From 6b015c09b43ecac4226c5bcf974794a1b2a8d557 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 17:27:09 +0100
Subject: [PATCH 1/8] Add rule for permissions of /etc/motd
---
 .../file_permissions_etc_motd/rule.yml | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
new file mode 100644
index 0000000000..6d81eb43d1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on Message of the Day Banner'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/motd", perms="0644") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
+ Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83337-6
+ cce@rhel8: 83338-4
+
+references:
+ cis@rhel7: 1.7.1.4
+ cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/motd
+ filemode: '0644'
From 9448111043016e27bc319cfc6606361edd235f38 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 17:47:09 +0100
Subject: [PATCH 2/8] Add rule for permissions of /etc/issue
---
 .../file_permissions_etc_issue/rule.yml | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
new file mode 100644
index 0000000000..323c3b93b6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify permissions on System Login Banner'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/issue", perms="0644") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
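Review bot: The rationale line `Proper permissions will ensure that only root user can modify the banner.` claims more than the rule verifies: the template is given only `filepath` and `filemode`, so a mode-0644 /etc/motd owned by a non-root user is still writable by that user and this rule would still pass. Either add file_owner and file_groupowner rules for /etc/motd alongside this one (the owner/groupowner/permissions trio the cron rules in patches 3–8 follow) or weaken the sentence to `Proper permissions prevent the banner from being modified by users other than its owner.` so the text matches what is checked. The same applies to the /etc/issue rule in patch 2. Also, /etc/motd is displayed after a successful login, so the first rationale sentence about a notification shown `before granting access` fits /etc/issue better than this rule; consider trimming it here.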
+ Proper permissions will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83347-5
+ cce@rhel8: 83348-3
+
+references:
+ cis@rhel7: 1.7.1.5
+ cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+ocil: '{{{ ocil_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/issue
+ filemode: '0644'
From 927265b500b38a9ba0eefd94ecce5de4c8fc3ac2 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:12:48 +0100
Subject: [PATCH 3/8] Select rules for /etc/crontab permissions
---
 .../services/cron_and_at/file_groupowner_crontab/rule.yml | 3 ++-
 .../guide/services/cron_and_at/file_owner_crontab/rule.yml | 3 ++-
 .../services/cron_and_at/file_permissions_crontab/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 8df80cb535..29d0c882b4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82223-9
 references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index a10a283a86..6ac696229f 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82224-7
 references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
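Review bot: Replacing the unsuffixed `cis: 5.1.2` with `cis@rhel7: 5.1.2` and `cis@rhel8: 5.1.2` silently drops the CIS reference for any other product that builds this rule, since the `@product` suffix (the same convention the `cce@rhel8` identifier line above uses) scopes a key to that product while the removed key applied to all of them. If the values really are the same for both products, keeping the single `cis: 5.1.2` loses nothing; if product-specific keys are required by the build, please confirm that no other product's CIS profile selects these cron rules. The same rewrite is repeated in every hunk of patches 3 through 8 (file_groupowner, file_owner and file_permissions for crontab, cron.hourly, cron.daily, cron.weekly, cron.monthly and cron.d). The profile selection each commit title announces is not among the visible hunks (each diffstat counts 4 files changed while only 3 are shown), so the actual rule selection cannot be reviewed from this page.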
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 126bffd0bb..f587ab67ef 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82206-4
 references:
- cis: 5.1.2
+ cis@rhel7: 5.1.2
+ cis@rhel8: 5.1.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From 51d320c401981dd06d097bb2850c9a7aa6977059 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:16:22 +0100
Subject: [PATCH 4/8] Select rules for /etc/cron.hourly permissions
---
 .../cron_and_at/file_groupowner_cron_hourly/rule.yml | 3 ++-
 .../services/cron_and_at/file_owner_cron_hourly/rule.yml | 3 ++-
 .../cron_and_at/file_permissions_cron_hourly/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index c3545bca73..514dc5510e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82227-0
 references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 298a03bbec..2b4a8c6047 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82209-8
 references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 1d06872cf4..e726d64966 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82230-4
 references:
- cis: 5.1.3
+ cis@rhel7: 5.1.3
+ cis@rhel8: 5.1.3
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From 94cd82ae26481d8d7343fcc65e6b2f5e88cefd3b Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:18:41 +0100
Subject: [PATCH 5/8] Select rules for /etc/cron.daily permissions
---
 .../cron_and_at/file_groupowner_cron_daily/rule.yml | 3 ++-
 .../services/cron_and_at/file_owner_cron_daily/rule.yml | 3 ++-
 .../cron_and_at/file_permissions_cron_daily/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
index 53e1800074..38e4fdde5e 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82234-6
 references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index ed6e76e419..86625ac049 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82237-9
 references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index 4313ffb6ab..6e57b028cd 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82240-3
 references:
- cis: 5.1.4
+ cis@rhel7: 5.1.4
+ cis@rhel8: 5.1.4
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From a8d0f1253631913f27bcb9f6d70b46234feda723 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:21:12 +0100
Subject: [PATCH 6/8] Select rules for /etc/cron.weekly permissions
---
 .../cron_and_at/file_groupowner_cron_weekly/rule.yml | 3 ++-
 .../services/cron_and_at/file_owner_cron_weekly/rule.yml | 3 ++-
 .../cron_and_at/file_permissions_cron_weekly/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index de1ac8c656..4760ea55f6 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82244-5
 references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index f5bba63516..e5e3de8cd1 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82247-8
 references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 523ea17731..daf345338a 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82253-6
 references:
- cis: 5.1.5
+ cis@rhel7: 5.1.5
+ cis@rhel8: 5.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From 35176b1486c57bfd6a981a8719de65f09d200380 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:25:12 +0100
Subject: [PATCH 7/8] Select rules for /etc/cron.monthly permissions
---
 .../cron_and_at/file_groupowner_cron_monthly/rule.yml | 3 ++-
 .../services/cron_and_at/file_owner_cron_monthly/rule.yml | 3 ++-
 .../cron_and_at/file_permissions_cron_monthly/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index a664d78b0a..2a11340ec4 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82256-9
 references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 35f2bc19ed..76c671aa06 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82260-1
 references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index b4d1863633..cc186ff7a1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82263-5
 references:
- cis: 5.1.6
+ cis@rhel7: 5.1.6
+ cis@rhel8: 5.1.6
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
From 5b839624790399a1dbca16478fef9b3e628df1d4 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 19:27:55 +0100
Subject: [PATCH 8/8] Select rules for /etc/cron.d permissions
---
 .../services/cron_and_at/file_groupowner_cron_d/rule.yml | 3 ++-
 .../guide/services/cron_and_at/file_owner_cron_d/rule.yml | 3 ++-
 .../services/cron_and_at/file_permissions_cron_d/rule.yml | 3 ++-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
index 3add79db18..6b1a3faf05 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82268-4
 references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 8778109761..88586a0268 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82272-6
 references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index cd0dc6167a..f904dce932 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -20,7 +20,8 @@ identifiers:
 cce@rhel8: 82277-5
 references:
- cis: 5.1.7
+ cis@rhel7: 5.1.7
+ cis@rhel8: 5.1.7
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000480-GPOS-00227