From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 20 Mar 2020 11:50:25 +0100
Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding
---
 rhel7/profiles/cis.profile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 486fcf9a33..53d3819822 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -558,7 +558,6 @@ selections:
 - sshd_set_loglevel_info
 ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
- - sshd_enable_x11_forwarding
 ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
 - sshd_set_max_auth_tries
From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 23 Mar 2020 15:00:23 +0100
Subject: [PATCH 2/4] Add a few more selections to rhel7 profile
- Rule for libselinux installed
- Rule for service tftp disabled
- Rule for kernel module RDS disabled
---
 rhel7/profiles/cis.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 53d3819822..a9c78dc140 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -172,6 +172,7 @@ selections:
 - selinux_confinement_of_daemons
 ### 1.6.2 Ensure SELinux is installed (Scored)
+ - package_libselinux_installed
 ## 1.7 Warning Banners
 #### 1.7.1.1 Ensure message of the day is configured properly (Scored)
@@ -205,6 +206,7 @@ selections:
 ### 2.1.4 Ensure echo services are not enabled (Scored)
 ### 2.1.5 Ensure time services are not enabled (Scored)
 ### 2.1.6 Ensure tftp server is not enabled (Scored)
+ - service_tftp_disabled
 ### 2.1.7 Ensure xinetd is not enabled (Scored)
 - service_xinetd_disabled
@@ -363,6 +365,7 @@ selections:
 - kernel_module_sctp_disabled
 ### 3.5.3 Ensure RDS is disabled (Not Scored)
+ - kernel_module_rds_disabled
 ### 3.5.4 Ensure TIPC is disabled (Not Scored)
 - kernel_module_tipc_disabled
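Review bot: `service_tftp_disabled` under 2.1.6 is selected for a Scored item, but on RHEL 7 the tftp server is socket-activated through a separate tftp.socket unit, so a disabled tftp.service can still be started on demand unless the socket unit is disabled and masked too; this hunk does not show whether the rule covers the socket unit, so that should be confirmed before relying on it. If the rule only handles the service unit, a comment such as `# tftp is socket-activated on RHEL 7; the check must also cover tftp.socket` above the selection would keep the gap visible to the next maintainer. The 1.6.2 and 3.5.3 hunks in this patch are plain package and kernel-module selections and raise nothing.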
From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 23 Mar 2020 15:16:48 +0100
Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references
---
 .../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +-
 .../services/ntp/chronyd_specify_remote_server/rule.yml | 1 +
 .../guide/services/ntp/package_chrony_installed/rule.yml | 1 +
 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 +
 rhel7/profiles/cis.profile | 5 ++++-
 5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index cd641ce0cb..2e5596b972 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -24,7 +24,7 @@ severity: medium
 platform: chrony
 references:
- cis@rhel7: 2.2.1.2
+ cis@rhel7: 2.2.1.3
 cis@rhel8: 2.2.1.2
 identifiers:
diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
index bc8815b068..ea4c955c8e 100644
--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 cce@rhel8: 82873-1
 references:
+ cis@rhel7: 2.2.1.3
 cis@rhel8: 2.2.1.2
 ocil_clause: 'a remote time server is not configured'
diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
index 2549f48b71..f6dc1f427f 100644
--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@rhel8: 82874-9
 references:
+ cis@rhel7: 2.2.1.1
 cis@rhel8: 2.2.1.1
 {{{ complete_ocil_entry_package(package="chrony") }}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
index 7b3a0a2a13..94269dfd54 100644
--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel8: 82875-6
 references:
+ cis@rhel7: 2.2.1.3
 cis@rhel8: 2.2.1.2
 ocil_clause: 'the chronyd process is not running'
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index a9c78dc140..108a728bbf 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -213,13 +213,16 @@ selections:
 ## 2.2 Special Purpose Services
 #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
- - service_chronyd_or_ntpd_enabled
+ - package_chrony_installed
 #### 2.2.1.2 Ensure ntp is configured (Scored)
 # restrict is not checkec by rules below
 - chronyd_or_ntpd_specify_remote_server
 #### 2.2.1.3 Ensure chrony is configured (Scored)
+ - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
 ### 2.2.2 Ensure X Window System is not installed (Scored)
 - package_xorg-x11-server-common_removed
From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 23 Mar 2020 15:17:16 +0100
Subject: [PATCH 4/4] Select rules for backup account files
Select rules to check permissions and owner of important backup account files.
---
 rhel7/profiles/cis.profile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 108a728bbf..0fc919950f 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
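Review bot: Swapping `service_chronyd_or_ntpd_enabled` for `package_chrony_installed` under 2.2.1.1 makes this profile chrony-only, while the unchanged `- chronyd_or_ntpd_specify_remote_server` under 2.2.1.2 still accepts an ntpd setup and now overlaps with the newly selected `chronyd_specify_remote_server` under 2.2.1.3. A host that satisfies 2.2.1.1 with ntpd, which the CIS item permits, will fail this profile, and the "or" rule no longer adds coverage once chrony is mandatory; either drop it and record the decision with a comment such as `# This profile mandates chrony; an ntpd-only host is not accepted for 2.2.1.x`, or keep a service-or-service selection under 2.2.1.1 next to the package rule. `service_chronyd_enabled` is also placed under 2.2.1.3 (chrony configured) rather than 2.2.1.1 (time synchronization in use), which matches the cis@rhel7 reference added to its rule.yml in this patch but leaves 2.2.1.1 with only a package presence check.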
@@ -689,9 +689,24 @@ selections:
 - file_permissions_etc_gshadow
 ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
 ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
 ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+ - file_permissions_backup_etc_group
+
 ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
 ### 6.1.10 Ensure no world writable files exist (Scored)
 - file_permissions_unauthorized_world_writable
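Review bot: The twelve `file_*_backup_etc_*` selections are added without any rule.yml in this series, so the profile now depends on those rule IDs already existing in the content tree; a misspelled or missing ID would surface only at build time, which is worth checking before merge. Beyond existence, the expected owner, group and mode inside those rules should be compared with the RHEL 7 benchmark values for 6.1.6 through 6.1.9 — the /etc/shadow- and /etc/gshadow- backups carry a stricter mode than /etc/passwd- and /etc/group-, and the expected values have shifted between benchmark revisions, so the rules must agree with the revision this profile targets. A short comment above the 6.1.6 block, e.g. `# Backup-file modes must match the CIS RHEL 7 revision this profile tracks`, would record that dependency for future updates.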