From 6b015c09b43ecac4226c5bcf974794a1b2a8d557 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 17:27:09 +0100
Subject: [PATCH 1/8] Add rule for permissions of /etc/motd
---
.../file_permissions_etc_motd/rule.yml | 33 +++++++++++++++++++
3 files changed, 35 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
new file mode 100644
index 0000000000..6d81eb43d1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on Message of the Day Banner'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/motd", perms="0644") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.<br />
+ Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83337-6
+ cce@rhel8: 83338-4
+
+references:
+ cis@rhel7: 1.7.1.4
+ cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/motd
+ filemode: '0644'
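Review bot: The `references` block maps this rule to CIS items (`cis@rhel7: 1.7.1.4`, `cis@rhel8: 1.8.1.4`) which, as far as I recall, require `/etc/motd` to be owned by root:root as well as being mode 0644, yet the rule only checks the mode through the `file_permissions` template. A banner file owned by an unprivileged user is still writable by that user at 0644, so the rationale line `Proper permissions will ensure that only root user can modify the banner.` overstates what this check guarantees on its own. Either companion `file_owner_*`/`file_groupowner_*` rules for the banner should exist in the same series (hedged: they may live outside this patch), or the rationale should read `Proper permissions, together with root ownership, ensure that only the root user can modify the banner.`. The same point applies to the `/etc/issue` rule added in patch 2/8.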
From 9448111043016e27bc319cfc6606361edd235f38 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 17:47:09 +0100
Subject: [PATCH 2/8] Add rule for permissions of /etc/issue
---
.../file_permissions_etc_issue/rule.yml | 33 +++++++++++++++++++
3 files changed, 35 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
new file mode 100644
index 0000000000..323c3b93b6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on System Login Banner'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/issue", perms="0644") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.<br />
+ Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83347-5
+ cce@rhel8: 83348-3
+
+references:
+ cis@rhel7: 1.7.1.5
+ cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/issue
+ filemode: '0644'
From 927265b500b38a9ba0eefd94ecce5de4c8fc3ac2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:12:48 +0100
Subject: [PATCH 3/8] Select rules for /etc/crontab permissions
---
.../services/cron_and_at/file_groupowner_crontab/rule.yml | 3 ++-
.../guide/services/cron_and_at/file_owner_crontab/rule.yml | 3 ++-
.../services/cron_and_at/file_permissions_crontab/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 8df80cb535..29d0c882b4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82223-9
references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
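Review bot: Dropping the unqualified `cis: 5.1.2` in favour of `cis@rhel7`/`cis@rhel8` removes the CIS reference from any other product that builds this rule (derivatives or other distributions that previously inherited the generic key), unless the build resolves product-qualified references for derivatives — worth confirming before merging. Since the value is identical for both products here, keeping `cis: 5.1.2` alongside the qualified keys (or keeping only the generic key) would preserve that coverage while still satisfying product-specific lookups. The same change is repeated in every hunk of patches 3/8 through 8/8 (`file_owner_*`, `file_groupowner_*`, `file_permissions_*` for crontab, cron.hourly, cron.daily, cron.weekly, cron.monthly and cron.d), so whichever resolution is chosen should be applied uniformly.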
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index a10a283a86..6ac696229f 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82224-7
references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 126bffd0bb..f587ab67ef 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82206-4
references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
From 51d320c401981dd06d097bb2850c9a7aa6977059 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:16:22 +0100
Subject: [PATCH 4/8] Select rules for /etc/cron.hourly permissions
---
.../cron_and_at/file_groupowner_cron_hourly/rule.yml | 3 ++-
.../services/cron_and_at/file_owner_cron_hourly/rule.yml | 3 ++-
.../cron_and_at/file_permissions_cron_hourly/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index c3545bca73..514dc5510e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82227-0
references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 298a03bbec..2b4a8c6047 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82209-8
references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 1d06872cf4..e726d64966 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82230-4
references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
From 94cd82ae26481d8d7343fcc65e6b2f5e88cefd3b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:18:41 +0100
Subject: [PATCH 5/8] Select rules for /etc/cron.daily permissions
---
.../cron_and_at/file_groupowner_cron_daily/rule.yml | 3 ++-
.../services/cron_and_at/file_owner_cron_daily/rule.yml | 3 ++-
.../cron_and_at/file_permissions_cron_daily/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 53e1800074..38e4fdde5e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82234-6
references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index ed6e76e419..86625ac049 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82237-9
references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 4313ffb6ab..6e57b028cd 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82240-3
references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
From a8d0f1253631913f27bcb9f6d70b46234feda723 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:21:12 +0100
Subject: [PATCH 6/8] Select rules for /etc/cron.weekly permissions
---
.../cron_and_at/file_groupowner_cron_weekly/rule.yml | 3 ++-
.../services/cron_and_at/file_owner_cron_weekly/rule.yml | 3 ++-
.../cron_and_at/file_permissions_cron_weekly/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index de1ac8c656..4760ea55f6 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82244-5
references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index f5bba63516..e5e3de8cd1 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82247-8
references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 523ea17731..daf345338a 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82253-6
references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
From 35176b1486c57bfd6a981a8719de65f09d200380 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:25:12 +0100
Subject: [PATCH 7/8] Select rules for /etc/cron.monthly permissions
---
.../cron_and_at/file_groupowner_cron_monthly/rule.yml | 3 ++-
.../services/cron_and_at/file_owner_cron_monthly/rule.yml | 3 ++-
.../cron_and_at/file_permissions_cron_monthly/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index a664d78b0a..2a11340ec4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82256-9
references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 35f2bc19ed..76c671aa06 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82260-1
references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index b4d1863633..cc186ff7a1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82263-5
references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
From 5b839624790399a1dbca16478fef9b3e628df1d4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 Mar 2020 19:27:55 +0100
Subject: [PATCH 8/8] Select rules for /etc/cron.d permissions
---
.../services/cron_and_at/file_groupowner_cron_d/rule.yml | 3 ++-
.../guide/services/cron_and_at/file_owner_cron_d/rule.yml | 3 ++-
.../services/cron_and_at/file_permissions_cron_d/rule.yml | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 3add79db18..6b1a3faf05 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82268-4
references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 8778109761..88586a0268 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82272-6
references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index cd0dc6167a..f904dce932 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
cce@rhel8: 82277-5
references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227