From c06a414187f3792413bfc86366e1578d2d22275d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 09:48:24 +0100
Subject: [PATCH 1/3] Select newly developed rules in rhel7 CIS
---
rhel7/profiles/cis.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index affcf70ce2..06f0a8e3dd 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -300,6 +300,7 @@ selections:
- package_telnet_removed
### 2.3.5 Ensure LDAP client is not installed (Scored)
+ - package_openldap-clients_removed
# 3 Network Configuration
## 3.1 Network Parameters (Host Only)
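Review bot: The new `- package_openldap-clients_removed` selection under 2.3.5 carries no applicability note, yet the benchmark heading makes the item conditional on the host not needing an LDAP client, and removing that package presumably strips the LDAP command-line tools from hosts that are legitimate LDAP clients. Put a one-line comment above the selection so the rule is not applied blindly, e.g. `# Only applicable where the host does not need an LDAP client (see 2.3.5 rationale)`. The subject says newly developed "rules" while this hunk selects a single rule; worth reconciling the subject with the one-line diffstat. The rule definition itself is outside this hunk, so whether it covers more than the `openldap-clients` package cannot be checked here.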
From ec2add9b21d7555134d736a57d729ffa1a537cff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 09:51:14 +0100
Subject: [PATCH 2/3] Select rule to disable wireless interfaces
Inspired by the RHEL 8 benchmark.
Updated references as well.
---
.../wireless_software/wireless_disable_interfaces/rule.yml | 1 +
rhel7/profiles/cis.profile | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index 76d94fe8f1..f364fbdce6 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -31,7 +31,8 @@ identifiers:
references:
stigid@rhel6: "000293"
stigid@rhel7: "041010"
- cis: 4.3.1
+ cis@rhel7: "3.7"
+ cis@rhel8: "3.5"
cui: 3.1.16
disa: 85,2418
nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7
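Review bot: The unversioned `cis: 4.3.1` reference is dropped without saying which benchmark edition `4.3.1` came from, and anything that still reads the bare `cis` key loses this rule's mapping; either keep `cis: 4.3.1` next to the new `cis@rhel7`/`cis@rhel8` keys if the project treats the bare key as a fallback, or state in the commit message that the bare key is being retired. Quoting `"3.7"` and `"3.5"` is correct, since unquoted they would be read as YAML floats, so the other versioned references in this file should use the same form. The diffstat above reports `1 +` for this file while the hunk shows one removal and two additions; the rendering may have lost a marker, but the mismatch deserves a check before merging. The `references:` mapping may continue past the end of this hunk.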
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 06f0a8e3dd..d34d617579 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -393,6 +393,7 @@ selections:
### 3.6.4 Ensure outbound and established connections are configured (Not Scored)
### 3.6.5 Ensure firewall rules exist for all open ports (Scored)
## 3.7 Ensure wireless interfaces are disabled (Not Scored)
+ - wireless_disable_interfaces
# 4 Logging and Auditing
## 4.1 Configure System Accounting (auditd)
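Review bot: `wireless_disable_interfaces` is selected under a Not Scored item with no note on impact; if its remediation brings wireless interfaces down (the rule body is not in this hunk), applying the profile to a wireless-only host would cut that host off. Add a short comment above the selection, e.g. `# Not Scored: remediation is expected to disable every wireless interface; exclude on wireless-only hosts`, or consider leaving the rule tailorable rather than selected by default.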
From 76f98f39cf9f90009c30e09d9c995402a5b46847 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Mar 2020 10:52:58 +0100
Subject: [PATCH 3/3] Comment out not applicable requirements
---
rhel7/profiles/cis.profile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index d34d617579..76506c9369 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -216,8 +216,8 @@ selections:
- package_chrony_installed
#### 2.2.1.2 Ensure ntp is configured (Scored)
- # restrict is not checkec by rules below
- - chronyd_or_ntpd_specify_remote_server
+ # This requirement is not applicable
+ # This profile opts to use chrony rather than ntp
#### 2.2.1.3 Ensure chrony is configured (Scored)
- service_chronyd_enabled
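Review bot: Deleting `- chronyd_or_ntpd_specify_remote_server` under 2.2.1.2 removes the only visible check that a remote time source is configured, and by its name that rule covers chrony as well as ntp, so declaring ntp non-applicable does not make it redundant. Unless 2.2.1.3 already re-selects it further down (its selections after `service_chronyd_enabled` are outside this hunk), move the line under the chrony heading instead of dropping it: `#### 2.2.1.3 Ensure chrony is configured (Scored)` / `- chronyd_or_ntpd_specify_remote_server` / `- service_chronyd_enabled`. The removed `restrict` note appears ntp-specific, so losing it is fine once ntp is out of scope, but the two new comments should say that the remote-server check is kept under 2.2.1.3 so a later reader does not re-add it under 2.2.1.2.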
@@ -517,6 +517,8 @@ selections:
#### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
#### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
#### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)
+ # Whole section 4.2.2.X is not applicable
+ # This profile opts to use rsyslog rather than syslog-ng
### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
- package_rsyslog_installed
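Review bot: The new `# Whole section 4.2.2.X is not applicable` comment is placed after the last 4.2.2.x heading, so a reader working down from 4.2.2.1 (above this hunk) passes five unselected items before learning why none of them is selected. Move the two comment lines to sit directly under the `### 4.2.2` section heading, which is outside this hunk, so they are the first thing in the section. Spelling the range out as `4.2.2.1-4.2.2.5` instead of `4.2.2.X` would also match the headings it refers to.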
|