skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Files

  1.   c957b4e696e5ecf0a69844b2dd37d073e4d34868
  2.   SOURCES
  3.   scap-security-guide-0.1.50-chrony_references_PR_5331.patch
Blob Blame History Raw 
From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 20 Mar 2020 11:50:25 +0100
Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding

---
 rhel7/profiles/cis.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 486fcf9a33..53d3819822 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -558,7 +558,6 @@ selections:
     - sshd_set_loglevel_info
 
     ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
-    - sshd_enable_x11_forwarding
 
     ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
     - sshd_set_max_auth_tries

From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:00:23 +0100
Subject: [PATCH 2/4] Add a few more selections to rhel7 profile

- Rule for libselinux installed
- Rule for service tftp disabled
- Rule for kernel module RDS disabled
---
 rhel7/profiles/cis.profile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 53d3819822..a9c78dc140 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -172,6 +172,7 @@ selections:
     - selinux_confinement_of_daemons
 
     ### 1.6.2 Ensure SELinux is installed (Scored)
+    - package_libselinux_installed
 
     ## 1.7 Warning Banners
     #### 1.7.1.1 Ensure message of the day is configured properly (Scored)
@@ -205,6 +206,7 @@ selections:
     ### 2.1.4 Ensure echo services are not enabled (Scored)
     ### 2.1.5 Ensure time services are not enabled (Scored)
     ### 2.1.6 Ensure tftp server is not enabled (Scored)
+    - service_tftp_disabled
 
     ### 2.1.7 Ensure xinetd is not enabled (Scored)
     - service_xinetd_disabled
@@ -363,6 +365,7 @@ selections:
     - kernel_module_sctp_disabled
 
     ### 3.5.3 Ensure RDS is disabled (Not Scored)
+    - kernel_module_rds_disabled
 
     ### 3.5.4 Ensure TIPC is disabled (Not Scored)
     - kernel_module_tipc_disabled

From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:16:48 +0100
Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references

---
 .../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml   | 2 +-
 .../services/ntp/chronyd_specify_remote_server/rule.yml      | 1 +
 .../guide/services/ntp/package_chrony_installed/rule.yml     | 1 +
 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
 rhel7/profiles/cis.profile                                   | 5 ++++-
 5 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index cd641ce0cb..2e5596b972 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -24,7 +24,7 @@ severity: medium
 platform: chrony
 
 references:
-    cis@rhel7: 2.2.1.2
+    cis@rhel7: 2.2.1.3
     cis@rhel8: 2.2.1.2
 
 identifiers:
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index bc8815b068..ea4c955c8e 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel8: 82873-1
 
 references:
+    cis@rhel7: 2.2.1.3
     cis@rhel8: 2.2.1.2
 
 ocil_clause: 'a remote time server is not configured'
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 2549f48b71..f6dc1f427f 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel8: 82874-9
 
 references:
+    cis@rhel7: 2.2.1.1
     cis@rhel8: 2.2.1.1
 
 {{{ complete_ocil_entry_package(package="chrony") }}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 7b3a0a2a13..94269dfd54 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel8: 82875-6
 
 references:
+    cis@rhel7: 2.2.1.3
     cis@rhel8: 2.2.1.2
 
 ocil_clause: 'the chronyd process is not running'
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index a9c78dc140..108a728bbf 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -213,13 +213,16 @@ selections:
 
     ## 2.2 Special Purpose Services
     #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
-    - service_chronyd_or_ntpd_enabled
+    - package_chrony_installed
 
     #### 2.2.1.2 Ensure ntp is configured (Scored)
     # restrict is not checkec by rules below
     - chronyd_or_ntpd_specify_remote_server
 
     #### 2.2.1.3 Ensure chrony is configured (Scored)
+    - service_chronyd_enabled
+    - chronyd_specify_remote_server
+    - chronyd_run_as_chrony_user
 
     ### 2.2.2 Ensure X Window System is not installed (Scored)
     - package_xorg-x11-server-common_removed

From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 23 Mar 2020 15:17:16 +0100
Subject: [PATCH 4/4] Select rules for backup account files

Select rules to check permissions and owner of important backup account
files.
---
 rhel7/profiles/cis.profile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 108a728bbf..0fc919950f 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -689,9 +689,24 @@ selections:
     - file_permissions_etc_gshadow
 
     ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+    - file_owner_backup_etc_passwd
+    - file_groupowner_backup_etc_passwd
+    - file_permissions_backup_etc_passwd
+
     ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+    - file_owner_backup_etc_shadow
+    - file_groupowner_backup_etc_shadow
+    - file_permissions_backup_etc_shadow
+
     ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+    - file_owner_backup_etc_group
+    - file_groupowner_backup_etc_group
+    - file_permissions_backup_etc_group
+
     ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+    - file_owner_backup_etc_gshadow
+    - file_groupowner_backup_etc_gshadow
+    - file_permissions_backup_etc_gshadow
 
     ### 6.1.10 Ensure no world writable files exist (Scored)
     - file_permissions_unauthorized_world_writable

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation