Remove unused section 3 controls for RHEL 8 CIS

ComplianceAsCode · Jan 24, 2024 · 8f140f6 · 8f140f6
1 parent 0065986
commit 8f140f6
Showing 1 changed file with 0 additions and 264 deletions.
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -1320,270 +1320,6 @@ controls:
     related_rules:
       - nftables_ensure_default_deny_policy
 
-  - id: 3.4.1.5
-    title: Ensure firewalld default zone is set (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    rules:
-      - set_firewalld_default_zone
-
-  - id: 3.4.1.6
-    title: Ensure network interfaces are assigned to appropriate zone (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-    rules:
-      - set_firewalld_appropriate_zone
-    related_rules:
-      - firewalld_sshd_port_enabled
-
-  - id: 3.4.1.7
-    title: Ensure firewalld drops unnecessary services and ports (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
-  - id: 3.4.2.1
-    title: Ensure nftables is installed (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    rules:
-      - package_nftables_installed
-
-  # NEEDS RULE
-  - id: 3.4.2.2
-    title: Ensure firewalld is either not installed or masked with nftables (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.2.3
-    title: Ensure iptables-services not installed with nftables (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    notes: <-
-      Already covered by requirement 3.4.1.2.
-    related_rules:
-      - package_iptables-services_removed
-
-  - id: 3.4.2.4
-    title: Ensure iptables are flushed with nftables (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
-  - id: 3.4.2.5
-    title: Ensure an nftables table exists (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: supported
-    notes:
-      RHEL systems use firewalld for firewall management. Although nftables is the default
-      back-end for firewalld, it is not recommended to use nftables directly when firewalld
-      is in use. firewalld uses the inet firewalld that is created when firewalld is installed.
-      The OVAL check cannot be automated but an SCE is availble.
-    rules:
-      - set_nftables_table
-      - var_nftables_family=inet
-      - var_nftables_table=firewalld
-
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5246
-  - id: 3.4.2.7
-    title: Ensure nftables loopback traffic is configured (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.2.8
-    title: Ensure nftables outbound and established connections are configured (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
-  - id: 3.4.2.9
-    title: Ensure nftables default deny firewall policy (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: supported
-    notes: |-
-      RHEL systems use firewalld for firewall management. Although nftables is the default
-      back-end for firewalld, it is not recommended to use nftables directly when firewalld
-      is in use.
-    related_rules:
-      - nftables_ensure_default_deny_policy
-
-  - id: 3.4.2.10
-    title: Ensure nftables service is enabled (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    notes: |-
-      nftables is actually the backend for firewalld but its service does not need to be running.
-      Otherwise, it will conflict with firewalld service. The preferred service to manage firewall
-      rules is firewalld.
-    status: automated
-    related_rules:
-      - service_nftables_enabled
-
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5250
-  - id: 3.4.2.11
-    title: Ensure nftables rules are permanent (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.3.1.1
-    title: Ensure iptables packages are installed (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    related_rules:
-      - package_iptables_installed
-      - package_iptables-services_installed
-
-  # NEEDS RULE
-  - id: 3.4.3.1.2
-    title: Ensure nftables is not installed with iptables (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  # NEEDS RULE
-  - id: 3.4.3.1.3
-    title: Ensure firewalld is either not installed or masked with iptables (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5253
-  - id: 3.4.3.2.1
-    title: Ensure iptables loopback traffic is configured (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.3.2.2
-    title: Ensure iptables outbound and established connections are configured (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
-  - id: 3.4.3.2.3
-    title: Ensure iptables rules exist for all open ports (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: partial
-    notes: |-
-      Currently the check is only available in SCE and an automated remediation is not expected.
-    rules:
-      - iptables_rules_for_open_ports
-
-  - id: 3.4.3.2.4
-    title: Ensure iptables default deny firewall policy (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    related_rules:
-      - set_iptables_default_rule
-
-  # NEEDS RULE
-  - id: 3.4.3.2.5
-    title: Ensure iptables rules are saved (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.3.2.6
-    title: Ensure iptables is enabled and active (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    related_rules:
-      - service_iptables_enabled
-
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5258
-  - id: 3.4.3.3.1
-    title: Ensure ip6tables loopback traffic is configured (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  - id: 3.4.3.3.2
-    title: Ensure ip6tables outbound and established connections are configured (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
-  - id: 3.4.3.3.3
-    title: Ensure ip6tables firewall rules exist for all open ports (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: partial
-    notes: |-
-      Currently the check is only available in SCE and an automated remediation is not expected.
-    rules:
-      - ip6tables_rules_for_open_ports
-
-  - id: 3.4.3.3.4
-    title: Ensure ip6tables default deny firewall policy (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    rules:
-      - set_ip6tables_default_rule
-
-  # NEEDS RULE
-  - id: 3.4.3.3.5
-    title: Ensure ip6tables rules are saved (Automated
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-
-  # NEEDS RULE
-  - id: 3.4.3.3.6
-    title: Ensure ip6tables is enabled and active (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: pending
-    related_rules:
-      - service_ip6tables_enabled
-      # This rule returns error in RHEL8 because the ip6tables service is not there.
-      # This requirement and respective rules should be reviewed.
-
   - id: 4.1.1.1
     title: Ensure auditd is installed (Automated)
     levels: