From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Tue, 29 Jun 2021 14:37:28 +0100 Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files per-benchmark
---
 products/rhel8/profiles/cis.profile | 1080 +---------------- products/rhel8/profiles/cis_server_l1.profile | 22 + .../rhel8/profiles/cis_workstation_l1.profile | 22 + .../rhel8/profiles/cis_workstation_l2.profile | 22 + 4 files changed, 72 insertions(+), 1074 deletions(-) create mode 100644 products/rhel8/profiles/cis_server_l1.profile create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile
diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
index c22ae86d076..4a00c24e0f7 100644
--- a/products/rhel8/profiles/cis.profile
+++ b/products/rhel8/profiles/cis.profile
@@ -1,1090 +1,22 @@ documentation_complete: true metadata: - version: 1.0.0 + version: 1.0.1 SMEs: - vojtapolasek - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ -title: 'CIS Red Hat Enterprise Linux 8 Benchmark' +title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server' description: |- - This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. + This profile defines a baseline that aligns to the "Level 2 - Server" + configuration from the Center for Internet Security® Red Hat Enterprise + Linux 8 Benchmark™, v1.0.1, released 2021-05-19. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. selections: - # Necessary for dconf rules - - dconf_db_up_to_date - - ### Partitioning - - mount_option_home_nodev - - ## 1.1 Filesystem Configuration - - ### 1.1.1 Disable unused filesystems - - #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) - - kernel_module_cramfs_disabled - - #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) - - - #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) - - kernel_module_squashfs_disabled - - #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) - - kernel_module_udf_disabled - - ### 1.1.2 Ensure /tmp is configured (Scored) - - partition_for_tmp - - ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) - - mount_option_tmp_nodev - - ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) - - mount_option_tmp_nosuid - - ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) - - mount_option_tmp_noexec - - ### 1.1.6 Ensure separate partition exists for /var (Scored) - - partition_for_var - - ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) - - partition_for_var_tmp - - ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) - - 
mount_option_var_tmp_nodev - - ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) - - mount_option_var_tmp_nosuid - - ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) - - mount_option_var_tmp_noexec - - ### 1.1.11 Ensure separate partition exists for /var/log (Scored) - - partition_for_var_log - - ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) - - partition_for_var_log_audit - - ### 1.1.13 Ensure separate partition exists for /home (Scored) - - partition_for_home - - ### 1.1.14 Ensure nodev option set on /home partition (Scored) - - mount_option_home_nodev - - ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) - - mount_option_dev_shm_nodev - - ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) - - mount_option_dev_shm_nosuid - - ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) - - mount_option_dev_shm_noexec - - ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) - - mount_option_nodev_removable_partitions - - ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) - - mount_option_nosuid_removable_partitions - - ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) - - mount_option_noexec_removable_partitions - - ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) - - dir_perms_world_writable_sticky_bits - - ### 1.1.22 Disable Automounting (Scored) - - service_autofs_disabled - - ### 1.1.23 Disable USB Storage (Scored) - - kernel_module_usb-storage_disabled - - ## 1.2 Configure Software Updates - - ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218 - - ### 1.2.2 Disable the rhnsd Daemon (Not Scored) - - service_rhnsd_disabled - - ### 1.2.3 Ensure GPG keys are configured (Not Scored) - - ensure_redhat_gpgkey_installed - - ### 1.2.4 Ensure gpgcheck is 
globally activated (Scored) - - ensure_gpgcheck_globally_activated - - ### 1.2.5 Ensure package manager repositories are configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 - - ## 1.3 Configure sudo - - ### 1.3.1 Ensure sudo is installed (Scored) - - package_sudo_installed - - ### 1.3.2 Ensure sudo commands use pty (Scored) - - sudo_add_use_pty - - ### 1.3.3 Ensure sudo log file exists (Scored) - - sudo_custom_logfile - - ## 1.4 Filesystem Integrity Checking - - ### 1.4.1 Ensure AIDE is installed (Scored) - - package_aide_installed - - ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) - - aide_periodic_cron_checking - - ## Secure Boot Settings - - ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) - #### chown root:root /boot/grub2/grub.cfg - - file_owner_grub2_cfg - - file_groupowner_grub2_cfg - - #### chmod og-rwx /boot/grub2/grub.cfg - - file_permissions_grub2_cfg - - #### chown root:root /boot/grub2/grubenv - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 - - #### chmod og-rwx /boot/grub2/grubenv - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 - - ### 1.5.2 Ensure bootloader password is set (Scored) - - grub2_password - - ### 1.5.3 Ensure authentication required for single user mode (Scored) - #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - require_singleuser_auth - - #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - - require_emergency_target_auth - - ## 1.6 Additional Process Hardening - - ### 1.6.1 Ensure core dumps are restricted (Scored) - #### * hard core 0 - - disable_users_coredumps - - #### fs.suid_dumpable = 0 - - sysctl_fs_suid_dumpable - - #### ProcessSizeMax=0 - - coredump_disable_backtraces - - #### Storage=none - - coredump_disable_storage - - ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled - - sysctl_kernel_randomize_va_space - - ## 1.7 Mandatory Access Control - 
- ### 1.7.1 Configure SELinux - - #### 1.7.1.1 Ensure SELinux is installed (Scored) - - package_libselinux_installed - - #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored) - - grub2_enable_selinux - - #### 1.7.1.3 Ensure SELinux policy is configured (Scored) - - var_selinux_policy_name=targeted - - selinux_policytype - - #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) - - var_selinux_state=enforcing - - selinux_state - - #### 1.7.1.5 Ensure no unconfied services exist (Scored) - - selinux_confinement_of_daemons - - #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) - - package_setroubleshoot_removed - - #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) - - package_mcstrans_removed - - ## Warning Banners - - ### 1.8.1 Command Line Warning Baners - - #### 1.8.1.1 Ensure message of the day is configured properly (Scored) - - banner_etc_motd - - #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) - - banner_etc_issue - - #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 - - #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) - # chmod u-x,go-wx /etc/motd - - file_permissions_etc_motd - - #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) - # chmod u-x,go-wx /etc/issue - - file_permissions_etc_issue - - #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) - # Previously addressed via 'rpm_verify_permissions' rule - - ### 1.8.2 Ensure GDM login banner is configured (Scored) - #### banner-message-enable=true - - dconf_gnome_banner_enabled - - #### banner-message-text='' - - dconf_gnome_login_banner_text - - ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) - - security_patches_up_to_date - - ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) - - 
var_system_crypto_policy=future - - configure_crypto_policy - - ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) - # Previously addressed via 'configure_crypto_policy' rule - - # Services - - ## 2.1 inetd Services - - ### 2.1.1 Ensure xinetd is not installed (Scored) - - package_xinetd_removed - - ## 2.2 Special Purpose Services - - ### 2.2.1 Time Synchronization - - #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) - - package_chrony_installed - - #### 2.2.1.2 Ensure chrony is configured (Scored) - - service_chronyd_enabled - - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - - ### 2.2.2 Ensure X Window System is not installed (Scored) - - package_xorg-x11-server-common_removed - - xwindows_runlevel_target - - ### 2.2.3 Ensure rsync service is not enabled (Scored) - - service_rsyncd_disabled - - ### 2.2.4 Ensure Avahi Server is not enabled (Scored) - - service_avahi-daemon_disabled - - ### 2.2.5 Ensure SNMP Server is not enabled (Scored) - - service_snmpd_disabled - - ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) - - package_squid_removed - - ### 2.2.7 Ensure Samba is not enabled (Scored) - - service_smb_disabled - - ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) - - service_dovecot_disabled - - ### 2.2.9 Ensure HTTP server is not enabled (Scored) - - service_httpd_disabled - - ### 2.2.10 Ensure FTP Server is not enabled (Scored) - - service_vsftpd_disabled - - ### 2.2.11 Ensure DNS Server is not enabled (Scored) - - service_named_disabled - - ### 2.2.12 Ensure NFS is not enabled (Scored) - - service_nfs_disabled - - ### 2.2.13 Ensure RPC is not enabled (Scored) - - service_rpcbind_disabled - - ### 2.2.14 Ensure LDAP service is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 - - ### 2.2.15 Ensure DHCP Server is not enabled (Scored) - - service_dhcpd_disabled - - ### 2.2.16 Ensure CUPS is not enabled (Scored) - - service_cups_disabled - - ### 
2.2.17 Ensure NIS Server is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 - - ### 2.2.18 Ensure mail transfer agent is configured for - ### local-only mode (Scored) - - postfix_network_listening_disabled - - ## 2.3 Service Clients - - ### 2.3.1 Ensure NIS Client is not installed (Scored) - - package_ypbind_removed - - ### 2.3.2 Ensure telnet client is not installed (Scored) - - package_telnet_removed - - ### Ensure LDAP client is not installed - - package_openldap-clients_removed - - # 3 Network Configuration - - ## 3.1 Network Parameters (Host Only) - - ### 3.1.1 Ensure IP forwarding is disabled (Scored) - #### net.ipv4.ip_forward = 0 - - sysctl_net_ipv4_ip_forward - - #### net.ipv6.conf.all.forwarding = 0 - - sysctl_net_ipv6_conf_all_forwarding - - ### 3.1.2 Ensure packet redirect sending is disabled (Scored) - #### net.ipv4.conf.all.send_redirects = 0 - - sysctl_net_ipv4_conf_all_send_redirects - - #### net.ipv4.conf.default.send_redirects = 0 - - sysctl_net_ipv4_conf_default_send_redirects - - ## 3.2 Network Parameters (Host and Router) - - ### 3.2.1 Ensure source routed packets are not accepted (Scored) - #### net.ipv4.conf.all.accept_source_route = 0 - - sysctl_net_ipv4_conf_all_accept_source_route - - #### net.ipv4.conf.default.accept_source_route = 0 - - sysctl_net_ipv4_conf_default_accept_source_route - - #### net.ipv6.conf.all.accept_source_route = 0 - - sysctl_net_ipv6_conf_all_accept_source_route - - #### net.ipv6.conf.default.accept_source_route = 0 - - sysctl_net_ipv6_conf_default_accept_source_route - - ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) - #### net.ipv4.conf.all.accept_redirects = 0 - - sysctl_net_ipv4_conf_all_accept_redirects - - #### net.ipv4.conf.default.accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - #### net.ipv6.conf.all.accept_redirects = 0 - - sysctl_net_ipv6_conf_all_accept_redirects - - #### net.ipv6.conf.defaults.accept_redirects = 0 - - 
sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) - #### net.ipv4.conf.all.secure_redirects = 0 - - sysctl_net_ipv4_conf_all_secure_redirects - - #### net.ipv4.cof.default.secure_redirects = 0 - - sysctl_net_ipv4_conf_default_secure_redirects - - ### 3.2.4 Ensure suspicious packets are logged (Scored) - #### net.ipv4.conf.all.log_martians = 1 - - sysctl_net_ipv4_conf_all_log_martians - - #### net.ipv4.conf.default.log_martians = 1 - - sysctl_net_ipv4_conf_default_log_martians - - ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - #### net.ipv4.conf.all.rp_filter = 1 - - sysctl_net_ipv4_conf_all_rp_filter - - #### net.ipv4.conf.default.rp_filter = 1 - - sysctl_net_ipv4_conf_default_rp_filter - - ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) - - sysctl_net_ipv4_tcp_syncookies - - ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) - #### net.ipv6.conf.all.accept_ra = 0 - - sysctl_net_ipv6_conf_all_accept_ra - - #### net.ipv6.conf.default.accept_ra = 0 - - sysctl_net_ipv6_conf_default_accept_ra - - ## 3.3 Uncommon Network Protocols - - ### 3.3.1 Ensure DCCP is disabled (Scored) - - kernel_module_dccp_disabled - - ### Ensure SCTP is disabled (Scored) - - kernel_module_sctp_disabled - - ### 3.3.3 Ensure RDS is disabled (Scored) - - kernel_module_rds_disabled - - ### 3.3.4 Ensure TIPC is disabled (Scored) - - kernel_module_tipc_disabled - - ## 3.4 Firewall Configuration - - ### 3.4.1 Ensure Firewall software is installed - - #### 3.4.1.1 Ensure a Firewall package is installed (Scored) - ##### firewalld - - package_firewalld_installed - - ##### nftables - #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 - - ##### iptables - #- 
package_iptables_installed - - ### 3.4.2 Configure firewalld - - #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) - - service_firewalld_enabled - - #### 3.4.2.2 Ensure iptables is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 - - #### 3.4.2.3 Ensure nftables is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 - - #### 3.4.2.4 Ensure default zone is set (Scored) - - set_firewalld_default_zone - - #### 3.4.2.5 Ensure network interfaces are assigned to - #### appropriate zone (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 - - #### 3.4.2.6 Ensure unnecessary services and ports are not - #### accepted (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 - - ### 3.4.3 Configure nftables - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 - - #### 3.4.3.1 Ensure iptables are flushed (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 - - #### 3.4.3.2 Ensure a table exists (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 - - #### 3.4.3.3 Ensure base chains exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245 - - #### 3.4.3.4 Ensure loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 - - #### 3.4.3.5 Ensure outbound and established connections are - #### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 - - #### 3.4.3.6 Ensure default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 - - #### 3.4.3.7 Ensure nftables service is enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 - - #### 3.4.3.8 Ensure nftables rules are permanent (Scored) - # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5250 - - ### 3.4.4 Configure iptables - - #### 3.4.4.1 Configure IPv4 iptables - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251 - - ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252 - - ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 - - ##### 3.4.4.1.3 Ensure outbound and established connections are - ##### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 - - ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 - - #### 3.4.4.2 Configure IPv6 ip6tables - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 - - ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 - - ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 - - ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are - ##### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 - - ## 3.5 Ensure wireless interfaces are disabled (Scored) - - wireless_disable_interfaces - - ## 3.6 Disable IPv6 (Not Scored) - - kernel_module_ipv6_option_disabled - - # Logging and Auditing - - ## 4.1 Configure System Accounting (auditd) - - ### 4.1.1 Ensure auditing is enabled - - #### 4.1.1.1 Ensure auditd is installed (Scored) - - package_audit_installed - - #### 4.1.1.2 Ensure auditd service is enabled (Scored) - - service_auditd_enabled - - #### 4.1.1.3 Ensure auditing for processes that start prior to audit - #### is enabled (Scored) - - grub2_audit_argument - - #### 4.1.1.4 Ensure 
audit_backlog_limit is sufficient (Scored) - - grub2_audit_backlog_limit_argument - - ### 4.1.2 Configure Data Retention - - #### 4.1.2.1 Ensure audit log storage size is configured (Scored) - - auditd_data_retention_max_log_file - - #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) - - auditd_data_retention_max_log_file_action - - #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) - - var_auditd_space_left_action=email - - auditd_data_retention_space_left_action - - ##### action_mail_acct = root - - var_auditd_action_mail_acct=root - - auditd_data_retention_action_mail_acct - - ##### admin_space_left_action = halt - - var_auditd_admin_space_left_action=halt - - auditd_data_retention_admin_space_left_action - - ### 4.1.3 Ensure changes to system administration scope - ### (sudoers) is collected (Scored) - - audit_rules_sysadmin_actions - - ### 4.1.4 Ensure login and logout events are collected (Scored) - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - ### 4.1.5 Ensure session initiation information is collected (Scored) - - audit_rules_session_events - - ### 4.1.6 Ensure events that modify date and time information - ### are collected (Scored) - #### adjtimex - - audit_rules_time_adjtimex - - #### settimeofday - - audit_rules_time_settimeofday - - #### stime - - audit_rules_time_stime - - #### clock_settime - - audit_rules_time_clock_settime - - #### -w /etc/localtime -p wa - - audit_rules_time_watch_localtime - - ### 4.1.7 Ensure events that modify the system's Mandatory - ### Access Control are collected (Scored) - #### -w /etc/selinux/ -p wa - - audit_rules_mac_modification - - #### -w /usr/share/selinux/ -p wa - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 - - ### 4.1.8 Ensure events that modify the system's network - ### enironment are collected (Scored) - - audit_rules_networkconfig_modification - - ### 4.1.9 Ensure discretionary access control permission 
modification - ### events are collected (Scored) - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_fremovexattr - - ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are - ### collected (Scored) - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate - # Opinionated selection - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - ### 4.1.11 Ensure events that modify user/group information are - ### collected (Scored) - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_shadow - - audit_rules_usergroup_modification_opasswd - - ### 4.1.12 Ensure successful file system mounts are collected (Scored) - - audit_rules_media_export - - ### 4.1.13 Ensure use of privileged commands is collected (Scored) - - audit_rules_privileged_commands - - ### 4.1.14 Ensure file deletion events by users are collected - ### (Scored) - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - # Opinionated selection - - audit_rules_file_deletion_events_rmdir - - ### 4.1.15 Ensure kernel module loading and unloading is collected - ### 
(Scored) - - audit_rules_kernel_module_loading - - ### 4.1.16 Ensure system administrator actions (sudolog) are - ### collected (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516 - - ### 4.1.17 Ensure the audit configuration is immutable (Scored) - - audit_rules_immutable - - ## 4.2 Configure Logging - - ### 4.2.1 Configure rsyslog - - #### 4.2.1.1 Ensure rsyslog is installed (Scored) - - package_rsyslog_installed - - #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) - - service_rsyslog_enabled - - #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) - - rsyslog_files_permissions - - #### 4.2.1.4 Ensure logging is configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 - - #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote - #### log host (Scored) - - rsyslog_remote_loghost - - #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on - #### designated log hosts (Not Scored) - - rsyslog_nolisten - - ### 4.2.2 Configure journald - - #### 4.2.2.1 Ensure journald is configured to send logs to - #### rsyslog (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 - - #### 4.2.2.2 Ensure journald is configured to compress large - #### log files (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521 - - - #### 4.2.2.3 Ensure journald is configured to write logfiles to - #### persistent disk (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 - - ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 - - ## 4.3 Ensure logrotate is configured (Not Scored) - - # 5 Access, Authentication and Authorization - - ## 5.1 Configure cron - - ### 5.1.1 Ensure cron daemon is enabled (Scored) - - service_crond_enabled - - - ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) - # 
chown root:root /etc/crontab - - file_owner_crontab - - file_groupowner_crontab - # chmod og-rwx /etc/crontab - - file_permissions_crontab - - ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) - # chown root:root /etc/cron.hourly - - file_owner_cron_hourly - - file_groupowner_cron_hourly - # chmod og-rwx /etc/cron.hourly - - file_permissions_cron_hourly - - ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) - # chown root:root /etc/cron.daily - - file_owner_cron_daily - - file_groupowner_cron_daily - # chmod og-rwx /etc/cron.daily - - file_permissions_cron_daily - - ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) - # chown root:root /etc/cron.weekly - - file_owner_cron_weekly - - file_groupowner_cron_weekly - # chmod og-rwx /etc/cron.weekly - - file_permissions_cron_weekly - - ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) - # chown root:root /etc/cron.monthly - - file_owner_cron_monthly - - file_groupowner_cron_monthly - # chmod og-rwx /etc/cron.monthly - - file_permissions_cron_monthly - - ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) - # chown root:root /etc/cron.d - - file_owner_cron_d - - file_groupowner_cron_d - # chmod og-rwx /etc/cron.d - - file_permissions_cron_d - - ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) - - - ## 5.2 SSH Server Configuration - - ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) - # chown root:root /etc/ssh/sshd_config - - file_owner_sshd_config - - file_groupowner_sshd_config - - # chmod og-rwx /etc/ssh/sshd_config - - file_permissions_sshd_config - - ### 5.2.2 Ensure SSH access is limited (Scored) - - - ### 5.2.3 Ensure permissions on SSH private host key files are - ### configured (Scored) - # TO DO: The rule sets to 640, but benchmark wants 600 - - file_permissions_sshd_private_key - # TO DO: check owner of private keys in /etc/ssh is root:root - - ### 5.2.4 Ensure 
permissions on SSH public host key files are configured - ### (Scored) - - file_permissions_sshd_pub_key - # TO DO: check owner of pub keys in /etc/ssh is root:root - - ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored) - - sshd_set_loglevel_info - - ### 5.2.6 Ensure SSH X11 forward is disabled (Scored) - - sshd_disable_x11_forwarding - - ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries - - ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) - - sshd_disable_rhosts - - ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored) - - disable_host_auth - - ### 5.2.10 Ensure SSH root login is disabled (Scored) - - sshd_disable_root_login - - ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) - - sshd_disable_empty_passwords - - ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) - - sshd_do_not_permit_user_env - - ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored) - # ClientAliveInterval 300 - - sshd_idle_timeout_value=5_minutes - - sshd_set_idle_timeout - - # ClientAliveCountMax 0 - - var_sshd_set_keepalive=0 - - sshd_set_keepalive_0 - - ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute - ### or less (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525 - - ### 5.2.15 Ensure SSH warning banner is configured (Scored) - - sshd_enable_warning_banner - - ### 5.2.16 Ensure SSH PAM is enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526 - - ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) - - sshd_disable_tcp_forwarding - - ### 5.2.18 Ensure SSH MaxStartups is configured (Scored) - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 - - ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) - - sshd_set_max_sessions - - var_sshd_max_sessions=4 - - ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored) - - 
configure_ssh_crypto_policy - - ## 5.3 Configure authselect - - - ### 5.3.1 Create custom authselectet profile (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530 - - ### 5.3.2 Select authselect profile (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531 - - ### 5.3.3 Ensure authselect includes with-faillock (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532 - - ## 5.4 Configure PAM - - ### 5.4.1 Ensure password creation requirements are configured (Scored) - # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 - - accounts_password_pam_retry - - var_password_pam_minlen=14 - - accounts_password_pam_minlen - - var_password_pam_minclass=4 - - accounts_password_pam_minclass - - ### 5.4.2 Ensure lockout for failed password attempts is - ### configured (Scored) - - var_accounts_passwords_pam_faillock_unlock_time=900 - - var_accounts_passwords_pam_faillock_deny=5 - - accounts_passwords_pam_faillock_unlock_time - - accounts_passwords_pam_faillock_deny - - ### 5.4.3 Ensure password reuse is limited (Scored) - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember - - ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) - - set_password_hashing_algorithm_systemauth - - ## 5.5 User Accounts and Environment - - ### 5.5.1 Set Shadow Password Suite Parameters - - #### 5.5.1 Ensure password expiration is 365 days or less (Scored) - - var_accounts_maximum_age_login_defs=365 - - accounts_maximum_age_login_defs - - #### 5.5.1.2 Ensure minimum days between password changes is 7 - #### or more (Scored) - - var_accounts_minimum_age_login_defs=7 - - accounts_minimum_age_login_defs - - #### 5.5.1.3 Ensure password expiration warning days is - #### 7 or more (Scored) - - var_accounts_password_warn_age_login_defs=7 - - accounts_password_warn_age_login_defs - - #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) - # 
TODO: Rule doesn't check list of users - # https://github.com/ComplianceAsCode/content/issues/5536 - - var_account_disable_post_pw_expiration=30 - - account_disable_post_pw_expiration - - #### 5.5.1.5 Ensure all users last password change date is - #### in the past (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 - - ### 5.5.2 Ensure system accounts are secured (Scored) - - no_shelllogin_for_systemaccounts - - ### 5.5.3 Ensure default user shell timeout is 900 seconds - ### or less (Scored) - - var_accounts_tmout=15_min - - accounts_tmout - - ### 5.5.4 Ensure default group for the root account is - ### GID 0 (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 - - ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) - - var_accounts_user_umask=027 - - accounts_umask_etc_bashrc - - accounts_umask_etc_profile - - ## 5.6 Ensure root login is restricted to system console (Not Scored) - - securetty_root_login_console_only - - no_direct_root_logins - - ## 5.7 Ensure access to the su command is restricted (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541 - - # System Maintenance - - ## 6.1 System File Permissions - - ### 6.1.1 Audit system file permissions (Not Scored) - - rpm_verify_permissions - - rpm_verify_ownership - - ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) - # chown root:root /etc/passwd - - file_owner_etc_passwd - - file_groupowner_etc_passwd - - # chmod 644 /etc/passwd - - file_permissions_etc_passwd - - ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) - # chown root:root /etc/shadow - - file_owner_etc_shadow - - file_groupowner_etc_shadow - - # chmod o-rwx,g-wx /etc/shadow - - file_permissions_etc_shadow - - ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) - # chown root:root /etc/group - - file_owner_etc_group - - file_groupowner_etc_group - - # chmod 644 /etc/group - - 
file_permissions_etc_group - - ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) - # chown root:root /etc/gshadow - - file_owner_etc_gshadow - - file_groupowner_etc_gshadow - - # chmod o-rwx,g-rw /etc/gshadow - - file_permissions_etc_gshadow - - ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) - # chown root:root /etc/passwd- - - file_owner_backup_etc_passwd - - file_groupowner_backup_etc_passwd - - # chmod 644 /etc/passwd- - - file_permissions_backup_etc_passwd - - ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) - # chown root:root /etc/shadow- - - file_owner_backup_etc_shadow - - file_groupowner_backup_etc_shadow - - # chmod 0000 /etc/shadow- - - file_permissions_backup_etc_shadow - - ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) - # chown root:root /etc/group- - - file_owner_backup_etc_group - - file_groupowner_backup_etc_group - - # chmod 644 /etc/group- - - file_permissions_backup_etc_group - - ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) - # chown root:root /etc/gshadow- - - file_owner_backup_etc_gshadow - - file_groupowner_backup_etc_gshadow - - # chmod 0000 /etc/gshadow- - - file_permissions_backup_etc_gshadow - - ### 6.1.10 Ensure no world writable files exist (Scored) - - file_permissions_unauthorized_world_writable - - ### 6.1.11 Ensure no unowned files or directories exist (Scored) - - no_files_unowned_by_user - - ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) - - file_permissions_ungroupowned - - ### 6.1.13 Audit SUID executables (Not Scored) - - file_permissions_unauthorized_suid - - ### 6.1.14 Audit SGID executables (Not Scored) - - file_permissions_unauthorized_sgid - - ## 6.2 User and Group Settings - - ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) - - no_legacy_plus_entries_etc_passwd - - ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) - - no_legacy_plus_entries_etc_shadow - - 
### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) - - no_legacy_plus_entries_etc_group - - ### 6.2.6 Ensure root is the only UID 0 account (Scored) - - accounts_no_uid_except_zero - - ### 6.2.7 Ensure users' home directories permissions are 750 - ### or more restrictive (Scored) - - file_permissions_home_dirs - - ### 6.2.8 Ensure users own their home directories (Scored) - # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 - - file_groupownership_home_directories - - ### 6.2.9 Ensure users' dot files are not group or world - ### writable (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 - - ### 6.2.10 Ensure no users have .forward files (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 - - ### 6.2.11 Ensure no users have .netrc files (Scored) - - no_netrc_files - - ### 6.2.12 Ensure users' .netrc Files are not group or - ### world accessible (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 - - ### 6.2.13 Ensure no users have .rhosts files (Scored) - - no_rsh_trust_files - - ### 6.2.14 Ensure all groups in /etc/passwd exist in - ### /etc/group (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503 - - ### 6.2.15 Ensure no duplicate UIDs exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 - - ### 6.2.16 Ensure no duplicate GIDs exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 - - ### 6.2.17 Ensure no duplicate user names exist (Scored) - - account_unique_name - - ### 6.2.18 Ensure no duplicate group names exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500 - - ### 6.2.19 Ensure shadow group is empty (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 - - ### 6.2.20 Ensure all users' home directories exist (Scored) - - 
accounts_user_interactive_home_directory_exists + - cis_rhel8:all:l2_server diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile new file mode 100644 index 00000000000..7b4518e15a5 --- /dev/null +++ b/products/rhel8/profiles/cis_server_l1.profile @@ -0,0 +1,22 @@ +documentation_complete: true + +metadata: + version: 1.0.1 + SMEs: + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server' + +description: |- + This profile defines a baseline that aligns to the "Level 1 - Server" + configuration from the Center for Internet Security® Red Hat Enterprise + Linux 8 Benchmark™, v1.0.1, released 2021-05-19. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + +selections: + - cis_rhel8:all:l1_server diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile new file mode 100644 index 00000000000..230e4c2f0ba --- /dev/null +++ b/products/rhel8/profiles/cis_workstation_l1.profile @@ -0,0 +1,22 @@ +documentation_complete: true + +metadata: + version: 1.0.1 + SMEs: + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 1 - Workstation" + configuration from the Center for Internet Security® Red Hat Enterprise + Linux 8 Benchmark™, v1.0.1, released 2021-05-19. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + +selections: + - cis_rhel8:all:l1_workstation diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile new file mode 100644 index 00000000000..c0d1698c2f0 --- /dev/null 
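Review bot: The new profile selects `cis_rhel8:all:l1_server` (the two workstation profiles in this and the next hunk select `l1_workstation` and `l2_workstation`), but the `cis_rhel8` control file that defines that id and those levels is only introduced in patch 02 of this series, so at this commit the selection presumably resolves to nothing or fails the build. Folding the control file into this patch, or ordering it first, keeps each commit buildable and bisectable. The same dependency applies to the `cis_rhel8:all:l2_server` selection that replaces the inline list in cis.profile.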
+++ b/products/rhel8/profiles/cis_workstation_l2.profile @@ -0,0 +1,22 @@ +documentation_complete: true + +metadata: + version: 1.0.1 + SMEs: + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 2 - Workstation" + configuration from the Center for Internet Security® Red Hat Enterprise + Linux 8 Benchmark™, v1.0.1, released 2021-05-19. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + +selections: + - cis_rhel8:all:l2_workstation From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 1 Jul 2021 16:35:19 +0100 Subject: [PATCH 02/55] Add CIS control file for RHEL 8 --- controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 758 insertions(+) create mode 100644 controls/cis_rhel8.yml diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml new file mode 100644 index 00000000000..a84bb078e34 --- /dev/null +++ b/controls/cis_rhel8.yml 
@@ -0,0 +1,758 @@ +policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' +title: 'CIS Benchmark for Red Hat Enterprise Linux 8' +id: cis_rhel8 +version: '1.0.1' +source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux +levels: + - id: l1_server + - id: l2_server + inherits_from: + - l1_server + - id: l1_workstation + - id: l2_workstation + inherits_from: + - l1_workstation + +controls: + - id: reload_dconf_db + title: Reload Dconf database + levels: + - l1_server + - l1_workstation + notes: <- + This is a helper rule to reload Dconf datbase correctly. + automated: yes + rules: + - dconf_db_up_to_date + + - id: 1.1.1.1 + title: Ensure mounting of cramfs filesystems is disabled (Automated) + levels: + - l1_workstation + - l1_server + automated: yes + rules: + - kernel_module_cramfs_disabled + + - id: 1.1.1.2 + title: Ensure mounting of vFAT filesystems is limited (Manual) + levels: + - l2_workstation + - l2_server + automated: no + related_rules: + - kernel_module_vfat_disabled + + - id: 1.1.1.3 + title: Ensure mounting of squashfs filesystems is disabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - kernel_module_squashfs_disabled + + - id: 1.1.1.4 + title: Ensure mounting of udf filesystems is disabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - kernel_module_udf_disabled + + - id: 1.1.2 + title: Ensure /tmp is configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - partition_for_tmp + + - id: 1.1.3 + title: Ensure nodev option set on /tmp partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_tmp_nodev + + - id: 1.1.4 + title: Ensure nosuid option set on /tmp partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_tmp_nosuid + + - id: 1.1.5 + title: Ensure noexec option set on /tmp partition (Automated) + levels: + - l1_server + - 
l1_workstation + automated: yes + rules: + - mount_option_tmp_noexec + + - id: 1.1.6 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - partition_for_var + + - id: 1.1.7 + title: Ensure separate partition exists for /var/tmp (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - partition_for_var_tmp + + - id: 1.1.8 + title: Ensure nodev option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_var_tmp_nodev + + - id: 1.1.9 + title: Ensure nosuid option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_var_tmp_nosuid + + - id: 1.1.10 + title: Ensure noexec option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_var_tmp_noexec + + - id: 1.1.11 + title: Ensure separate partition exists for /var/log (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - partition_for_var_log + + - id: 1.1.12 + title: Ensure separate partition exists for /var/log/audit (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - partition_for_var_log_audit + + - id: 1.1.13 + title: Ensure separate partition exists for /home (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - partition_for_home + + - id: 1.1.18 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_home_nodev + + - id: 1.1.15 + title: Ensure nodev option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_dev_shm_nodev + + - id: 1.1.16 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + - 
l1_workstation + automated: yes + rules: + - mount_option_dev_shm_nosuid + + - id: 1.1.17 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - mount_option_dev_shm_noexec + + - id: 1.1.18 + title: Ensure nodev option set on removable media partitions (Manual) + levels: + - l1_server + - l1_workstation + automated: no + rules: + - mount_option_nodev_removable_partitions + + - id: 1.1.19 + title: Ensure nosuid option set on removable media partitions (Manual) + levels: + - l1_server + - l1_workstation + automated: no + rules: + - mount_option_nosuid_removable_partitions + + - id: 1.1.20 + title: Ensure noexec option set on removable media partitions (Manual) + levels: + - l1_server + - l1_workstation + automated: no + rules: + - mount_option_noexec_removable_partitions + + - id: 1.1.22 + title: Disable Automounting (Automated) + levels: + - l1_server + - l2_workstation + automated: yes + rules: + - service_autofs_disabled + + - id: 1.1.23 + title: Disable USB Storage (Automated) + levels: + - l1_server + - l2_workstation + automated: yes + rules: + - kernel_module_usb-storage_disabled + + - id: 1.2.1 + title: Ensure Red Hat Subscription Manager connection is configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 1.2.2 + title: Disable the rhnsd Daemon (Manual) + levels: + - l1_server + - l1_workstation + automated: no + related_rules: + - service_rhnsd_disabled + + - id: 1.2.3 + title: Ensure GPG keys are configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + related_rules: + - ensure_redhat_gpgkey_installed + + - id: 1.2.4 + title: Ensure gpgcheck is globally activated (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - ensure_gpgcheck_globally_activated + + - id: 1.2.5 + title: Ensure package manager repositories are configured (Manual) + levels: + - l1_server + - l1_workstation + 
automated: no + + - id: 1.3.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_sudo_installed + + - id: 1.3.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sudo_add_use_pty + + - id: 1.3.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sudo_custom_logfile + + - id: 1.4.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_aide_installed + + - id: 1.4.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - aide_periodic_cron_checking + + - id: 1.5.1 + title: Ensure permissions on bootloader config are configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + - file_permissions_grub2_cfg + + - id: 1.5.1 + title: Ensure bootloader password is set (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - grub2_password + + - id: 1.5.3 + title: Ensure authentication required for single user mode (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - require_singleuser_auth + - require_emergency_target_auth + + - id: 1.6.1 + title: Ensure core dumps are restricted (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - disable_users_coredumps + - sysctl_fs_suid_dumpable + - coredump_disable_backtraces + - coredump_disable_storage + + - id: 1.6.2 + title: Ensure address space layout randomization (ASLR) is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_kernel_randomize_va_space + + - id: 1.7.1.1 + title: Ensure SELinux is installed (Automated) + levels: + - 
l2_server + - l2_workstation + automated: yes + rules: + - package_libselinux_installed + + - id: 1.7.1.1 + title: Ensure SELinux is installed (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - package_libselinux_installed + + - id: 1.7.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - grub2_enable_selinux + + - id: 1.7.1.3 + title: Ensure SELinux policy is configured (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - var_selinux_policy_name=targeted + - selinux_policytype + + - id: 1.7.1.4 + title: Ensure the SELinux state is enforcing (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - var_selinux_state=enforcing + - selinux_state + + - id: 1.7.1.5 + title: Ensure no unconfined services exist (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - selinux_confinement_of_daemons + + - id: 1.7.1.6 + title: Ensure SETroubleshoot is not installed (Automated) + levels: + - l2_server + automated: yes + rules: + - package_setroubleshoot_removed + + - id: 1.7.1.7 + title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - package_mcstrans_removed + + - id: 1.8.1.1 + title: Ensure message of the day is configured properly (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - banner_etc_motd + + - id: 1.8.1.2 + title: Ensure local login warning banner is configured properly (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - banner_etc_issue + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5225 + - id: 1.8.1.3 + title: Ensure remote login warning banner is configured properly (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 
1.8.1.4 + title: Ensure permissions on /etc/motd are configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - file_permissions_etc_motd + + - id: 1.8.1.5 + title: Ensure permissions on /etc/issue are configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - file_permissions_etc_issue + + - id: 1.8.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + + - id: 1.9 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + - l1_workstation + automated: no + related_rules: + - security_patches_up_to_date + + - id: 1.10 + title: Ensure system-wide crypto policy is not legacy (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - configure_crypto_policy + + # This rule works in conjunction with the configure_crypto_policy above. + # If a system is remediated to CIS Level 1, just the rule above will apply + # and will enforce the default value for var_system_crypto_policy (DEFAULT). + # If the system is remediated to Level 2 then this rule will be selected, + # and the value applied by the rule above will will be overridden to + # FUTURE through the var_system_crypto_policy variable. 
+ - id: 1.11 + title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - var_system_crypto_policy=future + + - id: 2.1.1 + title: Ensure xinetd is not installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_xinetd_removed + + - id: 2.2.1.1 + title: Ensure time synchronization is in use (Manual) + levels: + - l1_server + - l1_workstation + automated: no + related_rules: + - package_chrony_installed + + - id: 2.1.1 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_chronyd_enabled + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + + - id: 2.2.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + automated: yes + rules: + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target + + - id: 2.2.3 + title: Ensure rsync service is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_rsyncd_disabled + + - id: 2.2.4 + title: Ensure Avahi Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_avahi-daemon_disabled + + - id: 2.2.5 + title: Ensure SNMP Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_snmpd_disabled + + - id: 2.2.6 + title: Ensure HTTP Proxy Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_squid_removed + + - id: 2.2.7 + title: Ensure Samba is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_smb_disabled + + - id: 2.2.8 + title: Ensure IMAP and POP3 server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_dovecot_disabled + + - id: 2.2.9 + title: Ensure 
HTTP server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_httpd_disabled + + - id: 2.2.10 + title: Ensure FTP Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_vsftpd_disabled + + - id: 2.2.11 + title: Ensure DNS Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_named_disabled + + - id: 2.2.12 + title: Ensure NFS is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_nfs_disabled + + - id: 2.2.13 + title: Ensure RPC is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_rpcbind_disabled + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5231 + - id: 2.2.14 + title: Ensure RPC is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 2.2.15 + title: Ensure DHCP Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_dhcpd_disabled + + - id: 2.2.16 + title: Ensure CUPS is not enabled (Automated) + levels: + - l1_server + - l2_workstation + automated: yes + rules: + - service_cups_disabled + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5232 + - id: 2.2.17 + title: Ensure NIS Server is not enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 2.2.18 + title: Ensure mail transfer agent is configured for local-only mode (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - postfix_network_listening_disabled + + - id: 2.3.1 + title: Ensure NIS Client is not installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_ypbind_removed + + - id: 2.3.2 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + - 
l1_workstation + automated: yes + rules: + - package_telnet_removed + + - id: 2.3.3 + title: Ensure LDAP client is not installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_openldap-clients_removed From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 2 Jul 2021 20:47:49 +0100 Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file --- controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 726 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a84bb078e34..b63dc6cf9e1 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -712,8 +712,8 @@ controls: rules: - service_cups_disabled - # NEEDS RULE - # https://github.com/ComplianceAsCode/content/issues/5232 + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5232 - id: 2.2.17 title: Ensure NIS Server is not enabled (Automated) levels: 
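Review bot: Several control ids in this new file collide or are misnumbered, which would file scan results under the wrong benchmark item: `- id: 1.1.18` is used both for the /home nodev control (1.1.14, judging by its place between 1.1.13 and 1.1.15) and for removable-media nodev, `- id: 1.5.1` is repeated for the bootloader-password control (1.5.3 follows, so 1.5.2 looks intended), the `1.7.1.1` SELinux block appears twice verbatim, and `- id: 2.1.1` is reused for the chrony control that sits between 2.2.1.1 and 2.2.2. Two titles also look copy-pasted: 2.2.2 reads "Ensure chrony is configured" while its rules remove the X Window server, and 2.2.14 repeats 2.2.13's "Ensure RPC is not enabled"; each should be checked against the v1.0.1 benchmark. `notes: <-` on reload_dconf_db is not a block-scalar indicator, so a YAML parser will most likely read the value as the plain scalar `<- This is a helper rule…`; `notes: >-` (with "datbase" → "database") gives the intended folded text. `automated: yes` is a YAML 1.1 truthy value that 1.2 loaders keep as the string "yes"; unless the control loader specifically expects that spelling, `automated: true` is unambiguous.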
@@ -756,3 +756,727 @@ controls: automated: yes rules: - package_openldap-clients_removed + + - id: 3.1.1 + title: Ensure IP forwarding is disabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + + - id: 3.1.2 + title: Ensure packet redirect sending is disabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + + - id: 3.2.1 + title: Ensure source routed packets are not accepted (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route + + - id: 3.2.2 + title: Ensure ICMP redirects are not accepted (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects + + - id: 3.2.3 + title: Ensure secure ICMP redirects are not accepted (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects + + - id: 3.2.4 + title: Ensure suspicious packets are logged (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_default_log_martians + + - id: 3.2.5 + title: Ensure broadcast ICMP requests are ignored (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + + - id: 3.2.6 + title: Ensure bogus ICMP responses are ignored (Automated) + levels: + - 
l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + + - id: 3.2.7 + title: Ensure Reverse Path Filtering is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter + + - id: 3.2.8 + title: Ensure TCP SYN Cookies is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_tcp_syncookies + + - id: 3.2.8 + title: Ensure TCP SYN Cookies is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv4_tcp_syncookies + + - id: 3.2.9 + title: Ensure IPv6 router advertisements are not accepted (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra + + - id: 3.3.1 + title: Ensure DCCP is disabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - kernel_module_dccp_disabled + + - id: 3.3.2 + title: Ensure SCTP is disabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - kernel_module_sctp_disabled + + - id: 3.3.3 + title: Ensure RDS is disabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - kernel_module_rds_disabled + + - id: 3.3.4 + title: Ensure TIPC is disabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - kernel_module_tipc_disabled + + # NEEDS RULE + # This rule is currently quite opinionated and expects firewalld + # as the installed firewall package. But, as per the CIS control, + # this rule should also be satisfied by nftables or iptables. 
+ - id: 3.4.1.1 + title: Ensure a Firewall package is installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_firewalld_installed + + - id: 3.4.2.1 + title: Ensure firewalld service is enabled and running (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_firewalld_enabled + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5238 + - id: 3.4.2.2 + title: Ensure iptables service is not enabled with firewalld (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5239 + - id: 3.4.2.3 + title: Ensure nftables is not enabled with firewalld (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.2.4 + title: Ensure firewalld default zone is set (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - set_firewalld_default_zone + + - id: 3.4.2.5 + title: Ensure network interfaces are assigned to appropriate zone (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.2.6 + title: Ensure firewalld drops unnecessary services and ports (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.3.1 + title: Ensure iptables are flushed with nftables (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5244 + - id: 3.4.3.2 + title: Ensure an nftables table exists (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5245 + - id: 3.4.3.3 + title: Ensure nftables base chains exist (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5246 + - id: 3.4.3.4 + title: Ensure nftables loopback traffic is configured (Automated) + 
levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.3.5 + title: Ensure nftables outbound and established connections are configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5248 + - id: 3.4.3.6 + title: Ensure nftables default deny firewall policy (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5249 + - id: 3.4.3.7 + title: Ensure nftables service is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5250 + - id: 3.4.3.8 + title: Ensure nftables rules are permanent (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5252 + - id: 3.4.4.1.1 + title: Ensure iptables default deny firewall policy (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5253 + - id: 3.4.4.1.2 + title: Ensure iptables loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.4.1.3 + title: Ensure iptables outbound and established connections are configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5255 + - id: 3.4.4.1.4 + title: Ensure iptables firewall rules exist for all open ports (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/7190 + - id: 3.4.4.1.5 + title: Ensure iptables is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5257 + - id: 
3.4.4.2.1 + title: Ensure ip6tables default deny firewall policy (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5258 + - id: 3.4.4.2.2 + title: Ensure ip6tables loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.4.4.2.3 + title: Ensure ip6tables outbound and established connections are configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/7191 + - id: 3.4.4.2.4 + title: Ensure ip6tables firewall rules exist for all open ports (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/7192 + - id: 3.4.4.2.5 + title: Ensure ip6tables is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 3.5 + title: Ensure wireless interfaces are disabled (Automated) + levels: + - l1_server + - l2_workstation + automated: yes + rules: + - wireless_disable_interfaces + + - id: 3.6 + title: Disable IPv6 (Manual) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - kernel_module_ipv6_option_disabled + + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - package_audit_installed + + - id: 4.1.1.2 + title: Ensure auditd service is enabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - service_auditd_enabled + + - id: 4.1.1.3 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - grub2_audit_argument + + - id: 4.1.1.4 + title: Ensure audit_backlog_limit is sufficient (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - 
grub2_audit_backlog_limit_argument + + - id: 4.1.2.1 + title: Ensure audit log storage size is configured (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - auditd_data_retention_max_log_file + + - id: 4.1.2.2 + title: Ensure audit logs are not automatically deleted (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - auditd_data_retention_max_log_file_action + + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + - var_auditd_action_mail_acct=root + - var_auditd_admin_space_left_action=halt + - var_auditd_space_left_action=email + + - id: 4.1.3 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_sysadmin_actions + + - id: 4.1.4 + title: Ensure login and logout events are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + + - id: 4.1.5 + title: Ensure session initiation information is collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_session_events + + - id: 4.1.6 + title: Ensure events that modify date and time information are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + + # NEEDS RULE + # -w /usr/share/selinux/ -p wa + # https://github.com/ComplianceAsCode/content/issues/5264 + - id: 4.1.7 + title: Ensure events that modify the system's Mandatory Access Controls 
are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_mac_modification + + - id: 4.1.8 + title: Ensure events that modify the system's network environment are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_networkconfig_modification + + - id: 4.1.9 + title: Ensure discretionary access control permission modification events are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + + - id: 4.1.10 + title: Ensure unsuccessful unauthorized file access attempts are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + # Opinionated selection + - audit_rules_unsuccessful_file_modification_open_by_handle_at + + - id: 4.1.11 + title: Ensure events that modify user/group information are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - 
audit_rules_usergroup_modification_shadow + + - id: 4.1.12 + title: Ensure successful file system mounts are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_media_export + + - id: 4.1.13 + title: Ensure use of privileged commands is collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_privileged_commands + + - id: 4.1.14 + title: Ensure file deletion events by users are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + # Opinionated selection + - audit_rules_file_deletion_events_rmdir + + - id: 4.1.15 + title: Ensure kernel module loading and unloading is collected (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_kernel_module_loading + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5516 + - id: 4.1.16 + title: Ensure system administrator actions (sudolog) are collected (Automated) + levels: + - l2_server + - l2_workstation + automated: no + + - id: 4.1.17 + title: Ensure the audit configuration is immutable (Automated) + levels: + - l2_server + - l2_workstation + automated: yes + rules: + - audit_rules_immutable + + - id: 4.2.1.1 + title: Ensure rsyslog is installed (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - package_rsyslog_installed + + - id: 4.2.1.2 + title: Ensure rsyslog Service is enabled (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - service_rsyslog_enabled + + - id: 4.2.1.3 + title: Ensure rsyslog default file permissions configured (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - rsyslog_files_permissions + + - id: 4.2.1.4 + title: Ensure 
logging is configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - rsyslog_remote_loghost + + - id: 4.2.1.6 + title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) + levels: + - l1_server + - l1_workstation + automated: no + related_rules: + - rsyslog_nolisten + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5520 + - id: 4.2.2.1 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5521 + - id: 4.2.2.2 + title: Ensure journald is configured to compress large log files (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5522 + - id: 4.2.2.3 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5523 + - id: 4.2.3 + title: Ensure permissions on all logfiles are configured (Automated) + levels: + - l1_server + - l1_workstation + automated: no + + - id: 4.3 + title: Ensure logrotate is configured (Manual) + levels: + - l1_server + - l1_workstation + automated: no From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Sat, 3 Jul 2021 12:08:31 +0100 Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file --- controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 460 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index b63dc6cf9e1..85c821bc60d 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1480,3 +1480,463 @@ controls: - l1_server - l1_workstation automated: no
+
+ - id: 5.1.1
+ title: Ensure cron daemon is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - service_crond_enabled
+
+ - id: 5.1.2
+ title: Ensure permissions on /etc/crontab are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+
+ - id: 5.1.3
+ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+
+ - id: 5.1.4
+ title: Ensure permissions on /etc/cron.daily are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+
+ - id: 5.1.5
+ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+
+ - id: 5.1.6
+ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+
+ - id: 5.1.7
+ title: Ensure permissions on /etc/cron.d are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7195
+ - id: 5.1.8
+ title: Ensure at/cron is restricted to authorized users (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.1
+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7196
+ - id: 5.2.2
+ title: Ensure SSH access is limited (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # TODO
+ # Rule sets permissions to 0640 but benchmark wants it to be 0600
+ #
+ # TODO
+ # Check owner of private keys in /etc/ssh is root:root
+ - id: 5.2.3
+ title: Ensure permissions on SSH private host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_sshd_private_key
+
+ # TODO
+ # Check owner of public keys in /etc/ssh is root:root
+ - id: 5.2.4
+ title: Ensure permissions on SSH public host key files are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_sshd_pub_key
+
+ - id: 5.2.5
+ title: Ensure SSH LogLevel is appropriate (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_loglevel_info
+
+ - id: 5.2.6
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_x11_forwarding
+
+ - id: 5.2.7
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ - id: 5.2.8
+ title: Ensure SSH IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_rhosts
+
+ - id: 5.2.9
+ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - disable_host_auth
+
+ - id: 5.2.10
+ title: Ensure SSH root login is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_root_login
+
+ - id: 5.2.11
+ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_disable_empty_passwords
+
+ - id: 5.2.12
+ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_do_not_permit_user_env
+
+ - id: 5.2.13
+ title: Ensure SSH Idle Timeout Interval is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive_0
+ - var_sshd_set_keepalive=0
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5525
+ - id: 5.2.14
+ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.15
+ title: Ensure SSH warning banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_enable_warning_banner
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5526
+ - id: 5.2.16
+ title: Ensure SSH PAM is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.2.17
+ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ automated: yes
+ rules:
+ - sshd_disable_tcp_forwarding
+
+ - id: 5.2.18
+ title: Ensure SSH MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_maxstartups
+
+ - id: 5.2.19
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=4
+
+ - id: 5.2.20
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - configure_ssh_crypto_policy
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5530
+ - id: 5.3.1
+ title: Create custom authselect profile (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5531
+ - id: 5.3.2
+ title: Select authselect profile (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5532
+ - id: 5.3.2
+ title: Ensure authselect includes with-faillock (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE: try_first_pass
+ # https://github.com/ComplianceAsCode/content/issues/5533
+ - id: 5.4.1
+ title: Ensure password creation requirements are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+
+ - id: 5.4.2
+ title: Ensure lockout for failed password attempts is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+
+ - id: 5.4.3
+ title: Ensure password reuse is limited (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_pam_unix_remember
+ - var_password_pam_unix_remember=5
+
+ - id: 5.4.4
+ title: Ensure password hashing algorithm is SHA-512 (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - set_password_hashing_algorithm_systemauth
+
+ - id: 5.5.1.1
+ title: Ensure password expiration is 365 days or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+
+ - id: 5.5.1.2
+ title: Ensure minimum days between password changes is 7 or more (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+
+ - id: 5.5.1.3
+ title: Ensure password expiration warning days is 7 or more (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+
+ # TODO
+ # Rule doesn't check list of users
+ - id: 5.5.1.4
+ title: Ensure inactive password lock is 30 days or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5537
+ - id: 5.5.1.5
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.5.2
+ title: Ensure system accounts are secured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_shelllogin_for_systemaccounts
+
+ - id: 5.5.3
+ title: Ensure default user shell timeout is 900 seconds or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5539
+ - id: 5.5.4
+ title: Ensure default group for the root account is GID 0 (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 5.5.5
+ title: Ensure default user umask is 027 or more restrictive (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+ - id: 5.6
+ title: Ensure root login is restricted to system console (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - no_direct_root_logins
+ - securetty_root_login_console_only
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5541
+ - id: 5.7
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Sat, 3 Jul 2021 12:33:15 +0100 Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file --- controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++ 1 file changed, 325 insertions(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 85c821bc60d..bc77e25d122 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
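Review bot: The Section 5 hunk assigns the id `5.3.2` to two controls, "Select authselect profile" and "Ensure authselect includes with-faillock", so any consumer that keys controls by id will silently keep only one of them; the with-faillock entry is presumably the next benchmark item and needs its own id (5.3.3 if the numbering is sequential — verify against the 1.0.1 text). In the same hunk 5.2.3 is marked `automated: yes` even though the TODO above it records that `file_permissions_sshd_private_key` enforces 0640 where the benchmark requires 0600, so a passing scan would overstate compliance on the host private keys; until the rule is tightened, `automated: no` with the rule listed under `related_rules:` (the form 5.6 uses) is the honest mapping. The hunk ends at 5.7; the `controls:` list it extends begins outside the hunk.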
@@ -1940,3 +1940,328 @@ controls: - l1_server - l1_workstation automated: no
+
+ - id: 6.1.1
+ title: Audit system file permissions (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ related_rules:
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ - id: 6.1.2
+ title: Ensure permissions on /etc/passwd are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 6.1.3
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 6.1.4
+ title: Ensure permissions on /etc/shadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 6.1.5
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 6.1.6
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 6.1.7
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 6.1.8
+ title: Ensure permissions on /etc/group are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 6.1.9
+ title: Ensure permissions on /etc/group- are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 6.1.10
+ title: Ensure no world writable files exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_unauthorized_world_writable
+
+ - id: 6.1.11
+ title: Ensure no unowned files or directories exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_files_unowned_by_user
+
+ - id: 6.1.12
+ title: Ensure no ungrouped files or directories exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_ungroupowned
+
+ - id: 6.1.13
+ title: Audit SUID executables (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - file_permissions_unauthorized_suid
+
+ - id: 6.1.14
+ title: Audit SGID executables (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+ rules:
+ - file_permissions_unauthorized_sgid
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7197
+ - id: 6.2.1
+ title: Ensure password fields are not empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.2
+ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_passwd
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7198
+ - id: 6.2.3
+ title: Ensure root PATH Integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.4
+ title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_shadow
+
+ - id: 6.2.5
+ title: Ensure no legacy "+" entries exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_legacy_plus_entries_etc_group
+
+ - id: 6.2.6
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_no_uid_except_zero
+
+ - id: 6.2.7
+ title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_permissions_home_dirs
+
+ # NEEDS RULE (for user ownership)
+ # https://github.com/ComplianceAsCode/content/issues/5507
+ - id: 6.2.8
+ title: Ensure users own their home directories (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - file_groupownership_home_directories
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5506
+ - id: 6.2.9
+ title: Ensure users' dot files are not group or world writable (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5505
+ - id: 6.2.10
+ title: Ensure no users have .forward files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.11
+ title: Ensure no users have .netrc files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_netrc_files
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5504
+ - id: 6.2.12
+ title: Ensure users' .netrc Files are not group or world accessible (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.13
+ title: Ensure no users have .rhosts files (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - no_rsh_trust_files
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5503
+ - id: 6.2.14
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5502
+ - id: 6.2.15
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5501
+ - id: 6.2.16
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.17
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - account_unique_name
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5500
+ - id: 6.2.18
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5499
+ - id: 6.2.19
+ title: Ensure shadow group is empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: no
+
+ - id: 6.2.20
+ title: Ensure shadow group is empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ automated: yes
+ rules:
+ - accounts_user_interactive_home_directory_exists
From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Sat, 3 Jul 2021 12:36:01 +0100 Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint --- controls/cis_rhel8.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bc77e25d122..161a2aac58e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1,3 +1,4 @@ +--- policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' title: 'CIS Benchmark for Red Hat Enterprise Linux 8' id: cis_rhel8
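Review bot: In the Section 6 hunk, 6.2.20 repeats the 6.2.19 title "Ensure shadow group is empty" while selecting `accounts_user_interactive_home_directory_exists`, so the title is a copy-paste slip and should describe the home-directory-exists check the rule actually performs (take the exact wording from the benchmark). 6.1.13 and 6.1.14 are `automated: no` yet list their rule under `rules:`, whereas 6.1.1 in the same hunk puts a Manual control's rules under `related_rules:`; one convention should be used, otherwise an audit-only item gets remediated as if it were automated. 6.2.8 is marked `automated: yes` on `file_groupownership_home_directories` alone although the comment above it says the user-ownership half is still missing, so the control is only partially automated and a pass does not cover what its title promises.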
@@ -1597,7 +1598,7 @@ controls: - l1_workstation automated: yes rules: - - file_permissions_sshd_private_key + - file_permissions_sshd_private_key # TODO # Check owner of public keys in /etc/ssh is root:root @@ -1608,7 +1609,7 @@ controls: - l1_workstation automated: yes rules: - - file_permissions_sshd_pub_key + - file_permissions_sshd_pub_key - id: 5.2.5 title: Ensure SSH LogLevel is appropriate (Automated) @@ -1617,7 +1618,7 @@ controls: - l1_workstation automated: yes rules: - - sshd_set_loglevel_info + - sshd_set_loglevel_info - id: 5.2.6 title: Ensure SSH X11 forwarding is disabled (Automated) @@ -1626,7 +1627,7 @@ controls: - l1_workstation automated: yes rules: - - sshd_disable_x11_forwarding + - sshd_disable_x11_forwarding - id: 5.2.7 title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 9 Jul 2021 00:11:57 +0100 Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR --- controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 161a2aac58e..c93d6128ca4 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -170,7 +170,7 @@ controls: rules: - partition_for_home - - id: 1.1.18 + - id: 1.1.14 title: Ensure nodev option set on /home partition (Automated) levels: - l1_server @@ -212,7 +212,7 @@ controls: - l1_server - l1_workstation automated: no - rules: + related_rules: - mount_option_nodev_removable_partitions - id: 1.1.19 @@ -221,7 +221,7 @@ controls: - l1_server - l1_workstation automated: no - rules: + related_rules: - mount_option_nosuid_removable_partitions - id: 1.1.20 
@@ -230,9 +230,18 @@ controls: - l1_server - l1_workstation automated: no - rules: + related_rules: - mount_option_noexec_removable_partitions + - id: 1.1.21 + title: Ensure sticky bit is set on all world-writable directories (Automated) + levels: + - l1_server + - l1_workstation + automated: yes + rules: + - dir_perms_world_writable_sticky_bits + - id: 1.1.22 title: Disable Automounting (Automated) levels: @@ -348,7 +357,7 @@ controls: - file_groupowner_grub2_cfg - file_permissions_grub2_cfg - - id: 1.5.1 + - id: 1.5.2 title: Ensure bootloader password is set (Automated) levels: - l1_server @@ -356,6 +365,7 @@ controls: automated: yes rules: - grub2_password + - grub2_uefi_password - id: 1.5.3 title: Ensure authentication required for single user mode (Automated) @@ -397,15 +407,6 @@ controls: rules: - package_libselinux_installed - - id: 1.7.1.1 - title: Ensure SELinux is installed (Automated) - levels: - - l2_server - - l2_workstation - automated: yes - rules: - - package_libselinux_installed - - id: 1.7.1.2 title: Ensure SELinux is not disabled in bootloader configuration (Automated) levels: @@ -469,6 +470,7 @@ controls: automated: yes rules: - banner_etc_motd + - login_banner_text=usgcb_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) @@ -478,6 +480,7 @@ controls: automated: yes rules: - banner_etc_issue + - login_banner_text=usgcb_default # NEEDS RULE # https://github.com/ComplianceAsCode/content/issues/5225 @@ -495,6 +498,8 @@ controls: - l1_workstation automated: yes rules: + - file_groupowner_etc_motd + - file_owner_etc_motd - file_permissions_etc_motd - id: 1.8.1.5 
@@ -504,8 +509,19 @@ controls: - l1_workstation automated: yes rules: + - file_groupowner_etc_issue + - file_owner_etc_issue - file_permissions_etc_issue + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/7225 + - id: 1.8.1.6 + title: Ensure permissions on /etc/issue.net are configured (Automated) + levels: + - l1_server + - l1_workstation + automated: no + - id: 1.8.2 title: Ensure GDM login banner is configured (Automated) levels: @@ -515,6 +531,7 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - login_banner_text=usgcb_default - id: 1.9 title: Ensure updates, patches, and additional security software are installed (Manual) From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 16 Jul 2021 14:21:02 +0100 Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional on merge of #7226) --- controls/cis_rhel8.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index c93d6128ca4..9140711fb66 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -550,6 +550,7 @@ controls: automated: yes rules: - configure_crypto_policy + - var_system_crypto_policy=default # This rule works in conjunction with the configure_crypto_policy above. # If a system is remediated to CIS Level 1, just the rule above will apply From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 16 Jul 2021 14:34:41 +0100 Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules --- controls/cis_rhel8.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 9140711fb66..782dc7666f3 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
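Review bot: `var_system_crypto_policy=default` in the PATCH 08 hunk selects a variable option that, per the commit subject, only exists once #7226 merges, so this commit would presumably break the build if it lands first; either gate the merge order or carry the line in that PR. The context comment below explains the Level 1/Level 2 interaction but not why `default` is the Level 1 value; a one-line note such as `# DEFAULT satisfies the Level 1 control; the Level 2 control below overrides this variable` would save the next reader the archaeology (assuming the Level 2 entry does override it, which is outside the hunk). The rest of the `rules:` list for this control is also outside the hunk.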
@@ -585,7 +585,7 @@ controls: related_rules: - package_chrony_installed - - id: 2.1.1 + - id: 2.2.1.2 title: Ensure chrony is configured (Automated) levels: - l1_server @@ -597,13 +597,12 @@ controls: - chronyd_run_as_chrony_user - id: 2.2.2 - title: Ensure chrony is configured (Automated) + title: Ensure X Window System is not installed (Automated) levels: - l1_server automated: yes rules: - - package_xorg-x11-server-common_removed - - xwindows_runlevel_target + - xwindows_remove_packages - id: 2.2.3 title: Ensure rsync service is not enabled (Automated) @@ -639,7 +638,7 @@ controls: - l1_workstation automated: yes rules: - - package_squid_removed + - package_squid_disabled - id: 2.2.7 title: Ensure Samba is not enabled (Automated) @@ -707,7 +706,7 @@ controls: # NEEDS RULE # https://github.com/ComplianceAsCode/content/issues/5231 - id: 2.2.14 - title: Ensure RPC is not enabled (Automated) + title: Ensure LDAP server is not enabled (Automated) levels: - l1_server - l1_workstation @@ -748,6 +747,7 @@ controls: automated: yes rules: - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only - id: 2.3.1 title: Ensure NIS Client is not installed (Automated) From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 16 Jul 2021 15:03:09 +0100 Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3 rules --- controls/cis_rhel8.yml | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 782dc7666f3..1d34337411f 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -785,6 +785,7 @@ controls: rules: - sysctl_net_ipv4_ip_forward - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled - id: 3.1.2 title: Ensure packet redirect sending is disabled (Automated) 
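Review bot: The rule id `package_squid_disabled`, introduced for the squid control just before 2.2.7, matches neither naming family the file uses — `package_<name>_removed`/`_installed` for packages (cf. `package_xorg-x11-server-common_removed` removed in the hunk above) and `service_<name>_disabled`/`_enabled` for units (cf. `service_crond_enabled` elsewhere in the file) — so it looks like a slip for `service_squid_disabled`; confirm the id resolves to an existing rule, since an unknown selection is likely to fail the profile build. The 2.2.14 hunk retitles the control to the LDAP server but keeps the `# NEEDS RULE` pointer to issue 5231 that was written under the old RPC title; check that the issue actually tracks the LDAP rule or update the pointer.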
@@ -804,9 +805,13 @@ controls: automated: yes rules: - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - id: 3.2.2 title: Ensure ICMP redirects are not accepted (Automated) @@ -816,9 +821,13 @@ controls: automated: yes rules: - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - id: 3.2.3 title: Ensure secure ICMP redirects are not accepted (Automated) @@ -828,7 +837,9 @@ controls: automated: yes rules: - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - id: 3.2.4 title: Ensure suspicious packets are logged (Automated) @@ -838,7 +849,9 @@ controls: automated: yes rules: - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled - id: 3.2.5 title: Ensure broadcast ICMP requests are ignored (Automated) 
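Review bot: The IPv6 sysctl selections added to 3.2.1 and 3.2.2 (`sysctl_net_ipv6_conf_*_accept_source_route_value` / `_accept_redirects_value`) are scoped by the benchmark to hosts where IPv6 is enabled; on a host booted with `ipv6.disable=1` the `net.ipv6.conf.*` keys do not exist at runtime, so a runtime check of these rules fails for a reason unrelated to the control. Please verify that the selected rules either carry an IPv6 platform condition or only check the persistent configuration, and note the assumption, e.g. `# Applies only when IPv6 is enabled; see 3.1.1`.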
@@ -848,6 +861,7 @@ controls: automated: yes rules: - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - id: 3.2.6 title: Ensure bogus ICMP responses are ignored (Automated) @@ -857,6 +871,7 @@ controls: automated: yes rules: - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - id: 3.2.7 title: Ensure Reverse Path Filtering is enabled (Automated) @@ -866,7 +881,9 @@ controls: automated: yes rules: - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - id: 3.2.8 title: Ensure TCP SYN Cookies is enabled (Automated) @@ -876,15 +893,7 @@ controls: automated: yes rules: - sysctl_net_ipv4_tcp_syncookies - - - id: 3.2.8 - title: Ensure TCP SYN Cookies is enabled (Automated) - levels: - - l1_server - - l1_workstation - automated: yes - rules: - - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled - id: 3.2.9 title: Ensure IPv6 router advertisements are not accepted (Automated) @@ -894,7 +903,9 @@ controls: automated: yes rules: - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - id: 3.3.1 title: Ensure DCCP is disabled (Automated) From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Tue, 20 Jul 2021 08:43:10 +0100 Subject: [PATCH 11/55] Update controls/cis_rhel8.yml Co-authored-by: vojtapolasek --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 1d34337411f..2acf9aef28d 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
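Review bot: The duplicate `3.2.8` entry removed here went unnoticed because control ids live in list items, not mapping keys, so the YAML parser cannot flag them. It would be worth a build-time check that control ids within a controls file are unique; otherwise the profile silently selects the union of both entries and the rendered guide shows the control twice.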
@@ -638,7 +638,7 @@ controls: - l1_workstation automated: yes rules: - - package_squid_disabled + - service_squid_disabled - id: 2.2.7 title: Ensure Samba is not enabled (Automated) From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 30 Jul 2021 22:13:25 +0100 Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 2acf9aef28d..e63fc57ddea 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -351,7 +351,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # This rule, as implemented here, does not check for a user.cfg file rules: - file_owner_grub2_cfg - file_groupowner_grub2_cfg From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 30 Jul 2021 22:19:14 +0100 Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1 --- controls/cis_rhel8.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index e63fc57ddea..2163655d9d3 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -353,8 +353,11 @@ controls: - l1_workstation automated: partially # This rule, as implemented here, does not check for a user.cfg file rules: - - file_owner_grub2_cfg + - file_groupowner_efi_grub2_cfg - file_groupowner_grub2_cfg + - file_owner_efi_grub2_cfg + - file_owner_grub2_cfg + - file_permissions_efi_grub2_cfg - file_permissions_grub2_cfg - id: 1.5.2 From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:11:38 +0100 Subject: [PATCH 14/55] Update controls/cis_rhel8.yml Co-authored-by: vojtapolasek --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
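Review bot: The EFI variants added to 1.5.1 (`file_owner_efi_grub2_cfg`, `file_groupowner_efi_grub2_cfg`, `file_permissions_efi_grub2_cfg`) target a file on the EFI System Partition, which is vfat; ownership and mode there are determined by the mount options (`uid=`, `gid=`, `fmask=`/`umask=`) in `/etc/fstab`, not by chown/chmod, and the benchmark's UEFI remediation is accordingly an fstab change. Please check that these rules are platform-scoped to UEFI boots (they cannot pass on a BIOS host where the file does not exist) and that their remediation works through the mount options rather than chmod. A comment such as `# On UEFI hosts /boot/efi is vfat: mode/ownership come from fstab mount options` would make the limitation visible alongside the existing user.cfg note.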
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 2163655d9d3..aa9c2b6c809 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1655,7 +1655,7 @@ controls: - id: 5.2.6 title: Ensure SSH X11 forwarding is disabled (Automated) levels: - - l1_server + - l2_server - l1_workstation automated: yes rules: From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:22:44 +0100 Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action --- controls/cis_rhel8.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index aa9c2b6c809..af874fd789e 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1234,6 +1234,7 @@ controls: automated: yes rules: - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs - id: 4.1.2.3 title: Ensure system is disabled when audit logs are full (Automated) From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:31:20 +0100 Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6 --- controls/cis_rhel8.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index af874fd789e..af1314325ab 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1225,6 +1225,7 @@ controls: automated: yes rules: - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 - id: 4.1.2.2 title: Ensure audit logs are not automatically deleted (Automated) From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:36:48 +0100 Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not directly align with CIS --- controls/cis_rhel8.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
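Review bot: `var_auditd_max_log_file=6` sets auditd's `max_log_file`, which is the maximum size of one audit log file in megabytes, not the number of log files to keep (that is `num_logs`), so the commit subject and intent do not match what the variable controls. With `max_log_file_action = keep_logs` selected in 4.1.2.2 the file count is unbounded anyway, and the benchmark leaves the size site-specific, so 6 MB is a small default for a busy server. Please correct the description and add `# max_log_file is a per-file size in MB (site-specific per CIS 4.1.2.1)`.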
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index af1314325ab..a81a9ef4605 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1284,11 +1284,10 @@ controls: levels: - l2_server - l2_workstation - automated: yes + automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. rules: - audit_rules_time_adjtimex - audit_rules_time_clock_settime - - audit_rules_time_settimeofday - audit_rules_time_stime - audit_rules_time_watch_localtime From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:37:25 +0100 Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve full automation --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a81a9ef4605..cba86f40c9e 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1299,7 +1299,7 @@ controls: levels: - l2_server - l2_workstation - automated: yes + automated: partial rules: - audit_rules_mac_modification From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:38:54 +0100 Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not align with the benchmark --- controls/cis_rhel8.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index cba86f40c9e..6e8c5cf10f0 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
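Review bot: Dropping `audit_rules_time_settimeofday` from 4.1.4 removes auditing of the settimeofday(2) syscall entirely rather than auditing it with extra parameters, which is a net loss of detection for the sake of benchmark alignment. Consistent with how 4.1.13 is handled later in this series, keep the rule visible under `related_rules:` with the same comment, so the gap is documented and the rule is easy to reinstate once it is aligned.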
@@ -1345,8 +1345,6 @@ controls: - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_openat - audit_rules_unsuccessful_file_modification_truncate - # Opinionated selection - - audit_rules_unsuccessful_file_modification_open_by_handle_at - id: 4.1.11 title: Ensure events that modify user/group information are collected (Automated) From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:41:13 +0100 Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation key --- controls/cis_rhel8.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 6e8c5cf10f0..829f0515cb0 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1284,7 +1284,7 @@ controls: levels: - l2_server - l2_workstation - automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. + automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. rules: - audit_rules_time_adjtimex - audit_rules_time_clock_settime @@ -1299,7 +1299,7 @@ controls: levels: - l2_server - l2_workstation - automated: partial + automated: partially rules: - audit_rules_mac_modification From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:42:57 +0100 Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not align exactly with the benchmark --- controls/cis_rhel8.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 829f0515cb0..76a7c8bbfa9 100644 --- a/controls/cis_rhel8.yml 
+++ b/controls/cis_rhel8.yml @@ -1373,8 +1373,9 @@ controls: levels: - l2_server - l2_workstation - automated: yes - rules: + automated: no + related_rules: + # The rule below is almost correct but cannot be used as it does not set the perm=x flag. - audit_rules_privileged_commands - id: 4.1.14 From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:44:03 +0100 Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not align with the benchmark --- controls/cis_rhel8.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 76a7c8bbfa9..e6a53516666 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1389,8 +1389,6 @@ controls: - audit_rules_file_deletion_events_renameat - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - # Opinionated selection - - audit_rules_file_deletion_events_rmdir - id: 4.1.15 title: Ensure kernel module loading and unloading is collected (Automated) From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:47:53 +0100 Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does not align with the benchmark --- controls/cis_rhel8.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index e6a53516666..327400abd65 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1435,14 +1435,15 @@ controls: rules: - service_rsyslog_enabled + # NEEDS RULE + # The rsyslog_files_permissions rule is not sufficient + # https://github.com/ComplianceAsCode/content/issues/7332 - id: 4.2.1.3 title: Ensure rsyslog default file permissions configured (Automated) levels: - l1_server - l1_workstation - automated: yes - rules: - - rsyslog_files_permissions + automated: no - id: 4.2.1.4 title: Ensure logging is configured (Manual) 
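Review bot: Setting 4.2.1.3 to `automated: no` and removing `rsyslog_files_permissions` means the profile no longer enforces any `$FileCreateMode`, so newly created rsyslog files fall back to rsyslog's default mode until issue 7332 is resolved. Keep the rule under `related_rules:` with a comment explaining why it is insufficient, and state the gap, e.g. `# No remediation for $FileCreateMode 0640 until the aligned rule exists`, so the weakened coverage is visible in the rendered guide.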
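Review bot: For 4.1.13 it is worth noting that the benchmark derives the privileged-command list at audit time by scanning mounted partitions for setuid/setgid binaries, so any static rule such as `audit_rules_privileged_commands` will only ever approximate it; this is a second reason, besides the `perm=x` flag mentioned, that the control cannot be fully automated. A short addition to the comment, e.g. `# The benchmark enumerates setuid/setgid binaries at audit time; a static list cannot match every host`, would prevent re-enabling the rule once `perm=x` is fixed on the assumption that it then fully covers the control.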
From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:52:17 +0100 Subject: [PATCH 24/55] Disable 4.2.1.5 and 5.2.3 as they do not align perfectly with the benchmark --- controls/cis_rhel8.yml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 327400abd65..f5a8ce45848 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1452,14 +1452,15 @@ controls: - l1_workstation automated: no + # NEEDS RULE + # The rsyslog_remote_loghost rule is not sufficient + # https://github.com/ComplianceAsCode/content/issues/7333 - id: 4.2.1.5 title: Ensure rsyslog is configured to send logs to a remote log host (Automated) levels: - l1_server - l1_workstation - automated: yes - rules: - - rsyslog_remote_loghost + automated: no - id: 4.2.1.6 title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) @@ -1617,19 +1618,15 @@ controls: - l1_workstation automated: no - # TODO - # Rule sets permissions to 0640 but benchmark wants it to be 0600 - # - # TODO - # Check owner of private keys in /etc/ssh is root:root + # NEEDS RULE + # The file_permissions_sshd_private_key rule is not aligned with the benchmark + # https://github.com/ComplianceAsCode/content/issues/7334 - id: 5.2.3 title: Ensure permissions on SSH private host key files are configured (Automated) levels: - l1_server - l1_workstation - automated: yes - rules: - - file_permissions_sshd_private_key + automated: no # TODO # Check owner of public keys in /etc/ssh is root:root From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:53:10 +0100 Subject: [PATCH 25/55] 5.2.4 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index f5a8ce45848..0e3fa99d32e 100644 
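Review bot: The new comment for 5.2.3 should record why the benchmark's 0600 root:root expectation is awkward on RHEL 8: the distribution ships `ssh_host_*_key` as root:ssh_keys 0640 so that the ssh-keysign helper can read them for host-based authentication, and a future aligned rule will need to decide whether to follow the benchmark literally or accept the ssh_keys group. Please add `# RHEL 8 default is root:ssh_keys 0640 (ssh-keysign); benchmark expects 0600 root:root` so the tradeoff is visible to whoever writes the rule for issue 7334.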
--- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1635,7 +1635,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially rules: - file_permissions_sshd_pub_key From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Wed, 4 Aug 2021 16:55:32 +0100 Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used properly --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 0e3fa99d32e..439b3265fe9 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1721,7 +1721,7 @@ controls: rules: - sshd_idle_timeout_value=5_minutes - sshd_set_idle_timeout - - sshd_set_keepalive_0 + - sshd_set_keepalive - var_sshd_set_keepalive=0 # NEEDS RULE From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 08:47:24 +0100 Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely with CIS benchmark --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 439b3265fe9..92ac0dd85c5 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -595,9 +595,9 @@ controls: - l1_workstation automated: yes rules: - - service_chronyd_enabled - chronyd_specify_remote_server - chronyd_run_as_chrony_user + - var_multiple_time_servers=rhel - id: 2.2.2 title: Ensure X Window System is not installed (Automated) From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 08:54:14 +0100 Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file --- controls/cis_rhel8.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 92ac0dd85c5..565974817f1 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
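Review bot: Removing `service_chronyd_enabled` from 2.2.1.2 leaves nothing in this control ensuring chronyd is actually running, and `var_multiple_time_servers=rhel` makes remediation point the host at Red Hat's public NTP pool, which many environments block at the egress firewall or replace with internal time sources. The benchmark treats the server list as site-specific, so please comment this line, e.g. `# Site-specific: override var_multiple_time_servers with internal NTP sources`, and confirm that the service-enabled check is covered by another control before dropping it here.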
@@ -1645,7 +1645,12 @@ controls: - l1_server - l1_workstation automated: yes + # The CIS benchmark is not opinionated about which loglevel is selected + # here. Here, this profile uses VERBOSE by default, as it allows for + # the capture of login and logout activity as well as key fingerprints. rules: + - sshd_set_loglevel_verbose + related_rules: - sshd_set_loglevel_info - id: 5.2.6 From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:00:17 +0100 Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses wrong path) --- controls/cis_rhel8.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 565974817f1..53f024fffea 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1738,14 +1738,16 @@ controls: - l1_workstation automated: no + # NEEDS RULE + # The current sshd_enable_warning_banner rule uses /etc/issue instead + # of the /etc/issue.net that the benchmark expects. + # - id: 5.2.15 title: Ensure SSH warning banner is configured (Automated) levels: - l1_server - l1_workstation - automated: yes - rules: - - sshd_enable_warning_banner + automated: no # NEEDS RULE # https://github.com/ComplianceAsCode/content/issues/5526 From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:00:48 +0100 Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups rule in RHEL 8 CIS profile --- controls/cis_rhel8.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 53f024fffea..3345a37d098 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1775,6 +1775,7 @@ controls: automated: yes rules: - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 - id: 5.2.19 title: Ensure SSH MaxSessions is set to 4 or less (Automated) 
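Review bot: The `# NEEDS RULE` comment added for 5.2.15 is the only one in this series without a tracking issue link, so the gap (a banner rule that points sshd at `/etc/issue.net` rather than `/etc/issue`) has nowhere to be followed up. Please open an issue and reference it as the other NEEDS RULE comments do, and keep `sshd_enable_warning_banner` under `related_rules:` so the near-match remains visible in the rendered guide.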
From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:19:43 +0100 Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits for vs the one in the control title --- controls/cis_rhel8.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 3345a37d098..3b6219f3296 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1777,6 +1777,13 @@ controls: - sshd_set_maxstartups - var_sshd_set_maxstartups=10:30:60 + # The title of this control does not appear to match the suggested audit and + # remediation in the CIS Benchmark version 1.0.1 - this profile uses the + # value from the audit and remediation sections of the benchmark rather than + # from the title. + # + # An upstream ticket has been opened about this issue: + # https://workbench.cisecurity.org/community/14/tickets/13414 - id: 5.2.19 title: Ensure SSH MaxSessions is set to 4 or less (Automated) levels: @@ -1785,7 +1792,7 @@ controls: automated: yes rules: - sshd_set_max_sessions - - var_sshd_max_sessions=4 + - var_sshd_max_sessions=10 - id: 5.2.20 title: Ensure system-wide crypto policy is not over-ridden (Automated) From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:20:45 +0100 Subject: [PATCH 32/55] Fix rule ID for 5.3.3 --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 3b6219f3296..55c8378529d 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1823,7 +1823,7 @@ controls: # NEEDS RULE # https://github.com/ComplianceAsCode/content/issues/5532 - - id: 5.3.2 + - id: 5.3.3 title: Ensure authselect includes with-faillock (Automated) levels: - l1_server From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001 
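Review bot: Setting `var_sshd_max_sessions=10` under a control whose title still says "4 or less" will read as a failure to anyone auditing against the title, even though the comment explains the benchmark's own inconsistency. Consider making the divergence explicit in the value's own comment, e.g. `# 10 matches the benchmark's audit/remediation text, not its title; see CIS ticket 13414`, and revisit once the ticket is resolved, since the title may be the intended value in a later benchmark revision.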
From: Alex Haydock Date: Thu, 5 Aug 2021 09:23:40 +0100 Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2 --- controls/cis_rhel8.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 55c8378529d..c7f651994d6 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1845,17 +1845,14 @@ controls: - var_password_pam_minclass=4 - var_password_pam_minlen=14 + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/7337 - id: 5.4.2 title: Ensure lockout for failed password attempts is configured (Automated) levels: - l1_server - l1_workstation - automated: yes - rules: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_passwords_pam_faillock_unlock_time=900 + automated: no - id: 5.4.3 title: Ensure password reuse is limited (Automated) From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:29:15 +0100 Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated --- controls/cis_rhel8.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index c7f651994d6..10816e1ba35 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1830,14 +1830,15 @@ controls: - l1_workstation automated: no - # NEEDS RULE: try_first_pass + # NEEDS RULE + # try_first_pass # https://github.com/ComplianceAsCode/content/issues/5533 - id: 5.4.1 title: Ensure password creation requirements are configured (Automated) levels: - l1_server - l1_workstation - automated: yes + automated: partially rules: - accounts_password_pam_minclass - accounts_password_pam_minlen From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001 
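Review bot: Dropping the faillock rules from 5.4.2 removes the profile's only brute-force lockout remediation, so until issue 7337 lands a remediated system has no failed-login lockout at all; that is a larger security regression than the misalignment being fixed. Keep `accounts_passwords_pam_faillock_deny` and `accounts_passwords_pam_faillock_unlock_time` (with their variable selections) under `related_rules:` and state the gap in the comment, e.g. `# No lockout remediation is applied until the aligned rule exists`.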
From: Alex Haydock Date: Thu, 5 Aug 2021 09:37:15 +0100 Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited" rule from RHEL 7 --- controls/cis_rhel8.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 10816e1ba35..0ea36362832 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1861,9 +1861,15 @@ controls: - l1_server - l1_workstation automated: yes - rules: - - accounts_password_pam_unix_remember - - var_password_pam_unix_remember=5 + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. + See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=required + - var_password_pam_remember=5 - id: 5.4.4 title: Ensure password hashing algorithm is SHA-512 (Automated) From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:41:13 +0100 Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 0ea36362832..be46d870965 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1876,7 +1876,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark. rules: - set_password_hashing_algorithm_systemauth From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001 
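Review bot: The pwhistory rules selected for 5.4.3 edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth`, which on RHEL 8 are managed by authselect; direct edits are discarded the next time `authselect select` or `apply-changes` runs, and the benchmark's own 5.3.x controls require a custom authselect profile for exactly this reason. Please confirm that these rules (and the SHA-512 rule in 5.4.4) remediate via the custom profile rather than the symlinked files, and record it, e.g. `# Remediation must target the custom authselect profile (5.3.1/5.3.2) or it is reverted`.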
From: Alex Haydock Date: Thu, 5 Aug 2021 09:42:57 +0100 Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index be46d870965..e41c2eb4dae 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1885,7 +1885,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control. rules: - accounts_maximum_age_login_defs - var_accounts_maximum_age_login_defs=365 From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:44:17 +0100 Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index e41c2eb4dae..0b2b3d04621 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1895,7 +1895,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control. rules: - accounts_minimum_age_login_defs - var_accounts_minimum_age_login_defs=7 From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:47:22 +0100 Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 0b2b3d04621..70312f6399a 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1905,7 +1905,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control. rules: - accounts_password_warn_age_login_defs - var_accounts_password_warn_age_login_defs=7 From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Thu, 5 Aug 2021 09:47:54 +0100 Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated --- controls/cis_rhel8.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 70312f6399a..42dbf14c816 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1910,14 +1910,12 @@ controls: - accounts_password_warn_age_login_defs - var_accounts_password_warn_age_login_defs=7 - # TODO - # Rule doesn't check list of users - id: 5.5.1.4 title: Ensure inactive password lock is 30 days or less (Automated) levels: - l1_server - l1_workstation - automated: yes + automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control. rules: - account_disable_post_pw_expiration - var_account_disable_post_pw_expiration=30 From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 6 Aug 2021 15:17:53 +0100 Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 42dbf14c816..e8e340e0c36 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1724,7 +1724,7 @@ controls: - l1_workstation automated: yes rules: - - sshd_idle_timeout_value=5_minutes + - sshd_idle_timeout_value=15_minutes - sshd_set_idle_timeout - sshd_set_keepalive - var_sshd_set_keepalive=0 From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001 
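Review bot: Typo in the new 5.5.1.4 comment: "wheter" should be "whether", matching the wording used in the sibling comments for 5.5.1.1–5.5.1.3.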
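Review bot: The combination `sshd_idle_timeout_value=15_minutes` with `var_sshd_set_keepalive=0` relies on `ClientAliveCountMax 0` terminating idle sessions, which holds for the OpenSSH 8.0 shipped with RHEL 8 but was changed in OpenSSH 8.2, where a count of 0 disables termination altogether; profiles copied to newer OpenSSH builds silently lose the timeout. Also, 15 minutes sits at the benchmark's upper bound rather than the 5 minutes previously selected, so the relaxation deserves a rationale. Suggested comment: `# ClientAliveCountMax 0 terminates on OpenSSH 8.0 (RHEL 8); semantics differ from 8.2 onwards`.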
From: Alex Haydock Date: Fri, 6 Aug 2021 16:12:47 +0100 Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated --- controls/cis_rhel8.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index e8e340e0c36..2d534d95072 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1929,12 +1929,15 @@ controls: - l1_workstation automated: no + # NEEDS RULE + # We are missing the component of this control which locks non-root system accounts + # https://github.com/ComplianceAsCode/content/issues/7352 - id: 5.5.2 title: Ensure system accounts are secured (Automated) levels: - l1_server - l1_workstation - automated: yes + automated: partially rules: - no_shelllogin_for_systemaccounts From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 6 Aug 2021 16:17:13 +0100 Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 2d534d95072..784af3e0fe9 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1946,7 +1946,7 @@ controls: levels: - l1_server - l1_workstation - automated: yes + automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark rules: - accounts_tmout - var_accounts_tmout=15_min From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Fri, 6 Aug 2021 16:21:39 +0100 Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated --- controls/cis_rhel8.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 784af3e0fe9..045e219d90f 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1965,9 +1965,10 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark
rules:
- accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
- accounts_umask_etc_profile
- var_accounts_user_umask=027
From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Fri, 6 Aug 2021 16:23:32 +0100
Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by use_pam_wheel_for_su
---
controls/cis_rhel8.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 045e219d90f..84a3269afc6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1989,7 +1989,9 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: no
+ automated: partially
+ rules:
+ - use_pam_wheel_for_su
- id: 6.1.1
title: Audit system file permissions (Manual)
From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Fri, 6 Aug 2021 16:31:56 +0100
Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3
---
controls/cis_rhel8.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 84a3269afc6..d02f2cbbf86 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2154,14 +2154,15 @@ controls:
rules:
- no_legacy_plus_entries_etc_passwd
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/7198
- id: 6.2.3
title: Ensure root PATH Integrity (Automated)
levels:
- l1_server
- l1_workstation
- automated: no
+ automated: yes
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
- id: 6.2.4
title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001
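Review bot: The `partially` added for 5.7 carries no explanation of what `use_pam_wheel_for_su` leaves uncovered, unlike the other `partially` controls in this series (5.5.1.3, 5.5.1.4, 5.5.3, 5.5.5), which say so inline on the `automated:` line. As I recall the benchmark's 5.7 also expects the group named in the pam_wheel line to be restricted to intended administrators, which a PAM configuration rule cannot verify on its own — confirm against the benchmark text. I'd write `automated: partially # use_pam_wheel_for_su configures pam_wheel but does not verify membership of the group permitted to use su`. The control's `- id`/`title` lines are outside the hunk.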
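Review bot: Marking 6.2.3 as fully automated with `accounts_root_path_dirs_no_write` and `root_path_no_dot` may overstate coverage: as I recall, the benchmark's root PATH integrity audit also rejects empty elements and a trailing colon and requires each PATH directory to be owned by root, and neither rule name suggests those checks — confirm against the rule content and the benchmark text. If they are not covered, `automated: partially # The rules below do not check for empty/trailing PATH elements or root ownership of PATH directories` would follow the convention used elsewhere in this series. The removed `NEEDS RULE` comment pointed at issue 7198; if that issue tracked the uncovered checks it may be worth keeping the link.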
From: Alex Haydock
Date: Fri, 6 Aug 2021 16:34:47 +0100
Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without OVAL checks or remediations
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d02f2cbbf86..a3f3d4e6d4f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2196,8 +2196,8 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
- file_permissions_home_dirs
# NEEDS RULE (for user ownership)
@@ -2207,7 +2207,7 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: yes
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
rules:
- file_groupownership_home_directories
From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Fri, 6 Aug 2021 16:35:23 +0100
Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL checks or remediations
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a3f3d4e6d4f..cfefd245300 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2311,10 +2311,10 @@ controls:
automated: no
- id: 6.2.20
- title: Ensure shadow group is empty (Automated)
+ title: Ensure all users' home directories exist (Automated)
levels:
- l1_server
- l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
- accounts_user_interactive_home_directory_exists
From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001
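Review bot: The title of 6.2.20 is swapped from the shadow-group check to the home-directories check, but only `automated: no` of the preceding control is visible as context, so the hunk does not show whether the shadow-group requirement is still represented. If the old title was a mis-numbering rather than a duplicate, confirm that the control now numbered 6.2.19 carries `title: Ensure shadow group is empty (Automated)`; otherwise that benchmark item is silently dropped from the profile. The preceding control's `- id`/`title` lines are outside the hunk.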
From: Alex Haydock
Date: Fri, 6 Aug 2021 16:38:11 +0100
Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because it also checks for finit_module syscall
---
controls/cis_rhel8.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cfefd245300..e8d3f24ccbb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1397,7 +1397,11 @@ controls:
- l2_workstation
automated: yes
rules:
- - audit_rules_kernel_module_loading
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_privileged_commands_insmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_rmmod
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5516
From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Mon, 9 Aug 2021 11:49:56 +0100
Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control is not automated
---
controls/cis_rhel8.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8d3f24ccbb..a624d06cb56 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2128,7 +2128,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- file_permissions_unauthorized_suid
- id: 6.1.14
@@ -2137,7 +2137,7 @@ controls:
- l1_server
- l1_workstation
automated: no
- rules:
+ related_rules:
- file_permissions_unauthorized_sgid
# NEEDS RULE
@@ -2212,7 +2212,7 @@ controls:
- l1_server
- l1_workstation
automated: no # The rule below exists, but does not have any OVAL checks or remediations.
- rules:
+ related_rules:
- file_groupownership_home_directories
# NEEDS RULE
From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001
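Review bot: Replacing `audit_rules_kernel_module_loading` with the `_init`/`_delete` rules drops auditing of finit_module(2), and as far as I know current kmod loads modules through finit_module rather than init_module, so the syscall-level rules will record few real module loads on a modern RHEL 8 kernel; the `audit_rules_privileged_commands_*` rules catch the usual tools via their execution, not a loader that invokes the syscall directly. The reason for the split lives only in the commit subject, so the file gives a future maintainer no hint that a broader rule exists and was rejected deliberately. I'd add above the rules list: `# audit_rules_kernel_module_loading is deliberately not used: it also requires finit_module, which this benchmark version does not list; be aware that modern modprobe loads via finit_module, so the init_module rule alone sees few loads.` The control's `- id`/`title` lines are outside the hunk.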
From: Alex Haydock
Date: Tue, 10 Aug 2021 09:12:18 +0100
Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream Draft Benchmark 1.1.0
---
controls/cis_rhel8.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a624d06cb56..bff2200ce12 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1782,11 +1782,11 @@ controls:
- var_sshd_set_maxstartups=10:30:60
# The title of this control does not appear to match the suggested audit and
- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
- # value from the audit and remediation sections of the benchmark rather than
- # from the title.
+ # remediation in the CIS Benchmark version 1.0.1
+ #
+ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0
+ # which confirms that '4' is the intended value for this control.
#
- # An upstream ticket has been opened about this issue:
# https://workbench.cisecurity.org/community/14/tickets/13414
- id: 5.2.19
title: Ensure SSH MaxSessions is set to 4 or less (Automated)
@@ -1796,7 +1796,7 @@ controls:
automated: yes
rules:
- sshd_set_max_sessions
- - var_sshd_max_sessions=10
+ - var_sshd_max_sessions=4
- id: 5.2.20
title: Ensure system-wide crypto policy is not over-ridden (Automated)
From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Wed, 11 Aug 2021 10:37:23 +0100
Subject: [PATCH 52/55] Control to disable IPv6 should not be automated
---
controls/cis_rhel8.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bff2200ce12..29d972427cf 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1177,9 +1177,7 @@ controls:
levels:
- l2_server
- l2_workstation
- automated: yes
- rules:
- - kernel_module_ipv6_option_disabled
+ automated: no
- id: 4.1.1.1
title: Ensure auditd is installed (Automated)
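Review bot: The IPv6 control loses its rule reference entirely when it is made manual, whereas the convention this series establishes (patches 47, 48 and 50 here) keeps a non-automated control's rule under `related_rules:` so the mapping to content is not lost. I'd replace the three removed lines with `automated: no` followed by `related_rules:` and `- kernel_module_ipv6_option_disabled`. The reason it should not be automated is stated only in the commit subject; presumably disabling IPv6 is site-dependent, and a trailing comment on the `automated:` line would record that for the next reader. The control's `- id`/`title` lines are outside the hunk.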
From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Tue, 17 Aug 2021 13:09:48 +0100
Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8
---
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
.../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 +
.../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 +
.../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 4 ----
5 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 24a0feaf0aa..748d9d9d188 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -21,6 +21,7 @@ severity: unknown
identifiers:
cce@rhel7: CCE-80199-3
+ cce@rhel8: CCE-85914-0
references:
cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index 288b6706b03..f44e85a059a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83430-9
+ cce@rhel8: CCE-85915-7
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
index edcda693591..a9468d00ddc 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83429-1
+ cce@rhel8: CCE-85913-2
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index 6e636a7caf7..bc4fdcc7e04 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83431-7
+ cce@rhel8: CCE-85912-4
references:
cis-csc: 12,13,14,15,16,18,3,5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..179412e8961 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -42,10 +42,6 @@ CCE-85907-4
CCE-85908-2
CCE-85909-0
CCE-85911-6
-CCE-85912-4
-CCE-85913-2
-CCE-85914-0
-CCE-85915-7
CCE-85916-5
CCE-85917-3
CCE-85918-1
From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Tue, 17 Aug 2021 13:15:15 +0100
Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules
---
.../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 +
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 +
.../root_logins/use_pam_wheel_for_su/rule.yml | 1 +
.../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 +
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
.../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 +
6 files changed, 6 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 2ffb01a3983..ee54a53dfd4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -27,6 +27,7 @@ identifiers:
references:
cis@rhel7: 5.3.5
+ cis@rhel8: 5.2.5
disa: CCI-000067
nerc-cip: CIP-007-3 R7.1
nist: AC-17(a),AC-17(1),CM-6(a)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index c548b1e3ea2..935766db26d 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -41,6 +41,7 @@ identifiers:
references:
cis@rhel7: 2.2.2
+ cis@rhel8: 2.2.2
disa: CCI-000366
nist: CM-6(b)
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 984a8cf333e..616a0aa0052 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
cis@rhel7: "5.7"
+ cis@rhel8: 5.7
cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
ospp: FMT_SMF_EXT.1.1
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index 81c30174c71..057701075e5 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -23,6 +23,7 @@ identifiers:
references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
+ cis@rhel8: 6.2.3
cis@sle15: 6.2.4
cis@ubuntu2004: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 748d9d9d188..c94de8fa3e6 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
+ cis@rhel8: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 46e81737199..51f8e51fa6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -25,6 +25,7 @@ references:
anssi: BP28(R35)
cis-csc: 11,18,3,9
cis@rhel7: 5.5.5
+ cis@rhel8: 5.5.5
cis@ubuntu2004: 5.4.4
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001
From: Alex Haydock
Date: Tue, 17 Aug 2021 13:25:45 +0100
Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an integer
---
.../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index 616a0aa0052..08677cbb7dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -24,7 +24,7 @@ identifiers:
references:
cis@rhel7: "5.7"
- cis@rhel8: 5.7
+ cis@rhel8: "5.7"
cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
ospp: FMT_SMF_EXT.1.1