From c06a414187f3792413bfc86366e1578d2d22275d Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 25 Mar 2020 09:48:24 +0100
Subject: [PATCH 1/3] Select newly developed rules in rhel7 CIS
---
 rhel7/profiles/cis.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index affcf70ce2..06f0a8e3dd 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -300,6 +300,7 @@ selections:
 - package_telnet_removed
 ### 2.3.5 Ensure LDAP client is not installed (Scored)
+ - package_openldap-clients_removed
 # 3 Network Configuration
 ## 3.1 Network Parameters (Host Only)
From ec2add9b21d7555134d736a57d729ffa1a537cff Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 25 Mar 2020 09:51:14 +0100
Subject: [PATCH 2/3] Select rule to disable wireless interfaces
Inspired by rhel8 benchmark.
Updated references as well.
---
 .../wireless_software/wireless_disable_interfaces/rule.yml | 1 +
 rhel7/profiles/cis.profile | 1 +
 2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index 76d94fe8f1..f364fbdce6 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -31,7 +31,8 @@ identifiers:
 references:
 stigid@rhel6: "000293"
 stigid@rhel7: "041010"
- cis: 4.3.1
+ cis@rhel7: "3.7"
+ cis@rhel8: "3.5"
 cui: 3.1.16
 disa: 85,2418
 nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 06f0a8e3dd..d34d617579 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
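Review bot: Replacing the unqualified `cis: 4.3.1` with only `cis@rhel7` and `cis@rhel8` keys leaves no CIS reference for any other product this rule still covers; the `stigid@rhel6` entry two lines above suggests rhel6 is one of them, though whether the build falls back to a bare `cis` key for products without a suffixed entry is not visible from this hunk. If 4.3.1 was the rhel6 benchmark number, keep it under a product-suffixed key following the `stigid@rhel6` pattern rather than dropping it; if it was simply stale, a sentence in the commit message saying so would spare the next reader the check. Quoting `"3.7"` and `"3.5"` is correct here, since a plain `3.7` would be read as a float and a value such as 3.10 would lose its trailing zero.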
@@ -393,6 +393,7 @@ selections:
 ### 3.6.4 Ensure outbound and established connections are configured (Not Scored)
 ### 3.6.5 Ensure firewall rules exist for all open ports (Scored)
 ## 3.7 Ensure wireless interfaces are disabled (Not Scored)
+ - wireless_disable_interfaces
 # 4 Logging and Auditing
 ## 4.1 Configure System Accounting (auditd)
From 76f98f39cf9f90009c30e09d9c995402a5b46847 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 25 Mar 2020 10:52:58 +0100
Subject: [PATCH 3/3] Comment out not applicable requirements
---
 rhel7/profiles/cis.profile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index d34d617579..76506c9369 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -216,8 +216,8 @@ selections:
 - package_chrony_installed
 #### 2.2.1.2 Ensure ntp is configured (Scored)
- # restrict is not checkec by rules below
- - chronyd_or_ntpd_specify_remote_server
+ # This requirement is not applicable
+ # This profile opts to use chrony rather than ntp
 #### 2.2.1.3 Ensure chrony is configured (Scored)
 - service_chronyd_enabled
@@ -517,6 +517,8 @@ selections:
 #### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
 #### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
 #### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)
+ # Whole section 4.2.2.X is not applicable
+ # This profile opts to use rsyslog rather than syslog-ng
 ### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
 - package_rsyslog_installed
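Review bot: Dropping `chronyd_or_ntpd_specify_remote_server` under 2.2.1.2 removes the only visible check that a remote time server is actually configured, and the rule's name says it covers chronyd as well as ntpd, so the profile's preference for chrony does not make it inapplicable. The 2.2.1.3 heading "Ensure chrony is configured" presumably includes pointing chrony at a time source, and the hunk shows only `service_chronyd_enabled` under it before ending, so unless a later selection outside the hunk covers the server directive the rule should move rather than disappear, e.g. keep `- chronyd_or_ntpd_specify_remote_server` directly after `- service_chronyd_enabled`. The replacement comment would also be more accurate as `# ntp-specific parts are not applicable: this profile uses chrony; the server check is selected under 2.2.1.3`. The same placement remark applies to the 4.2.2.X note in the following hunk, which would be easier to find at the section heading than after its last sub-item.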