Introduce CIS RHEL9 profiles #10091
Conversation
This controlfile was based on cis_rhel8 to optimize efforts and then reviewed to reflect the v1.0.0 version of CIS for RHEL9.
Many pending requirements could be satisfied by existing rules. Some rules are relatively new, but there were also cases of new CIS RHEL9 requirements which were already included in other benchmarks and consequently have a rule in the project.
The profiles are no longer Drafts.
I have not finished my review, but can you please add a CODEOWNERS entry for this new control file?
Sure. Done in the last commit.
Please take a look at the output from
Some special rules were not included in previous commits. Also, some missing references were identified by utils/refchecker.py script
This rule should satisfy the requirement. However, it is reporting an error during the tests and will be included later to keep the profile as stable as possible.
In RHEL9, the path for grub2 files was unified. Now everything is in /boot/grub2. The rules specific to UEFI were moved to related_rules just for reference.
Thanks for the PR! This is going to be a great addition to the project.
I am working on getting PR out for a script that checks for control id vs. rule reference discrepancies. But for the time being, I will place the output of it here:
sudo_require_reauthentication cis@rhel9 5.3.6 does not match the control id 5.3.5
set_password_hashing_algorithm_systemauth cis@rhel9 5.4.4 does not match the control id 5.5.4
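The check described in the comment above, as an added example that is not the project's utils/refchecker.py nor the reviewer's script: it cross-checks the control ids in a control file against the `cis@rhel9` reference each selected rule declares, and reports lines in the same shape as the output quoted above. The control-file and rule-reference structures are simplified, constructed stand-ins for the ComplianceAsCode YAML files (assumed layout: each control has an `id` and a `rules` list; each rule.yml has a `references` mapping whose `cis@<product>` value may be a comma-separated list), fed in as already-parsed dicts so the script runs without PyYAML.

```python
"""Cross-check control ids in a CIS control file against the cis@rhel9
references declared by the rules it selects.

Added example; not the project's own refchecker. Input layouts and all
sample values are constructed for illustration.
"""
from typing import Dict, List, Set

# Constructed stand-in for a parsed controls/cis_rhel9.yml (assumed layout).
CONTROL_FILE = {
    "id": "cis_rhel9",
    "controls": [
        {"id": "5.3.5", "rules": ["sudo_require_reauthentication"]},
        {"id": "5.3.6", "rules": ["sudo_custom_logfile"]},
        {"id": "5.5.4", "rules": ["set_password_hashing_algorithm_systemauth",
                                   "set_password_hashing_algorithm_logindefs"]},
        {"id": "6.2.1", "rules": ["accounts_password_all_shadowed"]},
    ],
}

# Constructed stand-in for the `references:` block of several rule.yml files.
# The deliberate mistakes reproduce the two discrepancies reported in the review.
RULE_REFERENCES = {
    "sudo_require_reauthentication": {"cis@rhel9": "5.3.6"},          # should be 5.3.5
    "sudo_custom_logfile": {"cis@rhel9": "5.3.6"},                    # correct
    "set_password_hashing_algorithm_systemauth": {"cis@rhel9": "5.4.4"},  # should be 5.5.4
    "set_password_hashing_algorithm_logindefs": {"cis@rhel9": "5.5.4,5.4.4"},  # extra id
    "accounts_password_all_shadowed": {},                              # reference missing
    "constructed_unselected_rule": {"cis@rhel9": "9.9.9"},            # not in any control
}

REF_KEY = "cis@rhel9"


def control_ids_by_rule(control_file: dict) -> Dict[str, Set[str]]:
    """Map each rule name to the set of control ids that select it
    (a rule may legitimately be selected by more than one control)."""
    mapping: Dict[str, Set[str]] = {}
    for control in control_file["controls"]:
        for rule in control.get("rules", []):
            mapping.setdefault(rule, set()).add(control["id"])
    return mapping


def reference_ids(references: dict, key: str) -> Set[str]:
    """Split a possibly comma-separated reference value into a set of ids."""
    value = references.get(key, "")
    return {part.strip() for part in value.split(",") if part.strip()}


def find_discrepancies(control_file: dict, rule_refs: dict, key: str) -> List[str]:
    """Return one message per rule whose declared reference disagrees with
    the control file: wrong/extra ids, a missing reference, or a reference
    on a rule no control selects (often a misspelled rule name)."""
    expected = control_ids_by_rule(control_file)
    profile = control_file["id"]
    messages: List[str] = []
    for rule in sorted(set(expected) | set(rule_refs)):
        declared = reference_ids(rule_refs.get(rule, {}), key)
        wanted = expected.get(rule, set())
        if declared == wanted:
            continue
        declared_txt = ",".join(sorted(declared))
        wanted_txt = ",".join(sorted(wanted))
        if not wanted:
            messages.append(f"{rule} {key} {declared_txt} is not selected by any {profile} control")
        elif not declared:
            messages.append(f"{rule} has no {key} reference but is selected by control id {wanted_txt}")
        else:
            messages.append(f"{rule} {key} {declared_txt} does not match the control id {wanted_txt}")
    return messages


if __name__ == "__main__":
    for line in find_discrepancies(CONTROL_FILE, RULE_REFERENCES, REF_KEY):
        print(line)
```

Against the constructed input this reports five lines, two of which are exactly the ones quoted in the review comment; a run over real content would load the control file and each rule.yml with a YAML parser and pass the resulting dicts to `find_discrepancies`.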
linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
...counts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
…ion/rule.yml Co-authored-by: Matthew Burket <m@tthewburket.com>
…ng_algorithm/set_password_hashing_algorithm_systemauth/rule.yml Co-authored-by: Matthew Burket <m@tthewburket.com>
Thanks for the detailed review @Mab879 . I believe everything is adjusted now.
Code Climate has analyzed commit fa29174 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.7% (0.0% change). View more on Code Climate.
Thanks for fixing those last issues. LGTM.
Description:
CIS released the CIS Red Hat Enterprise Linux 9 Benchmark v1.0.0 on 2022-11-28. As an outcome of the Benchmark review, the CIS RHEL9 controlfile was created, the proper CIS reference was included in all relevant rules and the final CIS RHEL9 profiles were updated from Draft to the final version. Some rules, besides the CIS RHEL9 reference, might have RHEL CCEs included and the prodtype incremented.
Rationale:
Final version of CIS RHEL9 profiles.
Review Hints:
The PR is mostly about reference inclusions. However, it was split into some commits aligned to the CIS Benchmark sections.