From 06a1519f5121eb7a2fbf39d31fec3e951191ad57 Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Tue, 24 Sep 2019 14:31:03 +0200
Subject: [PATCH] Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported
---
 .../system/auditing/policy_rules/audit_rules_for_ospp/rule.yml | 1 +
 .../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 +
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
index bebb86f93d..18a6f2f49a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
@@ -37,6 +37,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: 82370-8
 cce@rhel8: 82309-6
 references:
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index 82d9c22726..6a4ff9bc0e 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -28,6 +28,7 @@ warnings:
 severity: high
 identifiers:
+ cce@rhel7: 82371-6
 cce@rhel8: 80947-5
 references:
From a22ef605871ed199454eaed3aae02cb033a04b04 Mon Sep 17 00:00:00 2001
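Review bot: The `cce@rhel7` values added under `identifiers:` in audit_rules_for_ospp/rule.yml (`82370-8`) and installed_OS_is_vendor_supported/rule.yml (`82371-6`) are entered by hand, and nothing in the patch shows them being validated. The last digit of a CCE is a Luhn check digit, so a build-time test that every `cce@PRODUCT` value has the `NNNNN-N` shape, passes the check-digit test and is assigned to only one rule per product would catch a typo or a reused ID before it attributes scan results to the wrong control. The values visible on this page do pass the check digit; the same point applies to every `cce@rhel7` line in the sebool_* hunks of the patch that follows. If the repository already enforces this elsewhere, no change is needed.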
From: Milan Lysonek
Date: Wed, 30 Oct 2019 15:36:29 +0100
Subject: [PATCH 1/5] Add missing CCEs to rules from ncp profile.
---
 .../package_pcsc-lite_installed/rule.yml | 1 +
 .../sebool_cron_can_relabel/rule.yml | 3 +
 .../rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_daemons_dump_core/rule.yml | 3 +
 .../sebool_daemons_use_tcp_wrapper/rule.yml | 3 +
 .../sebool_daemons_use_tty/rule.yml | 3 +
 .../sebool_deny_execmem/rule.yml | 3 +
 .../sebool_deny_ptrace/rule.yml | 3 +
 .../sebool_domain_fd_use/rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_gpg_web_anon_write/rule.yml | 3 +
 .../sebool_guest_exec_content/rule.yml | 3 +
 .../sebool_kerberos_enabled/rule.yml | 3 +
 .../sebool_logadm_exec_content/rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_logging_syslogd_use_tty/rule.yml | 3 +
 .../sebool_login_console_enabled/rule.yml | 3 +
 .../sebool_mmap_low_allowed/rule.yml | 3 +
 .../sebool_mock_enable_homedirs/rule.yml | 3 +
 .../sebool_mount_anyfile/rule.yml | 3 +
 .../sebool_polyinstantiation_enabled/rule.yml | 3 +
 .../sebool_secadm_exec_content/rule.yml | 3 +
 .../sebool_secure_mode/rule.yml | 3 +
 .../sebool_secure_mode_insmod/rule.yml | 3 +
 .../sebool_secure_mode_policyload/rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_selinuxuser_execheap/rule.yml | 1 +
 .../sebool_selinuxuser_execmod/rule.yml | 1 +
 .../sebool_selinuxuser_execstack/rule.yml | 1 +
 .../rule.yml | 3 +
 .../sebool_selinuxuser_ping/rule.yml | 3 +
 .../rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_selinuxuser_share_music/rule.yml | 3 +
 .../sebool_selinuxuser_tcp_server/rule.yml | 3 +
 .../sebool_selinuxuser_udp_server/rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_ssh_chroot_rw_homedirs/rule.yml | 3 +
 .../sebool_ssh_keysign/rule.yml | 3 +
 .../sebool_ssh_sysadm_login/rule.yml | 3 +
 .../sebool_staff_exec_content/rule.yml | 3 +
 .../sebool_sysadm_exec_content/rule.yml | 3 +
 .../sebool_unconfined_login/rule.yml | 3 +
 .../sebool_use_ecryptfs_home_dirs/rule.yml | 3 +
 .../sebool_user_exec_content/rule.yml | 3 +
.../sebool_xdm_bind_vnc_tcp_port/rule.yml | 3 +
 .../sebool_xdm_exec_bootloader/rule.yml | 3 +
 .../sebool_xdm_sysadm_login/rule.yml | 3 +
 .../sebool_xdm_write_home/rule.yml | 3 +
 .../sebool_xguest_connect_network/rule.yml | 3 +
 .../sebool_xguest_exec_content/rule.yml | 3 +
 .../sebool_xguest_mount_media/rule.yml | 3 +
 .../sebool_xguest_use_bluetooth/rule.yml | 3 +
 .../rule.yml | 3 +
 .../sebool_xserver_execmem/rule.yml | 3 +
 .../sebool_xserver_object_manager/rule.yml | 3 +
 58 files changed, 163 insertions(+), 57 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index ac9e4f8a17..f7d2cb64b2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: 82347-6
 cce@rhel8: 80993-9
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
index e7a65fcacb..8cb1b590d2 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82284-1
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
index 79db9b1d33..3af5c04e41 100644
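Review bot: The hunk header for sebool_cron_can_relabel/rule.yml shows `rationale: ""`, so the rule gains a CCE for the ncp profile but still gives an auditor no reason for the state that `complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel")` checks. The same empty rationale is visible in most of the other sebool_* hunks of this patch; it matters most for sebool_deny_execmem and sebool_deny_ptrace, where the checked state is "disabled" for booleans whose names suggest a restriction, and a reader cannot tell from the rule whether that is intended. I would replace `rationale: ""` with a short `rationale: |-` block stating what the boolean permits and why the profile expects that state. The rest of each rule.yml lies outside the hunk, so the description field may already cover part of this.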
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82285-8
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="cron_system_cronjob_use_shares") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
index ec48f00f8d..e29b865fae 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82286-6
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="cron_userdomain_transition") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
index a92c190617..67ff95568e 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82287-4
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_dump_core") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
index eff77b941a..cae4936565 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82288-2
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tcp_wrapper") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
index 9517982a88..3e8749669f 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82289-0
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tty") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index 489a75feb6..81f490af40 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82290-8
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
index 5213001969..b60ef6cc0c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82291-6
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="deny_ptrace") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
index 02b0281f60..7ebcdc08f1 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82292-4
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="domain_fd_use") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
index aed06f6e60..b55f7449c3 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82293-2
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="domain_kernel_load_modules") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
index 9879943020..bd3aef8967 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82294-0
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="gpg_web_anon_write") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
index 0cd25b2abf..604add7c40 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82295-7
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="guest_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
index 4e046cef2e..9f4eea0835 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82296-5
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="kerberos_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
index 09e5b17eee..5c6812d5fc 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82298-1
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="logadm_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
index 84c05ea067..21a1476843 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82299-9
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="logging_syslogd_can_sendmail") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
index 4600b4d2a4..faa4b66598 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82300-5
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="logging_syslogd_use_tty") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
index f06a939af2..65d8b21785 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82301-3
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="login_console_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
index e9b55edff6..f3fb149cd6 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82302-1
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="mmap_low_allowed") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
index 4222d2b1dd..7f6303b37d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82303-9
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="mock_enable_homedirs") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
index e172deda7e..ee010438d9 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82304-7
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="mount_anyfile") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
index 32b48441c6..9bd370ac94 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82305-4
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="polyinstantiation_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
index 6699164b3a..5e404adfe8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82306-2
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="secadm_exec_content") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
index 19ff0ff859..c021a016cd 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82307-0
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
index 020ade04d0..45513725d8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
@@ -16,4 +16,7 @@ references:
 severity: medium
+identifiers:
+ cce@rhel7: 82308-8
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
index 4dc1dd57f9..5259ec3776 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82310-4
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_policyload") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
index 7389882aba..4d76582d9d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82311-2
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_direct_dri_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index 3b5276d8d8..bfef9808ed 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -14,6 +14,7 @@ rationale: ""
 severity: medium
 identifiers:
+ cce@rhel7: 82312-0
 cce@rhel8: 80949-1
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
index 97d65d0175..f8f65b4d20 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
@@ -14,6 +14,7 @@ rationale: ""
 severity: medium
 identifiers:
+ cce@rhel7: 82313-8
 cce@rhel8: 80950-9
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index d6ed7c355b..785a3e9d06 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -15,6 +15,7 @@ rationale: ""
 severity: medium
 identifiers:
+ cce@rhel7: 82314-6
 cce@rhel8: 80951-7
 references:
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
index c12f9b0b84..18cfd17a78 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82317-9
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_mysql_connect_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
index d8d6d69f98..25a4cb4c20 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82318-7
+
 {{{ complete_ocil_entry_sebool_enabled(sebool="selinuxuser_ping") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
index f17f6b3cf4..fedba937e5 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82319-5
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_postgresql_connect_enabled") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
index 14218b5015..8d30bc437d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
@@ -14,4 +14,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82320-3
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_rw_noexattrfile") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
index cf7cd9ec7c..221e925b9b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82321-1
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_share_music") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
index e6a8407c13..cfc17033f8 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82322-9
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_tcp_server") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
index 69a650a1c6..c773cfaa7b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82323-7
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_udp_server") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
index 062b060180..f2005f056c 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82324-5
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_use_ssh_chroot") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
index 1a3dd18dce..64085cfd8b 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
@@ -13,4 +13,7 @@ rationale: ""
 severity: medium
+identifiers:
+ cce@rhel7: 82325-2
+
 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_chroot_rw_homedirs") }}}
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
index 5ed8effd7f..ea48425f03 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
@@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82326-0 + {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_keysign") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml index 26db5e0b28..6a4f49c410 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml @@ -16,4 +16,7 @@ references: severity: medium +identifiers: + cce@rhel7: 82327-8 + {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml index deddaa989f..473fe953fe 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82328-6 + {{{ complete_ocil_entry_sebool_enabled(sebool="staff_exec_content") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml index 63c36e8822..65c3d85d62 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82329-4 + {{{ complete_ocil_entry_sebool_enabled(sebool="sysadm_exec_content") }}} 
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml index de1f78e8dc..88a8b842af 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82330-2 + {{{ complete_ocil_entry_sebool_enabled(sebool="unconfined_login") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml index 9d51a610ca..6e5983fd3a 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82331-0 + {{{ complete_ocil_entry_sebool_disabled(sebool="use_ecryptfs_home_dirs") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml index 5c32b74fab..394b49cade 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82332-8 + {{{ complete_ocil_entry_sebool_enabled(sebool="user_exec_content") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml index d39d6eb97d..19a1ee23cc 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml 
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82333-6 + {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_bind_vnc_tcp_port") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml index 52f90382e4..dca18f3744 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82334-4 + {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_exec_bootloader") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml index 42acdebfbc..fed51e91ec 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82335-1 + {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_sysadm_login") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml index c601c4ef66..fca878f48d 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82336-9 + {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_write_home") }}} 
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml index da71e2e0aa..0d6c2be3d8 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml @@ -14,4 +14,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82337-7 + {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_connect_network") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml index 0713368404..4a94acd4bf 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml @@ -14,4 +14,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82338-5 + {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_exec_content") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml index 171b21bb76..a106a6e148 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml @@ -14,4 +14,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82339-3 + {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_mount_media") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml index 28ef740608..9162facb68 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml 
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml @@ -14,4 +14,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82340-1 + {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_use_bluetooth") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml index 793bca2fab..954456203c 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82341-9 + {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_clients_write_xshm") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml index 2f73f30596..cc4ccc0342 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82342-7 + {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_execmem") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml index 31c10d6459..2f4bc25fe3 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml @@ -13,4 +13,7 @@ rationale: "" severity: medium +identifiers: + cce@rhel7: 82346-8 + {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_object_manager") }}} 
From 7f41b550251afb65fec04a1ada7a59432816fa52 Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Wed, 30 Oct 2019 15:49:44 +0100 Subject: [PATCH 2/5] Add missing CCEs to rules from rhelh-stig profile. --- .../guide/system/software/gnome/package_gdm_removed/rule.yml | 3 +++ .../guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml index 012dbebb38..57b3c00454 100644 --- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml +++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml @@ -18,6 +18,9 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: 82348-4 + references: nist: AC-17(8).1(ii) srg: SRG-OS-000480-GPOS-00227 diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml index 0f20412886..3dbf1b4499 100644 --- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml @@ -16,6 +16,9 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: 82349-2 + ocil_clause: 'nopasswd is set for any users beyond vdsm' ocil: |- diff --git From 9bd0bbf84484fa02c1c53953aa48bb01bed41663 Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Wed, 30 Oct 2019 15:54:44 +0100 Subject: [PATCH 3/5] Add missing CCEs to rules from anssi_nt28_high profile. --- .../services/deprecated/package_telnetd_removed/rule.yml | 3 +++ .../system/bootloader-grub2/grub2_enable_iommu_force/rule.yml | 3 +++ .../permissions/files/file_permissions_systemmap/rule.yml | 3 +++ .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 3 +++ 5 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml index a08170f2c4..bdbbe8437a 100644 --- a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml +++ b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml @@ -8,6 +8,9 @@ rationale: 'telnet allows clear text communications, and does not protect any da severity: high +identifiers: + cce@rhel7: 82352-6 + references: anssi: NT007(R03) nist: AC-17(8),CM-7 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 785ebe4a69..baade9c13e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -12,5 +12,8 @@ rationale: |- severity: unknown +identifiers: + cce@rhel7: 82351-8 + references: anssi: NT28(R11) diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml index 0cf14df579..3c313824d3 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml @@ -13,6 +13,9 @@ rationale: |- severity: unknown +identifiers: + cce@rhel7: 82350-0 + references: anssi: NT28(R13) diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml index 32a15afc45..65d7d8060b 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml @@ -16,6 +16,9 @@ rationale: |- severity: low +identifiers: + cce@rhel7: 82353-4 + references: cis: 1.1.7 anssi: NT28(R12) 
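Review bot: Assigning `cce@rhel7: 82352-6` to package_telnetd_removed calls for a check of the package name the rule actually tests. As far as I know the telnet daemon on RHEL 7 is packaged as telnet-server, while telnetd is the Debian/Ubuntu name. If the check behind this rule looks for a package literally named telnetd, it would pass on every RHEL 7 host regardless of whether the telnet service is installed, and the new CCE would label a result that says nothing about the system. The check content is outside this hunk, so this needs confirming; if it holds, the RHEL profile should select a rule that tests telnet-server and this rule should stay without a rhel7 identifier.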
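Review bot: grub2_enable_iommu_force gets `cce@rhel7: 82351-8` while its `severity: unknown` context line stays as it is, and file_permissions_systemmap (`cce@rhel7: 82350-0`) in the following hunk is in the same state. A rule with an official identifier but no severity will presumably be reported unranked in scan results, which makes findings about IOMMU enforcement and System.map permissions easy to deprioritise. I would set an explicit value in the same change, for example `severity: medium`, with the actual level chosen by the rule owners. Both rule files continue outside their hunks.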
From fd0aee12ebdced5f1d0507cd7ee1a8a0a470c401 Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Wed, 30 Oct 2019 15:57:35 +0100 Subject: [PATCH 4/5] Add missing CCEs to rules from C2S profile. --- .../services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml index 2a20218c3c..9bdc4bb57a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml @@ -14,6 +14,9 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: 82354-2 + references: cis@debian8: 9.3.5 cis@rhel7: 5.2.5 From aa2b6ca11b84700b1b0c4a9d034cd33b594ebdbe Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Wed, 30 Oct 2019 16:00:18 +0100 Subject: [PATCH 5/5] Add missing CCEs to rules from e8 profile. --- .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +++ .../services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 3 +++ .../audit_rules_execution_seunshare/rule.yml | 1 + .../auditd_freq/rule.yml | 1 + .../auditd_local_events/rule.yml | 1 + .../auditd_log_format/rule.yml | 1 + .../auditd_name_format/rule.yml | 1 + .../auditd_write_logs/rule.yml | 1 + 9 files changed, 12 insertions(+), 8 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml index 39e87e86bf..d4b61cedb9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml @@ -23,6 +23,9 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: 82363-3 + references: cis@debian: 9.3.11 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml index 16259017d8..7f0d75c53d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml @@ -19,6 +19,9 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: 82364-1 + ocil_clause: 'MACs option is commented out or not using strong hash algorithms' ocil: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml index 1d25819675..ae64febdf5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml @@ -31,6 +31,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82362-5 cce@rhel8: 80933-5 references: diff --git a/linux_os/guide/system/auditing/auditd_freq/rule.yml b/linux_os/guide/system/auditing/auditd_freq/rule.yml index b0a89910f1..38a356dad9 100644 --- a/linux_os/guide/system/auditing/auditd_freq/rule.yml +++ b/linux_os/guide/system/auditing/auditd_freq/rule.yml @@ -15,6 +15,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82358-3 cce@rhel8: 82258-5 references: diff --git a/linux_os/guide/system/auditing/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/auditd_local_events/rule.yml index 9d24add817..3db55f6594 100644 --- a/linux_os/guide/system/auditing/auditd_local_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_local_events/rule.yml 
@@ -14,6 +14,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82355-9 cce@rhel8: 82233-8 references: diff --git a/linux_os/guide/system/auditing/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/auditd_log_format/rule.yml index a10e86113d..75c63e1d5b 100644 --- a/linux_os/guide/system/auditing/auditd_log_format/rule.yml +++ b/linux_os/guide/system/auditing/auditd_log_format/rule.yml @@ -15,6 +15,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82357-5 cce@rhel8: 82201-5 references: diff --git a/linux_os/guide/system/auditing/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/auditd_name_format/rule.yml index fecae8163f..6673dd050c 100644 --- a/linux_os/guide/system/auditing/auditd_name_format/rule.yml +++ b/linux_os/guide/system/auditing/auditd_name_format/rule.yml @@ -16,6 +16,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82359-1 cce@rhel8: 82897-0 references: diff --git a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml index 2f2d0fa258..261bee9695 100644 --- a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml +++ b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml @@ -14,6 +14,7 @@ rationale: |- severity: medium identifiers: + cce@rhel7: 82356-7 cce@rhel8: 82366-6 references: