From e3844b648a537ae2d28aeb66b30522363e26c8c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 19 Aug 2021 15:58:08 +0200
Subject: [PATCH 1/4] Base the RHEL9 CIS preview on RHEL8
Use the policy files to derive a RHEL9 projection of the RHEL8 CIS profile.
---
products/rhel9/profiles/cis.profile | 1079 +----------------
products/rhel9/profiles/cis_server_l1.profile | 19 +
.../rhel9/profiles/cis_workstation_l1.profile | 19 +
.../rhel9/profiles/cis_workstation_l2.profile | 19 +
4 files changed, 63 insertions(+), 1073 deletions(-)
create mode 100644 products/rhel9/profiles/cis_server_l1.profile
create mode 100644 products/rhel9/profiles/cis_workstation_l1.profile
create mode 100644 products/rhel9/profiles/cis_workstation_l2.profile
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 8d7816e5e2..4240f743df 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -1,1086 +1,19 @@
documentation_complete: true
metadata:
- version: 0.0.0
+ version: 1.0.1
SMEs:
- vojtapolasek
- yuumasato
reference: https://www.cisecurity.org/benchmark/red_hat_linux/
-title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark'
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server'
description: |-
- This is a draft CIS profile based on the RHEL8 CIS
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
selections:
- # Necessary for dconf rules
- - dconf_db_up_to_date
-
- ### Partitioning
- - mount_option_home_nodev
-
- ## 1.1 Filesystem Configuration
-
- ### 1.1.1 Disable unused filesystems
-
- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
- - kernel_module_cramfs_disabled
-
- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
-
-
- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
- - kernel_module_squashfs_disabled
-
- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
- - kernel_module_udf_disabled
-
- ### 1.1.2 Ensure /tmp is configured (Scored)
- - partition_for_tmp
-
- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
- - mount_option_tmp_nodev
-
- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
- - mount_option_tmp_nosuid
-
- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
- - mount_option_tmp_noexec
-
- ### 1.1.6 Ensure separate partition exists for /var (Scored)
- - partition_for_var
-
- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
- - partition_for_var_tmp
-
- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_nodev
-
- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_nosuid
-
- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
- - mount_option_var_tmp_noexec
-
- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
- - partition_for_var_log
-
- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
- - partition_for_var_log_audit
-
- ### 1.1.13 Ensure separate partition exists for /home (Scored)
- - partition_for_home
-
- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
- - mount_option_home_nodev
-
- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_nodev
-
- ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_nosuid
-
- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
- - mount_option_dev_shm_noexec
-
- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
- - mount_option_nodev_removable_partitions
-
- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
- - mount_option_nosuid_removable_partitions
-
- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
- - mount_option_noexec_removable_partitions
-
- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
- - dir_perms_world_writable_sticky_bits
-
- ### 1.1.22 Disable Automounting (Scored)
- - service_autofs_disabled
-
- ### 1.1.23 Disable USB Storage (Scored)
- - kernel_module_usb-storage_disabled
-
- ## 1.2 Configure Software Updates
-
- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
-
- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
- - service_rhnsd_disabled
-
- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
- - ensure_redhat_gpgkey_installed
-
- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
- - ensure_gpgcheck_globally_activated
-
- ### 1.2.5 Ensure package manager repositories are configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
-
- ## 1.3 Configure sudo
-
- ### 1.3.1 Ensure sudo is installed (Scored)
- - package_sudo_installed
-
- ### 1.3.2 Ensure sudo commands use pty (Scored)
- - sudo_add_use_pty
-
- ### 1.3.3 Ensure sudo log file exists (Scored)
- - sudo_custom_logfile
-
- ## 1.4 Filesystem Integrity Checking
-
- ### 1.4.1 Ensure AIDE is installed (Scored)
- - package_aide_installed
-
- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
- - aide_periodic_cron_checking
-
- ## Secure Boot Settings
-
- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
- #### chown root:root /boot/grub2/grub.cfg
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
-
- #### chmod og-rwx /boot/grub2/grub.cfg
- - file_permissions_grub2_cfg
-
- #### chown root:root /boot/grub2/grubenv
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
- #### chmod og-rwx /boot/grub2/grubenv
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
- ### 1.5.2 Ensure bootloader password is set (Scored)
- - grub2_password
-
- ### 1.5.3 Ensure authentication required for single user mode (Scored)
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
- - require_singleuser_auth
-
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- - require_emergency_target_auth
-
- ## 1.6 Additional Process Hardening
-
- ### 1.6.1 Ensure core dumps are restricted (Scored)
- #### * hard core 0
- - disable_users_coredumps
-
- #### fs.suid_dumpable = 0
- - sysctl_fs_suid_dumpable
-
- #### ProcessSizeMax=0
- - coredump_disable_backtraces
-
- #### Storage=none
- - coredump_disable_storage
-
- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
- - sysctl_kernel_randomize_va_space
-
- ## 1.7 Mandatory Access Control
-
- ### 1.7.1 Configure SELinux
-
- #### 1.7.1.1 Ensure SELinux is installed (Scored)
- - package_libselinux_installed
-
- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
- - grub2_enable_selinux
-
- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
- - var_selinux_policy_name=targeted
- - selinux_policytype
-
- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
- - var_selinux_state=enforcing
- - selinux_state
-
- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
- - selinux_confinement_of_daemons
-
- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
- - package_setroubleshoot_removed
-
- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
- - package_mcstrans_removed
-
- ## Warning Banners
-
- ### 1.8.1 Command Line Warning Baners
-
- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
- - banner_etc_motd
-
- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
- - banner_etc_issue
-
- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
-
- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
- # chmod u-x,go-wx /etc/motd
- - file_permissions_etc_motd
-
- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
- # chmod u-x,go-wx /etc/issue
- - file_permissions_etc_issue
-
- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
- # Previously addressed via 'rpm_verify_permissions' rule
-
- ### 1.8.2 Ensure GDM login banner is configured (Scored)
- #### banner-message-enable=true
- - dconf_gnome_banner_enabled
-
- #### banner-message-text='<banner message>'
- - dconf_gnome_login_banner_text
-
- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
- - security_patches_up_to_date
-
- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
- - var_system_crypto_policy=future
- - configure_crypto_policy
-
- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
- # Previously addressed via 'configure_crypto_policy' rule
-
- # Services
-
- ## 2.1 inetd Services
-
- ### 2.1.1 Ensure xinetd is not installed (Scored)
- - package_xinetd_removed
-
- ## 2.2 Special Purpose Services
-
- ### 2.2.1 Time Synchronization
-
- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
- - package_chrony_installed
-
- #### 2.2.1.2 Ensure chrony is configured (Scored)
- - service_chronyd_enabled
- - chronyd_specify_remote_server
- - chronyd_run_as_chrony_user
-
- ### 2.2.2 Ensure X Window System is not installed (Scored)
- - package_xorg-x11-server-common_removed
- - xwindows_runlevel_target
-
- ### 2.2.3 Ensure rsync service is not enabled (Scored)
- - service_rsyncd_disabled
-
- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
- - service_avahi-daemon_disabled
-
- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
- - service_snmpd_disabled
-
- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
- - package_squid_removed
-
- ### 2.2.7 Ensure Samba is not enabled (Scored)
- - service_smb_disabled
-
- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
- - service_dovecot_disabled
-
- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
- - service_httpd_disabled
-
- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
- - service_vsftpd_disabled
-
- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
- - service_named_disabled
-
- ### 2.2.12 Ensure NFS is not enabled (Scored)
- - service_nfs_disabled
-
- ### 2.2.13 Ensure RPC is not enabled (Scored)
- - service_rpcbind_disabled
-
- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
-
- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
- - service_dhcpd_disabled
-
- ### 2.2.16 Ensure CUPS is not enabled (Scored)
- - service_cups_disabled
-
- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
-
- ### 2.2.18 Ensure mail transfer agent is configured for
- ### local-only mode (Scored)
- - postfix_network_listening_disabled
-
- ## 2.3 Service Clients
-
- ### 2.3.1 Ensure NIS Client is not installed (Scored)
- - package_ypbind_removed
-
- ### 2.3.2 Ensure telnet client is not installed (Scored)
- - package_telnet_removed
-
- ### Ensure LDAP client is not installed
- - package_openldap-clients_removed
-
- # 3 Network Configuration
-
- ## 3.1 Network Parameters (Host Only)
-
- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
- #### net.ipv4.ip_forward = 0
- - sysctl_net_ipv4_ip_forward
-
- #### net.ipv6.conf.all.forwarding = 0
- - sysctl_net_ipv6_conf_all_forwarding
-
- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
- #### net.ipv4.conf.all.send_redirects = 0
- - sysctl_net_ipv4_conf_all_send_redirects
-
- #### net.ipv4.conf.default.send_redirects = 0
- - sysctl_net_ipv4_conf_default_send_redirects
-
- ## 3.2 Network Parameters (Host and Router)
-
- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
- #### net.ipv4.conf.all.accept_source_route = 0
- - sysctl_net_ipv4_conf_all_accept_source_route
-
- #### net.ipv4.conf.default.accept_source_route = 0
- - sysctl_net_ipv4_conf_default_accept_source_route
-
- #### net.ipv6.conf.all.accept_source_route = 0
- - sysctl_net_ipv6_conf_all_accept_source_route
-
- #### net.ipv6.conf.default.accept_source_route = 0
- - sysctl_net_ipv6_conf_default_accept_source_route
-
- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
- #### net.ipv4.conf.all.accept_redirects = 0
- - sysctl_net_ipv4_conf_all_accept_redirects
-
- #### net.ipv4.conf.default.accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
-
- #### net.ipv6.conf.all.accept_redirects = 0
- - sysctl_net_ipv6_conf_all_accept_redirects
-
- #### net.ipv6.conf.defaults.accept_redirects = 0
- - sysctl_net_ipv6_conf_default_accept_redirects
-
- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
- #### net.ipv4.conf.all.secure_redirects = 0
- - sysctl_net_ipv4_conf_all_secure_redirects
-
- #### net.ipv4.cof.default.secure_redirects = 0
- - sysctl_net_ipv4_conf_default_secure_redirects
-
- ### 3.2.4 Ensure suspicious packets are logged (Scored)
- #### net.ipv4.conf.all.log_martians = 1
- - sysctl_net_ipv4_conf_all_log_martians
-
- #### net.ipv4.conf.default.log_martians = 1
- - sysctl_net_ipv4_conf_default_log_martians
-
- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-
- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-
- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- #### net.ipv4.conf.all.rp_filter = 1
- - sysctl_net_ipv4_conf_all_rp_filter
-
- #### net.ipv4.conf.default.rp_filter = 1
- - sysctl_net_ipv4_conf_default_rp_filter
-
- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
- - sysctl_net_ipv4_tcp_syncookies
-
- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
- #### net.ipv6.conf.all.accept_ra = 0
- - sysctl_net_ipv6_conf_all_accept_ra
-
- #### net.ipv6.conf.default.accept_ra = 0
- - sysctl_net_ipv6_conf_default_accept_ra
-
- ## 3.3 Uncommon Network Protocols
-
- ### 3.3.1 Ensure DCCP is disabled (Scored)
- - kernel_module_dccp_disabled
-
- ### Ensure SCTP is disabled (Scored)
- - kernel_module_sctp_disabled
-
- ### 3.3.3 Ensure RDS is disabled (Scored)
- - kernel_module_rds_disabled
-
- ### 3.3.4 Ensure TIPC is disabled (Scored)
- - kernel_module_tipc_disabled
-
- ## 3.4 Firewall Configuration
-
- ### 3.4.1 Ensure Firewall software is installed
-
- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
- ##### firewalld
- - package_firewalld_installed
-
- ##### nftables
- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
-
- ##### iptables
- #- package_iptables_installed
-
- ### 3.4.2 Configure firewalld
-
- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
- - service_firewalld_enabled
-
- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
-
- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
-
- #### 3.4.2.4 Ensure default zone is set (Scored)
- - set_firewalld_default_zone
-
- #### 3.4.2.5 Ensure network interfaces are assigned to
- #### appropriate zone (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
-
- #### 3.4.2.6 Ensure unnecessary services and ports are not
- #### accepted (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
-
- ### 3.4.3 Configure nftables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
-
- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
-
- #### 3.4.3.2 Ensure a table exists (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
-
- #### 3.4.3.3 Ensure base chains exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
-
- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
-
- #### 3.4.3.5 Ensure outbound and established connections are
- #### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
-
- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
-
- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
-
- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
-
- ### 3.4.4 Configure iptables
-
- #### 3.4.4.1 Configure IPv4 iptables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
-
- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
-
- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
-
- ##### 3.4.4.1.3 Ensure outbound and established connections are
- ##### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
-
- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
-
- #### 3.4.4.2 Configure IPv6 ip6tables
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
-
- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
-
- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
-
- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
- ##### configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
-
- ## 3.5 Ensure wireless interfaces are disabled (Scored)
- - wireless_disable_interfaces
-
- ## 3.6 Disable IPv6 (Not Scored)
- - kernel_module_ipv6_option_disabled
-
- # Logging and Auditing
-
- ## 4.1 Configure System Accounting (auditd)
-
- ### 4.1.1 Ensure auditing is enabled
-
- #### 4.1.1.1 Ensure auditd is installed (Scored)
- - package_audit_installed
-
- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
- - service_auditd_enabled
-
- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
- #### is enabled (Scored)
- - grub2_audit_argument
-
- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
- - grub2_audit_backlog_limit_argument
-
- ### 4.1.2 Configure Data Retention
-
- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
- - auditd_data_retention_max_log_file
-
- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
- - auditd_data_retention_max_log_file_action
-
- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
- - var_auditd_space_left_action=email
- - auditd_data_retention_space_left_action
-
- ##### action_mail_acct = root
- - var_auditd_action_mail_acct=root
- - auditd_data_retention_action_mail_acct
-
- ##### admin_space_left_action = halt
- - var_auditd_admin_space_left_action=halt
- - auditd_data_retention_admin_space_left_action
-
- ### 4.1.3 Ensure changes to system administration scope
- ### (sudoers) is collected (Scored)
- - audit_rules_sysadmin_actions
-
- ### 4.1.4 Ensure login and logout events are collected (Scored)
- - audit_rules_login_events_faillock
- - audit_rules_login_events_lastlog
-
- ### 4.1.5 Ensure session initiation information is collected (Scored)
- - audit_rules_session_events
-
- ### 4.1.6 Ensure events that modify date and time information
- ### are collected (Scored)
- #### adjtimex
- - audit_rules_time_adjtimex
-
- #### settimeofday
- - audit_rules_time_settimeofday
-
- #### stime
- - audit_rules_time_stime
-
- #### clock_settime
- - audit_rules_time_clock_settime
-
- #### -w /etc/localtime -p wa
- - audit_rules_time_watch_localtime
-
- ### 4.1.7 Ensure events that modify the system's Mandatory
- ### Access Control are collected (Scored)
- #### -w /etc/selinux/ -p wa
- - audit_rules_mac_modification
-
- #### -w /usr/share/selinux/ -p wa
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
-
- ### 4.1.8 Ensure events that modify the system's network
- ### enironment are collected (Scored)
- - audit_rules_networkconfig_modification
-
- ### 4.1.9 Ensure discretionary access control permission modification
- ### events are collected (Scored)
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_setxattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_fremovexattr
-
- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
- ### collected (Scored)
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_ftruncate
- # Opinionated selection
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
-
- ### 4.1.11 Ensure events that modify user/group information are
- ### collected (Scored)
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_shadow
- - audit_rules_usergroup_modification_opasswd
-
- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
- - audit_rules_media_export
-
- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
- - audit_rules_privileged_commands
-
- ### 4.1.14 Ensure file deletion events by users are collected
- ### (Scored)
- - audit_rules_file_deletion_events_unlink
- - audit_rules_file_deletion_events_unlinkat
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_renameat
- # Opinionated selection
- - audit_rules_file_deletion_events_rmdir
-
- ### 4.1.15 Ensure kernel module loading and unloading is collected
- ### (Scored)
- - audit_rules_kernel_module_loading
-
- ### 4.1.16 Ensure system administrator actions (sudolog) are
- ### collected (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-
- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
- - audit_rules_immutable
-
- ## 4.2 Configure Logging
-
- ### 4.2.1 Configure rsyslog
-
- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
- - package_rsyslog_installed
-
- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
- - service_rsyslog_enabled
-
- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
- - rsyslog_files_permissions
-
- #### 4.2.1.4 Ensure logging is configured (Not Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-
- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
- #### log host (Scored)
- - rsyslog_remote_loghost
-
- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
- #### designated log hosts (Not Scored)
- - rsyslog_nolisten
-
- ### 4.2.2 Configure journald
-
- #### 4.2.2.1 Ensure journald is configured to send logs to
- #### rsyslog (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-
- #### 4.2.2.2 Ensure journald is configured to compress large
- #### log files (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
-
-
- #### 4.2.2.3 Ensure journald is configured to write logfiles to
- #### persistent disk (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-
- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-
- ## 4.3 Ensure logrotate is configured (Not Scored)
-
- # 5 Access, Authentication and Authorization
-
- ## 5.1 Configure cron
-
- ### 5.1.1 Ensure cron daemon is enabled (Scored)
- - service_crond_enabled
-
-
- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
- # chown root:root /etc/crontab
- - file_owner_crontab
- - file_groupowner_crontab
- # chmod og-rwx /etc/crontab
- - file_permissions_crontab
-
- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
- # chown root:root /etc/cron.hourly
- - file_owner_cron_hourly
- - file_groupowner_cron_hourly
- # chmod og-rwx /etc/cron.hourly
- - file_permissions_cron_hourly
-
- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
- # chown root:root /etc/cron.daily
- - file_owner_cron_daily
- - file_groupowner_cron_daily
- # chmod og-rwx /etc/cron.daily
- - file_permissions_cron_daily
-
- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
- # chown root:root /etc/cron.weekly
- - file_owner_cron_weekly
- - file_groupowner_cron_weekly
- # chmod og-rwx /etc/cron.weekly
- - file_permissions_cron_weekly
-
- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
- # chown root:root /etc/cron.monthly
- - file_owner_cron_monthly
- - file_groupowner_cron_monthly
- # chmod og-rwx /etc/cron.monthly
- - file_permissions_cron_monthly
-
- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
- # chown root:root /etc/cron.d
- - file_owner_cron_d
- - file_groupowner_cron_d
- # chmod og-rwx /etc/cron.d
- - file_permissions_cron_d
-
- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
-
-
- ## 5.2 SSH Server Configuration
-
- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
- # chown root:root /etc/ssh/sshd_config
- - file_owner_sshd_config
- - file_groupowner_sshd_config
-
- # chmod og-rwx /etc/ssh/sshd_config
- - file_permissions_sshd_config
-
- ### 5.2.2 Ensure SSH access is limited (Scored)
-
-
- ### 5.2.3 Ensure permissions on SSH private host key files are
- ### configured (Scored)
- # TO DO: The rule sets to 640, but benchmark wants 600
- - file_permissions_sshd_private_key
- # TO DO: check owner of private keys in /etc/ssh is root:root
-
- ### 5.2.4 Ensure permissions on SSH public host key files are configured
- ### (Scored)
- - file_permissions_sshd_pub_key
- # TO DO: check owner of pub keys in /etc/ssh is root:root
-
- # Ensure that the configuration is done the right way
- - sshd_use_directory_configuration
- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- - sshd_set_loglevel_info
-
- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
- - sshd_disable_x11_forwarding
-
- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
- - sshd_max_auth_tries_value=4
- - sshd_set_max_auth_tries
-
- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
- - sshd_disable_rhosts
-
- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
- - disable_host_auth
-
- ### 5.2.10 Ensure SSH root login is disabled (Scored)
- - sshd_disable_root_login
-
- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
- - sshd_disable_empty_passwords
-
- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
- - sshd_do_not_permit_user_env
-
- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
- # ClientAliveInterval 300
- - sshd_idle_timeout_value=5_minutes
- - sshd_set_idle_timeout
-
- # ClientAliveCountMax 0
- - var_sshd_set_keepalive=0
-
- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
- ### or less (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-
- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
- - sshd_enable_warning_banner
-
- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-
- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
- - sshd_disable_tcp_forwarding
-
- ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
-
- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
- - sshd_set_max_sessions
- - var_sshd_max_sessions=4
-
- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
- - configure_ssh_crypto_policy
-
- ## 5.3 Configure authselect
-
-
- ### 5.3.1 Create custom authselectet profile (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-
- ### 5.3.2 Select authselect profile (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-
- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-
- ## 5.4 Configure PAM
-
- ### 5.4.1 Ensure password creation requirements are configured (Scored)
- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
- - accounts_password_pam_retry
- - var_password_pam_minlen=14
- - accounts_password_pam_minlen
- - var_password_pam_minclass=4
- - accounts_password_pam_minclass
-
- ### 5.4.2 Ensure lockout for failed password attempts is
- ### configured (Scored)
- - var_accounts_passwords_pam_faillock_unlock_time=900
- - var_accounts_passwords_pam_faillock_deny=5
- - accounts_passwords_pam_faillock_unlock_time
- - accounts_passwords_pam_faillock_deny
-
- ### 5.4.3 Ensure password reuse is limited (Scored)
- - var_password_pam_unix_remember=5
- - accounts_password_pam_unix_remember
-
- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
- - set_password_hashing_algorithm_systemauth
-
- ## 5.5 User Accounts and Environment
-
- ### 5.5.1 Set Shadow Password Suite Parameters
-
- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
- - var_accounts_maximum_age_login_defs=365
- - accounts_maximum_age_login_defs
-
- #### 5.5.1.2 Ensure minimum days between password changes is 7
- #### or more (Scored)
- - var_accounts_minimum_age_login_defs=7
- - accounts_minimum_age_login_defs
-
- #### 5.5.1.3 Ensure password expiration warning days is
- #### 7 or more (Scored)
- - var_accounts_password_warn_age_login_defs=7
- - accounts_password_warn_age_login_defs
-
- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
- # TODO: Rule doesn't check list of users
- # https://github.com/ComplianceAsCode/content/issues/5536
- - var_account_disable_post_pw_expiration=30
- - account_disable_post_pw_expiration
-
- #### 5.5.1.5 Ensure all users last password change date is
- #### in the past (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-
- ### 5.5.2 Ensure system accounts are secured (Scored)
- - no_shelllogin_for_systemaccounts
-
- ### 5.5.3 Ensure default user shell timeout is 900 seconds
- ### or less (Scored)
- - var_accounts_tmout=15_min
- - accounts_tmout
-
- ### 5.5.4 Ensure default group for the root account is
- ### GID 0 (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-
- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
- - var_accounts_user_umask=027
- - accounts_umask_etc_bashrc
- - accounts_umask_etc_profile
-
- ## 5.6 Ensure root login is restricted to system console (Not Scored)
- - securetty_root_login_console_only
- - no_direct_root_logins
-
- ## 5.7 Ensure access to the su command is restricted (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
-
- # System Maintenance
-
- ## 6.1 System File Permissions
-
- ### 6.1.1 Audit system file permissions (Not Scored)
- - rpm_verify_permissions
- - rpm_verify_ownership
-
- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
- # chown root:root /etc/passwd
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
-
- # chmod 644 /etc/passwd
- - file_permissions_etc_passwd
-
- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
- # chown root:root /etc/shadow
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
-
- # chmod o-rwx,g-wx /etc/shadow
- - file_permissions_etc_shadow
-
- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
- # chown root:root /etc/group
- - file_owner_etc_group
- - file_groupowner_etc_group
-
- # chmod 644 /etc/group
- - file_permissions_etc_group
-
- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
- # chown root:root /etc/gshadow
- - file_owner_etc_gshadow
- - file_groupowner_etc_gshadow
-
- # chmod o-rwx,g-rw /etc/gshadow
- - file_permissions_etc_gshadow
-
- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
- # chown root:root /etc/passwd-
- - file_owner_backup_etc_passwd
- - file_groupowner_backup_etc_passwd
-
- # chmod 644 /etc/passwd-
- - file_permissions_backup_etc_passwd
-
- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
- # chown root:root /etc/shadow-
- - file_owner_backup_etc_shadow
- - file_groupowner_backup_etc_shadow
-
- # chmod 0000 /etc/shadow-
- - file_permissions_backup_etc_shadow
-
- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
- # chown root:root /etc/group-
- - file_owner_backup_etc_group
- - file_groupowner_backup_etc_group
-
- # chmod 644 /etc/group-
- - file_permissions_backup_etc_group
-
- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
- # chown root:root /etc/gshadow-
- - file_owner_backup_etc_gshadow
- - file_groupowner_backup_etc_gshadow
-
- # chmod 0000 /etc/gshadow-
- - file_permissions_backup_etc_gshadow
-
- ### 6.1.10 Ensure no world writable files exist (Scored)
- - file_permissions_unauthorized_world_writable
-
- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
- - no_files_unowned_by_user
-
- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
- - file_permissions_ungroupowned
-
- ### 6.1.13 Audit SUID executables (Not Scored)
- - file_permissions_unauthorized_suid
-
- ### 6.1.14 Audit SGID executables (Not Scored)
- - file_permissions_unauthorized_sgid
-
- ## 6.2 User and Group Settings
-
- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
- - no_legacy_plus_entries_etc_passwd
-
- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
- - no_legacy_plus_entries_etc_shadow
-
- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
- - no_legacy_plus_entries_etc_group
-
- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
- - accounts_no_uid_except_zero
-
- ### 6.2.7 Ensure users' home directories permissions are 750
- ### or more restrictive (Scored)
- - file_permissions_home_dirs
-
- ### 6.2.8 Ensure users own their home directories (Scored)
- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
- - file_groupownership_home_directories
-
- ### 6.2.9 Ensure users' dot files are not group or world
- ### writable (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-
- ### 6.2.10 Ensure no users have .forward files (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-
- ### 6.2.11 Ensure no users have .netrc files (Scored)
- - no_netrc_files
-
- ### 6.2.12 Ensure users' .netrc Files are not group or
- ### world accessible (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-
- ### 6.2.13 Ensure no users have .rhosts files (Scored)
- - no_rsh_trust_files
-
- ### 6.2.14 Ensure all groups in /etc/passwd exist in
- ### /etc/group (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-
- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
-
- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
-
- ### 6.2.17 Ensure no duplicate user names exist (Scored)
- - account_unique_name
-
- ### 6.2.18 Ensure no duplicate group names exist (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-
- ### 6.2.19 Ensure shadow group is empty (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-
- ### 6.2.20 Ensure all users' home directories exist (Scored)
- - accounts_user_interactive_home_directory_exists
+ - cis_rhel8:all:l2_server
diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile
new file mode 100644
index 0000000000..18314d9c46
--- /dev/null
+++ b/products/rhel9/profiles/cis_server_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l1_server
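Review bot: `documentation_complete: true` puts this profile into the built RHEL9 datastream although the description two lines above calls it experimental and says it is not based on any RHEL9 benchmark; a consumer sees an installable `cis_server_l1` profile whose only warning is the `[DRAFT]` prefix in the title. If it is meant to ship, the description should say what `cis_rhel8:all:l1_server` does in practice, e.g. `Every rule and variable value of the RHEL8 Level 1 - Server selection is applied to RHEL9 unchanged and has not been validated against RHEL9.` If it is not meant to ship yet, `documentation_complete: false` would keep it out of the build while the inherited selection is reviewed.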
diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile
new file mode 100644
index 0000000000..3ce1c80089
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l1_workstation
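Review bot: `version: 1.0.1` under `metadata` is, as far as the description allows one to tell, the version of the RHEL8 benchmark this profile is projected from, not of a RHEL9 benchmark, which the description says did not exist at release time; nothing in the metadata records that, and `reference` points at the generic CIS Red Hat page rather than a specific document. Once a real RHEL9 benchmark appears, a bare 1.0.1 here will be read as its revision. I would record the provenance next to the value, e.g. `version: 1.0.1  # of the CIS RHEL8 benchmark; no RHEL9 benchmark existed when this draft was made`.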
diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile
new file mode 100644
index 0000000000..84d76b801f
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l2.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l2_workstation
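Review bot: `cis_rhel8:all:l2_workstation` pulls the whole RHEL8 Level 2 selection into RHEL9 with no record of which inherited rules were checked on the new platform, and Level 2 is the selection most likely to contain controls whose packages, paths or platform gating differ between the releases; such rules may come out notapplicable or fail in a RHEL9 scan without anyone noticing. The later commit in this series adds `cce@rhel9` identifiers only to six rules that "freshly made it into the RHEL9 CIS draft", which suggests the rest of the inherited set was not reviewed rule by rule. I would say so next to the selection, e.g. `# Inherits the complete RHEL8 L2 Workstation rule and variable set; nothing has been pruned or re-validated for RHEL9`, and track validation of the L2-only controls (such as the separate-partition requirements the L2 kickstart in this series provisions) as a follow-up.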
From 11c06fcbc1c75bcc17a765d611449af66efcf3e0 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 20 Aug 2021 17:35:21 +0200
Subject: [PATCH 2/4] Add RHEL9 CIS kickstarts
Those are based on their RHEL8 counterparts
---
products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg | 6 +-
.../kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 133 ++++++++++++++++
.../ssg-rhel9-cis_workstation_l1-ks.cfg | 133 ++++++++++++++++
.../ssg-rhel9-cis_workstation_l2-ks.cfg | 143 ++++++++++++++++++
4 files changed, 412 insertions(+), 3 deletions(-)
create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
index 47685726dd..88290ff977 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
@@ -1,6 +1,6 @@
-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 9 Server
+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 9 Server
# Version: 0.0.1
-# Date: 2021-07-13
+# Date: 2021-08-12
#
# Based on:
# https://pykickstart.readthedocs.io/en/latest/
@@ -124,7 +124,7 @@ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
# Harden installation with CIS profile
# For more details and configuration options see
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
%addon com_redhat_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_cis
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
new file mode 100644
index 0000000000..d8d24e4394
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -0,0 +1,133 @@
+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis_server_l1
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
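Review bot: The hash on the `rootpw --iscrypted` line and the hash on the `user --name=admin --groups=wheel` line are for the publicly documented passwords `server` and `admin123` (the comments above them spell the plaintext out), and `firewall --enabled --ssh` makes that wheel account reachable over the network on first boot, so a system installed from this file unmodified has a privileged credential that sits in a public repository; password-quality rules in the CIS profile applied by the `%addon com_redhat_oscap` section act when a password is changed, not on hashes the installer writes. The GRUB hash on the `bootloader` line is in the same position with `password`. I would make the warning explicit rather than leave it to be inferred from "Plaintext password is", e.g. `# WARNING: the hashes below are for publicly known passwords. Generate your own (openssl passwd -6) or use rootpw --lock before installing a system reachable from a network.` Also, the bootloader password comment links to the `#rootpw` anchor; it should point to the `#bootloader` section of the same page.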
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
new file mode 100644
index 0000000000..fb6d0ab9a4
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
@@ -0,0 +1,133 @@
+# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
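Review bot: The header line `# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server` describes a Workstation profile for a "RHEL 9 Server" target, a leftover of the copy from the server kickstart, and the `%addon` comment `# Harden installation with CIS profile` does not say which of the four CIS profiles is meant. The network comment `# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292)` cites a RHEL6 STIG control and CCE that a RHEL9 CIS kickstart cannot be failing, and sends the reader looking for a rule that is not in this profile. I would change the header to `for Red Hat Enterprise Linux 9 Workstation`, name the profile in the `%addon` comment, and either drop the DHCP note or restate it against whatever this profile actually requires, which I cannot confirm from the visible content.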
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
new file mode 100644
index 0000000000..037de3a1b9
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
@@ -0,0 +1,143 @@
+# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
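Review bot: `logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512` gives the audit log 512 MiB with no `--grow`, and a Level 2 selection inherited from the RHEL8 benchmark is where the controls that act when audit logs fill live (4.1.2.3 "Ensure system is disabled when audit logs are full" in that benchmark, if the inherited selection includes it); on a workstation with a steady audit stream a full partition could then stop the machine, and audit volume is partly under a local user's control. The size should be marked as a placeholder, e.g. `# 512 MiB is a test minimum; size to the audit rule set and retention - with the L2 auditd full-disk actions a full partition stops the system`. Separately, `/var/log` and `/var/log/audit` are created without `nodev,nosuid,noexec` while the neighbouring `/tmp` and `/var/tmp` lines set them; nothing should execute from those trees, so the options would cost nothing.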
From 6775cda905bce1f01cc8e89245f7f5d3f53a5b8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 23 Aug 2021 10:16:50 +0200
Subject: [PATCH 3/4] Add CCEs
to rules that freshly made it into the RHEL9 CIS draft.
---
.../ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 +
.../services/ssh/ssh_server/sshd_set_maxstartups/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
.../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 6 ------
7 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index ee54a53dfd..059d25cc7c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82419-3
cce@rhel8: CCE-82420-1
+ cce@rhel9: CCE-86923-0
cce@sle12: CCE-83077-8
cce@sle15: CCE-83270-9
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
index 7aec7ffb2c..5a1bf4906e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-90714-7
cce@rhel8: CCE-90718-8
+ cce@rhel9: CCE-87872-8
references:
cis@rhel7: 5.3.21
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index 62b6f55e00..cf6c38d6f7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83476-2
cce@rhel8: CCE-83478-8
+ cce@rhel9: CCE-86354-8
references:
cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
index 8cc56eb876..0eae61281f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83479-6
cce@rhel8: CCE-83480-4
+ cce@rhel9: CCE-89176-2
references:
cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index c94de8fa3e..151ad1ebe2 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -22,6 +22,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80199-3
cce@rhel8: CCE-85914-0
+ cce@rhel9: CCE-88059-1
references:
cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index bc4fdcc7e0..d9c0be8ccf 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83431-7
cce@rhel8: CCE-85912-4
+ cce@rhel9: CCE-85925-6
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6c33c2e85f..e80f25156e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -50,7 +50,6 @@ CCE-85921-5
CCE-85922-3
CCE-85923-1
CCE-85924-9
-CCE-85925-6
CCE-85926-4
CCE-85927-2
CCE-85928-0
@@ -458,7 +457,6 @@ CCE-86350-6
CCE-86351-4
CCE-86352-2
CCE-86353-0
-CCE-86354-8
CCE-86355-5
CCE-86356-3
CCE-86357-1
@@ -1016,7 +1014,6 @@ CCE-86919-8
CCE-86920-6
CCE-86921-4
CCE-86922-2
-CCE-86923-0
CCE-86924-8
CCE-86925-5
CCE-86926-3
@@ -1947,7 +1944,6 @@ CCE-87868-6
CCE-87869-4
CCE-87870-2
CCE-87871-0
-CCE-87872-8
CCE-87873-6
CCE-87874-4
CCE-87875-1
@@ -2132,7 +2128,6 @@ CCE-88055-9
CCE-88056-7
CCE-88057-5
CCE-88058-3
-CCE-88059-1
CCE-88060-9
CCE-88061-7
CCE-88062-5
@@ -3226,7 +3221,6 @@ CCE-89171-3
CCE-89172-1
CCE-89173-9
CCE-89174-7
-CCE-89176-2
CCE-89177-0
CCE-89178-8
CCE-89179-6
From 6835e3d0d26ac210f2d376fdad647bb37cb22c8d Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 24 Aug 2021 10:43:22 +0200
Subject: [PATCH 4/4] Increase partition size for CIS kickstarts
---
products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 2 +-
products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +-
products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 2 +-
products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
index d8d24e4394..1abcf90304 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016
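Review bot: The new `--size=16896` on the root logical volume carries no rationale, either in the file or in the commit message, which says only that the partition size is increased; because `--grow` is kept, the value is a minimum rather than a fixed allocation, and the next editor has no way to know whether it may be lowered. A comment above the line would capture that, e.g. `# Minimum root LV size raised from 10240 to 16896 MiB; --grow still claims remaining space` — I am assuming the motivation is installation space for the CIS-hardened image, so adjust the wording if the reason differs. The same change is repeated in ssg-rhel9-cis_workstation_l1-ks.cfg, and the diffstat lists matching RHEL8 kickstart edits that fall outside this excerpt, so the comment should go in all four files.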
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
index fb6d0ab9a4..e18e86f474 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016