diff --git a/.gitignore b/.gitignore index a0b3fab..573eb37 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.49.tar.bz2 +SOURCES/scap-security-guide-0.1.50.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index c49602b..d7de47e 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -abc5640ac0b212fbea8379036830f650dd2543db SOURCES/scap-security-guide-0.1.49.tar.bz2 +1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index d26c4b2..428ede7 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -9,7 +9,6 @@ Also disable tables for profiles that are not built. rhel8/CMakeLists.txt | 2 -- rhel8/profiles/cjis.profile | 2 +- rhel8/profiles/cui.profile | 2 +- - rhel8/profiles/hipaa.profile | 2 +- rhel8/profiles/rhelh-stig.profile | 2 +- rhel8/profiles/rhelh-vpp.profile | 2 +- rhel8/profiles/rht-ccp.profile | 2 +- @@ -50,16 +49,6 @@ index eb62252a4..e8f369708 100644 title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index 8d20f9019..d641b56fe 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile -@@ -1,4 +1,4 @@ --documentation_complete: True -+documentation_complete: false - - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile index 1efca5f44..c3d0b0964 100644 --- a/rhel8/profiles/rhelh-stig.profile 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch new file mode 100644 index 0000000..e859c54 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch 
@@ -0,0 +1,71 @@ +From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 08:17:20 +0200 +Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated + +--- + .../ansible/shared.yml | 33 +++++++++++++++++++ + 1 file changed, 33 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +new file mode 100644 +index 0000000000..5d76b3c073 +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +@@ -0,0 +1,33 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: Configure daily log rotation in /etc/logrotate.conf ++ lineinfile: ++ create: yes ++ dest: "/etc/logrotate.conf" ++ regexp: "^daily$" ++ line: "daily" ++ ++- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf ++ lineinfile: ++ create: no ++ dest: "/etc/logrotate.conf" ++ regexp: "^(weekly|monthly|yearly)$" ++ state: absent ++ ++- name: Configure cron.daily if not already ++ block: ++ - name: Add shebang ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: "#!/bin/sh" ++ insertbefore: BOF ++ create: yes ++ - name: Add logrotate call ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: '/usr/sbin/logrotate /etc/logrotate.conf' ++ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' + +From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 14:48:15 +0200 +Subject: [PATCH 2/2] Add test for ensure_logrotate_activated + +Test scenario when monthly is there, but weekly is not. 
+--- + .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +new file mode 100644 +index 0000000000..b10362989b +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++sed -i "s/weekly/daily/g" /etc/logrotate.conf ++echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch new file mode 100644 index 0000000..a864ebf --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch 
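Review bot: The `Configure cron.daily if not already` block creates `/etc/cron.daily/logrotate` with lineinfile `create: yes` but never sets a `mode`, so when the file does not already exist it is created with the default non-executable permissions and cron's run-parts will skip it; the rule is then satisfied on paper while log rotation is never actually scheduled. Add `mode: '0755'` to the `Add shebang` task (lineinfile honours the standard file-attribute parameters) so a freshly created script is runnable. The bash remediation for this rule is not part of this hunk, so I cannot confirm whether it handles the mode. Separately, `regexp: "^daily$"` and `regexp: "^(weekly|monthly|yearly)$"` only match lines with no surrounding whitespace; if logrotate tolerates leading or trailing blanks on these directives, as I believe it does, `^\s*daily\s*$` and `^\s*(weekly|monthly|yearly)\s*$` would be the safer anchors.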
@@ -0,0 +1,115 @@ +From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:49:08 +0200 +Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++ + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..a816eea390 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 4" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..b36125f5bb +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 10" >> $SSHD_CONFIG ++fi + +From 
027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:53:50 +0200 +Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++ + .../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++ + .../tests/correct_value.pass.sh | 2 +- + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +- + 4 files changed, 22 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +new file mode 100644 +index 0000000000..a7e171dfe9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++- (xccdf-var var_sshd_max_sessions) ++ ++{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +new file mode 100644 +index 0000000000..fc0a1d8b42 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +@@ -0,0 +1,12 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++populate var_sshd_max_sessions ++ ++{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +index a816eea390..4cc6d65988 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG + else +- echo "MaxSessions 4" >> $SSHD_CONFIG ++ echo "MaxSessions 4" >> $SSHD_CONFIG + fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +index b36125f5bb..bc0c47842a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG + else +- echo "MaxSessions 10" >> $SSHD_CONFIG ++ echo "MaxSessions 10" >> $SSHD_CONFIG + fi diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch new file mode 100644 index 0000000..ff529ca --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch 
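Review bot: In both new test scenarios (`correct_value.pass.sh` and `wrong_value.fail.sh`) the `#!/bin/bash` line is on line 4, after the `# profiles` / `# platform` header and a blank line, so it is an ordinary comment rather than an interpreter directive and has no effect if the harness executes the script directly. Move `#!/bin/bash` to line 1 and keep the `# profiles = …` and `# platform = …` metadata lines below it; the second commit in this patch only re-indents the `echo` lines and does not touch this. A minor style point in the Ansible remediation: `value="{{ var_sshd_max_sessions}}"` has unbalanced spacing inside the Jinja braces; `{{ var_sshd_max_sessions }}` is the conventional form and is what the bash counterpart's `$var_sshd_max_sessions` reads most naturally against.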
@@ -0,0 +1,147 @@ +From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 11:52:35 +0200 +Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line + +Very likey a copy-pasta error from bash remediation for +audit_rules_immutable +--- + .../audit_rules_system_shutdown/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index 1c9748ce9b..b56513cdcd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -8,7 +8,7 @@ + # files to check if '-f .*' setting is present in that '*.rules' file already. + # If found, delete such occurrence since auditctl(8) manual page instructs the + # '-f 2' rule should be placed as the last rule in the configuration +-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' ++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + + # Append '-f 2' requirement at the end of both: + # * /etc/audit/audit.rules file (for auditctl case) + +From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 12:12:21 +0200 +Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown + +Along with very basic test scenarios +--- + .../ansible/shared.yml | 28 +++++++++++++++++++ + .../tests/augen_correct.pass.sh | 4 +++ + .../tests/augen_e_2_immutable.fail.sh | 3 ++ + 3 files changed, 35 insertions(+) + create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +new file mode 100644 +index 0000000000..b9e8fa87fa +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +@@ -0,0 +1,28 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Collect all files from /etc/audit/rules.d with .rules extension ++ find: ++ paths: "/etc/audit/rules.d/" ++ patterns: "*.rules" ++ register: find_rules_d ++ ++- name: Remove the -f option from all Audit config files ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^\s*(?:-f)\s+.*$' ++ state: absent ++ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" ++ ++- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++ lineinfile: ++ path: "{{ item }}" ++ create: True ++ line: "-f 2" ++ loop: ++ - "/etc/audit/audit.rules" ++ - "/etc/audit/rules.d/immutable.rules" ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..0587b937e0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +@@ -0,0 +1,4 @@ 
++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules ++echo "-f 2" >> /etc/audit/rules.d/immutable.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +new file mode 100644 +index 0000000000..fa5b7231df +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules + +From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 14:06:08 +0200 +Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name + +--- + .../audit_rules_immutable/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 5ac7b3dabb..1cafb744cc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -17,7 +17,7 @@ + state: absent + loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" + +-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: "{{ item }}" + create: True + +From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 11:02:56 +0200 +Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix + +--- + 
.../audit_rules_system_shutdown/bash/shared.sh | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index b56513cdcd..a349bb1ca1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -4,16 +4,8 @@ + # + # /etc/audit/audit.rules, (for auditctl case) + # /etc/audit/rules.d/*.rules (for augenrules case) +-# +-# files to check if '-f .*' setting is present in that '*.rules' file already. +-# If found, delete such occurrence since auditctl(8) manual page instructs the +-# '-f 2' rule should be placed as the last rule in the configuration + find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +-# Append '-f 2' requirement at the end of both: +-# * /etc/audit/audit.rules file (for auditctl case) +-# * /etc/audit/rules.d/immutable.rules (for augenrules case) +- + for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" + do + echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch new file mode 100644 index 0000000..2b5acdc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch 
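Review bot: The bash remediation's `sed -i '/-f[[:space:]]\+.*/d'` is unanchored, so it deletes every line in every `*.rules` file that contains `-f` followed by whitespace anywhere on the line — a comment such as `# -f 1 was tried` or any rule whose text merely contains that substring — whereas the Ansible task added in the same patch uses the anchored `regexp: '^\s*(?:-f)\s+.*$'`, so the two remediations do not remove the same set of lines. Anchoring the sed expression to match, `find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/^[[:space:]]*-f[[:space:]]\+.*$/d' {} ';'`, keeps bash and Ansible equivalent and stops the bash fix from silently dropping unrelated audit rules. The `for AUDIT_FILE` loop that appends the new setting continues past the hunk's context, so I cannot see what it writes after the blank line. One thing worth confirming with the `augen_correct.pass.sh` scenario, which writes `-e 2` before `-f 2`: if auditctl refuses configuration changes once the `-e 2` lock has been processed, a `-f 2` appended after it would be accepted by the check but never take effect at load time.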
@@ -0,0 +1,49 @@ +From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 21 May 2020 18:16:43 +0200 +Subject: [PATCH] Attribute content to CIS + +And update the description a bit. +--- + rhel7/profiles/cis.profile | 8 +++++--- + rhel8/profiles/cis.profile | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 0826a49547..829c388133 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 7 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released +- 12-27-2017. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index f332ee5462..868b9f21a6 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 8 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released +- 09-30-2019. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch new file mode 100644 index 0000000..3c4f3b1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch 
@@ -0,0 +1,274 @@ +From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 12:17:48 +0200 +Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 + +--- + rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + 2 files changed, 250 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +new file mode 100644 +index 0000000000..14c82c4231 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2020-05-25 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during 
installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for 
authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg 
b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg +new file mode 100644 +index 0000000000..861db36f18 +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2020-05-25 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 
disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch new file mode 100644 index 0000000..e6dc9cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch 
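Review bot: Both kickstarts ship `rootpw --iscrypted`, `user --name=admin … --iscrypted` and `bootloader --password=` hashes whose plaintexts are printed in the comments directly above them (`server`, `admin123`, `password`), and the root and bootloader hashes reuse the same `rhel6usgcb` salt, so a system installed from either file unmodified has publicly known root, administrator and bootloader credentials. Add a header line such as `# Replace every --iscrypted hash below with one you generated yourself before installing; the sample plaintexts are published in this file` so the sample values are clearly examples rather than defaults. The RHEL 8 file also keeps the bare `install` command, which I believe is deprecated in RHEL 8 kickstart syntax; the RHEL 8 header could note that it is retained only for symmetry with the RHEL 7 file.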
@@ -0,0 +1,76 @@ +From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 22 May 2020 14:12:18 +0200 +Subject: [PATCH] Add missing CCEs for RHEL8 + +--- + .../password_storage/no_netrc_files/rule.yml | 1 + + .../accounts_user_interactive_home_directory_exists/rule.yml | 1 + + .../file_groupownership_home_directories/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 3 --- + 4 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +index 8547893201..1bd1f5742e 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel6: 27225-2 + cce@rhel7: 80211-6 ++ cce@rhel8: 83444-0 + cce@ocp4: 82667-7 + + references: +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index bedf3a0b19..e69bc9d736 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: 80529-1 ++ cce@rhel8: 83424-2 + + references: + stigid@ol7: "020620" +diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +index 1c5ac8d099..f931f6d160 100644 +--- 
a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80532-5 ++ cce@rhel8: 83434-1 + + references: + stigid@ol7: "020650" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 2f0d2a526b..45d03a2c1d 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -95,7 +95,6 @@ CCE-83411-9 + CCE-83421-8 + CCE-83422-6 + CCE-83423-4 +-CCE-83424-2 + CCE-83425-9 + CCE-83426-7 + CCE-83427-5 +@@ -105,7 +104,6 @@ CCE-83430-9 + CCE-83431-7 + CCE-83432-5 + CCE-83433-3 +-CCE-83434-1 + CCE-83435-8 + CCE-83436-6 + CCE-83437-4 +@@ -115,7 +113,6 @@ CCE-83440-8 + CCE-83441-6 + CCE-83442-4 + CCE-83443-2 +-CCE-83444-0 + CCE-83445-7 + CCE-83446-5 + CCE-83447-3 diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch new file mode 100644 index 0000000..b435b97 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch 
@@ -0,0 +1,103 @@ +From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 13:30:24 +0200 +Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +index e9a29a24d5..6fbb7c72a5 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +@@ -3,13 +3,9 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Test for existence of /etc/securetty +- stat: +- path: /etc/securetty +- register: securetty_empty ++ + + - name: "Direct root Logins Not Allowed" + copy: + dest: /etc/securetty + content: "" +- when: securetty_empty.stat.size > 1 + +From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:21:38 +0200 +Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8 + +--- + shared/templates/template_ANSIBLE_sebool | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool +index 29f37081be..38d7c7c350 100644 +--- a/shared/templates/template_ANSIBLE_sebool ++++ b/shared/templates/template_ANSIBLE_sebool +@@ -13,11 +13,17 @@ + {{% else %}} + - (xccdf-var var_{{{ SEBOOLID }}}) + ++{{% if product == "rhel8" %}} ++- name: Ensure python3-libsemanage installed ++ package: ++ name: python3-libsemanage ++ state: present ++{{% else %}} + - name: Ensure libsemanage-python 
installed + package: + name: libsemanage-python + state: present +- ++{{% endif %}} + - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly + seboolean: + name: {{{ SEBOOLID }}} + +From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:57:05 +0200 +Subject: [PATCH 3/3] add tests for no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++ + 3 files changed, 9 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +new file mode 100644 +index 0000000000..17251f6a98 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo > /etc/securetty +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +new file mode 100644 +index 0000000000..c764814b26 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -f /etc/securetty +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..43ac341e87 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "something" > /etc/securetty diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch new file mode 100644 index 0000000..5c6664f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch 
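Review bot: The new `correct.pass.sh` creates a one-byte `/etc/securetty` (`echo` writes a newline) while the simplified task in the first patch writes a zero-byte file, so the pass scenario and the remediation produce different artefacts; the dropped `when: securetty_empty.stat.size > 1` guard suggests a newline-only file was meant to count as empty, but the OVAL check that decides this is not in the hunk, so I would make the scenario match what the remediation writes with `: > /etc/securetty` (or add a second pass scenario for the zero-byte case). Without the `stat` guard the `copy` task now rewrites `/etc/securetty` whenever its content differs, which is the rule's intent, and `copy` with `content: ""` should stay idempotent on repeated runs. Removing the first task also leaves two consecutive blank lines before the remaining task in `ansible/shared.yml`; one should go.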
@@ -0,0 +1,308 @@ +From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 26 May 2020 17:49:21 +0200 +Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation. + +Affected rules: + - selinux_policytype + - selinux_state +--- + .../selinux/selinux_policytype/ansible/shared.yml | 9 ++------- + .../selinux/selinux_policytype/bash/shared.sh | 5 +++-- + .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++ + .../selinux/selinux_state/ansible/shared.yml | 9 ++------- + .../system/selinux/selinux_state/bash/shared.sh | 5 +++-- + .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++ + .../tests/selinux_permissive.fail.sh | 10 ++++++++++ + shared/macros-ansible.jinja | 11 +++++++++++ + shared/macros-bash.jinja | 15 +++++++++++++++ + 9 files changed, 61 insertions(+), 18 deletions(-) + create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 5c70cc9f7f..9f8cf66dfb 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_policy_name) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUXTYPE=' +- line: "SELINUXTYPE={{ var_selinux_policy_name }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh 
b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index d0fbbf4446..2b5ce31b12 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,7 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_policy_name + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +new file mode 100644 +index 0000000000..1a6eb94953 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE ++else ++ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE ++fi +diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +index b465ac6729..1c1560a86c 100644 +--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_state) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUX=' +- line: 
"SELINUX={{ var_selinux_state }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index 58193b5504..a402a861d7 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,10 +1,11 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_state + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} + + fixfiles onboot + fixfiles -f relabel +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +new file mode 100644 +index 0000000000..180dd80791 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +new file mode 100644 +index 0000000000..3db1e56b5f +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUX' 
$SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE ++else ++ echo 'SELINUX=permissive' >> $SELINUX_FILE ++fi +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 6798a25d1f..01d3155b37 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}" + {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} + {{%- endmacro %}} + ++{{# ++ High level macro to set a parameter in /etc/selinux/config. ++ Parameters: ++ - msg: the name for the Ansible task ++ - parameter: parameter to be set in the configuration file ++ - value: value of the parameter ++#}} ++{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{%- endmacro %}} ++ + {{# + Generates an Ansible task that puts 'contents' into a file at 'filepath' + Parameters: +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 3a94fe5dd8..2531d1c52d 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -86,6 +86,21 @@ populate {{{ name }}} + }}} + {{%- endmacro -%}} + ++{{%- macro bash_selinux_config_set(parameter, value) -%}} ++{{{ set_config_file( ++ path="/etc/selinux/config", ++ parameter=parameter, ++ value=value, ++ create=true, ++ insert_after="", ++ insert_before="", ++ insensitive=true, ++ separator="=", ++ separator_regex="\s*=\s*", ++ prefix_regex="^\s*") ++ }}} ++{{%- endmacro -%}} ++ + {{# + # Install a package + # Uses the right command based on pkg_manger proprerty defined in product.yaml. 
+ +From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 27 May 2020 18:48:57 +0200 +Subject: [PATCH 2/2] Remediation requires reboot. + +Update OVAL check to disallow spaces. +Removed selinuxtype_minimum test scenario since breaks the system. +--- + .../selinux/selinux_policytype/ansible/shared.yml | 2 +- + .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++ + .../system/selinux/selinux_policytype/oval/shared.xml | 2 +- + .../tests/selinuxtype_minimum.fail.sh | 10 ---------- + .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++ + .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +- + shared/macros-ansible.jinja | 2 +- + shared/macros-bash.jinja | 4 ++-- + 8 files changed, 14 insertions(+), 16 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 9f8cf66dfb..73e6ec7cd4 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -1,5 +1,5 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# reboot = false ++# reboot = true + # strategy = restrict + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index 2b5ce31b12..b4f79c97f9 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + 
+ # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +index f1840a1290..3d69fff07f 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +@@ -27,7 +27,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*) ++ ^SELINUXTYPE=(.*)$ + 1 + + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +deleted file mode 100644 +index 1a6eb94953..0000000000 +--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp +- +-SELINUX_FILE='/etc/selinux/config' +- +-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then +- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE +-else +- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE +-fi +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index a402a861d7..645a7acab4 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +index c0881696e1..8c328060af 100644 +--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +@@ -18,7 +18,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$ ++ ^SELINUX=(.*)$ + 1 + + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 01d3155b37..580a0b948e 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}" + - value: value of the parameter + #}} + {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} +-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}} + {{%- endmacro %}} + + {{# +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 2531d1c52d..8abcc914d3 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -96,8 +96,8 @@ populate {{{ name }}} + insert_before="", + insensitive=true, + separator="=", +- separator_regex="\s*=\s*", +- prefix_regex="^\s*") ++ separator_regex="=", ++ prefix_regex="^") + }}} + {{%- endmacro -%}} + diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch new file mode 100644 index 0000000..1e028b7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch 
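Review bot: The `sed` replacement in the new `selinux_permissive.fail.sh` reads `\permissive` where `\1permissive` was intended, so the captured `SELINUX=` prefix is dropped and the line becomes a bare `permissive`; the scenario still fails, but as a missing-key case rather than the permissive-value case its name claims (the deleted `selinuxtype_minimum.fail.sh` carried the same `\minimum` slip). The fix is `sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\1permissive/' $SELINUX_FILE`. Separately, the tightened OVAL patterns `^SELINUX=(.*)$` and `^SELINUXTYPE=(.*)$` capture everything to end of line, so a value followed by trailing whitespace or an inline comment would no longer compare equal to the expected state; if that is acceptable now that the macros write exactly `KEY=value`, a one-line comment next to each pattern saying that spaces are rejected on purpose (as the commit message states) would spare the next reader from "fixing" it back.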
@@ -0,0 +1,40 @@
+From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 15 May 2020 23:36:18 +0200
+Subject: [PATCH] Ansible mount_option: split mount and option task
+
+Separate task that adds mount options mounts the mountpoint into two tasks.
+Conditioning the "mount" task on the absence of the target mount option
+caused the task to always be skipped when mount option was alredy present,
+and could result in the mount point not being mounted.
+---
+ shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
+index 95bede25f9..a0cf8d6b7a 100644
+--- a/shared/templates/template_ANSIBLE_mount_option
++++ b/shared/templates/template_ANSIBLE_mount_option
+@@ -26,14 +26,19 @@
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+
+-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
++- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
++ set_fact:
++ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
++ when:
++ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
++
++- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
+ mount:
+ path: "{{{ MOUNTPOINT }}}"
+ src: "{{ mount_info.source }}"
+- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
++ opts: "{{ mount_info.options }}"
+ state: "mounted"
+ fstype: "{{ mount_info.fstype }}"
+ when:
+- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+ - device_name.stdout is defined
+ - (device_name.stdout | length > 0)
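Review bot: The new task name `Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options` has a stray `to`; `Make sure {{{ MOUNTOPTION }}} option is part of the {{{ MOUNTPOINT }}} options` reads correctly. The condition that now guards the `set_fact` task, `"{{{ MOUNTOPTION }}}" not in mount_info.options`, is a substring test on the comma-separated option string, so an option that is a suffix of another (for example `dev` inside `nodev`) would be treated as already present and never appended; `"{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')` compares whole options instead. The tasks that populate `mount_info` and `device_name` sit above the hunk, so whether `options` can be empty (which would produce a leading comma in the combined string) cannot be confirmed from here.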
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
new file mode 100644
index 0000000..47b9cdb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
@@ -0,0 +1,33 @@
+From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 14 May 2020 16:46:07 +0200
+Subject: [PATCH] reorder groups because of permissions verification
+
+---
+ ssg/build_yaml.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index e3e138283c..c9f3179c08 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -700,6 +700,11 @@ def to_xml_element(self):
+ # audit_rules_privileged_commands, othervise the rule
+ # does not catch newly installed screeen binary during remediation
+ # and report fail
++ # the software group should come before the
++ # bootloader-grub2 group because of conflict between
++ # rules rpm_verify_permissions and file_permissions_grub2_cfg
++ # specific rules concerning permissions should
++ # be applied after the general rpm_verify_permissions
+ # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
+ # the firewalld_activation must come before ruleset_modifications, othervise
+ # remediations for ruleset_modifications won't work
+@@ -707,6 +712,7 @@ def to_xml_element(self):
+ # otherwise the remediation prints error although it is successful
+ priority_order = [
+ "accounts", "auditing",
++ "software", "bootloader-grub2",
+ "fips", "crypto",
+ "firewalld_activation", "ruleset_modifications",
+ "disabling_ipv6", "configuring_ipv6"
diff --git a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
new file mode 100644
index 0000000..4b69221
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch 
@@ -0,0 +1,1216 @@ +From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Sun, 29 Mar 2020 00:58:02 -0400 +Subject: [PATCH 01/20] update CIS RHEL8 profile + +--- + .../service_crond_enabled/rule.yml | 2 +- + .../r_services/no_rsh_trust_files/rule.yml | 8 +- + .../rule.yml | 2 +- + .../account_unique_name/rule.yml | 11 +- + .../accounts_maximum_age_login_defs/rule.yml | 2 +- + .../accounts_minimum_age_login_defs/rule.yml | 1 + + .../rule.yml | 1 + + .../var_accounts_maximum_age_login_defs.var | 1 + + .../password_storage/no_netrc_files/rule.yml | 4 +- + .../accounts_no_uid_except_zero/rule.yml | 2 +- + .../no_direct_root_logins/rule.yml | 2 +- + .../rule.yml | 1 + + .../accounts-session/accounts_tmout/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_home_dirs/rule.yml | 4 +- + .../rsyslog_files_permissions/rule.yml | 2 +- + .../ensure_logrotate_activated/rule.yml | 1 + + .../package_rsyslog_installed/rule.yml | 2 +- + .../rsyslog_nolisten/rule.yml | 2 + + .../rsyslog_remote_loghost/rule.yml | 4 +- + .../logging/service_rsyslog_enabled/rule.yml | 2 +- + rhel8/profiles/cis.profile | 141 ++++++++++++------ + shared/references/cce-redhat-avail.txt | 2 - + 24 files changed, 137 insertions(+), 63 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index a1f82cf5c9..09d1a92a55 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -24,7 +24,7 @@ identifiers: + references: + stigid@rhel6: "000224" + srg@rhel6: SRG-OS-999999 +- cis: 5.1.1 ++ cis@rhel8: 5.1.1 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + nist: CM-6(a) + nist-csf: PR.IP-1,PR.PT-3 +diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml 
b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +index 2ccf4127b7..ec2fa6c012 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +@@ -12,9 +12,9 @@ description: |- +
$ rm ~/.rhosts
+ + rationale: |- +- Trust files are convenient, but when +- used in conjunction with the R-services, they can allow +- unauthenticated access to a system. ++ This action is only meaningful if .rhosts support is permitted ++ through PAM. Trust files are convenient, but when used in conjunction with ++ the R-services, they can allow unauthenticated access to a system. + + severity: high + +@@ -26,7 +26,7 @@ identifiers: + references: + stigid@rhel6: "000019" + srg@rhel6: SRG-OS-000248 +- cis: 6.2.14 ++ cis@rhel8: 6.2.13 + disa: "1436" + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index fff30d70c7..7a1538392a 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -43,7 +43,7 @@ references: + stigid@rhel6: "000062" + srg@rhel6: SRG-OS-000120 + disa@rhel6: '803' +- cis: 6.3.1 ++ cis@rhel8: 5.4.4 + cjis: 5.6.2.2 + cui: 3.13.11 + disa: "196" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +index 2cdafc0609..35652a410b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +@@ -2,9 +2,15 @@ documentation_complete: true + + title: 'Ensure All Accounts on the System Have Unique 
Names' + +-description: 'Change usernames, or delete accounts, so each has a unique name.' ++description: |- ++ Although the useradd utility prevents creation of duplicate user ++ names, it is possible for a malicious administrator to manually edit the ++ /etc/passwd file and change the user name. + +-rationale: 'Unique usernames allow for accountability on the system.' ++rationale: |- ++ If a user is assigned a duplicate user name, the new user will be able to ++ create and have access to files with the first UID for that username as ++ defined in /etc/passwd. + + severity: medium + +@@ -19,6 +25,7 @@ references: + cjis: 5.5.2 + disa: 770,804 + pcidss: Req-8.1.1 ++ cis@rhel8: 6.2.17 + + ocil_clause: 'a line is returned' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index af1ea13d8f..c2c4aa11bc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -34,7 +34,7 @@ references: + stigid@rhel6: "000053" + srg@rhel6: SRG-OS-000076 + disa@rhel6: '180' +- cis: 5.4.1.1 ++ cis@rhel8: 5.5.1.1 + cjis: 5.6.2.1 + cui: 3.5.6 + disa: "199" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +index 2de12efb3e..6147d672a4 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +@@ -44,6 +44,7 @@ references: + 
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ cis@rhel8: 5.5.1.2 + + ocil_clause: 'it is not equal to or greater than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +index 3a5c00708d..2a1005bd20 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +@@ -33,6 +33,7 @@ references: + cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,12,13,14,15,16,18,3,5,7,8 ++ cis@rhel8: 5.5.1.3 + + ocil_clause: 'it is not set to the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var +index 731f8f475f..11eb238c5d 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var +@@ -9,6 +9,7 @@ type: number + interactive: false + + options: ++ 365: 365 + 120: 120 + 180: 180 + 60: 60 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml 
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+index 01454a7274..8547893201 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+@@ -11,8 +11,7 @@ description: |-
+ 
+ rationale: |-
+ Unencrypted passwords for remote FTP servers may be stored in .netrc
+- files. DoD policy requires passwords be encrypted in storage and not used
+- in access scripts.
++ files.
+ 
+ severity: medium
+ 
+@@ -24,6 +23,7 @@ identifiers:
+ references:
+ stigid@rhel6: "000347"
+ srg@rhel6: SRG-OS-000073
++ cis@rhel8: 6.2.11
+ disa: "196"
+ nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7)
+ nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+index 0b61daf925..14f9140687 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+@@ -31,7 +31,7 @@ references:
+ stigid@ol7: "020310"
+ stigid@rhel6: "000032"
+ srg@rhel6: SRG-OS-999999
+- cis: 6.2.5
++ cis@rhel8: 6.2.6
+ cui: 3.1.1,3.1.5
+ disa: "366"
+ nist: IA-2,AC-6(5),IA-4(b)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+index 1d08bde4d9..9e00f3aad6 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
+@@ -33,7 +33,7 @@ identifiers:
+ cce@ocp4: 82698-2
+ 
+ references:
+- cis: "5.5"
++ cis@rhel8: "5.6"
+ cui: 3.1.1,3.1.6
+ hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
+ nist: IA-2,CM-6(a)
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+index ae8ba133b7..0c26ac3240 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
+@@ -35,6 +35,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
++ cis@rhel8: "5.6"
+ srg: SRG-OS-000324-GPOS-00125
+ 
+ ocil_clause: 'root login over virtual console devices is permitted'
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+index 787f2264de..f09006b72b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+@@ -38,6 +38,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ cis@rhel8: 5.5.3
+ anssi: NT28(R29)
+ 
+ ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml 
b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index e7e9a751a4..bedf3a0b19 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -27,6 +27,7 @@ references:
+ disa: "366"
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: "020620"
++ cis@rhel8: 6.2.20
+ 
+ ocil_clause: 'users home directory does not exist'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index d58884235e..1c5ac8d099 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -26,6 +26,7 @@ references:
+ disa: "366"
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: "020650"
++ cis@rhel8: 6.2.8
+ 
+ ocil_clause: 'the group ownership is incorrect'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+index 8812f9d123..27c190b5b1 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
+@@ -22,11 +22,12 @@ rationale: |-
+ to one another's home directories, this can be provided using
+ groups or ACLs.
+ 
+-severity: unknown
++severity: medium
+ 
+ identifiers:
+ cce@rhel6: 26981-1
+ cce@rhel7: 80201-7
++ cce@rhel8: 84274-0
+ 
+ references:
+ disa: "225"
+@@ -37,6 +38,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
++ cis@rhel8: 6.2.7
+ 
+ ocil_clause: 'the user home directory is group-writable or world-readable'
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+index 4c1e69020b..aa6e0905ae 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
+@@ -31,7 +31,7 @@ references:
+ anssi: NT28(R36)
+ stigid@rhel6: "000135"
+ srg@rhel6: SRG-OS-000206
+- cis: 4.2.1.3
++ cis@rhel8: 4.2.1.3
+ disa: "1314"
+ nist: CM-6(a),AC-6(1)
+ pcidss: Req-10.5.1,Req-10.5.2
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index def9566692..2c41a3b9ef 100644
+--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -35,6 +35,7 @@ references:
+ cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+ cis-csc: 1,14,15,16,3,5,6
++ cis@rhel8: 4.3
+ anssi: NT28(R43),NT12(R18)
+ 
+ ocil_clause: 'logrotate is not configured to run daily'
+diff --git 
a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+index 9f00dd9704..00fecf8a3c 100644
+--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+ references:
+ cis@debian8: 5.1.1
+ anssi: NT28(R5),NT28(R46)
+- cis: 4.2.3
++ cis@rhel8: 4.2.1.1
+ disa: 1311,1312
+ hipaa: 164.312(a)(2)(ii)
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+index 8a5a15e1da..14e729252c 100644
+--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
+@@ -26,6 +26,7 @@ severity: medium
+ identifiers:
+ cce@rhel6: 26803-7
+ cce@rhel7: 80192-8
++ cce@rhel8: 84275-7
+ 
+ references:
+ stigid@ol7: "031010"
+@@ -39,3 +40,4 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
+ stigid@rhel7: "031010"
++ cis@rhel8: 4.2.1.6
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 7b70b0c186..da28b99561 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ 
b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -46,8 +46,8 @@ references:
+ anssi: NT28(R7),NT28(R43),NT12(R5)
+ stigid@rhel6: "000136"
+ srg@rhel6: SRG-OS-000043,SRG-OS-000215
+- cis: 4.2.1.4
+- disa: 136,366,1348,1851
++ cis@rhel8: 4.2.1.5
++ disa: 366,1348,136,1851
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1
+ nist: CM-6(a),AU-4(1),AU-9(2)
+diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+index ce8347c686..92fd6bc4d8 100644
+--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+@@ -20,7 +20,7 @@ identifiers:
+ references:
+ cis@debian8: 5.1.2
+ anssi: NT28(R5),NT28(R46)
+- cis: 4.2.1.1
++ cis@rhel8: 4.2.1.2
+ disa: 1311,1312,1557,1851
+ hipaa: 164.312(a)(2)(ii)
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index cc0c2a5b9a..528f17d696 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -602,87 +602,88 @@ selections:
+ 
+ ### 4.1.9 Ensure discretionary access control permission modification
+ ### events are collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
+ 
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
+ 
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
+ 
+ ### 4.1.12 Ensure successful file 
system mounts are collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
+ 
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
+ 
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
+ 
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
+ 
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
+ ### collected (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+ 
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
+ 
+ ## 4.2 Configure Logging
+ 
+ ### 4.2.1 Configure rsyslog
+ 
+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+-
++ - package_rsyslog_installed
+ 
+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+-
++ - service_rsyslog_enabled
+ 
+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+-
++ - rsyslog_files_permissions
+ 
+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+ 
+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+ #### log host (Scored)
+-
++ - rsyslog_remote_loghost
+ 
+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+ #### designated log hosts (Not Scored)
+-
++ - rsyslog_nolisten
+ 
+ ### 4.2.2 Configure journald
+ 
+ #### 4.2.2.1 Ensure journald is configured to send logs to
+ #### rsyslog (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+ 
+ #### 4.2.2.2 Ensure journald is configured to compress large
+ #### log files (Scored)
++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5521
+ 
+ 
+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
+ #### persistent disk (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+ 
+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+ 
+ ## 4.3 Ensure logrotate is conifgured (Not Scored)
+-
++ - ensure_logrotate_activated
+ 
+ # 5 Access, Authentication and Authorization
+ 
+ ## 5.1 Configure cron
+ 
+-
+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
++ - service_crond_enabled
+ 
+ 
+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+@@ -790,19 +791,19 @@ selections:
+ 
+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+ ### or less (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+ 
+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+ - sshd_enable_warning_banner
+ 
+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+ 
+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+ - sshd_disable_tcp_forwarding
+ 
+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+ 
+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+ - sshd_set_max_sessions
+@@ -815,69 +816,75 @@ selections:
+ 
+ 
+ ### 5.3.1 Create custom authselectet profile (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+ 
+ ### 5.3.2 Select authselect profile (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+ 
+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+ 
+ ## 5.4 Configure PAM
+ 
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
+ 
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
+ 
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
+ 
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+-
++ - set_password_hashing_algorithm_systemauth
+ 
+ ## 5.5 User Accounts and Environment
+ 
+ ### 5.5.1 Set Shadow Password Suite Parameters
+ 
+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+-
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_maximum_age_login_defs
+ 
+ #### 5.5.1.2 Ensure minimum days between password changes is 7
+ #### or more (Scored)
+-
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_minimum_age_login_defs
+ 
+ #### 5.5.1.3 Ensure password expiration warning days is
+ #### 7 or more (Scored)
+-
++ - var_accounts_password_warn_age_login_defs=7
++ - accounts_password_warn_age_login_defs
+ 
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
+ 
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+ 
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
+ 
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+-
++ - var_accounts_tmout=15_min
++ - accounts_tmout
+ 
+ ### 5.5.4 Ensure default group for the root account is
+ ### GID 0 (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+ 
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+-
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
+ 
+ 
## 5.6 Ensure root login is restricted to system console (Not Scored)
+-
++ - securetty_root_login_console_only
++ - no_direct_root_logins
+ 
+ ## 5.7 Ensure access to the su command is restricted (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+ 
+ # System Maintenance
+ 
+@@ -971,8 +978,58 @@ selections:
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+ 
+- ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
++ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+ 
+- ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
++ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
++
++ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
++ - accounts_no_uid_except_zero
++
++ ### 6.2.7 Ensure users' home directories permissions are 750
++ ### or more restrictive (Scored)
++ - file_permissions_home_dirs
++
++ ### 6.2.8 Ensure users own their home directories (Scored)
++ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
++ - file_groupownership_home_directories
++
++ ### 6.2.9 Ensure users' dot files are not group or world
++ ### writable (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
++
++ ### 6.2.10 Ensure no users have .forward files (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
++
++ ### 6.2.11 Ensure no users have .netrc files (Scored)
++ - no_netrc_files
++
++ ### 6.2.12 Ensure users' .netrc Files are not group or
++ ### world accessible (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
++
++ ### 6.2.13 Ensure no users have .rhosts files (Scored)
++ - no_rsh_trust_files
++
++ ### 6.2.14 Ensure all groups in /etc/passwd exist in
++ ### /etc/group (Scored)
++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5503
++
++ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
++
++ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
++
++ ### 6.2.17 Ensure no duplicate user names exist (Scored)
++ - account_unique_name
++
++ ### 6.2.18 Ensure no duplicate group names exist (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
++
++ ### 6.2.19 Ensure shadow group is empty (Scored)
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
++
++ ### 6.2.20 Ensure all users' home directories exist (Scored)
++ - accounts_user_interactive_home_directory_exists
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index feb31b0395..9e7bd35178 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -901,8 +901,6 @@ CCE-84270-8
+ CCE-84271-6
+ CCE-84272-4
+ CCE-84273-2
+-CCE-84274-0
+-CCE-84275-7
+ CCE-84276-5
+ CCE-84277-3
+ CCE-84278-1
+
+From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001
+From: Shawn Wells
+Date: Sat, 25 Apr 2020 18:52:21 -0400
+Subject: [PATCH 02/20] misc cis8 updates
+
+---
+ .../accounts_users_home_files_ownership/rule.yml | 1 +
+ .../logging/log_rotation/ensure_logrotate_activated/rule.yml | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+index a9c73e46ac..8e225cdc64 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
+@@ -24,6 +24,7 @@ references:
+ 
stigid@ol7: "020660"
+ disa: "366"
+ srg: SRG-OS-000480-GPOS-00227
++ cis@rhel8: 6.2.8
+ stigid@rhel7: "020660"
+ 
+ ocil_clause: 'the user ownership is incorrect'
+diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+index 2c41a3b9ef..6e569edfa9 100644
+--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
+@@ -35,7 +35,7 @@ references:
+ cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
+ cis-csc: 1,14,15,16,3,5,6
+- cis@rhel8: 4.3
++ cis@rhel8: "4.3"
+ anssi: NT28(R43),NT12(R18)
+ 
+ ocil_clause: 'logrotate is not configured to run daily'
+
+From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 22:32:44 +0200
+Subject: [PATCH 03/20] Add auxiliary rule for dconf settings
+
+---
+ rhel8/profiles/cis.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 528f17d696..202db7f693 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -8,6 +8,8 @@ description: |-
+ 09-30-2019.
+ 
+ selections:
++ # Necessary for dconf rules
++ - dconf_db_up_to_date
+ 
+ ### Partitioning
+ - mount_option_home_nodev
+
+From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 22:43:20 +0200
+Subject: [PATCH 04/20] Update time synchonization rule selections
+
+In RHEL8, only chrony is available
+---
+ rhel8/profiles/cis.profile | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 202db7f693..762d4a04e3 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -256,10 +256,12 @@ selections:
+ ### 2.2.1 Time Synchronization
+ 
+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+- - service_chronyd_or_ntpd_enabled
++ - package_chrony_installed
+ 
+ #### 2.2.1.2 Ensure chrony is configured (Scored)
+- - chronyd_or_ntpd_specify_remote_server
++ - service_chronyd_enabled
++ - chronyd_specify_remote_server
++ - chronyd_run_as_chrony_user
+ 
+ ### 2.2.2 Ensure X Window System is not installed (Scored)
+ - package_xorg-x11-server-common_removed
+
+From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 22:49:55 +0200
+Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects
+
+Fixes: #5234
+Fixes: #5235
+---
+ rhel8/profiles/cis.profile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 762d4a04e3..3a8e19259b 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -371,14 +371,14 @@ selections:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ 
+ #### net.ipv6.conf.defaults.accept_redirects = 0
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234
++ - sysctl_net_ipv6_conf_default_accept_redirects
+ 
+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+ #### 
net.ipv4.conf.all.secure_redirects = 0
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ 
+ #### net.ipv4.cof.default.secure_redirects = 0
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235
++ - sysctl_net_ipv4_conf_default_secure_redirects
+ 
+ ### 3.2.4 Ensure suspicious packets are logged (Scored)
+ #### net.ipv4.conf.all.log_martians = 1
+
+From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:02:09 +0200
+Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS
+
+Fixes: #5509
+---
+ rhel8/profiles/cis.profile | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 3a8e19259b..a990de4565 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -606,7 +606,19 @@ selections:
+ 
+ ### 4.1.9 Ensure discretionary access control permission modification
+ ### events are collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_fremovexattr
+ 
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+
+From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:07:34 +0200
+Subject: [PATCH 07/20] Select rules for unsuccessful modification
+
+Fixes: #5510
+---
+ rhel8/profiles/cis.profile | 8 +++++++-
+ 1 file 
changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a990de4565..db54d9ece5 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -622,7 +622,13 @@ selections:
+ 
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
++ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_unsuccessful_file_modification_truncate
++ - audit_rules_unsuccessful_file_modification_ftruncate
++ # Opinionated selection
++ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ 
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+
+From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:10:45 +0200
+Subject: [PATCH 08/20] Select rules for user/group modification
+
+Fixes: #5511
+---
+ rhel8/profiles/cis.profile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index db54d9ece5..f8ec16b9a8 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -632,7 +632,11 @@ selections:
+ 
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_shadow
++ - audit_rules_usergroup_modification_opasswd
+ 
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
+
+From 
86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:12:58 +0200
+Subject: [PATCH 09/20] Audit successful system mounts
+
+Fixes: #5512
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index f8ec16b9a8..e4f5313e3e 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -639,7 +639,7 @@ selections:
+ - audit_rules_usergroup_modification_opasswd
+ 
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
++ - audit_rules_media_export
+ 
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
+
+From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:14:21 +0200
+Subject: [PATCH 10/20] Audit privileged commands
+
+Fixes: #5513
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index e4f5313e3e..087dd79bb5 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -642,7 +642,7 @@ selections:
+ - audit_rules_media_export
+ 
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
++ - audit_rules_privileged_commands
+ 
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+
+From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:15:49 +0200
+Subject: [PATCH 11/20] Audit file deletion events
+
+Fixes: #5514
+---
+ rhel8/profiles/cis.profile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile 
b/rhel8/profiles/cis.profile
+index 087dd79bb5..ca42f24190 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -646,7 +646,12 @@ selections:
+ 
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlinkat
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_renameat
++ # Opinionated selection
++ - audit_rules_file_deletion_events_rmdir
+ 
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+
+From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:16:33 +0200
+Subject: [PATCH 12/20] Audit kernel module loads
+
+Fixes: #5515
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index ca42f24190..5e214941ec 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -655,7 +655,7 @@ selections:
+ 
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
++ - audit_rules_kernel_module_loading
+ 
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
+ ### collected (Scored)
+
+From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:17:52 +0200
+Subject: [PATCH 13/20] Audit rules should be immutable
+
+Fixes: #5517
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 5e214941ec..a0fdd69869 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -662,7 +662,7 @@ selections:
+ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5516
+
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
++ - audit_rules_immutable
+
+ ## 4.2 Configure Logging
+
+
+From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:31:10 +0200
+Subject: [PATCH 14/20] Select rules for password requirements
+
+Related to: #5533
+---
+ rhel8/profiles/cis.profile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a0fdd69869..a55c3291a9 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -858,7 +858,12 @@ selections:
+ ## 5.4 Configure PAM
+
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
++ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
++ - accounts_password_pam_retry
++ - var_password_pam_minlen=14
++ - accounts_password_pam_minlen
++ - var_password_pam_minclass=4
++ - accounts_password_pam_minclass
+
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+
+From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:35:50 +0200
+Subject: [PATCH 15/20] Configure password lockout
+
+Fixes: #5534
+---
+ rhel8/profiles/cis.profile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index a55c3291a9..6e10c2efcb 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -867,7 +867,10 @@ selections:
+
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
++ -
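Review bot: Selecting `- audit_rules_immutable` for CIS 4.1.17 introduces an ordering constraint that the profile does not document: once `-e 2` is loaded, the kernel refuses further audit rule changes until reboot, so every other audit_rules_* remediation in this profile has to be applied before it, and a remediation run that loads it part-way leaves the later audit rules inactive until the next boot. Make that visible next to the selection: `# NOTE: -e 2 locks the ruleset until reboot; keep this after all other audit rule remediations`. If the rule's remediation already guarantees it is loaded last (a dedicated final rules file, for instance), say that instead. The selections list continues outside the hunk.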
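Review bot: `- accounts_password_pam_retry` is selected without pinning its variable, unlike the minlen and minclass pairs directly below it, so the retry value the CIS 5.4.1 check enforces comes from the rule's default rather than from the profile and would change silently if that default moved. Pin it the same way the neighbours do, `- var_password_pam_retry=3` ahead of the rule (assuming the variable follows the sibling naming and 3 is the benchmark value), so the profile is self-describing. The `# NEEDS RULE: try_first_pass` marker is a fair reminder of the remaining gap; the selections list continues outside the hunk, so check the variable is not set elsewhere.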
var_accounts_passwords_pam_faillock_unlock_time=900
++ - var_accounts_passwords_pam_faillock_deny=5
++ - accounts_passwords_pam_faillock_unlock_time
++ - accounts_passwords_pam_faillock_deny
+
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
+
+From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:38:58 +0200
+Subject: [PATCH 16/20] Configure password reuse
+
+Fixes: #5535
+---
+ rhel8/profiles/cis.profile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 6e10c2efcb..2fa85d8676 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -873,7 +873,8 @@ selections:
+ - accounts_passwords_pam_faillock_deny
+
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
++ - var_password_pam_unix_remember=5
++ - accounts_password_pam_unix_remember
+
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+ - set_password_hashing_algorithm_systemauth
+
+From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:43:04 +0200
+Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting
+
+Related to: #5536
+---
+ rhel8/profiles/cis.profile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 2fa85d8676..e0fd5e1492 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -898,7 +898,10 @@ selections:
+ - accounts_password_warn_age_login_defs
+
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
++ # TODO: Rule doesn't check list of users
++ #
https://github.com/ComplianceAsCode/content/issues/5536
++ - var_account_disable_post_pw_expiration=30
++ - account_disable_post_pw_expiration
+
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+
+From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:46:48 +0200
+Subject: [PATCH 18/20] No shelllogin for system accounts
+
+Fixes: #5538
+---
+ rhel8/profiles/cis.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index e0fd5e1492..0431fb0d45 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -908,7 +908,7 @@ selections:
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
++ - no_shelllogin_for_systemaccounts
+
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+
+From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 23:54:07 +0200
+Subject: [PATCH 19/20] Partially cover umask requirements
+
+Related to: #5540
+---
+ rhel8/profiles/cis.profile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
+index 0431fb0d45..f332ee5462 100644
+--- a/rhel8/profiles/cis.profile
++++ b/rhel8/profiles/cis.profile
+@@ -920,7 +920,9 @@ selections:
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
++ - var_accounts_user_umask=027
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_profile
+
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
+ -
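Review bot: `- no_shelllogin_for_systemaccounts` covers only the login-shell half of CIS 5.5.2, yet the commit is marked "Fixes: #5538" and the `# NEEDS RULE` marker is gone; if the benchmark item still also requires system accounts to have locked passwords (the usual check on non-root accounts below UID_MIN), that half is now uncovered with no trace left in the profile. Either keep a marker for the remainder, `# NEEDS RULE: locked password for system accounts - https://github.com/ComplianceAsCode/content/issues/5538`, or add a comment stating why the shell check alone satisfies the item. The selections list continues outside the hunk.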
securetty_root_login_console_only
+
+From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 May 2020 22:31:16 +0200
+Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and
+ OCIL
+
+---
+ .../account_unique_name/rule.yml | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+index 35652a410b..909f1b6657 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+@@ -3,14 +3,13 @@ documentation_complete: true
+ title: 'Ensure All Accounts on the System Have Unique Names'
+
+ description: |-
+- Although the useradd utility prevents creation of duplicate user
+- names, it is possible for a malicious administrator to manually edit the
+- /etc/passwd file and change the user name.
++ Ensure accounts on the system have unique names.
+
+-rationale: |-
+- If a user is assigned a duplicate user name, the new user will be able to
+- create and have access to files with the first UID for that username as
+- defined in /etc/passwd.
++ To ensure all accounts have unique names, run the following command:
++
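Review bot: The `# NEEDS RULE` marker for #5540 is removed even though the commit subject says the umask requirement is only partially covered; the two rules selected handle /etc/bashrc and /etc/profile, so whatever is left (presumably the /etc/profile.d scripts and the login.defs UMASK) now has no trace in the profile and the gap can be mistaken for full coverage. Keep a marker for the uncovered part, `# NEEDS RULE: remaining umask locations - https://github.com/ComplianceAsCode/content/issues/5540`, which is what the 5.4.1 and 5.5.1.4 selections in this same series do when coverage is partial. The selections list continues outside the hunk.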
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
++ If a username is returned, change or delete the username.
++
++rationale: 'Unique usernames allow for accountability on the system.'
+
+ severity: medium
+
+@@ -30,6 +29,6 @@ references:
+ ocil_clause: 'a line is returned'
+
+ ocil: |-
+- Run the following command to check for duplicate account names:
+-
$ sudo pwck -qr
+- If there are no duplicate names, no line will be returned.
++ To verify all accounts have unique names, run the following command:
++
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
++ No output should be returned.
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 2eb0e31..adabcf5 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
-Version: 0.1.49
-Release: 1%{?dist}
+Version: 0.1.50
+Release: 5%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
@@ -8,6 +8,18 @@ URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch # Patch6 already contains typo fix
+Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
 BuildArch: noarch
 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@@ -42,6 +54,17 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 mkdir build
 %build
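Review bot: The new OCIL command `$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d` only reports duplicate names that are adjacent in the output, because uniq(1) compares neighbouring lines; two identical names separated by any other entry (the realistic case, since a duplicate is added later or comes from a second NSS source) are missed and the check reads "No output should be returned" as a pass. Insert a sort before the dedup: `$ sudo getent passwd | awk -F: '{ print $1}' | sort | uniq -d`. The same command appears in the description hunk above and needs the same change; the rule's OVAL check is not in this patch, so confirm it does not share the adjacency assumption.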
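Review bot: The context comment `# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream` above Patch0 no longer matches what this package builds: the changelog in the same diff records "Enable build of RHEL8 HIPAA Profile" for 0.1.50-3, so anyone auditing the shipped profile set from this comment gets a wrong list. Reword it to defer to the patch rather than hard-code the set, for example `# Patch0 disables profiles not yet in good shape; the list of profiles kept enabled is in the patch header (HIPAA re-enabled in 0.1.50-3)`, and keep it in step whenever Patch0 changes. Whether the CIS profile that Patch1 to Patch3 touch is among the enabled ones cannot be told from this diff, so the comment should state only what Patch0 actually toggles.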
@@ -76,6 +99,32 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Thu May 28 2020 Gabriel Becker - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
+
+* Tue May 26 2020 Watson Sato - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)
+
+* Mon May 25 2020 Watson Sato - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+ - Enable build of RHEL8 HIPAA Profile
+ - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+ - Add Ansible fix for sshd_set_max_sessions
+ - Add CIS Profile content attribution to Center for Internet Security
+
+* Fri May 22 2020 Watson Sato - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Wed May 20 2020 Watson Sato - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Tue May 19 2020 Watson Sato - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)
+
 * Thu Mar 19 2020 Gabriel Becker - 0.1.49-1
 - Update to the latest upstream release (RHBZ#1815007)