From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 29 Jun 2021 14:37:28 +0100
Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files
 per-benchmark

---
 products/rhel8/profiles/cis.profile           | 1080 +----------------
 products/rhel8/profiles/cis_server_l1.profile |   22 +
 .../rhel8/profiles/cis_workstation_l1.profile |   22 +
 .../rhel8/profiles/cis_workstation_l2.profile |   22 +
 4 files changed, 72 insertions(+), 1074 deletions(-)
 create mode 100644 products/rhel8/profiles/cis_server_l1.profile
 create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile
 create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile

diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
index c22ae86d076..4a00c24e0f7 100644
--- a/products/rhel8/profiles/cis.profile
+++ b/products/rhel8/profiles/cis.profile
@@ -1,1090 +1,22 @@
 documentation_complete: true
 
 metadata:
-    version: 1.0.0
+    version: 1.0.1
     SMEs:
         - vojtapolasek
         - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server'
 
 description: |-
-    This profile defines a baseline that aligns to the Center for Internet Security®
-    Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+    This profile defines a baseline that aligns to the "Level 2 - Server"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
 
     This profile includes Center for Internet Security®
     Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
 
 selections:
-    # Necessary for dconf rules
-    - dconf_db_up_to_date
-
-    ### Partitioning
-    - mount_option_home_nodev
-
-    ## 1.1 Filesystem Configuration
-
-    ### 1.1.1 Disable unused filesystems
-
-    #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
-    - kernel_module_cramfs_disabled
-
-    #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
-
-
-    #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
-    - kernel_module_squashfs_disabled
-
-    #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
-    - kernel_module_udf_disabled
-
-    ### 1.1.2 Ensure /tmp is configured (Scored)
-    - partition_for_tmp
-
-    ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
-    - mount_option_tmp_nodev
-
-    ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
-    - mount_option_tmp_nosuid
-
-    ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
-    - mount_option_tmp_noexec
-
-    ### 1.1.6 Ensure separate partition exists for /var (Scored)
-    - partition_for_var
-
-    ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
-    - partition_for_var_tmp
-
-    ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_nodev
-
-    ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_nosuid
-
-    ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_noexec
-
-    ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
-    - partition_for_var_log
-
-    ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
-    - partition_for_var_log_audit
-
-    ### 1.1.13 Ensure separate partition exists for /home (Scored)
-    - partition_for_home
-
-    ### 1.1.14 Ensure nodev option set on /home partition (Scored)
-    - mount_option_home_nodev
-
-    ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_nodev
-
-    ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_nosuid
-
-    ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_noexec
-
-    ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
-    - mount_option_nodev_removable_partitions
-
-    ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
-    - mount_option_nosuid_removable_partitions
-
-    ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
-    - mount_option_noexec_removable_partitions
-
-    ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
-    - dir_perms_world_writable_sticky_bits
-
-    ### 1.1.22 Disable Automounting (Scored)
-    - service_autofs_disabled
-
-    ### 1.1.23 Disable USB Storage (Scored)
-    - kernel_module_usb-storage_disabled
-
-    ## 1.2 Configure Software Updates
-
-    ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
-
-    ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
-    - service_rhnsd_disabled
-
-    ### 1.2.3 Ensure GPG keys are configured (Not Scored)
-    - ensure_redhat_gpgkey_installed
-
-    ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
-    - ensure_gpgcheck_globally_activated
-
-    ### 1.2.5 Ensure package manager repositories are configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
-
-    ## 1.3 Configure sudo
-
-    ### 1.3.1 Ensure sudo is installed (Scored)
-    - package_sudo_installed
-
-    ### 1.3.2 Ensure sudo commands use pty (Scored)
-    - sudo_add_use_pty
-
-    ### 1.3.3 Ensure sudo log file exists (Scored)
-    - sudo_custom_logfile
-
-    ## 1.4 Filesystem Integrity Checking
-
-    ### 1.4.1 Ensure AIDE is installed (Scored)
-    - package_aide_installed
-
-    ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
-    - aide_periodic_cron_checking
-
-    ## Secure Boot Settings
-
-    ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
-    #### chown root:root /boot/grub2/grub.cfg
-    - file_owner_grub2_cfg
-    - file_groupowner_grub2_cfg
-
-    #### chmod og-rwx /boot/grub2/grub.cfg
-    - file_permissions_grub2_cfg
-
-    #### chown root:root /boot/grub2/grubenv
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
-    #### chmod og-rwx /boot/grub2/grubenv
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
-    ### 1.5.2 Ensure bootloader password is set (Scored)
-    - grub2_password
-
-    ### 1.5.3 Ensure authentication required for single user mode (Scored)
-    #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
-    - require_singleuser_auth
-
-    #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
-    - require_emergency_target_auth
-
-    ## 1.6 Additional Process Hardening
-
-    ### 1.6.1 Ensure core dumps are restricted (Scored)
-    #### * hard core 0
-    - disable_users_coredumps
-
-    #### fs.suid_dumpable = 0
-    - sysctl_fs_suid_dumpable
-
-    #### ProcessSizeMax=0
-    - coredump_disable_backtraces
-
-    #### Storage=none
-    - coredump_disable_storage
-
-    ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
-    - sysctl_kernel_randomize_va_space
-
-    ## 1.7 Mandatory Access Control
-
-    ### 1.7.1 Configure SELinux
-
-    #### 1.7.1.1 Ensure SELinux is installed (Scored)
-    - package_libselinux_installed
-
-    #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
-    - grub2_enable_selinux
-
-    #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
-    - var_selinux_policy_name=targeted
-    - selinux_policytype
- 
-    #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
-    - var_selinux_state=enforcing
-    - selinux_state
-
-    #### 1.7.1.5 Ensure no unconfied services exist (Scored)
-    - selinux_confinement_of_daemons
-
-    #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
-    - package_setroubleshoot_removed
-
-    #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
-    - package_mcstrans_removed
-
-    ## Warning Banners
-
-    ### 1.8.1 Command Line Warning Baners
-
-    #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
-    - banner_etc_motd
-
-    #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
-    - banner_etc_issue
-
-    #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
-
-    #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
-    # chmod u-x,go-wx /etc/motd
-    - file_permissions_etc_motd
-
-    #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
-    # chmod u-x,go-wx /etc/issue
-    - file_permissions_etc_issue
-
-    #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
-    # Previously addressed via 'rpm_verify_permissions' rule
-
-    ### 1.8.2 Ensure GDM login banner is configured (Scored)
-    #### banner-message-enable=true
-    - dconf_gnome_banner_enabled
-
-    #### banner-message-text='<banner message>'
-    - dconf_gnome_login_banner_text
-
-    ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
-    - security_patches_up_to_date
-
-    ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
-    - var_system_crypto_policy=future
-    - configure_crypto_policy
-
-    ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
-    # Previously addressed via 'configure_crypto_policy' rule
-
-    # Services
-
-    ## 2.1 inetd Services
-
-    ### 2.1.1 Ensure xinetd is not installed (Scored)
-    - package_xinetd_removed
-
-    ## 2.2 Special Purpose Services
-
-    ### 2.2.1 Time Synchronization
-
-    #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
-    - package_chrony_installed
-
-    #### 2.2.1.2 Ensure chrony is configured (Scored)
-    - service_chronyd_enabled
-    - chronyd_specify_remote_server
-    - chronyd_run_as_chrony_user
-
-    ### 2.2.2 Ensure X Window System is not installed (Scored)
-    - package_xorg-x11-server-common_removed
-    - xwindows_runlevel_target
-
-    ### 2.2.3 Ensure rsync service is not enabled (Scored)
-    - service_rsyncd_disabled
-
-    ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
-    - service_avahi-daemon_disabled
-
-    ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
-    - service_snmpd_disabled
-
-    ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
-    - package_squid_removed
-
-    ### 2.2.7 Ensure Samba is not enabled (Scored)
-    - service_smb_disabled
-
-    ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
-    - service_dovecot_disabled
-
-    ### 2.2.9 Ensure HTTP server is not enabled (Scored)
-    - service_httpd_disabled
-
-    ### 2.2.10 Ensure FTP Server is not enabled (Scored)
-    - service_vsftpd_disabled
-
-    ### 2.2.11 Ensure DNS Server is not enabled (Scored)
-    - service_named_disabled
-
-    ### 2.2.12 Ensure NFS is not enabled (Scored)
-    - service_nfs_disabled
-
-    ### 2.2.13 Ensure RPC is not enabled (Scored)
-    - service_rpcbind_disabled
-
-    ### 2.2.14 Ensure LDAP service is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
-
-    ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
-    - service_dhcpd_disabled
-
-    ### 2.2.16 Ensure CUPS is not enabled (Scored)
-    - service_cups_disabled
-
-    ### 2.2.17 Ensure NIS Server is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
-
-    ### 2.2.18 Ensure mail transfer agent is configured for
-    ###        local-only mode (Scored)
-    - postfix_network_listening_disabled
-
-    ## 2.3 Service Clients
-
-    ### 2.3.1 Ensure NIS Client is not installed (Scored)
-    - package_ypbind_removed
-
-    ### 2.3.2 Ensure telnet client is not installed (Scored)
-    - package_telnet_removed
-
-    ### Ensure LDAP client is not installed
-    - package_openldap-clients_removed
-
-    # 3 Network Configuration
-
-    ## 3.1 Network Parameters (Host Only)
-
-    ### 3.1.1 Ensure IP forwarding is disabled (Scored)
-    #### net.ipv4.ip_forward = 0
-    - sysctl_net_ipv4_ip_forward
-
-    #### net.ipv6.conf.all.forwarding = 0
-    - sysctl_net_ipv6_conf_all_forwarding
-
-    ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
-    #### net.ipv4.conf.all.send_redirects = 0
-    - sysctl_net_ipv4_conf_all_send_redirects
-
-    #### net.ipv4.conf.default.send_redirects = 0
-    - sysctl_net_ipv4_conf_default_send_redirects
-
-    ## 3.2 Network Parameters (Host and Router)
-
-    ### 3.2.1 Ensure source routed packets are not accepted (Scored)
-    #### net.ipv4.conf.all.accept_source_route = 0
-    - sysctl_net_ipv4_conf_all_accept_source_route
-
-    #### net.ipv4.conf.default.accept_source_route = 0
-    - sysctl_net_ipv4_conf_default_accept_source_route
-
-    #### net.ipv6.conf.all.accept_source_route = 0
-    - sysctl_net_ipv6_conf_all_accept_source_route
-
-    #### net.ipv6.conf.default.accept_source_route = 0
-    - sysctl_net_ipv6_conf_default_accept_source_route
-
-    ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
-    #### net.ipv4.conf.all.accept_redirects = 0
-    - sysctl_net_ipv4_conf_all_accept_redirects
-
-    #### net.ipv4.conf.default.accept_redirects
-    - sysctl_net_ipv4_conf_default_accept_redirects
-
-    #### net.ipv6.conf.all.accept_redirects = 0
-    - sysctl_net_ipv6_conf_all_accept_redirects
-
-    #### net.ipv6.conf.defaults.accept_redirects = 0
-    - sysctl_net_ipv6_conf_default_accept_redirects
-
-    ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
-    #### net.ipv4.conf.all.secure_redirects = 0
-    - sysctl_net_ipv4_conf_all_secure_redirects
-
-    #### net.ipv4.cof.default.secure_redirects = 0
-    - sysctl_net_ipv4_conf_default_secure_redirects
-
-    ### 3.2.4 Ensure suspicious packets are logged (Scored)
-    #### net.ipv4.conf.all.log_martians = 1
-    - sysctl_net_ipv4_conf_all_log_martians
-
-    #### net.ipv4.conf.default.log_martians = 1
-    - sysctl_net_ipv4_conf_default_log_martians
-
-    ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
-    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-
-    ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
-    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-
-    ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
-    #### net.ipv4.conf.all.rp_filter = 1
-    - sysctl_net_ipv4_conf_all_rp_filter
-    
-    #### net.ipv4.conf.default.rp_filter = 1
-    - sysctl_net_ipv4_conf_default_rp_filter
-
-    ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
-    - sysctl_net_ipv4_tcp_syncookies
-
-    ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
-    #### net.ipv6.conf.all.accept_ra = 0
-    - sysctl_net_ipv6_conf_all_accept_ra
-
-    #### net.ipv6.conf.default.accept_ra = 0
-    - sysctl_net_ipv6_conf_default_accept_ra
-
-    ## 3.3 Uncommon Network Protocols
-
-    ### 3.3.1 Ensure DCCP is disabled (Scored)
-    - kernel_module_dccp_disabled
-
-    ### Ensure SCTP is disabled (Scored)
-    - kernel_module_sctp_disabled
-
-    ### 3.3.3 Ensure RDS is disabled (Scored)
-    - kernel_module_rds_disabled
-
-    ### 3.3.4 Ensure TIPC is disabled (Scored)
-    - kernel_module_tipc_disabled
-
-    ## 3.4 Firewall Configuration
-
-    ### 3.4.1 Ensure Firewall software is installed
-
-    #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
-    ##### firewalld
-    - package_firewalld_installed
-
-    ##### nftables
-    #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
-
-    ##### iptables
-    #- package_iptables_installed
-
-    ### 3.4.2 Configure firewalld
-
-    #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
-    - service_firewalld_enabled
-
-    #### 3.4.2.2 Ensure iptables is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
-
-    #### 3.4.2.3 Ensure nftables is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
-
-    #### 3.4.2.4 Ensure default zone is set (Scored)
-    - set_firewalld_default_zone
-
-    #### 3.4.2.5 Ensure network interfaces are assigned to
-    ####         appropriate zone (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
-
-    #### 3.4.2.6 Ensure unnecessary services and ports are not
-    ####         accepted (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
-
-    ### 3.4.3 Configure nftables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
-
-    #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
-
-    #### 3.4.3.2 Ensure a table exists (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
-
-    #### 3.4.3.3 Ensure base chains exist (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
-
-    #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
-
-    #### 3.4.3.5 Ensure outbound and established connections are
-    ####         configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
-
-    #### 3.4.3.6 Ensure default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
-
-    #### 3.4.3.7 Ensure nftables service is enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
-
-    #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
-
-    ### 3.4.4 Configure iptables
-
-    #### 3.4.4.1 Configure IPv4 iptables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
-
-    ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
-
-    ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
-
-    ##### 3.4.4.1.3 Ensure outbound and established connections are
-    #####           configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
-
-    ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
-
-    #### 3.4.4.2 Configure IPv6 ip6tables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
-
-    ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
-
-    ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
-
-    ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
-    #####           configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
-
-    ## 3.5 Ensure wireless interfaces are disabled (Scored)
-    - wireless_disable_interfaces
-
-    ## 3.6 Disable IPv6 (Not Scored)
-    - kernel_module_ipv6_option_disabled
-
-    # Logging and Auditing
-
-    ## 4.1 Configure System Accounting (auditd)
-
-    ### 4.1.1 Ensure auditing is enabled
-
-    #### 4.1.1.1 Ensure auditd is installed (Scored)
-    - package_audit_installed
-
-    #### 4.1.1.2 Ensure auditd service is enabled (Scored)
-    - service_auditd_enabled
-
-    #### 4.1.1.3 Ensure auditing for processes that start prior to audit
-    ####         is enabled (Scored)
-    - grub2_audit_argument
-
-    #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
-    - grub2_audit_backlog_limit_argument
-
-    ### 4.1.2 Configure Data Retention
-
-    #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
-    - auditd_data_retention_max_log_file
-
-    #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
-    - auditd_data_retention_max_log_file_action
-
-    #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
-    - var_auditd_space_left_action=email
-    - auditd_data_retention_space_left_action
-
-    ##### action_mail_acct = root
-    - var_auditd_action_mail_acct=root
-    - auditd_data_retention_action_mail_acct
-
-    ##### admin_space_left_action = halt
-    - var_auditd_admin_space_left_action=halt
-    - auditd_data_retention_admin_space_left_action 
-
-    ### 4.1.3 Ensure changes to system administration scope
-    ###       (sudoers) is collected (Scored)
-    - audit_rules_sysadmin_actions
-
-    ### 4.1.4 Ensure login and logout events are collected (Scored)
-    - audit_rules_login_events_faillock
-    - audit_rules_login_events_lastlog
-
-    ### 4.1.5 Ensure session initiation information is collected (Scored)
-    - audit_rules_session_events
-
-    ### 4.1.6 Ensure events that modify date and time information
-    ###       are collected (Scored)
-    #### adjtimex
-    - audit_rules_time_adjtimex
-
-    #### settimeofday
-    - audit_rules_time_settimeofday
-
-    #### stime
-    - audit_rules_time_stime
-
-    #### clock_settime
-    - audit_rules_time_clock_settime
-
-    #### -w /etc/localtime -p wa
-    - audit_rules_time_watch_localtime
-
-    ### 4.1.7 Ensure events that modify the system's Mandatory
-    ###       Access Control are collected (Scored)
-    #### -w /etc/selinux/ -p wa
-    - audit_rules_mac_modification
-
-    #### -w /usr/share/selinux/ -p wa
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
-
-    ### 4.1.8 Ensure events that modify the system's network
-    ###       enironment are collected (Scored)
-    - audit_rules_networkconfig_modification
-
-    ### 4.1.9 Ensure discretionary access control permission modification
-    ###       events are collected (Scored)
-    - audit_rules_dac_modification_chmod
-    - audit_rules_dac_modification_fchmod
-    - audit_rules_dac_modification_fchmodat
-    - audit_rules_dac_modification_chown
-    - audit_rules_dac_modification_fchown
-    - audit_rules_dac_modification_fchownat
-    - audit_rules_dac_modification_lchown
-    - audit_rules_dac_modification_setxattr
-    - audit_rules_dac_modification_lsetxattr
-    - audit_rules_dac_modification_fsetxattr
-    - audit_rules_dac_modification_removexattr
-    - audit_rules_dac_modification_lremovexattr
-    - audit_rules_dac_modification_fremovexattr
-    
-    ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-    ###        collected (Scored)
-    - audit_rules_unsuccessful_file_modification_creat
-    - audit_rules_unsuccessful_file_modification_open
-    - audit_rules_unsuccessful_file_modification_openat
-    - audit_rules_unsuccessful_file_modification_truncate
-    - audit_rules_unsuccessful_file_modification_ftruncate
-    # Opinionated selection
-    - audit_rules_unsuccessful_file_modification_open_by_handle_at
-
-    ### 4.1.11 Ensure events that modify user/group information are
-    ###        collected (Scored)
-    - audit_rules_usergroup_modification_passwd
-    - audit_rules_usergroup_modification_group
-    - audit_rules_usergroup_modification_gshadow
-    - audit_rules_usergroup_modification_shadow
-    - audit_rules_usergroup_modification_opasswd
-
-    ### 4.1.12 Ensure successful file system mounts are collected (Scored)
-    - audit_rules_media_export
-
-    ### 4.1.13 Ensure use of privileged commands is collected (Scored)
-    - audit_rules_privileged_commands
-
-    ### 4.1.14 Ensure file deletion events by users are collected
-    ###        (Scored)
-    - audit_rules_file_deletion_events_unlink
-    - audit_rules_file_deletion_events_unlinkat
-    - audit_rules_file_deletion_events_rename
-    - audit_rules_file_deletion_events_renameat
-    # Opinionated selection
-    - audit_rules_file_deletion_events_rmdir
-
-    ### 4.1.15 Ensure kernel module loading and unloading is collected
-    ###        (Scored)
-    - audit_rules_kernel_module_loading
-
-    ### 4.1.16 Ensure system administrator actions (sudolog) are
-    ###        collected (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-
-    ### 4.1.17 Ensure the audit configuration is immutable (Scored)
-    - audit_rules_immutable
-
-    ## 4.2 Configure Logging
-
-    ### 4.2.1 Configure rsyslog
-
-    #### 4.2.1.1 Ensure rsyslog is installed (Scored)
-    - package_rsyslog_installed
-
-    #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
-    - service_rsyslog_enabled
-
-    #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
-    - rsyslog_files_permissions
-
-    #### 4.2.1.4 Ensure logging is configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-
-    #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
-    ####         log host (Scored)   
-    - rsyslog_remote_loghost
-
-    #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
-    ####         designated log hosts (Not Scored)
-    - rsyslog_nolisten
-
-    ### 4.2.2 Configure journald
-
-    #### 4.2.2.1 Ensure journald is configured to send logs to
-    ####         rsyslog (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-
-    #### 4.2.2.2 Ensure journald is configured to compress large
-    ####         log files (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
-
-
-    #### 4.2.2.3 Ensure journald is configured to write logfiles to
-    ####         persistent disk (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-
-    ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-
-    ## 4.3 Ensure logrotate is configured (Not Scored)
-
-    # 5 Access, Authentication and Authorization
-
-    ## 5.1 Configure cron
-
-    ### 5.1.1 Ensure cron daemon is enabled (Scored)
-    - service_crond_enabled
-
-
-    ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-    # chown root:root /etc/crontab
-    - file_owner_crontab
-    - file_groupowner_crontab
-    # chmod og-rwx /etc/crontab
-    - file_permissions_crontab
-
-    ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
-    # chown root:root /etc/cron.hourly
-    - file_owner_cron_hourly
-    - file_groupowner_cron_hourly
-    # chmod og-rwx /etc/cron.hourly
-    - file_permissions_cron_hourly
-
-    ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
-    # chown root:root /etc/cron.daily
-    - file_owner_cron_daily
-    - file_groupowner_cron_daily
-    # chmod og-rwx /etc/cron.daily
-    - file_permissions_cron_daily
-
-    ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
-    # chown root:root /etc/cron.weekly
-    - file_owner_cron_weekly
-    - file_groupowner_cron_weekly
-    # chmod og-rwx /etc/cron.weekly
-    - file_permissions_cron_weekly
-
-    ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
-    # chown root:root /etc/cron.monthly
-    - file_owner_cron_monthly
-    - file_groupowner_cron_monthly
-    # chmod og-rwx /etc/cron.monthly
-    - file_permissions_cron_monthly
-
-    ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
-    # chown root:root /etc/cron.d
-    - file_owner_cron_d
-    - file_groupowner_cron_d
-    # chmod og-rwx /etc/cron.d
-    - file_permissions_cron_d
-
-    ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
-
-
-    ## 5.2 SSH Server Configuration
-
-    ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
-    # chown root:root /etc/ssh/sshd_config
-    - file_owner_sshd_config
-    - file_groupowner_sshd_config
-
-    # chmod og-rwx /etc/ssh/sshd_config
-    - file_permissions_sshd_config
-
-    ### 5.2.2 Ensure SSH access is limited (Scored) 
-
-
-    ### 5.2.3 Ensure permissions on SSH private host key files are
-    ###       configured (Scored)
-    # TO DO: The rule sets to 640, but benchmark wants 600
-    - file_permissions_sshd_private_key
-    # TO DO: check owner of private keys in /etc/ssh is root:root
-
-    ### 5.2.4 Ensure permissions on SSH public host key files are configured
-    ###      (Scored)
-    - file_permissions_sshd_pub_key
-    # TO DO: check owner of pub keys in /etc/ssh is root:root
-
-    ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
-    - sshd_set_loglevel_info
-
-    ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
-    - sshd_disable_x11_forwarding
-
-    ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
-    - sshd_max_auth_tries_value=4
-    - sshd_set_max_auth_tries
-
-    ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
-    - sshd_disable_rhosts
-
-    ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
-    - disable_host_auth
-
-    ### 5.2.10 Ensure SSH root login is disabled (Scored)
-    - sshd_disable_root_login
-
-    ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
-    - sshd_disable_empty_passwords
-
-    ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
-    - sshd_do_not_permit_user_env
-
-    ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
-    # ClientAliveInterval 300
-    - sshd_idle_timeout_value=5_minutes
-    - sshd_set_idle_timeout
-
-    # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
-    - sshd_set_keepalive_0
-
-    ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
-    ###        or less (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-
-    ### 5.2.15 Ensure SSH warning banner is configured (Scored)
-    - sshd_enable_warning_banner
-
-    ### 5.2.16 Ensure SSH PAM is enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-
-    ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
-    - sshd_disable_tcp_forwarding
-
-    ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
-    - sshd_set_maxstartups
-    - var_sshd_set_maxstartups=10:30:60
-
-    ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
-    - sshd_set_max_sessions
-    - var_sshd_max_sessions=4
-
-    ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
-    - configure_ssh_crypto_policy
-
-    ## 5.3 Configure authselect
-
-
-    ### 5.3.1 Create custom authselectet profile (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-
-    ### 5.3.2 Select authselect profile (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-
-    ### 5.3.3 Ensure authselect includes with-faillock (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-
-    ## 5.4 Configure PAM
-
-    ### 5.4.1 Ensure password creation requirements are configured (Scored)
-    # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
-    - accounts_password_pam_retry
-    - var_password_pam_minlen=14
-    - accounts_password_pam_minlen
-    - var_password_pam_minclass=4
-    - accounts_password_pam_minclass
-
-    ### 5.4.2 Ensure lockout for failed password attempts is
-    ###       configured (Scored)
-    - var_accounts_passwords_pam_faillock_unlock_time=900
-    - var_accounts_passwords_pam_faillock_deny=5
-    - accounts_passwords_pam_faillock_unlock_time
-    - accounts_passwords_pam_faillock_deny
-
-    ### 5.4.3 Ensure password reuse is limited (Scored)
-    - var_password_pam_unix_remember=5
-    - accounts_password_pam_unix_remember
-
-    ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
-    - set_password_hashing_algorithm_systemauth
-
-    ## 5.5 User Accounts and Environment
-
-    ### 5.5.1 Set Shadow Password Suite Parameters
-
-    #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
-    - var_accounts_maximum_age_login_defs=365
-    - accounts_maximum_age_login_defs
-
-    #### 5.5.1.2 Ensure minimum days between password changes is 7
-    ####         or more (Scored)
-    - var_accounts_minimum_age_login_defs=7
-    - accounts_minimum_age_login_defs
-
-    #### 5.5.1.3 Ensure password expiration warning days is
-    ####         7 or more (Scored)
-    - var_accounts_password_warn_age_login_defs=7
-    - accounts_password_warn_age_login_defs
-
-    #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
-    # TODO: Rule doesn't check list of users
-    # https://github.com/ComplianceAsCode/content/issues/5536
-    - var_account_disable_post_pw_expiration=30
-    - account_disable_post_pw_expiration
-
-    #### 5.5.1.5 Ensure all users last password change date is
-    ####         in the past (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-
-    ### 5.5.2 Ensure system accounts are secured (Scored)
-    - no_shelllogin_for_systemaccounts
-
-    ### 5.5.3 Ensure default user shell timeout is 900 seconds
-    ###       or less (Scored)
-    - var_accounts_tmout=15_min
-    - accounts_tmout
-
-    ### 5.5.4 Ensure default group for the root account is
-    ###       GID 0 (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-
-    ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
-    - var_accounts_user_umask=027
-    - accounts_umask_etc_bashrc
-    - accounts_umask_etc_profile
-
-    ## 5.6 Ensure root login is restricted to system console (Not Scored)
-    - securetty_root_login_console_only
-    - no_direct_root_logins
-
-    ## 5.7 Ensure access to the su command is restricted (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
-
-    # System Maintenance
-
-    ## 6.1 System File Permissions
-
-    ### 6.1.1 Audit system file permissions (Not Scored)
-    - rpm_verify_permissions
-    - rpm_verify_ownership
-    
-    ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
-    # chown root:root /etc/passwd
-    - file_owner_etc_passwd
-    - file_groupowner_etc_passwd
-
-    # chmod 644 /etc/passwd
-    - file_permissions_etc_passwd
-
-    ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
-    # chown root:root /etc/shadow
-    - file_owner_etc_shadow
-    - file_groupowner_etc_shadow
-
-    # chmod o-rwx,g-wx /etc/shadow
-    - file_permissions_etc_shadow
-
-    ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
-    # chown root:root /etc/group
-    - file_owner_etc_group
-    - file_groupowner_etc_group
-
-    # chmod 644 /etc/group
-    - file_permissions_etc_group
-
-    ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
-    # chown root:root /etc/gshadow
-    - file_owner_etc_gshadow
-    - file_groupowner_etc_gshadow
-
-    # chmod o-rwx,g-rw /etc/gshadow
-    - file_permissions_etc_gshadow
-
-    ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
-    # chown root:root /etc/passwd-
-    - file_owner_backup_etc_passwd
-    - file_groupowner_backup_etc_passwd
-
-    # chmod 644 /etc/passwd-
-    - file_permissions_backup_etc_passwd
-
-    ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
-    # chown root:root /etc/shadow-
-    - file_owner_backup_etc_shadow
-    - file_groupowner_backup_etc_shadow
-
-    # chmod 0000 /etc/shadow-
-    - file_permissions_backup_etc_shadow
-
-    ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
-    # chown root:root /etc/group-
-    - file_owner_backup_etc_group
-    - file_groupowner_backup_etc_group
-
-    # chmod 644 /etc/group-
-    - file_permissions_backup_etc_group
-    
-    ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
-    # chown root:root /etc/gshadow-
-    - file_owner_backup_etc_gshadow
-    - file_groupowner_backup_etc_gshadow
-
-    # chmod 0000 /etc/gshadow-
-    - file_permissions_backup_etc_gshadow
-
-    ### 6.1.10 Ensure no world writable files exist (Scored)
-    - file_permissions_unauthorized_world_writable
-
-    ### 6.1.11 Ensure no unowned files or directories exist (Scored)
-    - no_files_unowned_by_user
-
-    ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
-    - file_permissions_ungroupowned
-
-    ### 6.1.13 Audit SUID executables (Not Scored)
-    - file_permissions_unauthorized_suid
-
-    ### 6.1.14 Audit SGID executables (Not Scored)
-    - file_permissions_unauthorized_sgid
-
-    ## 6.2 User and Group Settings
-
-    ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
-    - no_legacy_plus_entries_etc_passwd
-
-    ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
-    - no_legacy_plus_entries_etc_shadow
-
-    ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
-    - no_legacy_plus_entries_etc_group
-
-    ### 6.2.6 Ensure root is the only UID 0 account (Scored)
-    - accounts_no_uid_except_zero
-
-    ### 6.2.7 Ensure users' home directories permissions are 750
-    ###       or more restrictive (Scored)
-    - file_permissions_home_dirs
-
-    ### 6.2.8 Ensure users own their home directories (Scored)
-    # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
-    - file_groupownership_home_directories
-
-    ### 6.2.9 Ensure users' dot files are not group or world
-    ###       writable (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-
-    ### 6.2.10 Ensure no users have .forward files (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-
-    ### 6.2.11 Ensure no users have .netrc files (Scored)
-    - no_netrc_files
-
-    ### 6.2.12 Ensure users' .netrc Files are not group or
-    ###        world accessible (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-
-    ### 6.2.13 Ensure no users have .rhosts files (Scored)
-    - no_rsh_trust_files
-
-    ### 6.2.14 Ensure all groups in /etc/passwd exist in
-    ###        /etc/group (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-
-    ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
-    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5502
-
-    ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
-    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5501
-
-    ### 6.2.17 Ensure no duplicate user names exist (Scored)
-    - account_unique_name
-
-    ### 6.2.18 Ensure no duplicate group names exist (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-
-    ### 6.2.19 Ensure shadow group is empty (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-
-    ### 6.2.20 Ensure all users' home directories exist (Scored)
-    - accounts_user_interactive_home_directory_exists
+    - cis_rhel8:all:l2_server
diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile
new file mode 100644
index 00000000000..7b4518e15a5
--- /dev/null
+++ b/products/rhel8/profiles/cis_server_l1.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server'
+
+description: |-
+    This profile defines a baseline that aligns to the "Level 1 - Server"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+    - cis_rhel8:all:l1_server
diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile
new file mode 100644
index 00000000000..230e4c2f0ba
--- /dev/null
+++ b/products/rhel8/profiles/cis_workstation_l1.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation'
+
+description: |-
+    This profile defines a baseline that aligns to the "Level 1 - Workstation"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+    - cis_rhel8:all:l1_workstation
diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile
new file mode 100644
index 00000000000..c0d1698c2f0
--- /dev/null
+++ b/products/rhel8/profiles/cis_workstation_l2.profile
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation'
+
+description: |-
+    This profile defines a baseline that aligns to the "Level 2 - Workstation"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+selections:
+    - cis_rhel8:all:l2_workstation

From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 1 Jul 2021 16:35:19 +0100
Subject: [PATCH 02/55] Add CIS control file for RHEL 8

---
 controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 758 insertions(+)
 create mode 100644 controls/cis_rhel8.yml

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
new file mode 100644
index 00000000000..a84bb078e34
--- /dev/null
+++ b/controls/cis_rhel8.yml
@@ -0,0 +1,758 @@
+policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+id: cis_rhel8
+version: '1.0.1'
+source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
+levels:
+  - id: l1_server
+  - id: l2_server
+    inherits_from:
+      - l1_server
+  - id: l1_workstation
+  - id: l2_workstation
+    inherits_from:
+      - l1_workstation
+
+controls:
+  - id: reload_dconf_db
+    title: Reload Dconf database
+    levels:
+      - l1_server
+      - l1_workstation
+    notes: <-
+      This is a helper rule to reload Dconf datbase correctly.
+    automated: yes
+    rules:
+      - dconf_db_up_to_date
+
+  - id: 1.1.1.1
+    title: Ensure mounting of cramfs filesystems is disabled (Automated)
+    levels:
+      - l1_workstation
+      - l1_server
+    automated: yes
+    rules:
+      - kernel_module_cramfs_disabled
+
+  - id: 1.1.1.2
+    title: Ensure mounting of vFAT filesystems is limited (Manual)
+    levels:
+      - l2_workstation
+      - l2_server
+    automated: no
+    related_rules:
+      - kernel_module_vfat_disabled
+
+  - id: 1.1.1.3
+    title: Ensure mounting of squashfs filesystems is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - kernel_module_squashfs_disabled
+
+  - id: 1.1.1.4
+    title: Ensure mounting of udf filesystems is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - kernel_module_udf_disabled
+
+  - id: 1.1.2
+    title: Ensure /tmp is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - partition_for_tmp
+
+  - id: 1.1.3
+    title: Ensure nodev option set on /tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_tmp_nodev
+
+  - id: 1.1.4
+    title: Ensure nosuid option set on /tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_tmp_nosuid
+
+  - id: 1.1.5
+    title: Ensure noexec option set on /tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_tmp_noexec
+
+  - id: 1.1.6
+    title: Ensure separate partition exists for /var (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - partition_for_var
+
+  - id: 1.1.7
+    title: Ensure separate partition exists for /var/tmp (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - partition_for_var_tmp
+
+  - id: 1.1.8
+    title: Ensure nodev option set on /var/tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_var_tmp_nodev
+
+  - id: 1.1.9
+    title: Ensure nosuid option set on /var/tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_var_tmp_nosuid
+
+  - id: 1.1.10
+    title: Ensure noexec option set on /var/tmp partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_var_tmp_noexec
+
+  - id: 1.1.11
+    title: Ensure separate partition exists for /var/log (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - partition_for_var_log
+
+  - id: 1.1.12
+    title: Ensure separate partition exists for /var/log/audit (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - partition_for_var_log_audit
+
+  - id: 1.1.13
+    title: Ensure separate partition exists for /home (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - partition_for_home
+
+  - id: 1.1.18
+    title: Ensure nodev option set on /home partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_home_nodev
+
+  - id: 1.1.15
+    title: Ensure nodev option set on /dev/shm partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_dev_shm_nodev
+
+  - id: 1.1.16
+    title: Ensure nosuid option set on /dev/shm partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_dev_shm_nosuid
+
+  - id: 1.1.17
+    title: Ensure noexec option set on /dev/shm partition (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - mount_option_dev_shm_noexec
+
+  - id: 1.1.18
+    title: Ensure nodev option set on removable media partitions (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    rules:
+      - mount_option_nodev_removable_partitions
+
+  - id: 1.1.19
+    title: Ensure nosuid option set on removable media partitions (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    rules:
+      - mount_option_nosuid_removable_partitions
+
+  - id: 1.1.20
+    title: Ensure noexec option set on removable media partitions (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    rules:
+      - mount_option_noexec_removable_partitions
+
+  - id: 1.1.22
+    title: Disable Automounting (Automated)
+    levels:
+      - l1_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - service_autofs_disabled
+
+  - id: 1.1.23
+    title: Disable USB Storage (Automated)
+    levels:
+      - l1_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_usb-storage_disabled
+
+  - id: 1.2.1
+    title: Ensure Red Hat Subscription Manager connection is configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 1.2.2
+    title: Disable the rhnsd Daemon (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - service_rhnsd_disabled
+
+  - id: 1.2.3
+    title: Ensure GPG keys are configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - ensure_redhat_gpgkey_installed
+
+  - id: 1.2.4
+    title: Ensure gpgcheck is globally activated (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - ensure_gpgcheck_globally_activated
+
+  - id: 1.2.5
+    title: Ensure package manager repositories are configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 1.3.1
+    title: Ensure sudo is installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_sudo_installed
+
+  - id: 1.3.2
+    title: Ensure sudo commands use pty (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sudo_add_use_pty
+
+  - id: 1.3.3
+    title: Ensure sudo log file exists (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sudo_custom_logfile
+
+  - id: 1.4.1
+    title: Ensure AIDE is installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_aide_installed
+
+  - id: 1.4.2
+    title: Ensure filesystem integrity is regularly checked (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - aide_periodic_cron_checking
+
+  - id: 1.5.1
+    title: Ensure permissions on bootloader config are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_owner_grub2_cfg
+      - file_groupowner_grub2_cfg
+      - file_permissions_grub2_cfg
+
+  - id: 1.5.1
+    title: Ensure bootloader password is set (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - grub2_password
+
+  - id: 1.5.3
+    title: Ensure authentication required for single user mode (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - require_singleuser_auth
+      - require_emergency_target_auth
+
+  - id: 1.6.1
+    title: Ensure core dumps are restricted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - disable_users_coredumps
+      - sysctl_fs_suid_dumpable
+      - coredump_disable_backtraces
+      - coredump_disable_storage
+
+  - id: 1.6.2
+    title: Ensure address space layout randomization (ASLR) is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_kernel_randomize_va_space
+
+  - id: 1.7.1.1
+    title: Ensure SELinux is installed (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - package_libselinux_installed
+
+  - id: 1.7.1.1
+    title: Ensure SELinux is installed (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - package_libselinux_installed
+
+  - id: 1.7.1.2
+    title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - grub2_enable_selinux
+
+  - id: 1.7.1.3
+    title: Ensure SELinux policy is configured (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - var_selinux_policy_name=targeted
+      - selinux_policytype
+
+  - id: 1.7.1.4
+    title: Ensure the SELinux state is enforcing (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - var_selinux_state=enforcing
+      - selinux_state
+
+  - id: 1.7.1.5
+    title: Ensure no unconfined services exist (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - selinux_confinement_of_daemons
+
+  - id: 1.7.1.6
+    title: Ensure SETroubleshoot is not installed (Automated)
+    levels:
+      - l2_server
+    automated: yes
+    rules:
+      - package_setroubleshoot_removed
+
+  - id: 1.7.1.7
+    title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - package_mcstrans_removed
+
+  - id: 1.8.1.1
+    title: Ensure message of the day is configured properly (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - banner_etc_motd
+
+  - id: 1.8.1.2
+    title: Ensure local login warning banner is configured properly (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - banner_etc_issue
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5225
+  - id: 1.8.1.3
+    title: Ensure remote login warning banner is configured properly (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 1.8.1.4
+    title: Ensure permissions on /etc/motd are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_permissions_etc_motd
+
+  - id: 1.8.1.5
+    title: Ensure permissions on /etc/issue are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_permissions_etc_issue
+
+  - id: 1.8.2
+    title: Ensure GDM login banner is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - dconf_gnome_banner_enabled
+      - dconf_gnome_login_banner_text
+
+  - id: 1.9
+    title: Ensure updates, patches, and additional security software are installed (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - security_patches_up_to_date
+
+  - id: 1.10
+    title: Ensure system-wide crypto policy is not legacy (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - configure_crypto_policy
+
+  # This rule works in conjunction with the configure_crypto_policy above.
+  # If a system is remediated to CIS Level 1, just the rule above will apply
+  # and will enforce the default value for var_system_crypto_policy (DEFAULT).
+  # If the system is remediated to Level 2 then this rule will be selected,
+  # and the value applied by the rule above will will be overridden to
+  # FUTURE through the var_system_crypto_policy variable.
+  - id: 1.11
+    title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - var_system_crypto_policy=future
+
+  - id: 2.1.1
+    title: Ensure xinetd is not installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_xinetd_removed
+
+  - id: 2.2.1.1
+    title: Ensure time synchronization is in use (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - package_chrony_installed
+
+  - id: 2.1.1
+    title: Ensure chrony is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_chronyd_enabled
+      - chronyd_specify_remote_server
+      - chronyd_run_as_chrony_user
+
+  - id: 2.2.2
+    title: Ensure chrony is configured (Automated)
+    levels:
+      - l1_server
+    automated: yes
+    rules:
+      - package_xorg-x11-server-common_removed
+      - xwindows_runlevel_target
+
+  - id: 2.2.3
+    title: Ensure rsync service is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_rsyncd_disabled
+
+  - id: 2.2.4
+    title: Ensure Avahi Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_avahi-daemon_disabled
+
+  - id: 2.2.5
+    title: Ensure SNMP Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_snmpd_disabled
+
+  - id: 2.2.6
+    title: Ensure HTTP Proxy Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_squid_removed
+
+  - id: 2.2.7
+    title: Ensure Samba is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_smb_disabled
+
+  - id: 2.2.8
+    title: Ensure IMAP and POP3 server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_dovecot_disabled
+
+  - id: 2.2.9
+    title: Ensure HTTP server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_httpd_disabled
+
+  - id: 2.2.10
+    title: Ensure FTP Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_vsftpd_disabled
+
+  - id: 2.2.11
+    title: Ensure DNS Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_named_disabled
+
+  - id: 2.2.12
+    title: Ensure NFS is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_nfs_disabled
+
+  - id: 2.2.13
+    title: Ensure RPC is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_rpcbind_disabled
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5231
+  - id: 2.2.14
+    title: Ensure RPC is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 2.2.15
+    title: Ensure DHCP Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_dhcpd_disabled
+
+  - id: 2.2.16
+    title: Ensure CUPS is not enabled (Automated)
+    levels:
+      - l1_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - service_cups_disabled
+
+    # NEEDS RULE
+    # https://github.com/ComplianceAsCode/content/issues/5232
+  - id: 2.2.17
+    title: Ensure NIS Server is not enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 2.2.18
+    title: Ensure mail transfer agent is configured for local-only mode (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - postfix_network_listening_disabled
+
+  - id: 2.3.1
+    title: Ensure NIS Client is not installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_ypbind_removed
+
+  - id: 2.3.2
+    title: Ensure telnet client is not installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_telnet_removed
+
+  - id: 2.3.3
+    title: Ensure LDAP client is not installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_openldap-clients_removed
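Review bot: Several control ids in this file collide or are mis-numbered, which breaks the benchmark mapping and — if the controls loader keys entries by id — can silently drop rules from every profile that selects `cis_rhel8:all:…`: `1.5.1` is used both for the bootloader-config ownership/permission rules and for `grub2_password` (the second should be `- id: 1.5.2`), `1.1.18` covers both `mount_option_home_nodev` (the /home nodev control, which should be `- id: 1.1.14`) and the removable-media nodev check, the `1.7.1.1` entry is present twice verbatim, and the chrony control is numbered `2.1.1` (already used by xinetd) instead of `2.2.1.2`. Two titles are also wrong: the `2.2.2` entry carries `Ensure chrony is configured (Automated)` while its rules remove the X Window server, and `2.2.14` repeats the `2.2.13` title `Ensure RPC is not enabled (Automated)` although it is a separate NEEDS RULE placeholder; both should be corrected against the v1.0.1 benchmark text. `notes: <-` is not a YAML block-scalar indicator, so the value parses as the plain string `<- This is a helper rule …`; write `notes: >-` and fix the typo `datbase`. `automated: yes`/`no` are YAML 1.1 booleans that most loaders read as `true`/`false`, but if the project's loader accepts the canonical forms, `true`/`false` avoids parser-version ambiguity.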

From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 2 Jul 2021 20:47:49 +0100
Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file

---
 controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 726 insertions(+), 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a84bb078e34..b63dc6cf9e1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -712,8 +712,8 @@ controls:
     rules:
       - service_cups_disabled
 
-    # NEEDS RULE
-    # https://github.com/ComplianceAsCode/content/issues/5232
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5232
   - id: 2.2.17
     title: Ensure NIS Server is not enabled (Automated)
     levels:
@@ -756,3 +756,727 @@ controls:
     automated: yes
     rules:
       - package_openldap-clients_removed
+
+  - id: 3.1.1
+    title: Ensure IP forwarding is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_ip_forward
+      - sysctl_net_ipv6_conf_all_forwarding
+
+  - id: 3.1.2
+    title: Ensure packet redirect sending is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_send_redirects
+      - sysctl_net_ipv4_conf_default_send_redirects
+
+  - id: 3.2.1
+    title: Ensure source routed packets are not accepted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_accept_source_route
+      - sysctl_net_ipv4_conf_default_accept_source_route
+      - sysctl_net_ipv6_conf_all_accept_source_route
+      - sysctl_net_ipv6_conf_default_accept_source_route
+
+  - id: 3.2.2
+    title: Ensure ICMP redirects are not accepted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_accept_redirects
+      - sysctl_net_ipv4_conf_default_accept_redirects
+      - sysctl_net_ipv6_conf_all_accept_redirects
+      - sysctl_net_ipv6_conf_default_accept_redirects
+
+  - id: 3.2.3
+    title: Ensure secure ICMP redirects are not accepted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_secure_redirects
+      - sysctl_net_ipv4_conf_default_secure_redirects
+
+  - id: 3.2.4
+    title: Ensure suspicious packets are logged (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_log_martians
+      - sysctl_net_ipv4_conf_default_log_martians
+
+  - id: 3.2.5
+    title: Ensure broadcast ICMP requests are ignored (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+
+  - id: 3.2.6
+    title: Ensure bogus ICMP responses are ignored (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+
+  - id: 3.2.7
+    title: Ensure Reverse Path Filtering is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_conf_all_rp_filter
+      - sysctl_net_ipv4_conf_default_rp_filter
+
+  - id: 3.2.8
+    title: Ensure TCP SYN Cookies is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_tcp_syncookies
+
+  - id: 3.2.8
+    title: Ensure TCP SYN Cookies is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv4_tcp_syncookies
+
+  - id: 3.2.9
+    title: Ensure IPv6 router advertisements are not accepted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sysctl_net_ipv6_conf_all_accept_ra
+      - sysctl_net_ipv6_conf_default_accept_ra
+
+  - id: 3.3.1
+    title: Ensure DCCP is disabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_dccp_disabled
+
+  - id: 3.3.2
+    title: Ensure SCTP is disabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_sctp_disabled
+
+  - id: 3.3.3
+    title: Ensure RDS is disabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_rds_disabled
+
+  - id: 3.3.4
+    title: Ensure TIPC is disabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_tipc_disabled
+
+  # NEEDS RULE
+  # This rule is currently quite opinionated and expects firewalld
+  # as the installed firewall package. But, as per the CIS control,
+  # this rule should also be satisfied by nftables or iptables.
+  - id: 3.4.1.1
+    title: Ensure a Firewall package is installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_firewalld_installed
+
+  - id: 3.4.2.1
+    title: Ensure firewalld service is enabled and running (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_firewalld_enabled
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5238
+  - id: 3.4.2.2
+    title: Ensure iptables service is not enabled with firewalld (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5239
+  - id: 3.4.2.3
+    title: Ensure nftables is not enabled with firewalld (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.2.4
+    title: Ensure firewalld default zone is set (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - set_firewalld_default_zone
+
+  - id: 3.4.2.5
+    title: Ensure network interfaces are assigned to appropriate zone (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.2.6
+    title: Ensure firewalld drops unnecessary services and ports (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.3.1
+    title: Ensure iptables are flushed with nftables (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5244
+  - id: 3.4.3.2
+    title: Ensure an nftables table exists (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5245
+  - id: 3.4.3.3
+    title: Ensure nftables base chains exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5246
+  - id: 3.4.3.4
+    title: Ensure nftables loopback traffic is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.3.5
+    title: Ensure nftables outbound and established connections are configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5248
+  - id: 3.4.3.6
+    title: Ensure nftables default deny firewall policy (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5249
+  - id: 3.4.3.7
+    title: Ensure nftables service is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5250
+  - id: 3.4.3.8
+    title: Ensure nftables rules are permanent (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5252
+  - id: 3.4.4.1.1
+    title: Ensure iptables default deny firewall policy (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5253
+  - id: 3.4.4.1.2
+    title: Ensure iptables loopback traffic is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.4.1.3
+    title: Ensure iptables outbound and established connections are configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5255
+  - id: 3.4.4.1.4
+    title: Ensure iptables firewall rules exist for all open ports (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7190
+  - id: 3.4.4.1.5
+    title: Ensure iptables is enabled and active (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5257
+  - id: 3.4.4.2.1
+    title: Ensure ip6tables default deny firewall policy (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5258
+  - id: 3.4.4.2.2
+    title: Ensure ip6tables loopback traffic is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.4.4.2.3
+    title: Ensure ip6tables outbound and established connections are configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7191
+  - id: 3.4.4.2.4
+    title: Ensure ip6tables firewall rules exist for all open ports (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7192
+  - id: 3.4.4.2.5
+    title: Ensure ip6tables is enabled and active (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 3.5
+    title: Ensure wireless interfaces are disabled (Automated)
+    levels:
+      - l1_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - wireless_disable_interfaces
+
+  - id: 3.6
+    title: Disable IPv6 (Manual)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - kernel_module_ipv6_option_disabled
+
+  - id: 4.1.1.1
+    title: Ensure auditd is installed (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - package_audit_installed
+
+  - id: 4.1.1.2
+    title: Ensure auditd service is enabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - service_auditd_enabled
+
+  - id: 4.1.1.3
+    title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - grub2_audit_argument
+
+  - id: 4.1.1.4
+    title: Ensure audit_backlog_limit is sufficient (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - grub2_audit_backlog_limit_argument
+
+  - id: 4.1.2.1
+    title: Ensure audit log storage size is configured (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - auditd_data_retention_max_log_file
+
+  - id: 4.1.2.2
+    title: Ensure audit logs are not automatically deleted (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - auditd_data_retention_max_log_file_action
+
+  - id: 4.1.2.3
+    title: Ensure system is disabled when audit logs are full (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - auditd_data_retention_action_mail_acct
+      - auditd_data_retention_admin_space_left_action
+      - auditd_data_retention_space_left_action
+      - var_auditd_action_mail_acct=root
+      - var_auditd_admin_space_left_action=halt
+      - var_auditd_space_left_action=email
+
+  - id: 4.1.3
+    title: Ensure changes to system administration scope (sudoers) is collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_sysadmin_actions
+
+  - id: 4.1.4
+    title: Ensure login and logout events are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_login_events_faillock
+      - audit_rules_login_events_lastlog
+
+  - id: 4.1.5
+    title: Ensure session initiation information is collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_session_events
+
+  - id: 4.1.6
+    title: Ensure events that modify date and time information are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_time_adjtimex
+      - audit_rules_time_clock_settime
+      - audit_rules_time_settimeofday
+      - audit_rules_time_stime
+      - audit_rules_time_watch_localtime
+
+  # NEEDS RULE
+  # -w /usr/share/selinux/ -p wa
+  # https://github.com/ComplianceAsCode/content/issues/5264
+  - id: 4.1.7
+    title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_mac_modification
+
+  - id: 4.1.8
+    title: Ensure events that modify the system's network environment are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_networkconfig_modification
+
+  - id: 4.1.9
+    title: Ensure discretionary access control permission modification events are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_dac_modification_chmod
+      - audit_rules_dac_modification_chown
+      - audit_rules_dac_modification_fchmod
+      - audit_rules_dac_modification_fchmodat
+      - audit_rules_dac_modification_fchown
+      - audit_rules_dac_modification_fchownat
+      - audit_rules_dac_modification_fremovexattr
+      - audit_rules_dac_modification_fsetxattr
+      - audit_rules_dac_modification_lchown
+      - audit_rules_dac_modification_lremovexattr
+      - audit_rules_dac_modification_lsetxattr
+      - audit_rules_dac_modification_removexattr
+      - audit_rules_dac_modification_setxattr
+
+  - id: 4.1.10
+    title: Ensure unsuccessful unauthorized file access attempts are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_unsuccessful_file_modification_creat
+      - audit_rules_unsuccessful_file_modification_ftruncate
+      - audit_rules_unsuccessful_file_modification_open
+      - audit_rules_unsuccessful_file_modification_openat
+      - audit_rules_unsuccessful_file_modification_truncate
+      # Opinionated selection
+      - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+  - id: 4.1.11
+    title: Ensure events that modify user/group information are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_usergroup_modification_group
+      - audit_rules_usergroup_modification_gshadow
+      - audit_rules_usergroup_modification_opasswd
+      - audit_rules_usergroup_modification_passwd
+      - audit_rules_usergroup_modification_shadow
+
+  - id: 4.1.12
+    title: Ensure successful file system mounts are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_media_export
+
+  - id: 4.1.13
+    title: Ensure use of privileged commands is collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_privileged_commands
+
+  - id: 4.1.14
+    title: Ensure file deletion events by users are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_file_deletion_events_rename
+      - audit_rules_file_deletion_events_renameat
+      - audit_rules_file_deletion_events_unlink
+      - audit_rules_file_deletion_events_unlinkat
+      # Opinionated selection
+      - audit_rules_file_deletion_events_rmdir
+
+  - id: 4.1.15
+    title: Ensure kernel module loading and unloading is collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_kernel_module_loading
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5516
+  - id: 4.1.16
+    title: Ensure system administrator actions (sudolog) are collected (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: no
+
+  - id: 4.1.17
+    title: Ensure the audit configuration is immutable (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - audit_rules_immutable
+
+  - id: 4.2.1.1
+    title: Ensure rsyslog is installed (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - package_rsyslog_installed
+
+  - id: 4.2.1.2
+    title: Ensure rsyslog Service is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_rsyslog_enabled
+
+  - id: 4.2.1.3
+    title: Ensure rsyslog default file permissions configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - rsyslog_files_permissions
+
+  - id: 4.2.1.4
+    title: Ensure logging is configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 4.2.1.5
+    title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - rsyslog_remote_loghost
+
+  - id: 4.2.1.6
+    title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - rsyslog_nolisten
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5520
+  - id: 4.2.2.1
+    title: Ensure journald is configured to send logs to rsyslog (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5521
+  - id: 4.2.2.2
+    title: Ensure journald is configured to compress large log files (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5522
+  - id: 4.2.2.3
+    title: Ensure journald is configured to write logfiles to persistent disk (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5523
+  - id: 4.2.3
+    title: Ensure permissions on all logfiles are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 4.3
+    title: Ensure logrotate is configured (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
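Review bot: Control `3.2.8` (Ensure TCP SYN Cookies is enabled) appears twice back to back with identical levels and the same `sysctl_net_ipv4_tcp_syncookies` rule; the second copy should be deleted so every control id in the file is unique, otherwise the control is at best double-counted and at worst rejected when the control file is loaded (I can't see the loader here, so that part is inferred). In the same hunk, `3.6` is titled `Disable IPv6 (Manual)` yet carries `automated: yes` with `kernel_module_ipv6_option_disabled`, while every other `(Manual)` control in sections 3 and 4 uses `automated: no`; either the title or the flag is wrong, and if the automation is intentional a comment such as `# Benchmark lists 3.6 as Manual; automated here via kernel_module_ipv6_option_disabled` would make that explicit. The `3.4.1.1` entry is flagged `# NEEDS RULE` but still selects `package_firewalld_installed` as automated, so a scan will fail on nftables- or iptables-only hosts that do satisfy the benchmark; the existing comment explains why, but the control would be more honest with a `related_rules:` entry and `automated: no` until a firewall-agnostic rule exists.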

From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:08:31 +0100
Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file

---
 controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 460 insertions(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index b63dc6cf9e1..85c821bc60d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1480,3 +1480,463 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
+
+  - id: 5.1.1
+    title: Ensure cron daemon is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - service_crond_enabled
+
+  - id: 5.1.2
+    title: Ensure permissions on /etc/crontab are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_crontab
+      - file_owner_crontab
+      - file_permissions_crontab
+
+  - id: 5.1.3
+    title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_cron_hourly
+      - file_owner_cron_hourly
+      - file_permissions_cron_hourly
+
+  - id: 5.1.4
+    title: Ensure permissions on /etc/cron.daily are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_cron_daily
+      - file_owner_cron_daily
+      - file_permissions_cron_daily
+
+  - id: 5.1.5
+    title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_cron_weekly
+      - file_owner_cron_weekly
+      - file_permissions_cron_weekly
+
+  - id: 5.1.6
+    title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_cron_monthly
+      - file_owner_cron_monthly
+      - file_permissions_cron_monthly
+
+  - id: 5.1.7
+    title: Ensure permissions on /etc/cron.d are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_cron_d
+      - file_owner_cron_d
+      - file_permissions_cron_d
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7195
+  - id: 5.1.8
+    title: Ensure at/cron is restricted to authorized users (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 5.2.1
+    title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_sshd_config
+      - file_owner_sshd_config
+      - file_permissions_sshd_config
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7196
+  - id: 5.2.2
+    title: Ensure SSH access is limited (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # TODO
+  # Rule sets permissions to 0640 but benchmark wants it to be 0600
+  #
+  # TODO
+  # Check owner of private keys in /etc/ssh is root:root
+  - id: 5.2.3
+    title: Ensure permissions on SSH private host key files are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      -  file_permissions_sshd_private_key
+
+  # TODO
+  # Check owner of public keys in /etc/ssh is root:root
+  - id: 5.2.4
+    title: Ensure permissions on SSH public host key files are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      -  file_permissions_sshd_pub_key
+
+  - id: 5.2.5
+    title: Ensure SSH LogLevel is appropriate (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      -  sshd_set_loglevel_info
+
+  - id: 5.2.6
+    title: Ensure SSH X11 forwarding is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      -  sshd_disable_x11_forwarding
+
+  - id: 5.2.7
+    title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_max_auth_tries_value=4
+      - sshd_set_max_auth_tries
+
+  - id: 5.2.8
+    title: Ensure SSH IgnoreRhosts is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_disable_rhosts
+
+  - id: 5.2.9
+    title: Ensure SSH HostbasedAuthentication is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - disable_host_auth
+
+  - id: 5.2.10
+    title: Ensure SSH root login is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_disable_root_login
+
+  - id: 5.2.11
+    title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_disable_empty_passwords
+
+  - id: 5.2.12
+    title: Ensure SSH PermitUserEnvironment is disabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_do_not_permit_user_env
+
+  - id: 5.2.13
+    title: Ensure SSH Idle Timeout Interval is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_idle_timeout_value=5_minutes
+      - sshd_set_idle_timeout
+      - sshd_set_keepalive_0
+      - var_sshd_set_keepalive=0
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5525
+  - id: 5.2.14
+    title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 5.2.15
+    title: Ensure SSH warning banner is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_enable_warning_banner
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5526
+  - id: 5.2.16
+    title: Ensure SSH PAM is enabled (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 5.2.17
+    title: Ensure SSH AllowTcpForwarding is disabled (Automated)
+    levels:
+      - l2_server
+      - l2_workstation
+    automated: yes
+    rules:
+      - sshd_disable_tcp_forwarding
+
+  - id: 5.2.18
+    title: Ensure SSH MaxStartups is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_set_maxstartups
+
+  - id: 5.2.19
+    title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - sshd_set_max_sessions
+      - var_sshd_max_sessions=4
+
+  - id: 5.2.20
+    title: Ensure system-wide crypto policy is not over-ridden (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - configure_ssh_crypto_policy
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5530
+  - id: 5.3.1
+    title: Create custom authselect profile (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5531
+  - id: 5.3.2
+    title: Select authselect profile (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5532
+  - id: 5.3.2
+    title: Ensure authselect includes with-faillock (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE: try_first_pass
+  # https://github.com/ComplianceAsCode/content/issues/5533
+  - id: 5.4.1
+    title: Ensure password creation requirements are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_password_pam_minclass
+      - accounts_password_pam_minlen
+      - accounts_password_pam_retry
+      - var_password_pam_minclass=4
+      - var_password_pam_minlen=14
+
+  - id: 5.4.2
+    title: Ensure lockout for failed password attempts is configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_passwords_pam_faillock_deny
+      - accounts_passwords_pam_faillock_unlock_time
+      - var_accounts_passwords_pam_faillock_deny=5
+      - var_accounts_passwords_pam_faillock_unlock_time=900
+
+  - id: 5.4.3
+    title: Ensure password reuse is limited (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_password_pam_unix_remember
+      - var_password_pam_unix_remember=5
+
+  - id: 5.4.4
+    title: Ensure password hashing algorithm is SHA-512 (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - set_password_hashing_algorithm_systemauth
+
+  - id: 5.5.1.1
+    title: Ensure password expiration is 365 days or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_maximum_age_login_defs
+      - var_accounts_maximum_age_login_defs=365
+
+  - id: 5.5.1.2
+    title: Ensure minimum days between password changes is 7 or more (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_minimum_age_login_defs
+      - var_accounts_minimum_age_login_defs=7
+
+  - id: 5.5.1.3
+    title: Ensure password expiration warning days is 7 or more (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_password_warn_age_login_defs
+      - var_accounts_password_warn_age_login_defs=7
+
+  # TODO
+  # Rule doesn't check list of users
+  - id: 5.5.1.4
+    title: Ensure inactive password lock is 30 days or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - account_disable_post_pw_expiration
+      - var_account_disable_post_pw_expiration=30
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5537
+  - id: 5.5.1.5
+    title: Ensure all users last password change date is in the past (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 5.5.2
+    title: Ensure system accounts are secured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_shelllogin_for_systemaccounts
+
+  - id: 5.5.3
+    title: Ensure default user shell timeout is 900 seconds or less (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_tmout
+      - var_accounts_tmout=15_min
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5539
+  - id: 5.5.4
+    title: Ensure default group for the root account is GID 0 (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 5.5.5
+    title: Ensure default user umask is 027 or more restrictive (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_umask_etc_bashrc
+      - accounts_umask_etc_profile
+      - var_accounts_user_umask=027
+
+  - id: 5.6
+    title: Ensure root login is restricted to system console (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - no_direct_root_logins
+      - securetty_root_login_console_only
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5541
+  - id: 5.7
+    title: Ensure access to the su command is restricted (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
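Review bot: Two consecutive controls both carry `id: 5.3.2` (`Select authselect profile` and `Ensure authselect includes with-faillock`), so the second cannot be referenced by id; it should presumably read `- id: 5.3.3`, which is the next number in the 5.3 authselect sequence. Several rule entries in 5.2.3 through 5.2.6 are written with two spaces after the dash (`-  file_permissions_sshd_private_key`); this is valid YAML but every other list item in the file uses one space, so normalize to `- file_permissions_sshd_private_key` for yamllint and consistency. The `# TODO` on 5.2.3 already records that `file_permissions_sshd_private_key` enforces 0640 while the benchmark asks for 0600, so `automated: yes` overstates coverage there; the comment should say plainly that a passing scan does not satisfy the benchmark's mode requirement until the rule is tightened.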

From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:33:15 +0100
Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file

---
 controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 325 insertions(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 85c821bc60d..bc77e25d122 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1940,3 +1940,328 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
+
+  - id: 6.1.1
+    title: Audit system file permissions (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    related_rules:
+      - rpm_verify_permissions
+      - rpm_verify_ownership
+
+  - id: 6.1.2
+    title: Ensure permissions on /etc/passwd are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_etc_passwd
+      - file_owner_etc_passwd
+      - file_permissions_etc_passwd
+
+  - id: 6.1.3
+    title: Ensure permissions on /etc/passwd- are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_backup_etc_passwd
+      - file_owner_backup_etc_passwd
+      - file_permissions_backup_etc_passwd
+
+  - id: 6.1.4
+    title: Ensure permissions on /etc/shadow are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_owner_etc_shadow
+      - file_groupowner_etc_shadow
+      - file_permissions_etc_shadow
+
+  - id: 6.1.5
+    title: Ensure permissions on /etc/shadow- are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_backup_etc_shadow
+      - file_owner_backup_etc_shadow
+      - file_permissions_backup_etc_shadow
+
+  - id: 6.1.6
+    title: Ensure permissions on /etc/gshadow are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_etc_gshadow
+      - file_owner_etc_gshadow
+      - file_permissions_etc_gshadow
+
+  - id: 6.1.7
+    title: Ensure permissions on /etc/gshadow- are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_backup_etc_gshadow
+      - file_owner_backup_etc_gshadow
+      - file_permissions_backup_etc_gshadow
+
+  - id: 6.1.8
+    title: Ensure permissions on /etc/group are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_etc_group
+      - file_owner_etc_group
+      - file_permissions_etc_group
+
+  - id: 6.1.9
+    title: Ensure permissions on /etc/group- are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupowner_backup_etc_group
+      - file_owner_backup_etc_group
+      - file_permissions_backup_etc_group
+
+  - id: 6.1.10
+    title: Ensure no world writable files exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_permissions_unauthorized_world_writable
+
+  - id: 6.1.11
+    title: Ensure no unowned files or directories exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_files_unowned_by_user
+
+  - id: 6.1.12
+    title: Ensure no ungrouped files or directories exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_permissions_ungroupowned
+
+  - id: 6.1.13
+    title: Audit SUID executables (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    rules:
+      - file_permissions_unauthorized_suid
+
+  - id: 6.1.14
+    title: Audit SGID executables (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+    rules:
+      - file_permissions_unauthorized_sgid
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7197
+  - id: 6.2.1
+    title: Ensure password fields are not empty (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.2
+    title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_legacy_plus_entries_etc_passwd
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7198
+  - id: 6.2.3
+    title: Ensure root PATH Integrity (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.4
+    title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_legacy_plus_entries_etc_shadow
+
+  - id: 6.2.5
+    title: Ensure no legacy "+" entries exist in /etc/group (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_legacy_plus_entries_etc_group
+
+  - id: 6.2.6
+    title: Ensure root is the only UID 0 account (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_no_uid_except_zero
+
+  - id: 6.2.7
+    title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_permissions_home_dirs
+
+  # NEEDS RULE (for user ownership)
+  # https://github.com/ComplianceAsCode/content/issues/5507
+  - id: 6.2.8
+    title: Ensure users own their home directories (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - file_groupownership_home_directories
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5506
+  - id: 6.2.9
+    title: Ensure users' dot files are not group or world writable (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5505
+  - id: 6.2.10
+    title: Ensure no users have .forward files (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.11
+    title: Ensure no users have .netrc files (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_netrc_files
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5504
+  - id: 6.2.12
+    title: Ensure users' .netrc Files are not group or world accessible (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.13
+    title: Ensure no users have .rhosts files (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - no_rsh_trust_files
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5503
+  - id: 6.2.14
+    title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5502
+  - id: 6.2.15
+    title: Ensure no duplicate UIDs exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5501
+  - id: 6.2.16
+    title: Ensure no duplicate GIDs exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.17
+    title: Ensure no duplicate user names exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - account_unique_name
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5500
+  - id: 6.2.18
+    title: Ensure no duplicate group names exist (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/5499
+  - id: 6.2.19
+    title: Ensure shadow group is empty (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
+  - id: 6.2.20
+    title: Ensure shadow group is empty (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - accounts_user_interactive_home_directory_exists
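Review bot: The title of control 6.2.20, the last entry in the hunk, repeats 6.2.19's 'Ensure shadow group is empty', while its selected rule `accounts_user_interactive_home_directory_exists` checks something else; the title looks like a copy-paste and should be corrected from the benchmark, presumably to `title: Ensure all users' home directories exist (Automated)`. Control 6.2.8 is marked `automated: yes` although the comment above it says the user-ownership rule is still missing and only `file_groupownership_home_directories` is selected, so the flag overstates the coverage. Controls 6.1.13 and 6.1.14 are `automated: no` but list their rules under `rules:`, whereas 6.1.1 in the same hunk uses `related_rules:` for a manual control; if `rules:` is what selects a rule into the generated profile, the two manual audits should use `related_rules:` as well, or the difference should be explained in a comment.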

From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sat, 3 Jul 2021 12:36:01 +0100
Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint

---
 controls/cis_rhel8.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bc77e25d122..161a2aac58e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1,3 +1,4 @@
+---
 policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
 title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
 id: cis_rhel8
@@ -1597,7 +1598,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      -  file_permissions_sshd_private_key
+      - file_permissions_sshd_private_key
 
   # TODO
   # Check owner of public keys in /etc/ssh is root:root
@@ -1608,7 +1609,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      -  file_permissions_sshd_pub_key
+      - file_permissions_sshd_pub_key
 
   - id: 5.2.5
     title: Ensure SSH LogLevel is appropriate (Automated)
@@ -1617,7 +1618,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      -  sshd_set_loglevel_info
+      - sshd_set_loglevel_info
 
   - id: 5.2.6
     title: Ensure SSH X11 forwarding is disabled (Automated)
@@ -1626,7 +1627,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      -  sshd_disable_x11_forwarding
+      - sshd_disable_x11_forwarding
 
   - id: 5.2.7
     title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)

From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 9 Jul 2021 00:11:57 +0100
Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR

---
 controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 161a2aac58e..c93d6128ca4 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -170,7 +170,7 @@ controls:
     rules:
       - partition_for_home
 
-  - id: 1.1.18
+  - id: 1.1.14
     title: Ensure nodev option set on /home partition (Automated)
     levels:
       - l1_server
@@ -212,7 +212,7 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
-    rules:
+    related_rules:
       - mount_option_nodev_removable_partitions
 
   - id: 1.1.19
@@ -221,7 +221,7 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
-    rules:
+    related_rules:
       - mount_option_nosuid_removable_partitions
 
   - id: 1.1.20
@@ -230,9 +230,18 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
-    rules:
+    related_rules:
       - mount_option_noexec_removable_partitions
 
+  - id: 1.1.21
+    title: Ensure sticky bit is set on all world-writable directories (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: yes
+    rules:
+      - dir_perms_world_writable_sticky_bits
+
   - id: 1.1.22
     title: Disable Automounting (Automated)
     levels:
@@ -348,7 +357,7 @@ controls:
       - file_groupowner_grub2_cfg
       - file_permissions_grub2_cfg
 
-  - id: 1.5.1
+  - id: 1.5.2
     title: Ensure bootloader password is set (Automated)
     levels:
       - l1_server
@@ -356,6 +365,7 @@ controls:
     automated: yes
     rules:
       - grub2_password
+      - grub2_uefi_password
 
   - id: 1.5.3
     title: Ensure authentication required for single user mode (Automated)
@@ -397,15 +407,6 @@ controls:
     rules:
       - package_libselinux_installed
 
-  - id: 1.7.1.1
-    title: Ensure SELinux is installed (Automated)
-    levels:
-      - l2_server
-      - l2_workstation
-    automated: yes
-    rules:
-      - package_libselinux_installed
-
   - id: 1.7.1.2
     title: Ensure SELinux is not disabled in bootloader configuration (Automated)
     levels:
@@ -469,6 +470,7 @@ controls:
     automated: yes
     rules:
       - banner_etc_motd
+      - login_banner_text=usgcb_default
 
   - id: 1.8.1.2
     title: Ensure local login warning banner is configured properly (Automated)
@@ -478,6 +480,7 @@ controls:
     automated: yes
     rules:
       - banner_etc_issue
+      - login_banner_text=usgcb_default
 
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5225
@@ -495,6 +498,8 @@ controls:
       - l1_workstation
     automated: yes
     rules:
+      - file_groupowner_etc_motd
+      - file_owner_etc_motd
       - file_permissions_etc_motd
 
   - id: 1.8.1.5
@@ -504,8 +509,19 @@ controls:
       - l1_workstation
     automated: yes
     rules:
+      - file_groupowner_etc_issue
+      - file_owner_etc_issue
       - file_permissions_etc_issue
 
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7225
+  - id: 1.8.1.6
+    title: Ensure permissions on /etc/issue.net are configured (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    automated: no
+
   - id: 1.8.2
     title: Ensure GDM login banner is configured (Automated)
     levels:
@@ -515,6 +531,7 @@ controls:
     rules:
       - dconf_gnome_banner_enabled
       - dconf_gnome_login_banner_text
+      - login_banner_text=usgcb_default
 
   - id: 1.9
     title: Ensure updates, patches, and additional security software are installed (Manual)
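Review bot: `login_banner_text=usgcb_default` is selected here for the third time in this patch, after the 1.8.1.1 and 1.8.1.2 hunks above, without a note on why that text was chosen; as far as I recall the benchmark constrains what the banner must not reveal rather than mandating wording, so this is a project choice and deserves the `# Opinionated selection` style of comment the file uses elsewhere, e.g. `# Opinionated selection: CIS does not prescribe the banner wording`. Selecting the same variable in three controls also means any later change must be made in three places; consider selecting it once, or pointing the other two at the first with a comment, so the values cannot drift.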

From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 14:21:02 +0100
Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional
 on merge of #7226)

---
 controls/cis_rhel8.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c93d6128ca4..9140711fb66 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -550,6 +550,7 @@ controls:
     automated: yes
     rules:
       - configure_crypto_policy
+      - var_system_crypto_policy=default
 
   # This rule works in conjunction with the configure_crypto_policy above.
   # If a system is remediated to CIS Level 1, just the rule above will apply
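Review bot: `var_system_crypto_policy=default` is added without recording the dependency the commit subject mentions — the value is only available once #7226 is merged — so the control file alone does not explain why this selection may fail to build. A comment above the selection, e.g. `# The "default" value depends on the var_system_crypto_policy change in #7226`, keeps the rationale with the code once the subject line is out of sight. The merge order of the two changes should also be confirmed, since selecting a variable value the build does not know about would presumably fail the profile build.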

From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 14:34:41 +0100
Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules

---
 controls/cis_rhel8.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 9140711fb66..782dc7666f3 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -585,7 +585,7 @@ controls:
     related_rules:
       - package_chrony_installed
 
-  - id: 2.1.1
+  - id: 2.2.1.2
     title: Ensure chrony is configured (Automated)
     levels:
       - l1_server
@@ -597,13 +597,12 @@ controls:
       - chronyd_run_as_chrony_user
 
   - id: 2.2.2
-    title: Ensure chrony is configured (Automated)
+    title: Ensure X Window System is not installed (Automated)
     levels:
       - l1_server
     automated: yes
     rules:
-      - package_xorg-x11-server-common_removed
-      - xwindows_runlevel_target
+      - xwindows_remove_packages
 
   - id: 2.2.3
     title: Ensure rsync service is not enabled (Automated)
@@ -639,7 +638,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      - package_squid_removed
+      - package_squid_disabled
 
   - id: 2.2.7
     title: Ensure Samba is not enabled (Automated)
@@ -707,7 +706,7 @@ controls:
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5231
   - id: 2.2.14
-    title: Ensure RPC is not enabled (Automated)
+    title: Ensure LDAP server is not enabled (Automated)
     levels:
       - l1_server
       - l1_workstation
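Review bot: Control 2.2.14 is retitled to the LDAP server check but keeps the `# NEEDS RULE` comment pointing at issue 5231, which was written while the control was titled 'Ensure RPC is not enabled'; it is worth confirming that the issue actually tracks the missing LDAP-server rule and updating the link if it does not, otherwise the NEEDS RULE pointer is misleading. The control's remaining keys are outside the hunk.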
@@ -748,6 +747,7 @@ controls:
     automated: yes
     rules:
       - postfix_network_listening_disabled
+      - var_postfix_inet_interfaces=loopback-only
 
   - id: 2.3.1
     title: Ensure NIS Client is not installed (Automated)

From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 16 Jul 2021 15:03:09 +0100
Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3 rules

---
 controls/cis_rhel8.yml | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 782dc7666f3..1d34337411f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -785,6 +785,7 @@ controls:
     rules:
       - sysctl_net_ipv4_ip_forward
       - sysctl_net_ipv6_conf_all_forwarding
+      - sysctl_net_ipv6_conf_all_forwarding_value=disabled
 
   - id: 3.1.2
     title: Ensure packet redirect sending is disabled (Automated)
@@ -804,9 +805,13 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_conf_all_accept_source_route
+      - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
       - sysctl_net_ipv4_conf_default_accept_source_route
+      - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
       - sysctl_net_ipv6_conf_all_accept_source_route
+      - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
       - sysctl_net_ipv6_conf_default_accept_source_route
+      - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
 
   - id: 3.2.2
     title: Ensure ICMP redirects are not accepted (Automated)
@@ -816,9 +821,13 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_conf_all_accept_redirects
+      - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv4_conf_default_accept_redirects
+      - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_all_accept_redirects
+      - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_default_accept_redirects
+      - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 
   - id: 3.2.3
     title: Ensure secure ICMP redirects are not accepted (Automated)
@@ -828,7 +837,9 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_conf_all_secure_redirects
+      - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
       - sysctl_net_ipv4_conf_default_secure_redirects
+      - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 
   - id: 3.2.4
     title: Ensure suspicious packets are logged (Automated)
@@ -838,7 +849,9 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_conf_all_log_martians
+      - sysctl_net_ipv4_conf_all_log_martians_value=enabled
       - sysctl_net_ipv4_conf_default_log_martians
+      - sysctl_net_ipv4_conf_default_log_martians_value=enabled
 
   - id: 3.2.5
     title: Ensure broadcast ICMP requests are ignored (Automated)
@@ -848,6 +861,7 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+      - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 
   - id: 3.2.6
     title: Ensure bogus ICMP responses are ignored (Automated)
@@ -857,6 +871,7 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+      - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 
   - id: 3.2.7
     title: Ensure Reverse Path Filtering is enabled (Automated)
@@ -866,7 +881,9 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_conf_all_rp_filter
+      - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
       - sysctl_net_ipv4_conf_default_rp_filter
+      - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 
   - id: 3.2.8
     title: Ensure TCP SYN Cookies is enabled (Automated)
@@ -876,15 +893,7 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv4_tcp_syncookies
-
-  - id: 3.2.8
-    title: Ensure TCP SYN Cookies is enabled (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    automated: yes
-    rules:
-      - sysctl_net_ipv4_tcp_syncookies
+      - sysctl_net_ipv4_tcp_syncookies_value=enabled
 
   - id: 3.2.9
     title: Ensure IPv6 router advertisements are not accepted (Automated)
@@ -894,7 +903,9 @@ controls:
     automated: yes
     rules:
       - sysctl_net_ipv6_conf_all_accept_ra
+      - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
       - sysctl_net_ipv6_conf_default_accept_ra
+      - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 
   - id: 3.3.1
     title: Ensure DCCP is disabled (Automated)

From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 20 Jul 2021 08:43:10 +0100
Subject: [PATCH 11/55] Update controls/cis_rhel8.yml

Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 1d34337411f..2acf9aef28d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -638,7 +638,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      - package_squid_disabled
+      - service_squid_disabled
 
   - id: 2.2.7
     title: Ensure Samba is not enabled (Automated)

From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 30 Jul 2021 22:13:25 +0100
Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2acf9aef28d..e63fc57ddea 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -351,7 +351,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # This rule, as implemented here, does not check for a user.cfg file
     rules:
       - file_owner_grub2_cfg
       - file_groupowner_grub2_cfg
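Review bot: `automated: partially` introduces a third value for a key that is otherwise `yes`/`no`; under a YAML 1.1 parser `yes`/`no` load as booleans while `partially` is a string, so the controls loader must normalise both forms — worth confirming it does, or quoting the key's values consistently file-wide. The trailing explanation also pushes the line past 100 characters, and the file's convention is a comment block above the control (`# NEEDS RULE` plus an issue link), so `# Only partially automated: the selected rules do not check the user.cfg file` placed above `- id: 1.5.1` would read more consistently. The control's `- id:` line is outside the hunk.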

From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 30 Jul 2021 22:19:14 +0100
Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1

---
 controls/cis_rhel8.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e63fc57ddea..2163655d9d3 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -353,8 +353,11 @@ controls:
       - l1_workstation
     automated: partially  # This rule, as implemented here, does not check for a user.cfg file
     rules:
-      - file_owner_grub2_cfg
+      - file_groupowner_efi_grub2_cfg
       - file_groupowner_grub2_cfg
+      - file_owner_efi_grub2_cfg
+      - file_owner_grub2_cfg
+      - file_permissions_efi_grub2_cfg
       - file_permissions_grub2_cfg
 
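Review bot: The three `*_efi_grub2_cfg` rules are selected unconditionally next to the BIOS `grub2_cfg` rules, so unless each EFI rule is restricted to UEFI platforms in its own definition, a BIOS-booted host would be evaluated against a file that does not exist there (and a UEFI host against the BIOS path) — worth confirming before merge. A comment such as `# Both BIOS and EFI variants are selected; each rule is expected to apply only on its own platform` above the list would record the intent either way. The control's header lines are outside the hunk.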
   - id: 1.5.2

From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:11:38 +0100
Subject: [PATCH 14/55] Update controls/cis_rhel8.yml

Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2163655d9d3..aa9c2b6c809 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1655,7 +1655,7 @@ controls:
   - id: 5.2.6
     title: Ensure SSH X11 forwarding is disabled (Automated)
     levels:
-      - l1_server
+      - l2_server
       - l1_workstation
     automated: yes
     rules:

From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:22:44 +0100
Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action

---
 controls/cis_rhel8.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index aa9c2b6c809..af874fd789e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1234,6 +1234,7 @@ controls:
     automated: yes
     rules:
       - auditd_data_retention_max_log_file_action
+      - var_auditd_max_log_file_action=keep_logs
 
   - id: 4.1.2.3
     title: Ensure system is disabled when audit logs are full (Automated)

From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:31:20 +0100
Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6

---
 controls/cis_rhel8.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index af874fd789e..af1314325ab 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1225,6 +1225,7 @@ controls:
     automated: yes
     rules:
       - auditd_data_retention_max_log_file
+      - var_auditd_max_log_file=6
 
   - id: 4.1.2.2
     title: Ensure audit logs are not automatically deleted (Automated)
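Review bot: `var_auditd_max_log_file=6` pins a value that the benchmark leaves site-specific (the control is the audit log storage size check preceding 4.1.2.2), and auditd's `max_log_file` is the per-file size limit in megabytes rather than the number of logs kept, which is how the commit subject describes it; a comment above the selection, e.g. `# Benchmark leaves the size site-specific; 6 MB is a default, override via tailoring`, would document the choice and avoid the size/count confusion. The control's `- id:` and `title:` lines are outside the hunk.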

From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:36:48 +0100
Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not
 directly align with CIS

---
 controls/cis_rhel8.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index af1314325ab..a81a9ef4605 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1284,11 +1284,10 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: yes
+    automated: partial  # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
     rules:
       - audit_rules_time_adjtimex
       - audit_rules_time_clock_settime
-      - audit_rules_time_settimeofday
       - audit_rules_time_stime
       - audit_rules_time_watch_localtime
 
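Review bot: The rationale for `automated: partial` is a trailing comment of roughly 200 characters on one line; the file elsewhere puts such explanations in a comment block above the control, so moving the text there, split over two or three `#` lines, would satisfy the line-length convention the earlier yamllint patch aimed for. The dropped `audit_rules_time_settimeofday` could also stay visible under `related_rules:` so that its near-match to the benchmark is not lost from the control file. The control's `- id:` and `title:` lines are outside the hunk.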

From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:37:25 +0100
Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve
 full automation

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a81a9ef4605..cba86f40c9e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1299,7 +1299,7 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: yes
+    automated: partial
     rules:
       - audit_rules_mac_modification
 
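Review bot: `automated: partial` for 4.1.7 is given no explanation in the control file, unlike 4.1.6 just above it and the `# NEEDS RULE` blocks used for unautomated controls; the commit subject says a rule is missing, so that should be recorded next to the control, e.g. `# Partially automated: a rule for the remaining part of this control is still missing` above `- id: 4.1.7`, ideally with a tracking issue once one exists. The same applies to 5.2.4 in a later patch of this series, which is set to `partially` without a comment. The control's `- id:` line is outside the hunk.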

From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:38:54 +0100
Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not
 align with the benchmark

---
 controls/cis_rhel8.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cba86f40c9e..6e8c5cf10f0 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1345,8 +1345,6 @@ controls:
       - audit_rules_unsuccessful_file_modification_open
       - audit_rules_unsuccessful_file_modification_openat
       - audit_rules_unsuccessful_file_modification_truncate
-      # Opinionated selection
-      - audit_rules_unsuccessful_file_modification_open_by_handle_at
 
   - id: 4.1.11
     title: Ensure events that modify user/group information are collected (Automated)

From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:41:13 +0100
Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation
 key

---
 controls/cis_rhel8.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 6e8c5cf10f0..829f0515cb0 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1284,7 +1284,7 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: partial  # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
+    automated: partially  # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
     rules:
       - audit_rules_time_adjtimex
       - audit_rules_time_clock_settime
@@ -1299,7 +1299,7 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: partial
+    automated: partially
     rules:
       - audit_rules_mac_modification
 

From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:42:57 +0100
Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not
 align exactly with the benchmark

---
 controls/cis_rhel8.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 829f0515cb0..76a7c8bbfa9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1373,8 +1373,9 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: yes
-    rules:
+    automated: no
+    related_rules:
+      # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
       - audit_rules_privileged_commands
 
   - id: 4.1.14
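Review bot: The explanation for not using `audit_rules_privileged_commands` is placed inside the `related_rules:` list and gives no tracking issue, unlike the `# NEEDS RULE` blocks elsewhere in the file that carry a link; since closing the gap (the rule not setting `perm=x`) needs a rule change, a `# NEEDS RULE` block above `- id: 4.1.13` with an issue reference would make it discoverable. The control's `- id:` and `title:` lines are outside the hunk.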

From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:44:03 +0100
Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not
 align with the benchmark

---
 controls/cis_rhel8.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 76a7c8bbfa9..e6a53516666 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1389,8 +1389,6 @@ controls:
       - audit_rules_file_deletion_events_renameat
       - audit_rules_file_deletion_events_unlink
       - audit_rules_file_deletion_events_unlinkat
-      # Opinionated selection
-      - audit_rules_file_deletion_events_rmdir
 
   - id: 4.1.15
     title: Ensure kernel module loading and unloading is collected (Automated)

From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:47:53 +0100
Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does
 not align with the benchmark

---
 controls/cis_rhel8.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e6a53516666..327400abd65 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1435,14 +1435,15 @@ controls:
     rules:
       - service_rsyslog_enabled
 
+  # NEEDS RULE
+  # The rsyslog_files_permissions rule is not sufficient
+  # https://github.com/ComplianceAsCode/content/issues/7332
   - id: 4.2.1.3
     title: Ensure rsyslog default file permissions configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
-      - rsyslog_files_permissions
+    automated: no
 
   - id: 4.2.1.4
     title: Ensure logging is configured (Manual)
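Review bot: Removing `rsyslog_files_permissions` from the control entirely loses the pointer to the rule that nearly fits; 4.1.13 keeps such a rule under `related_rules:` with an explanatory comment, and that pattern would suit here too (the new comment already explains why it is not sufficient), assuming `related_rules:` is informational and does not select the rule into the profile. The same applies to the 4.2.1.5 (`rsyslog_remote_loghost`) and 5.2.3 (`file_permissions_sshd_private_key`) hunks in the next patch.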

From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:52:17 +0100
Subject: [PATCH 24/55] Disable 4.2.1.5 and 5.2.3 as they do not align
 perfectly with the benchmark

---
 controls/cis_rhel8.yml | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 327400abd65..f5a8ce45848 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1452,14 +1452,15 @@ controls:
       - l1_workstation
     automated: no
 
+  # NEEDS RULE
+  # The rsyslog_remote_loghost rule is not sufficient
+  # https://github.com/ComplianceAsCode/content/issues/7333
   - id: 4.2.1.5
     title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
-      - rsyslog_remote_loghost
+    automated: no
 
   - id: 4.2.1.6
     title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
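Review bot: Removing `rsyslog_remote_loghost` means 4.2.1.5 no longer configures off-host log shipping in any form, so a root-level intruder can alter local logs with no remote copy; an imperfect remediation was still doing useful work here. Keep the rule under `related_rules:` so the control-to-rule mapping survives, and expand the comment from "not sufficient" to the concrete gap, e.g. `# rsyslog_remote_loghost does not check <what the benchmark requires>`, filled in from the linked issue.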
@@ -1617,19 +1618,15 @@ controls:
       - l1_workstation
     automated: no
 
-  # TODO
-  # Rule sets permissions to 0640 but benchmark wants it to be 0600
-  #
-  # TODO
-  # Check owner of private keys in /etc/ssh is root:root
+  # NEEDS RULE
+  # The file_permissions_sshd_private_key rule is not aligned with the benchmark
+  # https://github.com/ComplianceAsCode/content/issues/7334
   - id: 5.2.3
     title: Ensure permissions on SSH private host key files are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
-      - file_permissions_sshd_private_key
+    automated: no
 
   # TODO
   # Check owner of public keys in /etc/ssh is root:root
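Review bot: The removed TODO recorded the concrete gap — the rule enforces 0640 where the benchmark wants 0600 with root:root ownership — and the replacement comment loses that detail while also dropping the rule entirely; a 0640 check is still stricter than no check, so the built profile becomes weaker on host-key exposure. Suggest `# file_permissions_sshd_private_key enforces 0640, not the 0600 root:root the benchmark requires` above the id and `related_rules:` / `- file_permissions_sshd_private_key` under `automated: no`. Note that RHEL 8 ships the host keys group-readable by `ssh_keys` (for the setgid `ssh-keysign` helper, as I understand it), so a 0600 remediation needs that case confirmed before automation is restored.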

From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:53:10 +0100
Subject: [PATCH 25/55] 5.2.4 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index f5a8ce45848..0e3fa99d32e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1635,7 +1635,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially
     rules:
       - file_permissions_sshd_pub_key
 
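Review bot: `partially` is the first non-boolean value given to `automated` in this file; under YAML 1.1 the existing `yes`/`no` values load as booleans while `partially` loads as a string, so whatever consumes the controls file must normalise both before comparing — the project loader may already handle this, but it is worth confirming. Also record what is not covered, as the later partially-automated controls in this series do, e.g. `automated: partially  # The rule below checks permissions but not root:root ownership`, which is presumably what the TODO two lines above refers to. The control's id and title lie above this hunk.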

From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 4 Aug 2021 16:55:32 +0100
Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used
 properly

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0e3fa99d32e..439b3265fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1721,7 +1721,7 @@ controls:
     rules:
       - sshd_idle_timeout_value=5_minutes
       - sshd_set_idle_timeout
-      - sshd_set_keepalive_0
+      - sshd_set_keepalive
       - var_sshd_set_keepalive=0
 
   # NEEDS RULE
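Review bot: `var_sshd_set_keepalive=0` relies on `ClientAliveCountMax 0` meaning "disconnect after the first missed keepalive", which is the OpenSSH 8.0 behaviour RHEL 8 ships; from OpenSSH 8.2 onward a value of 0 disables the idle disconnect entirely, so this selection silently inverts its effect on a newer sshd (rebased package, later product, container image). A comment above the variable, e.g. `# ClientAliveCountMax=0 only terminates idle sessions on OpenSSH < 8.2; re-check if the sshd version changes`, keeps the pair from being copied into other products unexamined. The enclosing control starts before this hunk.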

From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 08:47:24 +0100
Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely
 with CIS benchmark

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 439b3265fe9..92ac0dd85c5 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -595,9 +595,9 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      - service_chronyd_enabled
       - chronyd_specify_remote_server
       - chronyd_run_as_chrony_user
+      - var_multiple_time_servers=rhel
 
   - id: 2.2.2
     title: Ensure X Window System is not installed (Automated)
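Review bot: Removing `service_chronyd_enabled` means this control now configures remote servers and the run-as user but no longer ensures the daemon is enabled; unless 2.2.1.1 (outside this hunk) selects the service rule, a host with chronyd disabled would be "configured" yet never synchronise time, which undermines every timestamp in the audit trail. Please confirm where the enablement check lives, or add `# service_chronyd_enabled is selected by 2.2.1.1` so the next reader does not have to grep. `var_multiple_time_servers=rhel` should also be marked as an opinionated default, since the benchmark leaves the choice of servers to the site.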

From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 08:54:14 +0100
Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file

---
 controls/cis_rhel8.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 92ac0dd85c5..565974817f1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1645,7 +1645,12 @@ controls:
       - l1_server
       - l1_workstation
     automated: yes
+    # The CIS benchmark is not opinionated about which loglevel is selected
+    # here. Here, this profile uses VERBOSE by default, as it allows for
+    # the capture of login and logout activity as well as key fingerprints.
     rules:
+      - sshd_set_loglevel_verbose
+    related_rules:
       - sshd_set_loglevel_info
 
   - id: 5.2.6

From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:00:17 +0100
Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses
 wrong path)

---
 controls/cis_rhel8.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 565974817f1..53f024fffea 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1738,14 +1738,16 @@ controls:
       - l1_workstation
     automated: no
 
+  # NEEDS RULE
+  # The current sshd_enable_warning_banner rule uses /etc/issue instead
+  # of the /etc/issue.net that the benchmark expects.
+  # 
   - id: 5.2.15
     title: Ensure SSH warning banner is configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
-      - sshd_enable_warning_banner
+    automated: no
 
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5526
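Review bot: The fourth line of the new comment block, `  # `, is a comment marker followed only by trailing whitespace; yamllint flags it, and given that the neighbouring `# NEEDS RULE` blocks each end with an issue URL it looks like a dropped tracking link — either remove the line or add the reference. Since the rule does the right thing against the wrong file, keep `related_rules:` / `- sshd_enable_warning_banner` under `automated: no` so the banner rule stays attached to 5.2.15 until an /etc/issue.net variant exists.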

From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:00:48 +0100
Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups
 rule in RHEL 8 CIS profile

---
 controls/cis_rhel8.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 53f024fffea..3345a37d098 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1775,6 +1775,7 @@ controls:
     automated: yes
     rules:
       - sshd_set_maxstartups
+      - var_sshd_set_maxstartups=10:30:60
 
   - id: 5.2.19
     title: Ensure SSH MaxSessions is set to 4 or less (Automated)

From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:19:43 +0100
Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits
 for vs the one in the control title

---
 controls/cis_rhel8.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3345a37d098..3b6219f3296 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1777,6 +1777,13 @@ controls:
       - sshd_set_maxstartups
       - var_sshd_set_maxstartups=10:30:60
 
+  # The title of this control does not appear to match the suggested audit and
+  # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
+  # value from the audit and remediation sections of the benchmark rather than
+  # from the title.
+  #
+  # An upstream ticket has been opened about this issue:
+  # https://workbench.cisecurity.org/community/14/tickets/13414
   - id: 5.2.19
     title: Ensure SSH MaxSessions is set to 4 or less (Automated)
     levels:
@@ -1785,7 +1792,7 @@ controls:
     automated: yes
     rules:
       - sshd_set_max_sessions
-      - var_sshd_max_sessions=4
+      - var_sshd_max_sessions=10
 
   - id: 5.2.20
     title: Ensure system-wide crypto policy is not over-ridden (Automated)

From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:20:45 +0100
Subject: [PATCH 32/55] Fix rule ID for 5.3.3

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3b6219f3296..55c8378529d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1823,7 +1823,7 @@ controls:
 
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5532
-  - id: 5.3.2
+  - id: 5.3.3
     title: Ensure authselect includes with-faillock (Automated)
     levels:
       - l1_server

From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:23:40 +0100
Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2

---
 controls/cis_rhel8.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 55c8378529d..c7f651994d6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1845,17 +1845,14 @@ controls:
       - var_password_pam_minclass=4
       - var_password_pam_minlen=14
 
+  # NEEDS RULE
+  # https://github.com/ComplianceAsCode/content/issues/7337
   - id: 5.4.2
     title: Ensure lockout for failed password attempts is configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
-      - accounts_passwords_pam_faillock_deny
-      - accounts_passwords_pam_faillock_unlock_time
-      - var_accounts_passwords_pam_faillock_deny=5
-      - var_accounts_passwords_pam_faillock_unlock_time=900
+    automated: no
 
   - id: 5.4.3
     title: Ensure password reuse is limited (Automated)
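Review bot: Removing the four faillock selections leaves 5.4.2 with nothing selected, so a build from this control no longer configures any login lockout, even though the removed values (deny=5, unlock_time=900) match the thresholds in the control's title and benchmark text. If the misalignment tracked in the linked issue concerns where the configuration is written (authselect-managed PAM files on RHEL 8, presumably) rather than the values themselves, `automated: partially` with the rules kept — as 5.4.1 does in this same series — would preserve the hardening; at minimum move them to `related_rules:`. The `# NEEDS RULE` comment should state the nature of the gap rather than only the URL.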

From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:29:15 +0100
Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated

---
 controls/cis_rhel8.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c7f651994d6..10816e1ba35 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1830,14 +1830,15 @@ controls:
       - l1_workstation
     automated: no
 
-  # NEEDS RULE: try_first_pass
+  # NEEDS RULE
+  # try_first_pass
   # https://github.com/ComplianceAsCode/content/issues/5533
   - id: 5.4.1
     title: Ensure password creation requirements are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially
     rules:
       - accounts_password_pam_minclass
       - accounts_password_pam_minlen

From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:37:15 +0100
Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited"
 rule from RHEL 7

---
 controls/cis_rhel8.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 10816e1ba35..0ea36362832 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1861,9 +1861,15 @@ controls:
       - l1_server
       - l1_workstation
     automated: yes
-    rules:
-      - accounts_password_pam_unix_remember
-      - var_password_pam_unix_remember=5
+    notes: |-
+      Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation.
+      See here for more details about pam_unix.so:
+      https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+    rules:
+      - accounts_password_pam_pwhistory_remember_password_auth
+      - accounts_password_pam_pwhistory_remember_system_auth
+      - var_password_pam_remember_control_flag=required
+      - var_password_pam_remember=5
 
   - id: 5.4.4
     title: Ensure password hashing algorithm is SHA-512 (Automated)
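Review bot: The two pwhistory rules target `system-auth` and `password-auth`, which on RHEL 8 are generated by authselect; if their remediations edit those files directly, the next `authselect select` or `apply-changes` reverts the change unless a custom authselect profile is in use, so the `notes:` block should say whether the remediation is authselect-aware or whether the administrator must use a custom profile — confirm against the rule definitions. `var_password_pam_remember_control_flag=required` matches the `password required pam_pwhistory.so remember=5` line I recall from the benchmark; citing that in a comment would let readers verify it. The notes text reads more naturally as `is not supported by this interpretation of the policy`.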

From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:41:13 +0100
Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0ea36362832..be46d870965 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1876,7 +1876,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark.
     rules:
       - set_password_hashing_algorithm_systemauth
 
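Review bot: The reason for `partially` is a trailing comment that pushes the line well past 120 characters; putting it on its own line above `automated:`, as the `# NEEDS RULE` blocks do, keeps yamllint's line-length rule satisfied and gives the next four controls in this series a consistent shape to copy. The gap itself deserves a sharper statement: `password-auth` is the stack sshd and other remote services include, so the unchecked path is exactly the one reached from the network — e.g. `# Only system-auth is checked; password-auth (used by sshd) is not`. The control's id and title lie above this hunk.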

From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:42:57 +0100
Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index be46d870965..e41c2eb4dae 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1885,7 +1885,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control.
     rules:
       - accounts_maximum_age_login_defs
       - var_accounts_maximum_age_login_defs=365

From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:44:17 +0100
Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e41c2eb4dae..0b2b3d04621 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1895,7 +1895,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control.
     rules:
       - accounts_minimum_age_login_defs
       - var_accounts_minimum_age_login_defs=7

From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:47:22 +0100
Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0b2b3d04621..70312f6399a 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1905,7 +1905,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control.
     rules:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7

From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Thu, 5 Aug 2021 09:47:54 +0100
Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated

---
 controls/cis_rhel8.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 70312f6399a..42dbf14c816 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1910,14 +1910,12 @@ controls:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7
 
-  # TODO
-  # Rule doesn't check list of users
   - id: 5.5.1.4
     title: Ensure inactive password lock is 30 days or less (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
     rules:
       - account_disable_post_pw_expiration
       - var_account_disable_post_pw_expiration=30
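Review bot: Typo in the new trailing comment: `wheter` should be `whether` (the three preceding controls spell it correctly). The comment could also say why existing users matter here: as I understand it the `useradd -D` INACTIVE default only applies to accounts created afterwards, so `# useradd -D INACTIVE applies only to new accounts; existing users' inactivity values are not checked` explains the `partially` better than a generic sentence.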

From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 15:17:53 +0100
Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 42dbf14c816..e8e340e0c36 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1724,7 +1724,7 @@ controls:
       - l1_workstation
     automated: yes
     rules:
-      - sshd_idle_timeout_value=5_minutes
+      - sshd_idle_timeout_value=15_minutes
       - sshd_set_idle_timeout
       - sshd_set_keepalive
       - var_sshd_set_keepalive=0
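Review bot: The jump from 5 to 15 minutes has no stated rationale here or in the commit message; if it comes from the v1.0.1 text (which I believe allows ClientAliveInterval up to 900 seconds), say so, e.g. `# 15 minutes is the upper bound the benchmark accepts; sites may tighten it`, because 900 is the loosest conforming value and a reader would otherwise assume it was chosen over 300 for a specific reason. The control's id and title lie above this hunk.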

From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:12:47 +0100
Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated

---
 controls/cis_rhel8.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8e340e0c36..2d534d95072 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1929,12 +1929,15 @@ controls:
       - l1_workstation
     automated: no
 
+  # NEEDS RULE
+  # We are missing the component of this control which locks non-root system accounts
+  # https://github.com/ComplianceAsCode/content/issues/7352
   - id: 5.5.2
     title: Ensure system accounts are secured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially
     rules:
       - no_shelllogin_for_systemaccounts
 

From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:17:13 +0100
Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated

---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2d534d95072..784af3e0fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1946,7 +1946,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark
     rules:
       - accounts_tmout
       - var_accounts_tmout=15_min

From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:21:39 +0100
Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated

---
 controls/cis_rhel8.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 784af3e0fe9..045e219d90f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1965,9 +1965,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: partially  # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark
     rules:
       - accounts_umask_etc_bashrc
+      - accounts_umask_etc_login_defs
       - accounts_umask_etc_profile
       - var_accounts_user_umask=027
 

From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:23:32 +0100
Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by
 use_pam_wheel_for_su

---
 controls/cis_rhel8.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 045e219d90f..84a3269afc6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1989,7 +1989,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: no
+    automated: partially
+    rules:
+      - use_pam_wheel_for_su
 
   - id: 6.1.1
     title: Audit system file permissions (Manual)
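Review bot: `use_pam_wheel_for_su` is marked as partially satisfying 5.7, but the hunk does not say which half is missing: the benchmark wants `pam_wheel.so use_uid group=<group>` with a dedicated empty group, whereas a wheel-based rule (as the name suggests — confirm against the rule) restricts `su` to a group that on RHEL also carries sudo rights through the default `%wheel` sudoers entry, so it does not create the empty-group control the benchmark describes. Propose `# use_pam_wheel_for_su restricts su to wheel; the benchmark wants a dedicated, empty group` above `automated: partially`.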

From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:31:56 +0100
Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3

---
 controls/cis_rhel8.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 84a3269afc6..d02f2cbbf86 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2154,14 +2154,15 @@ controls:
     rules:
       - no_legacy_plus_entries_etc_passwd
 
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/7198
   - id: 6.2.3
     title: Ensure root PATH Integrity (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: no
+    automated: yes
+    rules:
+      - accounts_root_path_dirs_no_write
+      - root_path_no_dot
 
   - id: 6.2.4
     title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
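Review bot: `automated: yes` may overstate coverage: the 6.2.3 audit also rejects empty PATH elements, a trailing colon, entries that are not directories, and directories not owned by root, and from the names alone only the dot and writability checks are clearly covered by the two selected rules. Unless `root_path_no_dot` also treats empty elements as `.` and one of the rules checks ownership, `automated: partially  # ownership and non-directory entries are not checked` would be the accurate setting.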

From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:34:47 +0100
Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without
 OVAL checks or remediations

---
 controls/cis_rhel8.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d02f2cbbf86..a3f3d4e6d4f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2196,8 +2196,8 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
+    automated: no  # The rule below exists, but does not have any OVAL checks or remediations.
+    related_rules:
       - file_permissions_home_dirs
 
   # NEEDS RULE (for user ownership)
@@ -2207,7 +2207,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
+    automated: no  # The rule below exists, but does not have any OVAL checks or remediations.
     rules:
       - file_groupownership_home_directories
 

From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:35:23 +0100
Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL
 checks or remediations

---
 controls/cis_rhel8.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a3f3d4e6d4f..cfefd245300 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2311,10 +2311,10 @@ controls:
     automated: no
 
   - id: 6.2.20
-    title: Ensure shadow group is empty (Automated)
+    title: Ensure all users' home directories exist (Automated)
     levels:
       - l1_server
       - l1_workstation
-    automated: yes
-    rules:
+    automated: no  # The rule below exists, but does not have any OVAL checks or remediations.
+    related_rules:
       - accounts_user_interactive_home_directory_exists
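Review bot: The title swap replaces "Ensure shadow group is empty" with "Ensure all users' home directories exist" without the commit message mentioning it; the shadow-group check is itself a benchmark control, so please confirm it still appears under its correct id elsewhere in the file rather than being silently dropped by this retitle. The selected rule does match the new title, so the rest of the hunk looks right.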

From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Fri, 6 Aug 2021 16:38:11 +0100
Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because
 it also checks for finit_module syscall

---
 controls/cis_rhel8.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cfefd245300..e8d3f24ccbb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1397,7 +1397,11 @@ controls:
       - l2_workstation
     automated: yes
     rules:
-      - audit_rules_kernel_module_loading
+      - audit_rules_kernel_module_loading_delete
+      - audit_rules_kernel_module_loading_init
+      - audit_rules_privileged_commands_insmod
+      - audit_rules_privileged_commands_modprobe
+      - audit_rules_privileged_commands_rmmod
 
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5516
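Review bot: Dropping `finit_module` coverage opens a detection gap: modern kmod loads modules through `finit_module()`, and a loader that calls the syscall directly (or a renamed copy of insmod) is seen by neither the `_init`/`_delete` syscall rules nor the three privileged-command watches. Benchmark alignment is the stated goal, so keep the selection, but record the trade-off beside it, e.g. `# finit_module is not in the CIS rule set; sites wanting full coverage should audit it too`, and keep `audit_rules_kernel_module_loading` under `related_rules:` so the broader rule stays visible. The control's id and title lie above this hunk.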

From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Mon, 9 Aug 2021 11:49:56 +0100
Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control
 is not automated

---
 controls/cis_rhel8.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8d3f24ccbb..a624d06cb56 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2128,7 +2128,7 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
-    rules:
+    related_rules:
       - file_permissions_unauthorized_suid
 
   - id: 6.1.14
@@ -2137,7 +2137,7 @@ controls:
       - l1_server
       - l1_workstation
     automated: no
-    rules:
+    related_rules:
       - file_permissions_unauthorized_sgid
 
   # NEEDS RULE
@@ -2212,7 +2212,7 @@ controls:
       - l1_server
       - l1_workstation
     automated: no  # The rule below exists, but does not have any OVAL checks or remediations.
-    rules:
+    related_rules:
       - file_groupownership_home_directories
 
   # NEEDS RULE

From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 10 Aug 2021 09:12:18 +0100
Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream
 Draft Benchmark 1.1.0

---
 controls/cis_rhel8.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a624d06cb56..bff2200ce12 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1782,11 +1782,11 @@ controls:
       - var_sshd_set_maxstartups=10:30:60
 
   # The title of this control does not appear to match the suggested audit and
-  # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
-  # value from the audit and remediation sections of the benchmark rather than
-  # from the title.
+  # remediation in the CIS Benchmark version 1.0.1
+  #
+  # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0
+  # which confirms that '4' is the intended value for this control.
   #
-  # An upstream ticket has been opened about this issue:
   # https://workbench.cisecurity.org/community/14/tickets/13414
   - id: 5.2.19
     title: Ensure SSH MaxSessions is set to 4 or less (Automated)
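Review bot: The revised comment grounds the value in a draft of a later benchmark, which is a moving reference and not the version this profile claims to implement; add the version-independent argument so the choice stands on its own, e.g. `# 4 is also the stricter of the two values given in v1.0.1, so it satisfies either reading`. The line `# remediation in the CIS Benchmark version 1.0.1` lost its terminating period when the text was reflowed.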
@@ -1796,7 +1796,7 @@ controls:
     automated: yes
     rules:
       - sshd_set_max_sessions
-      - var_sshd_max_sessions=10
+      - var_sshd_max_sessions=4
 
   - id: 5.2.20
     title: Ensure system-wide crypto policy is not over-ridden (Automated)

From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Wed, 11 Aug 2021 10:37:23 +0100
Subject: [PATCH 52/55] Control to disable IPv6 should not be automated

---
 controls/cis_rhel8.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bff2200ce12..29d972427cf 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1177,9 +1177,7 @@ controls:
     levels:
       - l2_server
       - l2_workstation
-    automated: yes
-    rules:
-      - kernel_module_ipv6_option_disabled
+    automated: no
 
   - id: 4.1.1.1
     title: Ensure auditd is installed (Automated)
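Review bot: This control is switched to `automated: no` with no explanatory comment, unlike every other de-automation in this series, so a reader cannot tell whether `kernel_module_ipv6_option_disabled` is the wrong mechanism (the benchmark, as I recall, disables IPv6 through a GRUB `ipv6.disable=1` parameter or sysctl rather than a modprobe option) or merely judged too disruptive to apply automatically. Add a `# NEEDS RULE` block stating the reason and keep the rule under `related_rules:` so the mapping is retained. The control's id and title lie above this hunk.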

From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:09:48 +0100
Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8

---
 .../accounts-session/root_paths/root_path_no_dot/rule.yml     | 1 +
 .../uefi/file_groupowner_efi_grub2_cfg/rule.yml               | 1 +
 .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml   | 1 +
 .../uefi/file_permissions_efi_grub2_cfg/rule.yml              | 1 +
 shared/references/cce-redhat-avail.txt                        | 4 ----
 5 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 24a0feaf0aa..748d9d9d188 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -21,6 +21,7 @@ severity: unknown
 
 identifiers:
     cce@rhel7: CCE-80199-3
+    cce@rhel8: CCE-85914-0
 
 references:
     cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index 288b6706b03..f44e85a059a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-83430-9
+    cce@rhel8: CCE-85915-7
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
index edcda693591..a9468d00ddc 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
@@ -23,6 +23,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-83429-1
+    cce@rhel8: CCE-85913-2
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index 6e636a7caf7..bc4fdcc7e04 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-83431-7
+    cce@rhel8: CCE-85912-4
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..179412e8961 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -42,10 +42,6 @@ CCE-85907-4
 CCE-85908-2
 CCE-85909-0
 CCE-85911-6
-CCE-85912-4
-CCE-85913-2
-CCE-85914-0
-CCE-85915-7
 CCE-85916-5
 CCE-85917-3
 CCE-85918-1

From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:15:15 +0100
Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules

---
 .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml   | 1 +
 .../disabling_xwindows/xwindows_remove_packages/rule.yml         | 1 +
 .../root_logins/use_pam_wheel_for_su/rule.yml                    | 1 +
 .../root_paths/accounts_root_path_dirs_no_write/rule.yml         | 1 +
 .../accounts-session/root_paths/root_path_no_dot/rule.yml        | 1 +
 .../user_umask/accounts_umask_etc_login_defs/rule.yml            | 1 +
 6 files changed, 6 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 2ffb01a3983..ee54a53dfd4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 
 references:
     cis@rhel7: 5.3.5
+    cis@rhel8: 5.2.5
     disa: CCI-000067
     nerc-cip: CIP-007-3 R7.1
     nist: AC-17(a),AC-17(1),CM-6(a)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index c548b1e3ea2..935766db26d 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -41,6 +41,7 @@ identifiers:
 
 references:
     cis@rhel7: 2.2.2
+    cis@rhel8: 2.2.2
     disa: CCI-000366
     nist: CM-6(b)
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 984a8cf333e..616a0aa0052 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 
 references:
     cis@rhel7: "5.7"
+    cis@rhel8: 5.7
     cis@sle15: '5.6'
     cis@ubuntu2004: '5.6'
     ospp: FMT_SMF_EXT.1.1
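Review bot: The added `cis@rhel8: 5.7` is a plain scalar and a YAML parser reads it as the float 5.7, not the string "5.7", unlike the quoted `cis@rhel7: "5.7"` on the line directly above; a two-component reference should be quoted where it is introduced, `cis@rhel8: "5.7"`, so the reference survives as text (the last patch in this series makes exactly that change). The other hunks in this patch add three-component values (`5.2.5`, `2.2.2`, `6.2.3`, `5.5.5`), which YAML keeps as strings, but quoting them as well would remove the dependency on how many components a reference happens to have. The enclosing references mapping starts outside the hunk.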
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index 81c30174c71..057701075e5 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 references:
     cis-csc: 11,3,9
     cis@rhel7: 6.2.10
+    cis@rhel8: 6.2.3
     cis@sle15: 6.2.4
     cis@ubuntu2004: 6.2.3
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 748d9d9d188..c94de8fa3e6 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -26,6 +26,7 @@ identifiers:
 references:
     cis-csc: 11,3,9
     cis@rhel7: 6.2.10
+    cis@rhel8: 6.2.3
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
     disa: CCI-000366
     isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 46e81737199..51f8e51fa6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -25,6 +25,7 @@ references:
     anssi: BP28(R35)
     cis-csc: 11,18,3,9
     cis@rhel7: 5.5.5
+    cis@rhel8: 5.5.5
     cis@ubuntu2004: 5.4.4
     cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
     disa: CCI-000366

From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 17 Aug 2021 13:25:45 +0100
Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an
 integer

---
 .../root_logins/use_pam_wheel_for_su/rule.yml                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 616a0aa0052..08677cbb7dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 
 references:
     cis@rhel7: "5.7"
-    cis@rhel8: 5.7
+    cis@rhel8: "5.7"
     cis@sle15: '5.6'
     cis@ubuntu2004: '5.6'
     ospp: FMT_SMF_EXT.1.1
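Review bot: The quoting is the right fix, but the reason differs slightly from the subject line: a plain `5.7` is parsed as a YAML float rather than an integer, and it is the loss of the string form that matters for a reference identifier. Within this references block the quoting style is now mixed, `"5.7"` on the rhel7/rhel8 lines against `'5.6'` on the sle15/ubuntu2004 lines; single quotes, `cis@rhel8: '5.7'`, would match the majority of the block, though either form keeps the value a string.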