From 6a669ccfafad0720998b882cd609470a60de3b23 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 15:54:35 +0100
Subject: [PATCH 1/2] Select rules for system file permissions

And update references for these rules
---
 .../rule.yml                                  |  3 +-
 .../rule.yml                                  |  3 +-
 .../rule.yml                                  |  3 +-
 .../file_permissions_ungroupowned/rule.yml    |  3 +-
 .../files/no_files_unowned_by_user/rule.yml   |  3 +-
 .../file_groupowner_etc_group/rule.yml        |  3 +-
 .../file_groupowner_etc_gshadow/rule.yml      |  3 +-
 .../file_groupowner_etc_passwd/rule.yml       |  3 +-
 .../file_groupowner_etc_shadow/rule.yml       |  3 +-
 .../file_owner_etc_group/rule.yml             |  3 +-
 .../file_owner_etc_gshadow/rule.yml           |  3 +-
 .../file_owner_etc_passwd/rule.yml            |  3 +-
 .../file_owner_etc_shadow/rule.yml            |  3 +-
 .../file_permissions_etc_group/rule.yml       |  3 +-
 .../file_permissions_etc_gshadow/rule.yml     |  3 +-
 .../file_permissions_etc_passwd/rule.yml      |  3 +-
 .../file_permissions_etc_shadow/rule.yml      |  3 +-
 18 files changed, 74 insertions(+), 18 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 32c176d67f..fb00519f64 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -31,7 +31,8 @@ identifiers:
 
 references:
     anssi: NT28(R37),NT28(R38)
-    cis: 6.1.14
+    cis@rhel7: 6.1.14
+    cis@rhel8: 6.1.14
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
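Review bot: Replacing the unscoped `cis:` key with `cis@rhel7`/`cis@rhel8` here, and at the same spot in the other sixteen rule.yml hunks of this patch, presumably leaves any other product that builds these rules without a CIS reference; confirm that is intended. The same section number is copied to both products, so each value should be checked against the benchmark version that product's profile targets rather than assumed equal. The diffstat reports 18 files and 74 insertions while only 17 three-line sections appear, so the rule selection named in the subject is not part of what is shown, and applying these hunks alone changes references only, not which checks a profile runs.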
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index ae5f1307ce..3c7898b912 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
@@ -31,7 +31,8 @@ identifiers:
 
 references:
     anssi: NT28(R37),NT28(R38)
-    cis: 6.1.13
+    cis@rhel7: 6.1.13
+    cis@rhel8: 6.1.13
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
index c70b7989c6..871da04b77 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
@@ -28,7 +28,8 @@ identifiers:
 references:
     stigid@rhel6: "000282"
     srg@rhel6: SRG-OS-999999
-    cis: 6.1.10
+    cis@rhel7: 6.1.10
+    cis@rhel8: 6.1.10
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index e51cd7e1ea..2fe8c27da3 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -27,7 +27,8 @@ identifiers:
 
 references:
     disa@rhel6: '224'
-    cis: 6.1.12
+    cis@rhel7: 6.1.12
+    cis@rhel8: 6.1.12
     disa: "02165"
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index f2fb1f2d20..a8bf12ff81 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -27,7 +27,8 @@ identifiers:
 
 references:
     disa@rhel6: '224'
-    cis: 6.1.11
+    cis@rhel7: 6.1.11
+    cis@rhel8: 6.1.11
     disa: "002165"
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
index 5ffa26b0f2..53301cbbf5 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000043"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.4
+    cis@rhel7: 6.1.4
+    cis@rhel8: 6.1.4
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 6c770216f1..c2e12377ef 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000037"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.5
+    cis@rhel7: 6.1.5
+    cis@rhel8: 6.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
index ad9814e836..86e2e6c25c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000040"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.2
+    cis@rhel7: 6.1.2
+    cis@rhel8: 6.1.2
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index 5147551c0f..d8a9d04142 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000034"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.3
+    cis@rhel7: 6.1.3
+    cis@rhel8: 6.1.3
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
index 48cbe081be..ee0433c568 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
@@ -18,7 +18,8 @@ identifiers:
 references:
     stigid@rhel6: "000042"
     srg@rhel6: SRG-OS-999999
-    cis: 6.1.4
+    cis@rhel7: 6.1.4
+    cis@rhel8: 6.1.4
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
index a1e65af70a..39f1b83381 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000036"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '366'
-    cis: 6.1.5
+    cis@rhel7: 6.1.5
+    cis@rhel8: 6.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
index 9b5048001e..e19de1bba2 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
@@ -19,7 +19,8 @@ references:
     stigid@rhel6: "000039"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.2
+    cis@rhel7: 6.1.2
+    cis@rhel8: 6.1.2
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
index cf8e6e4a3e..989cb11c62 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -22,7 +22,8 @@ references:
     stigid@rhel6: "000033"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.3
+    cis@rhel7: 6.1.3
+    cis@rhel8: 6.1.3
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
index 8e5f39a13e..38ff43d62c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
@@ -20,7 +20,8 @@ references:
     stigid@rhel6: "000044"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.4
+    cis@rhel7: 6.1.4
+    cis@rhel8: 6.1.4
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index c8d8c8a73c..d1ed4475fb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -21,7 +21,8 @@ references:
     stigid@rhel6: "000038"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.5
+    cis@rhel7: 6.1.5
+    cis@rhel8: 6.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
index d72b5277f1..ac48885925 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
@@ -22,7 +22,8 @@ references:
     stigid@rhel6: "000041"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.2
+    cis@rhel7: 6.1.2
+    cis@rhel8: 6.1.2
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 7ec0b092f5..61f4fb6cce 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -24,7 +24,8 @@ references:
     stigid@rhel6: "000035"
     srg@rhel6: SRG-OS-999999
     disa@rhel6: '225'
-    cis: 6.1.3
+    cis@rhel7: 6.1.3
+    cis@rhel8: 6.1.3
     cjis: 5.5.2.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5

From b7f33f79e59d58cf6181e8fdb7879f40f54bb63a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 15:56:17 +0100
Subject: [PATCH 2/2] Update references for rpm_verification rules

These rules check whether the permissions and ownership of all installed
files match what the vendor (package provider) expects.

These rules can contribute to the for specific permissions and
ownerships of specific files, granted the package is aligned with the
rules.
---
 .../rpm_verification/rpm_verify_ownership/rule.yml            | 3 ++-
 .../rpm_verification/rpm_verify_permissions/rule.yml          | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 6c3c857442..1503836f75 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -35,7 +35,8 @@ references:
     nist-csf@rhel6: PR.DS-6,PR.DS-8
     srg@rhel6: SRG-OS-000257,SRG-OS-000258
     stigid@rhel6: "000279"
-    cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3
+    cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9
+    cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9
     cjis: 5.10.4.1
     cui: 3.3.8,3.4.1
     disa: 1494,1496
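Review bot: The new lists drop `1.2.6` and `6.2.3` from the old `cis:` value and the commit message does not say why; confirm the removal is intended, here and in the rpm_verify_permissions hunk that follows. As the message itself concedes, this rule compares files against the RPM database, so it supports the listed sections only for files a package owns and only where the packaged owner and group match what the benchmark requires. I would record that next to the references, for example `# partial coverage: rpm verification checks packaged ownership, not the benchmark's required values`, so a passing result is not read as full compliance with every listed section.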
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
index d6cc546921..1b3dd500b3 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -41,7 +41,9 @@ references:
     nist-csf@rhel6: PR.DS-6,PR.IP-8
     srg@rhel6: SRG-OS-999999,SRG-OS-000256
     stigid@rhel6: "000518"
-    cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3
+    cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9
+    cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9
+
     cjis: 5.10.4.1
     cui: 3.3.8,3.4.1
     disa: 1494,1496
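Review bot: The empty added line after `cis@rhel8` splits the `references:` mapping visually; the parser ignores it, but the matching rpm_verify_ownership hunk has no such line and here it reads like the end of the block. Drop the bare `+` line so that `cjis:` follows `cis@rhel8:` directly.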