From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 16 Mar 2020 19:37:57 +0100
Subject: [PATCH 1/4] Select rules for SSH and add references
---
 .../rule.yml | 1 +
 .../file_permissions_sshd_pub_key/rule.yml | 1 +
 .../ssh/ssh_server/disable_host_auth/rule.yml | 3 +-
 .../sshd_disable_empty_passwords/rule.yml | 3 +-
 .../ssh_server/sshd_disable_rhosts/rule.yml | 3 +-
 .../sshd_disable_root_login/rule.yml | 3 +-
 .../sshd_do_not_permit_user_env/rule.yml | 3 +-
 .../sshd_enable_warning_banner/rule.yml | 3 +-
 .../sshd_enable_x11_forwarding/rule.yml | 3 +-
 .../ssh_server/sshd_set_idle_timeout/rule.yml | 3 +-
 .../ssh_server/sshd_set_keepalive/rule.yml | 3 +-
 .../sshd_set_loglevel_info/rule.yml | 1 +
 .../sshd_set_max_auth_tries/rule.yml | 1 +
 .../configure_ssh_crypto_policy/rule.yml | 1 +
 15 files changed, 51 insertions(+), 22 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index b1b7ccabaa..108c9c5ce0 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -33,6 +33,7 @@ references:
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel8: 5.2.3
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index da3dead155..714b507db1 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -28,6 +28,7 @@ references:
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel8: 5.2.4
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index de5580b9f5..9db9fd7516 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,8 @@ references:
 stigid@rhel6: "000236"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.7
+ cis@rhel8: 5.2.7
+ cis@rhel8: 5.2.9
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
index 25908a4e4d..b9bbe1e48e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -28,7 +28,8 @@ references:
 stigid@rhel6: "000239"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.9
+ cis@rhel7: 5.2.9
+ cis@rhel8: 5.2.11
 cjis: 5.5.6
 cui: 3.1.1,3.1.5
 disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index fd960a55ae..3a5d16c052 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
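Review bot: The two added lines in the disable_host_auth hunk both use the key `cis@rhel8`, which makes the `references` mapping carry a duplicate key; most YAML loaders keep only the last value silently, so `5.2.7` (the number the removed unscoped `cis:` line carried) is dropped with no error. The sshd_disable_rhosts hunk on the next line has the same shape, with the misspelled `ci@rhel8s` key twice. Patch 2 of this series renames the keys, but nothing visible here rejects a duplicate mapping key at build time; a duplicate-key check (yamllint `key-duplicates`, or the same check in the rule loader) would have failed this patch instead of letting a reference vanish. Separately, this hunk and the other ssh_server hunks of the patch remove the unscoped `cis:` line rather than keeping it next to the product-scoped keys; if any product other than rhel7/rhel8 consumed that key, it loses the reference, which is worth confirming against how the build resolves `cis@<product>` versus `cis`.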
@@ -27,7 +27,8 @@ references:
 stigid@rhel6: "000234"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.6
+ ci@rhel8s: 5.2.6
+ ci@rhel8s: 5.2.8
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 8b9cba960f..c6e7d7986c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -28,7 +28,8 @@ references:
 stigid@rhel6: "000237"
 srg@rhel6: SRG-OS-000109
 disa@rhel6: '770'
- cis: 5.2.8
+ cis@rhel7: 5.2.8
+ cis@rhel8: 5.2.10
 cjis: 5.5.6
 cui: '3.1.1,3.1.5'
 disa: 366,770
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index f25d2a690a..f1a09a1b8d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -23,7 +23,8 @@ references:
 stigid@rhel6: "000241"
 srg@rhel6: SRG-OS-000242
 disa@rhel6: '1414'
- cis: 5.2.10
+ cis@rhel7: 5.2.10
+ cis@rhel8: 5.2.12
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index f32287ff7c..4aa26eeb90 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -25,7 +25,8 @@ identifiers:
 references:
 stigid@rhel6: "000240"
 srg@rhel6: SRG-OS-000023
- cis: 5.2.16
+ cis@rhel7: 5.2.15
+ cis@rhel8: 5.2.15
 cjis: 5.5.6
 cui: 3.1.9
 disa: 48,50,1384,1385,1386,1387,1388
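Review bot: In the sshd_enable_warning_banner hunk the RHEL 7 value changes from `cis: 5.2.16` to `cis@rhel7: 5.2.15`, while every other hunk in this patch carries the old number over unchanged into `cis@rhel7`. If 5.2.16 was wrong for RHEL 7, the correction deserves a sentence in the commit message, since the title only announces added references and the diff reads as a silent renumbering; if it was not wrong, the line should read `cis@rhel7: 5.2.16`. Which benchmark section this rule maps to cannot be checked from the diff alone, so the intended number should be stated explicitly either way.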
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5d50c2ed07..5fdca265fa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,7 +22,8 @@ identifiers:
 cce@rhel8: 82421-9
 references:
- cis: 5.2.4
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
 cui: 3.1.13
 disa: "366"
 nist: CM-6(a),AC-17(a),AC-17(2)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 7cf263bef4..347610cd6f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -34,7 +34,8 @@ references:
 stigid@rhel6: "000230"
 srg@rhel6: SRG-OS-000163
 disa@rhel6: '879'
- cis: 5.2.12
+ cis@rhel7: 5.2.12
+ cis@rhel8: 5.2.13
 cjis: 5.5.6
 cui: 3.1.11
 disa: 879,1133,2361
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index cc9f62b0af..65aac90ace 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -23,7 +23,8 @@ references:
 stigid@rhel6: "000231"
 srg@rhel6: SRG-OS-000126
 disa@rhel6: '879'
- cis: 5.2.12
+ cis@rhel7: 5.2.12
+ cis@rhel8: 5.2.13
 cjis: 5.5.6
 cui: 3.1.11
 disa: 879,1133,2361
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 26eca336b2..e9e84cdf9b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -26,6 +26,7 @@ references:
 cis@debian8: 9.3.2
 cis@debian10: 9.3.2
 cis@rhel7: 5.2.3
+ cis@rhel8: 5.2.5
 nist: AC-17(a),CM-6(a)
 ocil_clause: 'it is commented out or is not enabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 6fd7a4b6bd..1661b78773 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -21,6 +21,7 @@ references:
 cis@debian8: 9.3.5
 cis@debian9: 9.3.5
 cis@rhel7: 5.2.5
+ cis@rhel8: 5.2.7
 ocil_clause: 'it is commented out or not configured properly'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index b9d8b06028..db5ce07f0e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 references:
 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+ cis@rhel8: 5.2.20
 ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 15:08:50 +0100
Subject: [PATCH 2/4] Fix typos in CIS references
---
 .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 2 +-
 .../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index 9db9fd7516..d19bfd4538 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,7 @@ references:
 stigid@rhel6: "000236"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis@rhel8: 5.2.7
+ cis@rhel7: 5.2.7
 cis@rhel8: 5.2.9
 cjis: 5.5.6
 cui: 3.1.12
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index 3a5d16c052..5dafad7462 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -27,8 +27,8 @@ references:
 stigid@rhel6: "000234"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- ci@rhel8s: 5.2.6
- ci@rhel8s: 5.2.8
+ cis@rhel7: 5.2.6
+ cis@rhel8: 5.2.8
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"
From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:43:16 +0100
Subject: [PATCH 3/4] Update CIS references for sshd_config
---
 .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 3 ++-
 linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 3 ++-
 .../guide/services/ssh/file_permissions_sshd_config/rule.yml | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index a9c09765d0..e53ac9d6b9 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82901-0
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index 5a80d04763..ca1cc19eeb 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82898-8
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index 13bdab401e..e40868dac4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82894-7
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 19 Mar 2020 13:17:03 +0100
Subject: [PATCH 4/4] Remove incorrect rule selection and its references
Policy would like X11 forwarding disabled, not enabled.
---
 .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5fdca265fa..4dedae6e8b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,8 +22,6 @@ identifiers:
 cce@rhel8: 82421-9
 references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
 cui: 3.1.13
 disa: "366"
 nist: CM-6(a),AC-17(a),AC-17(2)