From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 16 Mar 2020 19:37:57 +0100
Subject: [PATCH 1/4] Select rules for SSH and add references

---
 .../rule.yml                                  |  1 +
 .../file_permissions_sshd_pub_key/rule.yml    |  1 +
 .../ssh/ssh_server/disable_host_auth/rule.yml |  3 +-
 .../sshd_disable_empty_passwords/rule.yml     |  3 +-
 .../ssh_server/sshd_disable_rhosts/rule.yml   |  3 +-
 .../sshd_disable_root_login/rule.yml          |  3 +-
 .../sshd_do_not_permit_user_env/rule.yml      |  3 +-
 .../sshd_enable_warning_banner/rule.yml       |  3 +-
 .../sshd_enable_x11_forwarding/rule.yml       |  3 +-
 .../ssh_server/sshd_set_idle_timeout/rule.yml |  3 +-
 .../ssh_server/sshd_set_keepalive/rule.yml    |  3 +-
 .../sshd_set_loglevel_info/rule.yml           |  1 +
 .../sshd_set_max_auth_tries/rule.yml          |  1 +
 .../configure_ssh_crypto_policy/rule.yml      |  1 +
 15 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index b1b7ccabaa..108c9c5ce0 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -33,6 +33,7 @@ references:
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 12,13,14,15,16,18,3,5
+    cis@rhel8: 5.2.3
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
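Review bot: The added `cis@rhel8: 5.2.3` line ties this rule to the benchmark item for SSH private host key permissions, but the ocil clause right below still checks `-rw-r-----` (0640); if that benchmark item calls for 0600 root:root, the rule is more permissive than the item it now claims to implement. Confirm the expected mode against the benchmark text and, if they differ, either tighten the rule or state the divergence in the rule description so profile consumers are not misled about coverage. The rule's description and check content are outside this hunk.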
 
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index da3dead155..714b507db1 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -28,6 +28,7 @@ references:
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 12,13,14,15,16,18,3,5
+    cis@rhel8: 5.2.4
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
 
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index de5580b9f5..9db9fd7516 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,8 @@ references:
     stigid@rhel6: "000236"
     srg@rhel6: SRG-OS-000106
     disa@rhel6: 765,766
-    cis: 5.2.7
+    cis@rhel8: 5.2.7
+    cis@rhel8: 5.2.9
     cjis: 5.5.6
     cui: 3.1.12
     disa: "366"
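Review bot: The two added lines both use the key `cis@rhel8`, which is a duplicate mapping key — YAML parsers either reject the file or silently keep only the last value, so the 5.2.7 reference would be lost; the first line was evidently meant to be `cis@rhel7: 5.2.7`. The same kind of slip appears as `ci@rhel8s` in the sshd_disable_rhosts hunk of this patch. Patch 2 of this series corrects both, so consider squashing that fix into this commit so every commit in the series leaves the rule files parseable.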
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
index 25908a4e4d..b9bbe1e48e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -28,7 +28,8 @@ references:
     stigid@rhel6: "000239"
     srg@rhel6: SRG-OS-000106
     disa@rhel6: 765,766
-    cis: 5.2.9
+    cis@rhel7: 5.2.9
+    cis@rhel8: 5.2.11
     cjis: 5.5.6
     cui: 3.1.1,3.1.5
     disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index fd960a55ae..3a5d16c052 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -27,7 +27,8 @@ references:
     stigid@rhel6: "000234"
     srg@rhel6: SRG-OS-000106
     disa@rhel6: 765,766
-    cis: 5.2.6
+    ci@rhel8s: 5.2.6
+    ci@rhel8s: 5.2.8
     cjis: 5.5.6
     cui: 3.1.12
     disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 8b9cba960f..c6e7d7986c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -28,7 +28,8 @@ references:
     stigid@rhel6: "000237"
     srg@rhel6: SRG-OS-000109
     disa@rhel6: '770'
-    cis: 5.2.8
+    cis@rhel7: 5.2.8
+    cis@rhel8: 5.2.10
     cjis: 5.5.6
     cui: '3.1.1,3.1.5'
     disa: 366,770
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index f25d2a690a..f1a09a1b8d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -23,7 +23,8 @@ references:
     stigid@rhel6: "000241"
     srg@rhel6: SRG-OS-000242
     disa@rhel6: '1414'
-    cis: 5.2.10
+    cis@rhel7: 5.2.10
+    cis@rhel8: 5.2.12
     cjis: 5.5.6
     cui: 3.1.12
     disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index f32287ff7c..4aa26eeb90 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -25,7 +25,8 @@ identifiers:
 references:
     stigid@rhel6: "000240"
     srg@rhel6: SRG-OS-000023
-    cis: 5.2.16
+    cis@rhel7: 5.2.15
+    cis@rhel8: 5.2.15
     cjis: 5.5.6
     cui: 3.1.9
     disa: 48,50,1384,1385,1386,1387,1388
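Review bot: The `cis@rhel7` value changes from the old `cis: 5.2.16` to `5.2.15`, whereas every other hunk in this patch keeps the previous number for RHEL 7 and only adds the RHEL 8 one. If this is a deliberate correction (for instance tracking a newer benchmark revision in which the banner item was renumbered), say so in the commit message; if not, the RHEL 7 reference should remain `cis@rhel7: 5.2.16`.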
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5d50c2ed07..5fdca265fa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,7 +22,8 @@ identifiers:
     cce@rhel8: 82421-9
 
 references:
-    cis: 5.2.4
+    cis@rhel7: 5.2.4
+    cis@rhel8: 5.2.6
     cui: 3.1.13
     disa: "366"
     nist: CM-6(a),AC-17(a),AC-17(2)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 7cf263bef4..347610cd6f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -34,7 +34,8 @@ references:
     stigid@rhel6: "000230"
     srg@rhel6: SRG-OS-000163
     disa@rhel6: '879'
-    cis: 5.2.12
+    cis@rhel7: 5.2.12
+    cis@rhel8: 5.2.13
     cjis: 5.5.6
     cui: 3.1.11
     disa: 879,1133,2361
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index cc9f62b0af..65aac90ace 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -23,7 +23,8 @@ references:
     stigid@rhel6: "000231"
     srg@rhel6: SRG-OS-000126
     disa@rhel6: '879'
-    cis: 5.2.12
+    cis@rhel7: 5.2.12
+    cis@rhel8: 5.2.13
     cjis: 5.5.6
     cui: 3.1.11
     disa: 879,1133,2361
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 26eca336b2..e9e84cdf9b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -26,6 +26,7 @@ references:
     cis@debian8: 9.3.2
     cis@debian10: 9.3.2
     cis@rhel7: 5.2.3
+    cis@rhel8: 5.2.5
     nist: AC-17(a),CM-6(a)
 
 ocil_clause: 'it is commented out or is not enabled'
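Review bot: The new `cis@rhel8: 5.2.5` line maps a rule that, judging by its name and the ocil clause `it is commented out or is not enabled`, requires LogLevel INFO specifically; if the RHEL 8 benchmark item accepts either INFO or VERBOSE, a host configured with VERBOSE would fail this rule while still satisfying the item. Worth confirming the benchmark wording and, if VERBOSE is allowed there, documenting in the rule description that this rule is intentionally stricter than the referenced item. The rule's check content is outside this hunk.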
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 6fd7a4b6bd..1661b78773 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -21,6 +21,7 @@ references:
     cis@debian8: 9.3.5
     cis@debian9: 9.3.5
     cis@rhel7: 5.2.5
+    cis@rhel8: 5.2.7
 
 ocil_clause: 'it is commented out or not configured properly'
 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index b9d8b06028..db5ce07f0e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 
 references:
     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+    cis@rhel8: 5.2.20
 
 ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
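Review bot: The new `cis@rhel8: 5.2.20` reference points at the benchmark item that requires the system-wide crypto policy not to be overridden, i.e. `CRYPTO_POLICY` must be absent or commented in /etc/sysconfig/sshd, yet the ocil clause on the next line names `the CRYPTO_POLICY variable is not set or is commented` as the failing condition, which reads as the inverse of that requirement. If the rule's check passes when the variable is absent, the clause should read `ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented in the /etc/sysconfig/sshd'`; if the check really demands the variable be set, this rule is the wrong one to carry the 5.2.20 reference. The rule's description and OVAL check are outside this hunk, so this is inferred from the visible clause only.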
 
From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 15:08:50 +0100
Subject: [PATCH 2/4] Fix typos in CIS references

---
 .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml  | 2 +-
 .../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index 9db9fd7516..d19bfd4538 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,7 @@ references:
     stigid@rhel6: "000236"
     srg@rhel6: SRG-OS-000106
     disa@rhel6: 765,766
-    cis@rhel8: 5.2.7
+    cis@rhel7: 5.2.7
     cis@rhel8: 5.2.9
     cjis: 5.5.6
     cui: 3.1.12
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index 3a5d16c052..5dafad7462 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -27,8 +27,8 @@ references:
     stigid@rhel6: "000234"
     srg@rhel6: SRG-OS-000106
     disa@rhel6: 765,766
-    ci@rhel8s: 5.2.6
-    ci@rhel8s: 5.2.8
+    cis@rhel7: 5.2.6
+    cis@rhel8: 5.2.8
     cjis: 5.5.6
     cui: 3.1.12
     disa: "366"

From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:43:16 +0100
Subject: [PATCH 3/4] Update CIS references for sshd_config

---
 .../guide/services/ssh/file_groupowner_sshd_config/rule.yml    | 3 ++-
 linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml    | 3 ++-
 .../guide/services/ssh/file_permissions_sshd_config/rule.yml   | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index a9c09765d0..e53ac9d6b9 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
     cce@rhel8: 82901-0
 
 references:
-    cis: 5.2.1
+    cis@rhel7: 5.2.1
+    cis@rhel8: 5.2.1
     nist: AC-17(a),CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index 5a80d04763..ca1cc19eeb 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
     cce@rhel8: 82898-8
 
 references:
-    cis: 5.2.1
+    cis@rhel7: 5.2.1
+    cis@rhel8: 5.2.1
     nist: AC-17(a),CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index 13bdab401e..e40868dac4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
     cce@rhel8: 82894-7
 
 references:
-    cis: 5.2.1
+    cis@rhel7: 5.2.1
+    cis@rhel8: 5.2.1
     nist: AC-17(a),CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227

From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 13:17:03 +0100
Subject: [PATCH 4/4] Remove incorrect rule selection and its references

The policy requires X11 forwarding to be disabled, not enabled.
---
 .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5fdca265fa..4dedae6e8b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,8 +22,6 @@ identifiers:
     cce@rhel8: 82421-9
 
 references:
-    cis@rhel7: 5.2.4
-    cis@rhel8: 5.2.6
     cui: 3.1.13
     disa: "366"
     nist: CM-6(a),AC-17(a),AC-17(2)