Merge pull request #10698 from marcusburghardt/cis_rhel7

Complete some CIS requirements for RHEL7
ComplianceAsCode · Jun 8, 2023 · 4710492 · 4710492
2 parents 3bd11d5 + 5b3d960
commit 4710492
Show file tree

Hide file tree

Showing 13 changed files with 119 additions and 59 deletions.
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -1026,23 +1026,25 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # missing rule
+ status: pending # missing rule
 
  - id: 3.5.1.3
  title: Ensure nftables either not installed or masked with firewalld (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: automated
+ rules:
+ - service_nftables_disabled
 
  - id: 3.5.1.4
  title: Ensure firewalld service enabled and running (Automated)
  levels:
  - l1_server
  - l1_workstation
- status: partial # only checking systemd service, not running "firewall-cmd --state"
+ status: automated
  rules:
- - service_firewalld_enabled
+  - service_firewalld_enabled
 
  - id: 3.5.1.5
  title: Ensure firewalld default zone is set (Automated)
@@ -1076,23 +1078,26 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- notes: <-
- CIS benchmark allows to choose from several firewall applications. This interpretation of the benchmark chose the Firewalld application and other subsections are not automated.
- automated: no # rule missing
+ status: supported
+ notes: |-
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ related_rules:
+ - package_nftables_installed
 
  - id: 3.5.2.2
  title: Ensure firewalld is either not installed or masked with nftables (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.2.3
  title: Ensure iptables-services not installed with nftables (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.2.4
  title: Ensure iptables are flushed with nftables (Manual)
@@ -1108,7 +1113,8 @@ controls:
  - l1_workstation
  status: supported
  notes: |-
- RHEL7 is not using nftables by default.
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
  related_rules:
  - set_nftables_table
  - var_nftables_family=inet
@@ -1119,14 +1125,31 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: supported
+ notes: |-
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ related_rules:
+ - set_nftables_base_chain
+ - var_nftables_table=firewalld
+ - var_nftables_family=inet
+ - var_nftables_base_chain_names=chain_names
+ - var_nftables_base_chain_types=chain_types
+ - var_nftables_base_chain_hooks=chain_hooks
+ - var_nftables_base_chain_priorities=chain_priorities
+ - var_nftables_base_chain_policies=chain_policies
 
  - id: 3.5.2.7
  title: Ensure nftables loopback traffic is configured (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: supported
+ notes: |-
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ related_rules:
+ - set_nftables_loopback_traffic
 
  - id: 3.5.2.8
  title: Ensure nftables outbound and established connections are configured (Manual)
@@ -1142,18 +1165,20 @@ controls:
  - l1_workstation
  status: supported
  notes: |-
- RHEL7 is not using nftables by default.
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ related_rules:
+ - nftables_ensure_default_deny_policy
 
  - id: 3.5.2.10
  title: Ensure nftables service is enabled (Automated)
  levels:
  - l1_server
  - l1_workstation
  notes: |-
- nftables can be a backend for firewalld but its service does not need to be running.
- Otherwise, it will conflict with firewalld service. The preferred service to manage firewall
- rules is firewalld. In addition, the default backend in RHEL7 is iptables.
- status: automated
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ status: supported
  related_rules:
  - service_nftables_enabled
 
@@ -1162,39 +1187,47 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ notes: |-
+ RHEL systems use firewalld for firewall management. The back-end for firewalld in RHEL7 is
+ iptables. nftables is supported in RHEL7 but is not expected by default.
+ status: supported
+ related_rules:
+ - var_nftables_master_config_file=sysconfig
+ - nftables_rules_permanent
 
  - id: 3.5.3.1.1
  title: Ensure iptables packages are installed (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no
+ status: automated
  notes: <-
- CIS benchmark allows to choose from several firewall applications. This interpretation of the benchmark chose the Firewalld application and other subsections are not automated.
+ Already covered by requirement 3.5.1.1.
  related_rules:
- - package_iptables_installed
+  - package_iptables_installed
 
  - id: 3.5.3.1.2
  title: Ensure nftables is not installed with iptables (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: automated
+ rules:
+ - package_nftables_removed
 
  - id: 3.5.3.1.3
  title: Ensure firewalld is either not installed or masked with iptables
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.3.2.1
  title: Ensure iptables loopback traffic is configured (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.3.2.2
  title: Ensure iptables outbound and established connections are configured (Manual)
@@ -1228,14 +1261,14 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.3.2.6
  title: Ensure iptables is enabled and running (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no
+ status: pending
  related_rules:
  - service_iptables_enabled
 
@@ -1244,7 +1277,7 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.3.3.2
  title: Ensure ip6tables outbound and established connections are configured (Manual)
@@ -1278,14 +1311,14 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # rule missing
+ status: pending # rule missing
 
  - id: 3.5.3.3.6
  title: Ensure ip6tables is enabled and running (Automated)
  levels:
  - l1_server
  - l1_workstation
- automated: no
+ status: pending
  related_rules:
  - service_ip6tables_enabled
 
@@ -1294,9 +1327,10 @@ controls:
  levels:
  - l2_server
  - l2_workstation
- status: partial # we do not check for audit-libs package
+ status: automated
  rules:
- - package_audit_installed
+ - package_audit_installed
+ - package_audit-libs_installed
 
  - id: 4.1.1.2
  title: Ensure auditd service is enabled and running (Automated)
@@ -1503,7 +1537,9 @@ controls:
  levels:
  - l2_server
  - l2_workstation
- automated: no # missing rule
+ status: automated
+ rules:
+ - audit_rules_suid_privilege_function
 
  - id: 4.1.16
  title: Ensure kernel module loading and unloading is collected (Automated)
@@ -2006,7 +2042,12 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- automated: no # we can check only certain parts, we need probably some complex rule for this
+ status: automated
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=5
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=900
 
  - id: 5.4.3
  title: Ensure password hashing algorithm is SHA-512 (Automated)
@@ -2041,20 +2082,22 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- status: partial # missing rule for checking of /etc/shadow
+ status: automated
  rules:
- - accounts_maximum_age_login_defs
- - var_accounts_maximum_age_login_defs=365
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
 
  - id: 5.5.1.2
  title: Ensure minimum days between password changes is configured (Automated)
  levels:
  - l1_server
  - l1_workstation
- status: partial # missing rule for checking of /etc/shadow
+ status: automated
  rules:
- - accounts_minimum_age_login_defs
- - var_accounts_minimum_age_login_defs=1
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=1
+ - accounts_password_set_min_life_existing
 
  - id: 5.5.1.3
  title: Ensure password expiration warning days is 7 or more (Automated)
@@ -2092,9 +2135,10 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- status: partial # missing rule for locking of accounts
+ status: automated
  rules:
- - no_shelllogin_for_systemaccounts
+ - no_password_auth_for_systemaccounts
+ - no_shelllogin_for_systemaccounts
 
  - id: 5.5.3
  title: Ensure default group for the root account is GID 0 (Automated)
@@ -2110,10 +2154,14 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- status: partial # we check only for value of tmout variable, no export or readonly and we do not check /etc/bashrc
+ status: partial
+ notes: |-
+ The OVAL properly checks the variable but not if it is exported and readonly.
+ The Bash remediation ensures it is exported and readonly. OVAL and Ansible remediation
+ need to be incremented for CIS.
  rules:
- - accounts_tmout
- - var_accounts_tmout=15_min
+  - accounts_tmout
+  - var_accounts_tmout=15_min
 
  - id: 5.5.5
  title: Ensure default user umask is configured (Automated)
@@ -2139,9 +2187,14 @@ controls:
  levels:
  - l1_server
  - l1_workstation
- status: partial # we check only for usage of use_uid with pam_su, not for the group
+ status: automated
+ notes: |-
+ Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
+ pam_wheel.so module. The recommendation states the group should be empty to reinforce the
+ use of "sudo" for privileged access. Therefore, members of these groups should be manually
+ checked or a different group should be informed.
  rules:
- - use_pam_wheel_for_su
+  - use_pam_wheel_for_su
 
  - id: 6.1.1
  title: Audit system file permissions (Manual)

diff --git a/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -32,7 +32,7 @@ identifiers:
 references:
  anssi: BP28(R18)
  cis-csc: 1,12,15,16
- cis@rhel7: 5.3.2
+ cis@rhel7: 5.4.2
  cis@rhel8: 5.4.2,5.5.2
  cis@rhel9: 5.4.2,5.5.2
  cis@ubuntu2204: 5.4.2

diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -32,7 +32,7 @@ identifiers:
 references:
  anssi: BP28(R18)
  cis-csc: 1,12,15,16
- cis@rhel7: 5.3.2
+ cis@rhel7: 5.4.2
  cis@rhel8: 5.5.2
  cis@rhel9: 5.5.2
  cis@ubuntu2204: 5.4.2

diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 
 references:
  cis@alinux3: 5.6.1.1
+ cis@rhel7: 5.5.1.1
  cis@rhel8: 5.6.1.1
  cis@rhel9: 5.6.1.1
  cis@sle12: 5.4.1.2

diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 
 references:
  cis@alinux3: 5.6.1.2
+ cis@rhel7: 5.5.1.2
  cis@rhel8: 5.6.1.2
  cis@rhel9: 5.6.1.2
  cis@sle12: 5.4.1.3

diff --git a/...m/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml b/...m/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml
@@ -23,6 +23,7 @@ identifiers:
  cce@rhel9: CCE-86113-8
 
 references:
+ cis@rhel7: 5.5.2
  cis@rhel8: 5.6.2
  cis@rhel9: 5.6.2
  nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
@@ -24,4 +24,6 @@ done
 if [ $tmout_found -eq 0 ]; then
  echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh
  echo "declare -xr TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh
+ echo "readonly TMOUT" >> /etc/profile.d/tmout.sh
+ echo "export TMOUT" >> /etc/profile.d/tmout.sh
 fi