From 6a669ccfafad0720998b882cd609470a60de3b23 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 15:54:35 +0100
Subject: [PATCH 1/2] Select rules for system file permissions
And update references for these rules
---
 .../rule.yml | 3 +-
 .../rule.yml | 3 +-
 .../rule.yml | 3 +-
 .../file_permissions_ungroupowned/rule.yml | 3 +-
 .../files/no_files_unowned_by_user/rule.yml | 3 +-
 .../file_groupowner_etc_group/rule.yml | 3 +-
 .../file_groupowner_etc_gshadow/rule.yml | 3 +-
 .../file_groupowner_etc_passwd/rule.yml | 3 +-
 .../file_groupowner_etc_shadow/rule.yml | 3 +-
 .../file_owner_etc_group/rule.yml | 3 +-
 .../file_owner_etc_gshadow/rule.yml | 3 +-
 .../file_owner_etc_passwd/rule.yml | 3 +-
 .../file_owner_etc_shadow/rule.yml | 3 +-
 .../file_permissions_etc_group/rule.yml | 3 +-
 .../file_permissions_etc_gshadow/rule.yml | 3 +-
 .../file_permissions_etc_passwd/rule.yml | 3 +-
 .../file_permissions_etc_shadow/rule.yml | 3 +-
 18 files changed, 74 insertions(+), 18 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
index 32c176d67f..fb00519f64 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml
@@ -31,7 +31,8 @@ identifiers:
 references:
 anssi: NT28(R37),NT28(R38)
- cis: 6.1.14
+ cis@rhel7: 6.1.14
+ cis@rhel8: 6.1.14
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
index ae5f1307ce..3c7898b912 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml
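Review bot: Dropping the unqualified `cis:` key in favour of `cis@rhel7`/`cis@rhel8` presumably leaves every other product that renders this shared `linux_os/guide` rule without a CIS reference; this applies to the file_permissions_unauthorized_sgid hunk and to the same one-line swap in the other sixteen rule.yml hunks of this patch. If that is deliberate because CIS section numbers are benchmark-specific, state it in the commit message. The rhel8 values are copies of the rhel7 ones in every hunk, so each should be confirmed against the RHEL 8 benchmark rather than assumed to carry over, since a wrong section number makes a scan report claim coverage for a different control. The diffstat counts 18 files and 74 insertions but lists only 17 rule.yml entries, so the profile change that selects these rules is not shown here and cannot be checked against the references.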
@@ -31,7 +31,8 @@ identifiers:
 references:
 anssi: NT28(R37),NT28(R38)
- cis: 6.1.13
+ cis@rhel7: 6.1.13
+ cis@rhel8: 6.1.13
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
index c70b7989c6..871da04b77 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
@@ -28,7 +28,8 @@ identifiers:
 references:
 stigid@rhel6: "000282"
 srg@rhel6: SRG-OS-999999
- cis: 6.1.10
+ cis@rhel7: 6.1.10
+ cis@rhel8: 6.1.10
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index e51cd7e1ea..2fe8c27da3 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -27,7 +27,8 @@ identifiers:
 references:
 disa@rhel6: '224'
- cis: 6.1.12
+ cis@rhel7: 6.1.12
+ cis@rhel8: 6.1.12
 disa: "02165"
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index f2fb1f2d20..a8bf12ff81 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
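Review bot: In the file_permissions_ungroupowned hunk the context line `disa: "02165"` sits directly under the new `cis@rhel8` key and is one digit shorter than `disa: "002165"` in the matching no_files_unowned_by_user hunk. Both rules carry the same `nist: CM-6(a),AC-6(1)` mapping, so this looks like a dropped zero rather than a different identifier, though the hunk alone cannot confirm which value is right. Since this commit is already correcting references in the block, either fix it here as `disa: "002165"` or note why the two values differ.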
@@ -27,7 +27,8 @@ identifiers:
 references:
 disa@rhel6: '224'
- cis: 6.1.11
+ cis@rhel7: 6.1.11
+ cis@rhel8: 6.1.11
 disa: "002165"
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
index 5ffa26b0f2..53301cbbf5 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000043"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.4
+ cis@rhel7: 6.1.4
+ cis@rhel8: 6.1.4
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index 6c770216f1..c2e12377ef 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000037"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.5
+ cis@rhel7: 6.1.5
+ cis@rhel8: 6.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
index ad9814e836..86e2e6c25c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000040"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.2
+ cis@rhel7: 6.1.2
+ cis@rhel8: 6.1.2
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index 5147551c0f..d8a9d04142 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000034"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.3
+ cis@rhel7: 6.1.3
+ cis@rhel8: 6.1.3
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
index 48cbe081be..ee0433c568 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
@@ -18,7 +18,8 @@ identifiers:
 references:
 stigid@rhel6: "000042"
 srg@rhel6: SRG-OS-999999
- cis: 6.1.4
+ cis@rhel7: 6.1.4
+ cis@rhel8: 6.1.4
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
index a1e65af70a..39f1b83381 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000036"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '366'
- cis: 6.1.5
+ cis@rhel7: 6.1.5
+ cis@rhel8: 6.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
index 9b5048001e..e19de1bba2 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
@@ -19,7 +19,8 @@ references:
 stigid@rhel6: "000039"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.2
+ cis@rhel7: 6.1.2
+ cis@rhel8: 6.1.2
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
index cf8e6e4a3e..989cb11c62 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -22,7 +22,8 @@ references:
 stigid@rhel6: "000033"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.3
+ cis@rhel7: 6.1.3
+ cis@rhel8: 6.1.3
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
index 8e5f39a13e..38ff43d62c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
@@ -20,7 +20,8 @@ references:
 stigid@rhel6: "000044"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.4
+ cis@rhel7: 6.1.4
+ cis@rhel8: 6.1.4
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index c8d8c8a73c..d1ed4475fb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -21,7 +21,8 @@ references:
 stigid@rhel6: "000038"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.5
+ cis@rhel7: 6.1.5
+ cis@rhel8: 6.1.5
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
 isa-62443-2013: 'SR 2.1,SR 5.2'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
index d72b5277f1..ac48885925 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
@@ -22,7 +22,8 @@ references:
 stigid@rhel6: "000041"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.2
+ cis@rhel7: 6.1.2
+ cis@rhel8: 6.1.2
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 7ec0b092f5..61f4fb6cce 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -24,7 +24,8 @@ references:
 stigid@rhel6: "000035"
 srg@rhel6: SRG-OS-999999
 disa@rhel6: '225'
- cis: 6.1.3
+ cis@rhel7: 6.1.3
+ cis@rhel8: 6.1.3
 cjis: 5.5.2.2
 nist: CM-6(a),AC-6(1)
 nist-csf: PR.AC-4,PR.DS-5
From b7f33f79e59d58cf6181e8fdb7879f40f54bb63a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 17 Mar 2020 15:56:17 +0100
Subject: [PATCH 2/2] Update references for rpm_verification rules
These rule checks whether permission and ownership of all installed files are according to what the vendor (package provider) expects. These rules can contribute to the for specific permissions and ownerships of specific files, granted the package is aligned with the rules.
---
 .../rpm_verification/rpm_verify_ownership/rule.yml | 3 ++-
 .../rpm_verification/rpm_verify_permissions/rule.yml | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml index 6c3c857442..1503836f75 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml @@ -35,7 +35,8 @@ references: nist-csf@rhel6: PR.DS-6,PR.DS-8 srg@rhel6: SRG-OS-000257,SRG-OS-000258 stigid@rhel6: "000279" - cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 + cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 + cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 cjis: 5.10.4.1 cui: 3.3.8,3.4.1 disa: 1494,1496 diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml index d6cc546921..1b3dd500b3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -41,7 +41,9 @@ references: nist-csf@rhel6: PR.DS-6,PR.IP-8 srg@rhel6: SRG-OS-999999,SRG-OS-000256 stigid@rhel6: "000518" - cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 + cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 + cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 + cjis: 5.10.4.1 cui: 3.3.8,3.4.1 disa: 1494,1496
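Review bot: The new `cis@rhel7`/`cis@rhel8` lists in the rpm_verify_ownership hunk (and the identical lists in the rpm_verify_permissions hunk after it) attach sections `6.1.2` to `6.1.9` to a check that, per the commit message, only compares installed files with what the package provider expects. A passing RPM verification would then be reported as evidence for those sections even where a file is not owned by any package or the package ships a mode looser than the benchmark asks for, which is the condition the commit message itself hedges with "granted the package is aligned with the rules". Add a comment above the keys such as `# rpm verification only supports these sections; the dedicated file_owner_*/file_groupowner_*/file_permissions_* rules are the authoritative checks`, or restrict the list to the section that is about package verification itself (presumably `6.1.1`). The removed line also carried `1.2.6` and `6.2.3`, which disappear without explanation.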
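Review bot: The header `@@ -41,7 +41,9 @@` of the rpm_verify_permissions hunk counts three added lines, but the commit message only accounts for the two `cis@…` keys; the third `+` appears immediately before `cjis: 5.10.4.1`. If it is an empty line, it is a stray blank inside `references:` that the parallel rpm_verify_ownership hunk does not have and should be dropped. If it instead adds `cjis: 5.10.4.1`, that is a new CJIS reference and belongs in the commit message alongside the CIS change.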