From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 20 Mar 2020 11:50:25 +0100
Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding
---
rhel7/profiles/cis.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 486fcf9a33..53d3819822 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -558,7 +558,6 @@ selections:
- sshd_set_loglevel_info
### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
- - sshd_enable_x11_forwarding
### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
- sshd_set_max_auth_tries
From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:00:23 +0100
Subject: [PATCH 2/4] Add a few more selections to rhel7 profile
- Rule for libselinux installed
- Rule for service tftp disabled
- Rule for kernel module RDS disabled
---
rhel7/profiles/cis.profile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 53d3819822..a9c78dc140 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -172,6 +172,7 @@ selections:
- selinux_confinement_of_daemons
### 1.6.2 Ensure SELinux is installed (Scored)
+ - package_libselinux_installed
## 1.7 Warning Banners
#### 1.7.1.1 Ensure message of the day is configured properly (Scored)
@@ -205,6 +206,7 @@ selections:
### 2.1.4 Ensure echo services are not enabled (Scored)
### 2.1.5 Ensure time services are not enabled (Scored)
### 2.1.6 Ensure tftp server is not enabled (Scored)
+ - service_tftp_disabled
### 2.1.7 Ensure xinetd is not enabled (Scored)
- service_xinetd_disabled
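Review bot: `service_tftp_disabled` is selected under 2.1.6, which sits in the xinetd-services group of the benchmark (2.1.7 directly below is xinetd itself), so the item presumably targets the xinetd-managed tftp entry rather than only a standalone unit; confirm that the rule's check matches how tftp is actually launched on RHEL 7, since the rule content is outside this patch. If the rule only inspects a systemd unit, the selection could pass on a host where tftp is still served through xinetd.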
@@ -363,6 +365,7 @@ selections:
- kernel_module_sctp_disabled
### 3.5.3 Ensure RDS is disabled (Not Scored)
+ - kernel_module_rds_disabled
### 3.5.4 Ensure TIPC is disabled (Not Scored)
- kernel_module_tipc_disabled
From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:16:48 +0100
Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references
---
.../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +-
.../services/ntp/chronyd_specify_remote_server/rule.yml | 1 +
.../guide/services/ntp/package_chrony_installed/rule.yml | 1 +
linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
rhel7/profiles/cis.profile | 5 ++++-
5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index cd641ce0cb..2e5596b972 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -24,7 +24,7 @@ severity: medium
platform: chrony
references:
- cis@rhel7: 2.2.1.2
+ cis@rhel7: 2.2.1.3
cis@rhel8: 2.2.1.2
identifiers:
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index bc8815b068..ea4c955c8e 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -25,6 +25,7 @@ identifiers:
cce@rhel8: 82873-1
references:
+ cis@rhel7: 2.2.1.3
cis@rhel8: 2.2.1.2
ocil_clause: 'a remote time server is not configured'
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 2549f48b71..f6dc1f427f 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel8: 82874-9
references:
+ cis@rhel7: 2.2.1.1
cis@rhel8: 2.2.1.1
{{{ complete_ocil_entry_package(package="chrony") }}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 7b3a0a2a13..94269dfd54 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -24,6 +24,7 @@ identifiers:
cce@rhel8: 82875-6
references:
+ cis@rhel7: 2.2.1.3
cis@rhel8: 2.2.1.2
ocil_clause: 'the chronyd process is not running'
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index a9c78dc140..108a728bbf 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -213,13 +213,16 @@ selections:
## 2.2 Special Purpose Services
#### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
- - service_chronyd_or_ntpd_enabled
+ - package_chrony_installed
#### 2.2.1.2 Ensure ntp is configured (Scored)
# restrict is not checkec by rules below
- chronyd_or_ntpd_specify_remote_server
#### 2.2.1.3 Ensure chrony is configured (Scored)
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
### 2.2.2 Ensure X Window System is not installed (Scored)
- package_xorg-x11-server-common_removed
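Review bot: Replacing `service_chronyd_or_ntpd_enabled` with `package_chrony_installed` under 2.2.1.1 narrows the profile from "chrony or ntp" to chrony only, and the item titled "time synchronization is in use" is no longer backed by a service-state rule at that point — the running-service check now lives only under 2.2.1.3 via `service_chronyd_enabled`. A host that meets 2.2.1.1 with ntpd, which 2.2.1.2 still appears to accept since `chronyd_or_ntpd_specify_remote_server` is kept, would now fail this selection. If chrony-only is the intended stance for this profile, a short comment under 2.2.1.1 stating it would help, e.g. `# This profile requires chrony; ntpd is not accepted for 2.2.1.1`. The unchanged 2.2.1.2 comment also carries a typo, `checkec` → `checked`.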
From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:17:16 +0100
Subject: [PATCH 4/4] Select rules for backup account files
Select rules that check the permissions and ownership of the backup copies of
the important account files.
---
rhel7/profiles/cis.profile | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 108a728bbf..0fc919950f 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -689,9 +689,24 @@ selections:
- file_permissions_etc_gshadow
### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+ - file_permissions_backup_etc_group
+
### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
### 6.1.10 Ensure no world writable files exist (Scored)
- file_permissions_unauthorized_world_writable
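Review bot: The added blank lines after the 6.1.6, 6.1.7 and 6.1.8 blocks break the profile's existing layout, where a section heading follows the previous selection directly (see 6.1.5→6.1.6 at the top of the hunk and 6.1.9→6.1.10 at the bottom), and the 6.1.9 block is left without one, so the spacing is inconsistent even within this hunk. Dropping the three added blank lines keeps the file uniform. The selections themselves look complete for each item: owner, group owner and permissions for each of the four backup files.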