From 06a1519f5121eb7a2fbf39d31fec3e951191ad57 Mon Sep 17 00:00:00 2001
From: Matus Marhefka <mmarhefk@redhat.com>
Date: Tue, 24 Sep 2019 14:31:03 +0200
Subject: [PATCH] Added RHEL7 CCEs for rules audit_rules_for_ospp and
installed_OS_is_vendor_supported
---
.../system/auditing/policy_rules/audit_rules_for_ospp/rule.yml | 1 +
.../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 +
3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
index bebb86f93d..18a6f2f49a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
@@ -37,6 +37,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82370-8
cce@rhel8: 82309-6
references:
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index 82d9c22726..6a4ff9bc0e 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -28,6 +28,7 @@ warnings:
severity: high
identifiers:
+ cce@rhel7: 82371-6
cce@rhel8: 80947-5
references:
From a22ef605871ed199454eaed3aae02cb033a04b04 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Wed, 30 Oct 2019 15:36:29 +0100
Subject: [PATCH 1/5] Add missing CCEs to rules from ncp profile.
---
.../package_pcsc-lite_installed/rule.yml | 1 +
.../sebool_cron_can_relabel/rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_daemons_dump_core/rule.yml | 3 +
.../sebool_daemons_use_tcp_wrapper/rule.yml | 3 +
.../sebool_daemons_use_tty/rule.yml | 3 +
.../sebool_deny_execmem/rule.yml | 3 +
.../sebool_deny_ptrace/rule.yml | 3 +
.../sebool_domain_fd_use/rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_gpg_web_anon_write/rule.yml | 3 +
.../sebool_guest_exec_content/rule.yml | 3 +
.../sebool_kerberos_enabled/rule.yml | 3 +
.../sebool_logadm_exec_content/rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_logging_syslogd_use_tty/rule.yml | 3 +
.../sebool_login_console_enabled/rule.yml | 3 +
.../sebool_mmap_low_allowed/rule.yml | 3 +
.../sebool_mock_enable_homedirs/rule.yml | 3 +
.../sebool_mount_anyfile/rule.yml | 3 +
.../sebool_polyinstantiation_enabled/rule.yml | 3 +
.../sebool_secadm_exec_content/rule.yml | 3 +
.../sebool_secure_mode/rule.yml | 3 +
.../sebool_secure_mode_insmod/rule.yml | 3 +
.../sebool_secure_mode_policyload/rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_selinuxuser_execheap/rule.yml | 1 +
.../sebool_selinuxuser_execmod/rule.yml | 1 +
.../sebool_selinuxuser_execstack/rule.yml | 1 +
.../rule.yml | 3 +
.../sebool_selinuxuser_ping/rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_selinuxuser_share_music/rule.yml | 3 +
.../sebool_selinuxuser_tcp_server/rule.yml | 3 +
.../sebool_selinuxuser_udp_server/rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_ssh_chroot_rw_homedirs/rule.yml | 3 +
.../sebool_ssh_keysign/rule.yml | 3 +
.../sebool_ssh_sysadm_login/rule.yml | 3 +
.../sebool_staff_exec_content/rule.yml | 3 +
.../sebool_sysadm_exec_content/rule.yml | 3 +
.../sebool_unconfined_login/rule.yml | 3 +
.../sebool_use_ecryptfs_home_dirs/rule.yml | 3 +
.../sebool_user_exec_content/rule.yml | 3 +
.../sebool_xdm_bind_vnc_tcp_port/rule.yml | 3 +
.../sebool_xdm_exec_bootloader/rule.yml | 3 +
.../sebool_xdm_sysadm_login/rule.yml | 3 +
.../sebool_xdm_write_home/rule.yml | 3 +
.../sebool_xguest_connect_network/rule.yml | 3 +
.../sebool_xguest_exec_content/rule.yml | 3 +
.../sebool_xguest_mount_media/rule.yml | 3 +
.../sebool_xguest_use_bluetooth/rule.yml | 3 +
.../rule.yml | 3 +
.../sebool_xserver_execmem/rule.yml | 3 +
.../sebool_xserver_object_manager/rule.yml | 3 +
58 files changed, 163 insertions(+), 57 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index ac9e4f8a17..f7d2cb64b2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82347-6
cce@rhel8: 80993-9
references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
index e7a65fcacb..8cb1b590d2 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82284-1
+
{{{ complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
index 79db9b1d33..3af5c04e41 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82285-8
+
{{{ complete_ocil_entry_sebool_disabled(sebool="cron_system_cronjob_use_shares") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
index ec48f00f8d..e29b865fae 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82286-6
+
{{{ complete_ocil_entry_sebool_enabled(sebool="cron_userdomain_transition") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
index a92c190617..67ff95568e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82287-4
+
{{{ complete_ocil_entry_sebool_disabled(sebool="daemons_dump_core") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
index eff77b941a..cae4936565 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82288-2
+
{{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tcp_wrapper") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
index 9517982a88..3e8749669f 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82289-0
+
{{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tty") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index 489a75feb6..81f490af40 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82290-8
+
{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
index 5213001969..b60ef6cc0c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82291-6
+
{{{ complete_ocil_entry_sebool_disabled(sebool="deny_ptrace") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
index 02b0281f60..7ebcdc08f1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82292-4
+
{{{ complete_ocil_entry_sebool_enabled(sebool="domain_fd_use") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
index aed06f6e60..b55f7449c3 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82293-2
+
{{{ complete_ocil_entry_sebool_disabled(sebool="domain_kernel_load_modules") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
index 9879943020..bd3aef8967 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82294-0
+
{{{ complete_ocil_entry_sebool_disabled(sebool="gpg_web_anon_write") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
index 0cd25b2abf..604add7c40 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82295-7
+
{{{ complete_ocil_entry_sebool_disabled(sebool="guest_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
index 4e046cef2e..9f4eea0835 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82296-5
+
{{{ complete_ocil_entry_sebool_enabled(sebool="kerberos_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
index 09e5b17eee..5c6812d5fc 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82298-1
+
{{{ complete_ocil_entry_sebool_enabled(sebool="logadm_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
index 84c05ea067..21a1476843 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82299-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="logging_syslogd_can_sendmail") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
index 4600b4d2a4..faa4b66598 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82300-5
+
{{{ complete_ocil_entry_sebool_enabled(sebool="logging_syslogd_use_tty") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
index f06a939af2..65d8b21785 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82301-3
+
{{{ complete_ocil_entry_sebool_enabled(sebool="login_console_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
index e9b55edff6..f3fb149cd6 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82302-1
+
{{{ complete_ocil_entry_sebool_disabled(sebool="mmap_low_allowed") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
index 4222d2b1dd..7f6303b37d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82303-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="mock_enable_homedirs") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
index e172deda7e..ee010438d9 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82304-7
+
{{{ complete_ocil_entry_sebool_enabled(sebool="mount_anyfile") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
index 32b48441c6..9bd370ac94 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82305-4
+
{{{ complete_ocil_entry_sebool_disabled(sebool="polyinstantiation_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
index 6699164b3a..5e404adfe8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82306-2
+
{{{ complete_ocil_entry_sebool_enabled(sebool="secadm_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
index 19ff0ff859..c021a016cd 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82307-0
+
{{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
index 020ade04d0..45513725d8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
@@ -16,4 +16,7 @@ references:
severity: medium
+identifiers:
+ cce@rhel7: 82308-8
+
{{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
index 4dc1dd57f9..5259ec3776 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82310-4
+
{{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_policyload") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
index 7389882aba..4d76582d9d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82311-2
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_direct_dri_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index 3b5276d8d8..bfef9808ed 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -14,6 +14,7 @@ rationale: ""
severity: medium
identifiers:
+ cce@rhel7: 82312-0
cce@rhel8: 80949-1
references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
index 97d65d0175..f8f65b4d20 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
@@ -14,6 +14,7 @@ rationale: ""
severity: medium
identifiers:
+ cce@rhel7: 82313-8
cce@rhel8: 80950-9
references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index d6ed7c355b..785a3e9d06 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -15,6 +15,7 @@ rationale: ""
severity: medium
identifiers:
+ cce@rhel7: 82314-6
cce@rhel8: 80951-7
references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
index c12f9b0b84..18cfd17a78 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82317-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_mysql_connect_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
index d8d6d69f98..25a4cb4c20 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82318-7
+
{{{ complete_ocil_entry_sebool_enabled(sebool="selinuxuser_ping") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
index f17f6b3cf4..fedba937e5 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82319-5
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_postgresql_connect_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
index 14218b5015..8d30bc437d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82320-3
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_rw_noexattrfile") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
index cf7cd9ec7c..221e925b9b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82321-1
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_share_music") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
index e6a8407c13..cfc17033f8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82322-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_tcp_server") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
index 69a650a1c6..c773cfaa7b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82323-7
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_udp_server") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
index 062b060180..f2005f056c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82324-5
+
{{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_use_ssh_chroot") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
index 1a3dd18dce..64085cfd8b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82325-2
+
{{{ complete_ocil_entry_sebool_disabled(sebool="ssh_chroot_rw_homedirs") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
index 5ed8effd7f..ea48425f03 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82326-0
+
{{{ complete_ocil_entry_sebool_disabled(sebool="ssh_keysign") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
index 26db5e0b28..6a4f49c410 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
@@ -16,4 +16,7 @@ references:
severity: medium
+identifiers:
+ cce@rhel7: 82327-8
+
{{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
index deddaa989f..473fe953fe 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82328-6
+
{{{ complete_ocil_entry_sebool_enabled(sebool="staff_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
index 63c36e8822..65c3d85d62 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82329-4
+
{{{ complete_ocil_entry_sebool_enabled(sebool="sysadm_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
index de1f78e8dc..88a8b842af 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82330-2
+
{{{ complete_ocil_entry_sebool_enabled(sebool="unconfined_login") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
index 9d51a610ca..6e5983fd3a 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82331-0
+
{{{ complete_ocil_entry_sebool_disabled(sebool="use_ecryptfs_home_dirs") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
index 5c32b74fab..394b49cade 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82332-8
+
{{{ complete_ocil_entry_sebool_enabled(sebool="user_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
index d39d6eb97d..19a1ee23cc 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82333-6
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xdm_bind_vnc_tcp_port") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
index 52f90382e4..dca18f3744 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82334-4
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xdm_exec_bootloader") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
index 42acdebfbc..fed51e91ec 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82335-1
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xdm_sysadm_login") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
index c601c4ef66..fca878f48d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82336-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xdm_write_home") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
index da71e2e0aa..0d6c2be3d8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82337-7
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xguest_connect_network") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
index 0713368404..4a94acd4bf 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82338-5
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xguest_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
index 171b21bb76..a106a6e148 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82339-3
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xguest_mount_media") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
index 28ef740608..9162facb68 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82340-1
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xguest_use_bluetooth") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
index 793bca2fab..954456203c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82341-9
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xserver_clients_write_xshm") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
index 2f73f30596..cc4ccc0342 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82342-7
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xserver_execmem") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
index 31c10d6459..2f4bc25fe3 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
severity: medium
+identifiers:
+ cce@rhel7: 82346-8
+
{{{ complete_ocil_entry_sebool_disabled(sebool="xserver_object_manager") }}}
From 7f41b550251afb65fec04a1ada7a59432816fa52 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Wed, 30 Oct 2019 15:49:44 +0100
Subject: [PATCH 2/5] Add missing CCEs to rules from rhelh-stig profile.
---
.../guide/system/software/gnome/package_gdm_removed/rule.yml | 3 +++
.../guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
index 012dbebb38..57b3c00454 100644
--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
@@ -18,6 +18,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel7: 82348-4
+
references:
nist: AC-17(8).1(ii)
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
index 0f20412886..3dbf1b4499 100644
--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel7: 82349-2
+
ocil_clause: 'nopasswd is set for any users beyond vdsm'
ocil: |-
diff --git From 9bd0bbf84484fa02c1c53953aa48bb01bed41663 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Wed, 30 Oct 2019 15:54:44 +0100
Subject: [PATCH 3/5] Add missing CCEs to rules from anssi_nt28_high profile.
---
.../services/deprecated/package_telnetd_removed/rule.yml | 3 +++
.../system/bootloader-grub2/grub2_enable_iommu_force/rule.yml | 3 +++
.../permissions/files/file_permissions_systemmap/rule.yml | 3 +++
.../software/disk_partitioning/partition_for_var_tmp/rule.yml | 3 +++
5 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
index a08170f2c4..bdbbe8437a 100644
--- a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
+++ b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml
@@ -8,6 +8,9 @@ rationale: 'telnet allows clear text communications, and does not protect any da
severity: high
+identifiers:
+ cce@rhel7: 82352-6
+
references:
anssi: NT007(R03)
nist: AC-17(8),CM-7
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index 785ebe4a69..baade9c13e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -12,5 +12,8 @@ rationale: |-
severity: unknown
+identifiers:
+ cce@rhel7: 82351-8
+
references:
anssi: NT28(R11)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 0cf14df579..3c313824d3 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
severity: unknown
+identifiers:
+ cce@rhel7: 82350-0
+
references:
anssi: NT28(R13)
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 32a15afc45..65d7d8060b 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
severity: low
+identifiers:
+ cce@rhel7: 82353-4
+
references:
cis: 1.1.7
anssi: NT28(R12)
From fd0aee12ebdced5f1d0507cd7ee1a8a0a470c401 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Wed, 30 Oct 2019 15:57:35 +0100
Subject: [PATCH 4/5] Add missing CCEs to rules from C2S profile.
---
.../services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 2a20218c3c..9bdc4bb57a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel7: 82354-2
+
references:
cis@debian8: 9.3.5
cis@rhel7: 5.2.5
From aa2b6ca11b84700b1b0c4a9d034cd33b594ebdbe Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Wed, 30 Oct 2019 16:00:18 +0100
Subject: [PATCH 5/5] Add missing CCEs to rules from e8 profile.
---
.../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +++
.../services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 3 +++
.../audit_rules_execution_seunshare/rule.yml | 1 +
.../auditd_freq/rule.yml | 1 +
.../auditd_local_events/rule.yml | 1 +
.../auditd_log_format/rule.yml | 1 +
.../auditd_name_format/rule.yml | 1 +
.../auditd_write_logs/rule.yml | 1 +
9 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index 39e87e86bf..d4b61cedb9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -23,6 +23,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel7: 82363-3
+
references:
cis@debian: 9.3.11
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
index 16259017d8..7f0d75c53d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel7: 82364-1
+
ocil_clause: 'MACs option is commented out or not using strong hash algorithms'
ocil: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
index 1d25819675..ae64febdf5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml
@@ -31,6 +31,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82362-5
cce@rhel8: 80933-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_freq/rule.yml b/linux_os/guide/system/auditing/auditd_freq/rule.yml
index b0a89910f1..38a356dad9 100644
--- a/linux_os/guide/system/auditing/auditd_freq/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_freq/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82358-3
cce@rhel8: 82258-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/auditd_local_events/rule.yml
index 9d24add817..3db55f6594 100644
--- a/linux_os/guide/system/auditing/auditd_local_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_local_events/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82355-9
cce@rhel8: 82233-8
references:
diff --git a/linux_os/guide/system/auditing/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/auditd_log_format/rule.yml
index a10e86113d..75c63e1d5b 100644
--- a/linux_os/guide/system/auditing/auditd_log_format/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_log_format/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82357-5
cce@rhel8: 82201-5
references:
diff --git a/linux_os/guide/system/auditing/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/auditd_name_format/rule.yml
index fecae8163f..6673dd050c 100644
--- a/linux_os/guide/system/auditing/auditd_name_format/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_name_format/rule.yml
@@ -16,6 +16,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82359-1
cce@rhel8: 82897-0
references:
diff --git a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml
index 2f2d0fa258..261bee9695 100644
--- a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel7: 82356-7
cce@rhel8: 82366-6
references: