From c06a414187f3792413bfc86366e1578d2d22275d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 09:48:24 +0100
Subject: [PATCH 1/3] Select newly developed rules in rhel7 CIS
---
rhel7/profiles/cis.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index affcf70ce2..06f0a8e3dd 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -300,6 +300,7 @@ selections:
- package_telnet_removed
### 2.3.5 Ensure LDAP client is not installed (Scored)
+ - package_openldap-clients_removed
# 3 Network Configuration
## 3.1 Network Parameters (Host Only)
From ec2add9b21d7555134d736a57d729ffa1a537cff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 09:51:14 +0100
Subject: [PATCH 2/3] Select rule to disable wireless interfaces
Inspired by rhel8 benchmark.
Updated references as well.
---
.../wireless_software/wireless_disable_interfaces/rule.yml | 1 +
rhel7/profiles/cis.profile | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index 76d94fe8f1..f364fbdce6 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -31,7 +31,8 @@ identifiers:
references:
stigid@rhel6: "000293"
stigid@rhel7: "041010"
- cis: 4.3.1
+ cis@rhel7: "3.7"
+ cis@rhel8: "3.5"
cui: 3.1.16
disa: 85,2418
nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7
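Review bot: The generic `cis: 4.3.1` entry is removed and replaced only by product-suffixed keys, so any product other than rhel7 and rhel8 that previously rendered a CIS reference for this rule now renders none; unless the build resolves `cis@<product>` and falls back to a plain `cis` key, keep a product-agnostic `cis:` entry alongside the two new ones. Quoting the new values is right, since an unquoted `3.7` or `3.5` would be read by a YAML parser as a float rather than a section number. The `references` mapping continues outside the hunk.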
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 06f0a8e3dd..d34d617579 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -393,6 +393,7 @@ selections:
### 3.6.4 Ensure outbound and established connections are configured (Not Scored)
### 3.6.5 Ensure firewall rules exist for all open ports (Scored)
## 3.7 Ensure wireless interfaces are disabled (Not Scored)
+ - wireless_disable_interfaces
# 4 Logging and Auditing
## 4.1 Configure System Accounting (auditd)
From 76f98f39cf9f90009c30e09d9c995402a5b46847 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 10:52:58 +0100
Subject: [PATCH 3/3] Comment out not applicable requirements
---
rhel7/profiles/cis.profile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index d34d617579..76506c9369 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -216,8 +216,8 @@ selections:
- package_chrony_installed
#### 2.2.1.2 Ensure ntp is configured (Scored)
- # restrict is not checkec by rules below
- - chronyd_or_ntpd_specify_remote_server
+ # This requirement is not applicable
+ # This profile opts to use chrony rather than ntp
#### 2.2.1.3 Ensure chrony is configured (Scored)
- service_chronyd_enabled
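Review bot: Dropping `chronyd_or_ntpd_specify_remote_server` on the grounds that ntp is not applicable also drops the remote-server check for chrony, because the rule name indicates it covers either daemon; with only `service_chronyd_enabled` visible under 2.2.1.3, the profile no longer appears to verify that chrony has a configured time source, which is the substance of the "Ensure chrony is configured" requirement. If that check is meant to stay, re-add `    - chronyd_or_ntpd_specify_remote_server` after `    - service_chronyd_enabled` under 2.2.1.3; if it is meant to go, the comment should say the remote-server check is dropped deliberately rather than implying the requirement has no chrony counterpart. The selections list continues beyond the hunk, so a chrony-specific rule may already be selected further down.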
@@ -517,6 +517,8 @@ selections:
#### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
#### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
#### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)
+ # Whole section 4.2.2.X is not applicable
+ # This profile opts to use rsyslog rather than syslog-ng
### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
- package_rsyslog_installed
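Review bot: The two explanatory comments are appended after the last 4.2.2.X heading, so a reader working down the section meets several apparently unselected headings before learning they are skipped on purpose; placing the note at the head of the 4.2.2 section (its first headings presumably lie above this hunk) would show the omission where the reader starts looking. The first hunk of this patch puts its "not applicable" note directly under the affected heading, so matching that placement here would also keep the two exemptions consistent.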