From 6b015c09b43ecac4226c5bcf974794a1b2a8d557 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 17:27:09 +0100
Subject: [PATCH 1/8] Add rule for permissions of /etc/motd

---
 .../file_permissions_etc_motd/rule.yml        | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
new file mode 100644
index 0000000000..6d81eb43d1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on Message of the Day Banner'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/motd", perms="0644") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83337-6
+    cce@rhel8: 83338-4
+
+references:
+    cis@rhel7: 1.7.1.4
+    cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/motd
+        filemode: '0644'
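Review bot: The rationale sentence `+    Proper permissions will ensure that only root user can modify the banner.` promises more than this rule checks — the template at the bottom of the hunk is given only `filepath` and `filemode`, so a /etc/motd owned by a non-root user with mode 0644 passes the check while that user can still rewrite the banner shown to everyone at login. Unless owner and group-owner rules for /etc/motd are added elsewhere in this series (none appears in this patch), either add companion `file_owner_etc_motd` / `file_groupowner_etc_motd` rules alongside this one, or narrow the claim to `Proper permissions will ensure that only the file's owner, expected to be root, can modify the banner.` so the rationale matches what the OVAL actually verifies. It would also help a reader to state in the description whether `0644` is enforced as an exact mode or as a maximum, since the `describe_file_permissions` macro output is not visible here.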
From 9448111043016e27bc319cfc6606361edd235f38 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 17:47:09 +0100
Subject: [PATCH 2/8] Add rule for permissions of /etc/issue

---
 .../file_permissions_etc_issue/rule.yml       | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
new file mode 100644
index 0000000000..323c3b93b6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on System Login Banner'
+
+description: |-
+    {{{ describe_file_permissions(file="/etc/issue", perms="0644") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83347-5
+    cce@rhel8: 83348-3
+
+references:
+    cis@rhel7: 1.7.1.5
+    cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/issue
+        filemode: '0644'
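Review bot: As with the /etc/motd rule, the line `+    Proper permissions will ensure that only root user can modify the banner.` is not established by a mode-only check — the template vars are just `filepath` and `filemode`, so ownership of /etc/issue by a non-root account is not detected even though that account could then alter the pre-login banner presented by getty. If no `file_owner_etc_issue` / `file_groupowner_etc_issue` rules accompany this one, consider adding them, or reword the rationale to `Proper permissions will ensure that only the file's owner, expected to be root, can modify the banner.` so the stated guarantee matches the check. A short note on whether the rule's remediation overwrites a stricter existing mode (for example 0600) would also prevent surprises on hardened hosts, if the `file_permissions` template behaves that way.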
From 927265b500b38a9ba0eefd94ecce5de4c8fc3ac2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:12:48 +0100
Subject: [PATCH 3/8] Select rules for /etc/crontab permissions

---
 .../services/cron_and_at/file_groupowner_crontab/rule.yml   | 3 ++-
 .../guide/services/cron_and_at/file_owner_crontab/rule.yml  | 3 ++-
 .../services/cron_and_at/file_permissions_crontab/rule.yml  | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 8df80cb535..29d0c882b4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82223-9
 
 references:
-    cis: 5.1.2
+    cis@rhel7: 5.1.2
+    cis@rhel8: 5.1.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index a10a283a86..6ac696229f 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82224-7
 
 references:
-    cis: 5.1.2
+    cis@rhel7: 5.1.2
+    cis@rhel8: 5.1.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 126bffd0bb..f587ab67ef 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82206-4
 
 references:
-    cis: 5.1.2
+    cis@rhel7: 5.1.2
+    cis@rhel8: 5.1.2
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
From 51d320c401981dd06d097bb2850c9a7aa6977059 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:16:22 +0100
Subject: [PATCH 4/8] Select rules for /etc/cron.hourly permissions

---
 .../cron_and_at/file_groupowner_cron_hourly/rule.yml        | 3 ++-
 .../services/cron_and_at/file_owner_cron_hourly/rule.yml    | 3 ++-
 .../cron_and_at/file_permissions_cron_hourly/rule.yml       | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index c3545bca73..514dc5510e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82227-0
 
 references:
-    cis: 5.1.3
+    cis@rhel7: 5.1.3
+    cis@rhel8: 5.1.3
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 298a03bbec..2b4a8c6047 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82209-8
 
 references:
-    cis: 5.1.3
+    cis@rhel7: 5.1.3
+    cis@rhel8: 5.1.3
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 1d06872cf4..e726d64966 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82230-4
 
 references:
-    cis: 5.1.3
+    cis@rhel7: 5.1.3
+    cis@rhel8: 5.1.3
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
From 94cd82ae26481d8d7343fcc65e6b2f5e88cefd3b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:18:41 +0100
Subject: [PATCH 5/8] Select rules for /etc/cron.daily permissions

---
 .../cron_and_at/file_groupowner_cron_daily/rule.yml         | 3 ++-
 .../services/cron_and_at/file_owner_cron_daily/rule.yml     | 3 ++-
 .../cron_and_at/file_permissions_cron_daily/rule.yml        | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 53e1800074..38e4fdde5e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82234-6
 
 references:
-    cis: 5.1.4
+    cis@rhel7: 5.1.4
+    cis@rhel8: 5.1.4
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index ed6e76e419..86625ac049 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82237-9
 
 references:
-    cis: 5.1.4
+    cis@rhel7: 5.1.4
+    cis@rhel8: 5.1.4
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 4313ffb6ab..6e57b028cd 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82240-3
 
 references:
-    cis: 5.1.4
+    cis@rhel7: 5.1.4
+    cis@rhel8: 5.1.4
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
From a8d0f1253631913f27bcb9f6d70b46234feda723 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:21:12 +0100
Subject: [PATCH 6/8] Select rules for /etc/cron.weekly permissions

---
 .../cron_and_at/file_groupowner_cron_weekly/rule.yml        | 3 ++-
 .../services/cron_and_at/file_owner_cron_weekly/rule.yml    | 3 ++-
 .../cron_and_at/file_permissions_cron_weekly/rule.yml       | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index de1ac8c656..4760ea55f6 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82244-5
 
 references:
-    cis: 5.1.5
+    cis@rhel7: 5.1.5
+    cis@rhel8: 5.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index f5bba63516..e5e3de8cd1 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82247-8
 
 references:
-    cis: 5.1.5
+    cis@rhel7: 5.1.5
+    cis@rhel8: 5.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 523ea17731..daf345338a 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82253-6
 
 references:
-    cis: 5.1.5
+    cis@rhel7: 5.1.5
+    cis@rhel8: 5.1.5
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
From 35176b1486c57bfd6a981a8719de65f09d200380 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:25:12 +0100
Subject: [PATCH 7/8] Select rules for /etc/cron.monthly permissions

---
 .../cron_and_at/file_groupowner_cron_monthly/rule.yml       | 3 ++-
 .../services/cron_and_at/file_owner_cron_monthly/rule.yml   | 3 ++-
 .../cron_and_at/file_permissions_cron_monthly/rule.yml      | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index a664d78b0a..2a11340ec4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82256-9
 
 references:
-    cis: 5.1.6
+    cis@rhel7: 5.1.6
+    cis@rhel8: 5.1.6
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 35f2bc19ed..76c671aa06 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82260-1
 
 references:
-    cis: 5.1.6
+    cis@rhel7: 5.1.6
+    cis@rhel8: 5.1.6
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index b4d1863633..cc186ff7a1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82263-5
 
 references:
-    cis: 5.1.6
+    cis@rhel7: 5.1.6
+    cis@rhel8: 5.1.6
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
From 5b839624790399a1dbca16478fef9b3e628df1d4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:27:55 +0100
Subject: [PATCH 8/8] Select rules for /etc/cron.d permissions

---
 .../services/cron_and_at/file_groupowner_cron_d/rule.yml    | 3 ++-
 .../guide/services/cron_and_at/file_owner_cron_d/rule.yml   | 3 ++-
 .../services/cron_and_at/file_permissions_cron_d/rule.yml   | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 3add79db18..6b1a3faf05 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82268-4
 
 references:
-    cis: 5.1.7
+    cis@rhel7: 5.1.7
+    cis@rhel8: 5.1.7
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 8778109761..88586a0268 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82272-6
 
 references:
-    cis: 5.1.7
+    cis@rhel7: 5.1.7
+    cis@rhel8: 5.1.7
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index cd0dc6167a..f904dce932 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
     cce@rhel8: 82277-5
 
 references:
-    cis: 5.1.7
+    cis@rhel7: 5.1.7
+    cis@rhel8: 5.1.7
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227