifiers:
c99e83
 references:
c99e83
     cis@debian8: 5.1.1
c99e83
     anssi: NT28(R5),NT28(R46)
c99e83
-    cis: 4.2.3
c99e83
+    cis@rhel8: 4.2.1.1
c99e83
     disa: 1311,1312
c99e83
     hipaa: 164.312(a)(2)(ii)
c99e83
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
c99e83
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
c99e83
index 8a5a15e1da..14e729252c 100644
c99e83
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
c99e83
@@ -26,6 +26,7 @@ severity: medium
c99e83
 identifiers:
c99e83
     cce@rhel6: 26803-7
c99e83
     cce@rhel7: 80192-8
c99e83
+    cce@rhel8: 84275-7
c99e83
 
c99e83
 references:
c99e83
     stigid@ol7: "031010"
c99e83
@@ -39,3 +40,4 @@ references:
c99e83
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
c99e83
     cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
c99e83
     stigid@rhel7: "031010"
c99e83
+    cis@rhel8: 4.2.1.6
c99e83
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
c99e83
index 7b70b0c186..da28b99561 100644
c99e83
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
c99e83
@@ -46,8 +46,8 @@ references:
c99e83
     anssi: NT28(R7),NT28(R43),NT12(R5)
c99e83
     stigid@rhel6: "000136"
c99e83
     srg@rhel6: SRG-OS-000043,SRG-OS-000215
c99e83
-    cis: 4.2.1.4
c99e83
-    disa: 136,366,1348,1851
c99e83
+    cis@rhel8: 4.2.1.5
c99e83
+    disa: 366,1348,136,1851
c99e83
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
c99e83
     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1
c99e83
     nist: CM-6(a),AU-4(1),AU-9(2)
c99e83
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
c99e83
index ce8347c686..92fd6bc4d8 100644
c99e83
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
c99e83
@@ -20,7 +20,7 @@ identifiers:
c99e83
 references:
c99e83
     cis@debian8: 5.1.2
c99e83
     anssi: NT28(R5),NT28(R46)
c99e83
-    cis: 4.2.1.1
c99e83
+    cis@rhel8: 4.2.1.2
c99e83
     disa: 1311,1312,1557,1851
c99e83
     hipaa: 164.312(a)(2)(ii)
c99e83
     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index cc0c2a5b9a..528f17d696 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -602,87 +602,88 @@ selections:
c99e83
 
c99e83
     ### 4.1.9 Ensure discretionary access control permission modification
c99e83
     ###       events are collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
c99e83
     
c99e83
     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
c99e83
     ###        collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
c99e83
 
c99e83
     ### 4.1.11 Ensure events that modify user/group information are
c99e83
     ###        collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
c99e83
 
c99e83
     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
c99e83
 
c99e83
     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
c99e83
 
c99e83
     ### 4.1.14 Ensure file deletion events by users are collected
c99e83
     ###        (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
c99e83
 
c99e83
     ### 4.1.15 Ensure kernel module loading and unloading is collected
c99e83
     ###        (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
c99e83
 
c99e83
     ### 4.1.16 Ensure system administrator actions (sudolog) are
c99e83
     ###        collected (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
c99e83
 
c99e83
     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
c99e83
 
c99e83
     ## 4.2 Configure Logging
c99e83
 
c99e83
     ### 4.2.1 Configure rsyslog
c99e83
 
c99e83
     #### 4.2.1.1 Ensure rsyslog is installed (Scored)
c99e83
-
c99e83
+    - package_rsyslog_installed
c99e83
 
c99e83
     #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
c99e83
-
c99e83
+    - service_rsyslog_enabled
c99e83
 
c99e83
     #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
c99e83
-
c99e83
+    - rsyslog_files_permissions
c99e83
 
c99e83
     #### 4.2.1.4 Ensure logging is configured (Not Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
c99e83
 
c99e83
     #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
c99e83
     ####         log host (Scored)   
c99e83
-
c99e83
+    - rsyslog_remote_loghost
c99e83
 
c99e83
     #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
c99e83
     ####         designated log hosts (Not Scored)
c99e83
-
c99e83
+    - rsyslog_nolisten
c99e83
 
c99e83
     ### 4.2.2 Configure journald
c99e83
 
c99e83
     #### 4.2.2.1 Ensure journald is configured to send logs to
c99e83
     ####         rsyslog (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
c99e83
 
c99e83
     #### 4.2.2.2 Ensure journald is configured to compress large
c99e83
     ####         log files (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
c99e83
 
c99e83
 
c99e83
     #### 4.2.2.3 Ensure journald is configured to write logfiles to
c99e83
     ####         persistent disk (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
c99e83
 
c99e83
     ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
c99e83
 
c99e83
     ## 4.3 Ensure logrotate is conifgured (Not Scored)
c99e83
-
c99e83
+    - ensure_logrotate_activated
c99e83
 
c99e83
     # 5 Access, Authentication and Authorization
c99e83
 
c99e83
     ## 5.1 Configure cron
c99e83
 
c99e83
-
c99e83
     ### 5.1.1 Ensure cron daemon is enabled (Scored)
c99e83
+    - service_crond_enabled
c99e83
 
c99e83
 
c99e83
     ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
c99e83
@@ -790,19 +791,19 @@ selections:
c99e83
 
c99e83
     ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
c99e83
     ###        or less (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
c99e83
 
c99e83
     ### 5.2.15 Ensure SSH warning banner is configured (Scored)
c99e83
     - sshd_enable_warning_banner
c99e83
 
c99e83
     ### 5.2.16 Ensure SSH PAM is enabled (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
c99e83
 
c99e83
     ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
c99e83
     - sshd_disable_tcp_forwarding
c99e83
 
c99e83
     ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
c99e83
 
c99e83
     ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
c99e83
     - sshd_set_max_sessions
c99e83
@@ -815,69 +816,75 @@ selections:
c99e83
 
c99e83
 
c99e83
     ### 5.3.1 Create custom authselectet profile (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
c99e83
 
c99e83
     ### 5.3.2 Select authselect profile (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
c99e83
 
c99e83
     ### 5.3.3 Ensure authselect includes with-faillock (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
c99e83
 
c99e83
     ## 5.4 Configure PAM
c99e83
 
c99e83
     ### 5.4.1 Ensure password creation requirements are configured (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
c99e83
 
c99e83
     ### 5.4.2 Ensure lockout for failed password attempts is
c99e83
     ###       configured (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
c99e83
 
c99e83
     ### 5.4.3 Ensure password reuse is limited (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
c99e83
 
c99e83
     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
c99e83
-
c99e83
+    - set_password_hashing_algorithm_systemauth
c99e83
 
c99e83
     ## 5.5 User Accounts and Environment
c99e83
 
c99e83
     ### 5.5.1 Set Shadow Password Suite Parameters
c99e83
 
c99e83
     #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
c99e83
-
c99e83
+    - var_accounts_maximum_age_login_defs=365
c99e83
+    - accounts_maximum_age_login_defs
c99e83
 
c99e83
     #### 5.5.1.2 Ensure minimum days between password changes is 7
c99e83
     ####         or more (Scored)
c99e83
-
c99e83
+    - var_accounts_minimum_age_login_defs=7
c99e83
+    - accounts_minimum_age_login_defs
c99e83
 
c99e83
     #### 5.5.1.3 Ensure password expiration warning days is
c99e83
     ####         7 or more (Scored)
c99e83
-
c99e83
+    - var_accounts_password_warn_age_login_defs=7
c99e83
+    - accounts_password_warn_age_login_defs
c99e83
 
c99e83
     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
c99e83
 
c99e83
     #### 5.5.1.5 Ensure all users last password change date is
c99e83
     ####         in the past (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
c99e83
 
c99e83
     ### 5.5.2 Ensure system accounts are secured (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
c99e83
 
c99e83
     ### 5.5.3 Ensure default user shell timeout is 900 seconds
c99e83
     ###       or less (Scored)
c99e83
-
c99e83
+    - var_accounts_tmout=15_min
c99e83
+    - accounts_tmout
c99e83
 
c99e83
     ### 5.5.4 Ensure default group for the root account is
c99e83
     ###       GID 0 (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
c99e83
 
c99e83
     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
c99e83
-
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
c99e83
 
c99e83
     ## 5.6 Ensure root login is restricted to system console (Not Scored)
c99e83
-
c99e83
+    - securetty_root_login_console_only
c99e83
+    - no_direct_root_logins
c99e83
 
c99e83
     ## 5.7 Ensure access to the su command is restricted (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
c99e83
 
c99e83
     # System Maintenance
c99e83
 
c99e83
@@ -971,8 +978,58 @@ selections:
c99e83
     ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
c99e83
     - no_legacy_plus_entries_etc_passwd
c99e83
 
c99e83
-    ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
c99e83
+    ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
c99e83
     - no_legacy_plus_entries_etc_shadow
c99e83
 
c99e83
-    ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
c99e83
+    ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
c99e83
     - no_legacy_plus_entries_etc_group
c99e83
+
c99e83
+    ### 6.2.6 Ensure root is the only UID 0 account (Scored)
c99e83
+    - accounts_no_uid_except_zero
c99e83
+
c99e83
+    ### 6.2.7 Ensure users' home directories permissions are 750
c99e83
+    ###       or more restrictive (Scored)
c99e83
+    - file_permissions_home_dirs
c99e83
+
c99e83
+    ### 6.2.8 Ensure users own their home directories (Scored)
c99e83
+    # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
c99e83
+    - file_groupownership_home_directories
c99e83
+
c99e83
+    ### 6.2.9 Ensure users' dot files are not group or world
c99e83
+    ###       writable (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
c99e83
+
c99e83
+    ### 6.2.10 Ensure no users have .forward files (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
c99e83
+
c99e83
+    ### 6.2.11 Ensure no users have .netrc files (Scored)
c99e83
+    - no_netrc_files
c99e83
+
c99e83
+    ### 6.2.12 Ensure users' .netrc Files are not group or
c99e83
+    ###        world accessible (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
c99e83
+
c99e83
+    ### 6.2.13 Ensure no users have .rhosts files (Scored)
c99e83
+    - no_rsh_trust_files
c99e83
+
c99e83
+    ### 6.2.14 Ensure all groups in /etc/passwd exist in
c99e83
+    ###        /etc/group (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
c99e83
+
c99e83
+    ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
c99e83
+    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5502
c99e83
+
c99e83
+    ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
c99e83
+    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5501
c99e83
+
c99e83
+    ### 6.2.17 Ensure no duplicate user names exist (Scored)
c99e83
+    - account_unique_name
c99e83
+
c99e83
+    ### 6.2.18 Ensure no duplicate group names exist (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
c99e83
+
c99e83
+    ### 6.2.19 Ensure shadow group is empty (Scored)
c99e83
+    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
c99e83
+
c99e83
+    ### 6.2.20 Ensure all users' home directories exist (Scored)
c99e83
+    - accounts_user_interactive_home_directory_exists
c99e83
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
c99e83
index feb31b0395..9e7bd35178 100644
c99e83
--- a/shared/references/cce-redhat-avail.txt
c99e83
+++ b/shared/references/cce-redhat-avail.txt
c99e83
@@ -901,8 +901,6 @@ CCE-84270-8
c99e83
 CCE-84271-6
c99e83
 CCE-84272-4
c99e83
 CCE-84273-2
c99e83
-CCE-84274-0
c99e83
-CCE-84275-7
c99e83
 CCE-84276-5
c99e83
 CCE-84277-3
c99e83
 CCE-84278-1
c99e83
c99e83
From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001
c99e83
From: Shawn Wells <shawn@shawndwells.io>
c99e83
Date: Sat, 25 Apr 2020 18:52:21 -0400
c99e83
Subject: [PATCH 02/20] misc cis8 updates
c99e83
c99e83
---
c99e83
 .../accounts_users_home_files_ownership/rule.yml                | 1 +
c99e83
 .../logging/log_rotation/ensure_logrotate_activated/rule.yml    | 2 +-
c99e83
 2 files changed, 2 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
c99e83
index a9c73e46ac..8e225cdc64 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
c99e83
@@ -24,6 +24,7 @@ references:
c99e83
     stigid@ol7: "020660"
c99e83
     disa: "366"
c99e83
     srg: SRG-OS-000480-GPOS-00227
c99e83
+    cis@rhel8: 6.2.8
c99e83
     stigid@rhel7: "020660"
c99e83
 
c99e83
 ocil_clause: 'the user ownership is incorrect'
c99e83
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
index 2c41a3b9ef..6e569edfa9 100644
c99e83
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
c99e83
@@ -35,7 +35,7 @@ references:
c99e83
     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
c99e83
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
c99e83
     cis-csc: 1,14,15,16,3,5,6
c99e83
-    cis@rhel8: 4.3
c99e83
+    cis@rhel8: "4.3"
c99e83
     anssi: NT28(R43),NT12(R18)
c99e83
 
c99e83
 ocil_clause: 'logrotate is not configured to run daily'
c99e83
c99e83
From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 22:32:44 +0200
c99e83
Subject: [PATCH 03/20] Add auxiliary rule for dconf settings
c99e83
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 ++
c99e83
 1 file changed, 2 insertions(+)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 528f17d696..202db7f693 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -8,6 +8,8 @@ description: |-
c99e83
     09-30-2019.
c99e83
 
c99e83
 selections:
c99e83
+    # Necessary for dconf rules
c99e83
+    - dconf_db_up_to_date
c99e83
 
c99e83
     ### Partitioning
c99e83
     - mount_option_home_nodev
c99e83
c99e83
From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 22:43:20 +0200
c99e83
Subject: [PATCH 04/20] Update time synchonization rule selections
c99e83
c99e83
In RHEL8, only chrony is available
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 6 ++++--
c99e83
 1 file changed, 4 insertions(+), 2 deletions(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 202db7f693..762d4a04e3 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -256,10 +256,12 @@ selections:
c99e83
     ### 2.2.1 Time Synchronization
c99e83
 
c99e83
     #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
c99e83
-    - service_chronyd_or_ntpd_enabled
c99e83
+    - package_chrony_installed
c99e83
 
c99e83
     #### 2.2.1.2 Ensure chrony is configured (Scored)
c99e83
-    - chronyd_or_ntpd_specify_remote_server
c99e83
+    - service_chronyd_enabled
c99e83
+    - chronyd_specify_remote_server
c99e83
+    - chronyd_run_as_chrony_user
c99e83
 
c99e83
     ### 2.2.2 Ensure X Window System is not installed (Scored)
c99e83
     - package_xorg-x11-server-common_removed
c99e83
c99e83
From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 22:49:55 +0200
c99e83
Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects
c99e83
c99e83
Fixes: #5234
c99e83
Fixes: #5235
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 4 ++--
c99e83
 1 file changed, 2 insertions(+), 2 deletions(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 762d4a04e3..3a8e19259b 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -371,14 +371,14 @@ selections:
c99e83
     - sysctl_net_ipv6_conf_all_accept_redirects
c99e83
 
c99e83
     #### net.ipv6.conf.defaults.accept_redirects = 0
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234
c99e83
+    - sysctl_net_ipv6_conf_default_accept_redirects
c99e83
 
c99e83
     ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
c99e83
     #### net.ipv4.conf.all.secure_redirects = 0
c99e83
     - sysctl_net_ipv4_conf_all_secure_redirects
c99e83
 
c99e83
     #### net.ipv4.cof.default.secure_redirects = 0
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235
c99e83
+    - sysctl_net_ipv4_conf_default_secure_redirects
c99e83
 
c99e83
     ### 3.2.4 Ensure suspicious packets are logged (Scored)
c99e83
     #### net.ipv4.conf.all.log_martians = 1
c99e83
c99e83
From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:02:09 +0200
c99e83
Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS
c99e83
c99e83
Fixes: #5509
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 14 +++++++++++++-
c99e83
 1 file changed, 13 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 3a8e19259b..a990de4565 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -606,7 +606,19 @@ selections:
c99e83
 
c99e83
     ### 4.1.9 Ensure discretionary access control permission modification
c99e83
     ###       events are collected (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
c99e83
+    - audit_rules_dac_modification_chmod
c99e83
+    - audit_rules_dac_modification_fchmod
c99e83
+    - audit_rules_dac_modification_fchmodat
c99e83
+    - audit_rules_dac_modification_chown
c99e83
+    - audit_rules_dac_modification_fchown
c99e83
+    - audit_rules_dac_modification_fchownat
c99e83
+    - audit_rules_dac_modification_lchown
c99e83
+    - audit_rules_dac_modification_setxattr
c99e83
+    - audit_rules_dac_modification_lsetxattr
c99e83
+    - audit_rules_dac_modification_fsetxattr
c99e83
+    - audit_rules_dac_modification_removexattr
c99e83
+    - audit_rules_dac_modification_lremovexattr
c99e83
+    - audit_rules_dac_modification_fremovexattr
c99e83
     
c99e83
     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
c99e83
     ###        collected (Scored)
c99e83
c99e83
From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:07:34 +0200
c99e83
Subject: [PATCH 07/20] Select rules for unsuccessful modification
c99e83
c99e83
Fixes: #5510
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 8 +++++++-
c99e83
 1 file changed, 7 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index a990de4565..db54d9ece5 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -622,7 +622,13 @@ selections:
c99e83
     
c99e83
     ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
c99e83
     ###        collected (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
c99e83
+    - audit_rules_unsuccessful_file_modification_creat
c99e83
+    - audit_rules_unsuccessful_file_modification_open
c99e83
+    - audit_rules_unsuccessful_file_modification_openat
c99e83
+    - audit_rules_unsuccessful_file_modification_truncate
c99e83
+    - audit_rules_unsuccessful_file_modification_ftruncate
c99e83
+    # Opinionated selection
c99e83
+    - audit_rules_unsuccessful_file_modification_open_by_handle_at
c99e83
 
c99e83
     ### 4.1.11 Ensure events that modify user/group information are
c99e83
     ###        collected (Scored)
c99e83
c99e83
From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:10:45 +0200
c99e83
Subject: [PATCH 08/20] Select rules for user/group modification
c99e83
c99e83
Fixes: #5511
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 6 +++++-
c99e83
 1 file changed, 5 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index db54d9ece5..f8ec16b9a8 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -632,7 +632,11 @@ selections:
c99e83
 
c99e83
     ### 4.1.11 Ensure events that modify user/group information are
c99e83
     ###        collected (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
c99e83
+    - audit_rules_usergroup_modification_passwd
c99e83
+    - audit_rules_usergroup_modification_group
c99e83
+    - audit_rules_usergroup_modification_gshadow
c99e83
+    - audit_rules_usergroup_modification_shadow
c99e83
+    - audit_rules_usergroup_modification_opasswd
c99e83
 
c99e83
     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
c99e83
c99e83
From 86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:12:58 +0200
c99e83
Subject: [PATCH 09/20] Audit successful system mounts
c99e83
c99e83
Fixes: #5512
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 +-
c99e83
 1 file changed, 1 insertion(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index f8ec16b9a8..e4f5313e3e 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -639,7 +639,7 @@ selections:
c99e83
     - audit_rules_usergroup_modification_opasswd
c99e83
 
c99e83
     ### 4.1.12 Ensure successful file system mounts are collected (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
c99e83
+    - audit_rules_media_export
c99e83
 
c99e83
     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
c99e83
c99e83
From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:14:21 +0200
c99e83
Subject: [PATCH 10/20] Audit privileged commands
c99e83
c99e83
Fixes: #5513
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 +-
c99e83
 1 file changed, 1 insertion(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index e4f5313e3e..087dd79bb5 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -642,7 +642,7 @@ selections:
c99e83
     - audit_rules_media_export
c99e83
 
c99e83
     ### 4.1.13 Ensure use of privileged commands is collected (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
c99e83
+    - audit_rules_privileged_commands
c99e83
 
c99e83
     ### 4.1.14 Ensure file deletion events by users are collected
c99e83
     ###        (Scored)
c99e83
c99e83
From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:15:49 +0200
c99e83
Subject: [PATCH 11/20] Audit file deletion events
c99e83
c99e83
Fixes: #5514
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 7 ++++++-
c99e83
 1 file changed, 6 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 087dd79bb5..ca42f24190 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -646,7 +646,12 @@ selections:
c99e83
 
c99e83
     ### 4.1.14 Ensure file deletion events by users are collected
c99e83
     ###        (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
c99e83
+    - audit_rules_file_deletion_events_unlink
c99e83
+    - audit_rules_file_deletion_events_unlinkat
c99e83
+    - audit_rules_file_deletion_events_rename
c99e83
+    - audit_rules_file_deletion_events_renameat
c99e83
+    # Opinionated selection
c99e83
+    - audit_rules_file_deletion_events_rmdir
c99e83
 
c99e83
     ### 4.1.15 Ensure kernel module loading and unloading is collected
c99e83
     ###        (Scored)
c99e83
c99e83
From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:16:33 +0200
c99e83
Subject: [PATCH 12/20] Audit kernel module loads
c99e83
c99e83
Fixes: #5515
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 +-
c99e83
 1 file changed, 1 insertion(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index ca42f24190..5e214941ec 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -655,7 +655,7 @@ selections:
c99e83
 
c99e83
     ### 4.1.15 Ensure kernel module loading and unloading is collected
c99e83
     ###        (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
c99e83
+    - audit_rules_kernel_module_loading
c99e83
 
c99e83
     ### 4.1.16 Ensure system administrator actions (sudolog) are
c99e83
     ###        collected (Scored)
c99e83
c99e83
From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:17:52 +0200
c99e83
Subject: [PATCH 13/20] Audit rules should be immutable
c99e83
c99e83
Fixes: #5517
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 +-
c99e83
 1 file changed, 1 insertion(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 5e214941ec..a0fdd69869 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -662,7 +662,7 @@ selections:
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
c99e83
 
c99e83
     ### 4.1.17 Ensure the audit configuration is immutable (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
c99e83
+    - audit_rules_immutable
c99e83
 
c99e83
     ## 4.2 Configure Logging
c99e83
 
c99e83
c99e83
From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:31:10 +0200
c99e83
Subject: [PATCH 14/20] Select rules for password requirements
c99e83
c99e83
Related to: #5533
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 7 ++++++-
c99e83
 1 file changed, 6 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index a0fdd69869..a55c3291a9 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -858,7 +858,12 @@ selections:
c99e83
     ## 5.4 Configure PAM
c99e83
 
c99e83
     ### 5.4.1 Ensure password creation requirements are configured (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
c99e83
+    # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
c99e83
+    - accounts_password_pam_retry
c99e83
+    - var_password_pam_minlen=14
c99e83
+    - accounts_password_pam_minlen
c99e83
+    - var_password_pam_minclass=4
c99e83
+    - accounts_password_pam_minclass
c99e83
 
c99e83
     ### 5.4.2 Ensure lockout for failed password attempts is
c99e83
     ###       configured (Scored)
c99e83
c99e83
From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:35:50 +0200
c99e83
Subject: [PATCH 15/20] Configure password lockout
c99e83
c99e83
Fixes: #5534
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 5 ++++-
c99e83
 1 file changed, 4 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index a55c3291a9..6e10c2efcb 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -867,7 +867,10 @@ selections:
c99e83
 
c99e83
     ### 5.4.2 Ensure lockout for failed password attempts is
c99e83
     ###       configured (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
c99e83
+    - var_accounts_passwords_pam_faillock_unlock_time=900
c99e83
+    - var_accounts_passwords_pam_faillock_deny=5
c99e83
+    - accounts_passwords_pam_faillock_unlock_time
c99e83
+    - accounts_passwords_pam_faillock_deny
c99e83
 
c99e83
     ### 5.4.3 Ensure password reuse is limited (Scored)
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
c99e83
c99e83
From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:38:58 +0200
c99e83
Subject: [PATCH 16/20] Configure password reuse
c99e83
c99e83
Fixes: #5535
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 3 ++-
c99e83
 1 file changed, 2 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 6e10c2efcb..2fa85d8676 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -873,7 +873,8 @@ selections:
c99e83
     - accounts_passwords_pam_faillock_deny
c99e83
 
c99e83
     ### 5.4.3 Ensure password reuse is limited (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
c99e83
+    - var_password_pam_unix_remember=5
c99e83
+    - accounts_password_pam_unix_remember
c99e83
 
c99e83
     ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
c99e83
     - set_password_hashing_algorithm_systemauth
c99e83
c99e83
From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:43:04 +0200
c99e83
Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting
c99e83
c99e83
Related to: #5536
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 5 ++++-
c99e83
 1 file changed, 4 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 2fa85d8676..e0fd5e1492 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -898,7 +898,10 @@ selections:
c99e83
     - accounts_password_warn_age_login_defs
c99e83
 
c99e83
     #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
c99e83
+    # TODO: Rule doesn't check list of users
c99e83
+    # https://github.com/ComplianceAsCode/content/issues/5536
c99e83
+    - var_account_disable_post_pw_expiration=30
c99e83
+    - account_disable_post_pw_expiration
c99e83
 
c99e83
     #### 5.5.1.5 Ensure all users last password change date is
c99e83
     ####         in the past (Scored)
c99e83
c99e83
From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:46:48 +0200
c99e83
Subject: [PATCH 18/20] No shelllogin for system accounts
c99e83
c99e83
Fixes: #5538
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 2 +-
c99e83
 1 file changed, 1 insertion(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index e0fd5e1492..0431fb0d45 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -908,7 +908,7 @@ selections:
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
c99e83
 
c99e83
     ### 5.5.2 Ensure system accounts are secured (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
c99e83
+    - no_shelllogin_for_systemaccounts
c99e83
 
c99e83
     ### 5.5.3 Ensure default user shell timeout is 900 seconds
c99e83
     ###       or less (Scored)
c99e83
c99e83
From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 23:54:07 +0200
c99e83
Subject: [PATCH 19/20] Partially cover umask requirements
c99e83
c99e83
Related to: #5540
c99e83
---
c99e83
 rhel8/profiles/cis.profile | 4 +++-
c99e83
 1 file changed, 3 insertions(+), 1 deletion(-)
c99e83
c99e83
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
c99e83
index 0431fb0d45..f332ee5462 100644
c99e83
--- a/rhel8/profiles/cis.profile
c99e83
+++ b/rhel8/profiles/cis.profile
c99e83
@@ -920,7 +920,9 @@ selections:
c99e83
     # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
c99e83
 
c99e83
     ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
c99e83
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
c99e83
+    - var_accounts_user_umask=027
c99e83
+    - accounts_umask_etc_bashrc
c99e83
+    - accounts_umask_etc_profile
c99e83
 
c99e83
     ## 5.6 Ensure root login is restricted to system console (Not Scored)
c99e83
     - securetty_root_login_console_only
c99e83
c99e83
From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001
c99e83
From: Watson Sato <wsato@redhat.com>
c99e83
Date: Tue, 19 May 2020 22:31:16 +0200
c99e83
Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and
c99e83
 OCIL
c99e83
c99e83
---
c99e83
 .../account_unique_name/rule.yml              | 19 +++++++++----------
c99e83
 1 file changed, 9 insertions(+), 10 deletions(-)
c99e83
c99e83
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
index 35652a410b..909f1b6657 100644
c99e83
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
c99e83
@@ -3,14 +3,13 @@ documentation_complete: true
c99e83
 title: 'Ensure All Accounts on the System Have Unique Names'
c99e83
 
c99e83
 description: |-
c99e83
-    Although the <tt>useradd</tt> utility prevents creation of duplicate user
c99e83
-    names, it is possible for a malicious administrator to manually edit the
c99e83
-    <tt>/etc/passwd</tt> file and change the user name.
c99e83
+    Ensure accounts on the system have unique names.
c99e83
 
c99e83
-rationale: |-
c99e83
-    If a user is assigned a duplicate user name, the new user will be able to
c99e83
-    create and have access to files with the first UID for that username as
c99e83
-    defined in <tt>/etc/passwd</tt>.
c99e83
+    To ensure all accounts have unique names, run the following command:
c99e83
+    
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
c99e83
+    If a username is returned, change or delete the username.
c99e83
+
c99e83
+rationale: 'Unique usernames allow for accountability on the system.'
c99e83
 
c99e83
 severity: medium
c99e83
 
c99e83
@@ -30,6 +29,6 @@ references:
c99e83
 ocil_clause: 'a line is returned'
c99e83
 
c99e83
 ocil: |-
c99e83
-    Run the following command to check for duplicate account names:
c99e83
-    
$ sudo pwck -qr
c99e83
-    If there are no duplicate names, no line will be returned.
c99e83
+    To verify all accounts have unique names, run the following command:
c99e83
+    
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
c99e83
+    No output should be returned.