From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 16 Mar 2020 19:37:57 +0100
Subject: [PATCH 1/4] Select rules for SSH and add references
---
.../rule.yml | 1 +
.../file_permissions_sshd_pub_key/rule.yml | 1 +
.../ssh/ssh_server/disable_host_auth/rule.yml | 3 +-
.../sshd_disable_empty_passwords/rule.yml | 3 +-
.../ssh_server/sshd_disable_rhosts/rule.yml | 3 +-
.../sshd_disable_root_login/rule.yml | 3 +-
.../sshd_do_not_permit_user_env/rule.yml | 3 +-
.../sshd_enable_warning_banner/rule.yml | 3 +-
.../sshd_enable_x11_forwarding/rule.yml | 3 +-
.../ssh_server/sshd_set_idle_timeout/rule.yml | 3 +-
.../ssh_server/sshd_set_keepalive/rule.yml | 3 +-
.../sshd_set_loglevel_info/rule.yml | 1 +
.../sshd_set_max_auth_tries/rule.yml | 1 +
.../configure_ssh_crypto_policy/rule.yml | 1 +
15 files changed, 51 insertions(+), 22 deletions(-)
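diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index b1b7ccabaa..108c9c5ce0 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -33,6 +33,7 @@ references:
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel8: 5.2.3
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
 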
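Review bot: The added `cis@rhel8: 5.2.3` reference ties this rule to the benchmark item for SSH private host key permissions, but the `ocil_clause` in the hunk context checks for `-rw-r-----`, so the rule as described accepts group-readable key files. If the referenced benchmark item expects owner-only access (0600), which should be confirmed against the benchmark text, a scan would report compliance on hosts the benchmark itself would flag. I would record the difference next to the reference, for example `# cis@rhel8 5.2.3: this rule accepts 0640; confirm the benchmark permits group read`, or map the item to a stricter rule. The rest of rule.yml lies outside the hunk, so the enforced check may differ from the OCIL text.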
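diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index da3dead155..714b507db1 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -28,6 +28,7 @@ references:
 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel8: 5.2.4
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
 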
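diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index de5580b9f5..9db9fd7516 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,8 @@ references:
 stigid@rhel6: "000236"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.7
+ cis@rhel8: 5.2.7
+ cis@rhel8: 5.2.9
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"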
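Review bot: The two added lines both use the key `cis@rhel8`, so the `references` mapping now contains a duplicate key. YAML loaders commonly keep only the last value without raising an error, which would drop `5.2.7` and leave the rule with no RHEL 7 reference. Going by the other files in this patch, the first line was presumably meant to be `cis@rhel7: 5.2.7` (patch 2/4 on this page makes that correction). The same class of slip appears in sshd_disable_rhosts/rule.yml, where the key is spelled `ci@rhel8s`. Both apparently passed unnoticed, so a build-time check that rejects duplicate or unknown reference keys would stop a wrong mapping before it reaches a compliance report.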
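diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
index 25908a4e4d..b9bbe1e48e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -28,7 +28,8 @@ references:
 stigid@rhel6: "000239"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.9
+ cis@rhel7: 5.2.9
+ cis@rhel8: 5.2.11
 cjis: 5.5.6
 cui: 3.1.1,3.1.5
 disa: "366"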
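diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index fd960a55ae..3a5d16c052 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -27,7 +27,8 @@ references:
 stigid@rhel6: "000234"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis: 5.2.6
+ ci@rhel8s: 5.2.6
+ ci@rhel8s: 5.2.8
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"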
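diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 8b9cba960f..c6e7d7986c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -28,7 +28,8 @@ references:
 stigid@rhel6: "000237"
 srg@rhel6: SRG-OS-000109
 disa@rhel6: '770'
- cis: 5.2.8
+ cis@rhel7: 5.2.8
+ cis@rhel8: 5.2.10
 cjis: 5.5.6
 cui: '3.1.1,3.1.5'
 disa: 366,770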
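diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index f25d2a690a..f1a09a1b8d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -23,7 +23,8 @@ references:
 stigid@rhel6: "000241"
 srg@rhel6: SRG-OS-000242
 disa@rhel6: '1414'
- cis: 5.2.10
+ cis@rhel7: 5.2.10
+ cis@rhel8: 5.2.12
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"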
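diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index f32287ff7c..4aa26eeb90 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -25,7 +25,8 @@ identifiers:
 references:
 stigid@rhel6: "000240"
 srg@rhel6: SRG-OS-000023
- cis: 5.2.16
+ cis@rhel7: 5.2.15
+ cis@rhel8: 5.2.15
 cjis: 5.5.6
 cui: 3.1.9
 disa: 48,50,1384,1385,1386,1387,1388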
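Review bot: The RHEL 7 reference changes value in this hunk, from `cis: 5.2.16` to `cis@rhel7: 5.2.15`, whereas every other hunk in this patch that replaces a bare `cis:` key carries the old number over unchanged. The commit message does not mention a renumbering, so the page does not show whether this is a deliberate correction or a copy of the RHEL 8 value. Please confirm `5.2.15` against the RHEL 7 benchmark version the project targets and state it in the commit message, for example `sshd_enable_warning_banner: CIS RHEL 7 item is 5.2.15, not 5.2.16`.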
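diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5d50c2ed07..5fdca265fa 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,7 +22,8 @@ identifiers:
 cce@rhel8: 82421-9
 
 references:
- cis: 5.2.4
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
 cui: 3.1.13
 disa: "366"
 nist: CM-6(a),AC-17(a),AC-17(2)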
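diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 7cf263bef4..347610cd6f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -34,7 +34,8 @@ references:
 stigid@rhel6: "000230"
 srg@rhel6: SRG-OS-000163
 disa@rhel6: '879'
- cis: 5.2.12
+ cis@rhel7: 5.2.12
+ cis@rhel8: 5.2.13
 cjis: 5.5.6
 cui: 3.1.11
 disa: 879,1133,2361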
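diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index cc9f62b0af..65aac90ace 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -23,7 +23,8 @@ references:
 stigid@rhel6: "000231"
 srg@rhel6: SRG-OS-000126
 disa@rhel6: '879'
- cis: 5.2.12
+ cis@rhel7: 5.2.12
+ cis@rhel8: 5.2.13
 cjis: 5.5.6
 cui: 3.1.11
 disa: 879,1133,2361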
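diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 26eca336b2..e9e84cdf9b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -26,6 +26,7 @@ references:
 cis@debian8: 9.3.2
 cis@debian10: 9.3.2
 cis@rhel7: 5.2.3
+ cis@rhel8: 5.2.5
 nist: AC-17(a),CM-6(a)
 
 ocil_clause: 'it is commented out or is not enabled'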
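diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 6fd7a4b6bd..1661b78773 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -21,6 +21,7 @@ references:
 cis@debian8: 9.3.5
 cis@debian9: 9.3.5
 cis@rhel7: 5.2.5
+ cis@rhel8: 5.2.7
 
 ocil_clause: 'it is commented out or not configured properly'
 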
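diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index b9d8b06028..db5ce07f0e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 
 references:
 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+ cis@rhel8: 5.2.20
 
 ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
 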
From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 15:08:50 +0100
Subject: [PATCH 2/4] Fix typos in CIS references
---
.../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 2 +-
.../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
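diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
index 9db9fd7516..d19bfd4538 100644
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -27,7 +27,7 @@ references:
 stigid@rhel6: "000236"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- cis@rhel8: 5.2.7
+ cis@rhel7: 5.2.7
 cis@rhel8: 5.2.9
 cjis: 5.5.6
 cui: 3.1.12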
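diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index 3a5d16c052..5dafad7462 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -27,8 +27,8 @@ references:
 stigid@rhel6: "000234"
 srg@rhel6: SRG-OS-000106
 disa@rhel6: 765,766
- ci@rhel8s: 5.2.6
- ci@rhel8s: 5.2.8
+ cis@rhel7: 5.2.6
+ cis@rhel8: 5.2.8
 cjis: 5.5.6
 cui: 3.1.12
 disa: "366"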
From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:43:16 +0100
Subject: [PATCH 3/4] Update CIS references for sshd_config
---
.../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 3 ++-
linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 3 ++-
.../guide/services/ssh/file_permissions_sshd_config/rule.yml | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
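diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index a9c09765d0..e53ac9d6b9 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82901-0
 
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227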
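diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index 5a80d04763..ca1cc19eeb 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82898-8
 
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227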
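diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index 13bdab401e..e40868dac4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -21,7 +21,8 @@ identifiers:
 cce@rhel8: 82894-7
 
 references:
- cis: 5.2.1
+ cis@rhel7: 5.2.1
+ cis@rhel8: 5.2.1
 nist: AC-17(a),CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227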
From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 13:17:03 +0100
Subject: [PATCH 4/4] Remove incorrect rule selection and its references
Policy would like X11 forwarding disabled, not enabled.
---
.../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
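diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5fdca265fa..4dedae6e8b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -22,8 +22,6 @@ identifiers:
 cce@rhel8: 82421-9
 
 references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
 cui: 3.1.13
 disa: "366"
 nist: CM-6(a),AC-17(a),AC-17(2)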