diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 0bc2dafa8bf..ade24882f50 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -731,7 +731,7 @@ controls: - l1_server - l1_workstation status: automated - related_rules: + rules: - package_chrony_installed - id: 2.1.2 
@@ -742,234 +742,291 @@ controls: status: automated rules: - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - var_multiple_time_servers=rhel - - id: 2.2.1 - title: Ensure xinetd is not installed (Automated) + - id: 2.1.3 + title: Ensure chrony is not run as the root user (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_xinetd_removed + - chronyd_run_as_chrony_user - - id: 2.2.2 - title: Ensure xorg-x11-server-common is not installed (Automated) + - id: 2.2.1 + title: Ensure autofs services are not in use (Automated) levels: - l1_server + - l2_workstation status: automated rules: - - package_xorg-x11-server-common_removed + - service_autofs_disabled - - id: 2.2.3 - title: Ensure Avahi Server is not installed (Automated) + - id: 2.2.2 + title: Ensure avahi daemon services are not in use (Automated) levels: - l1_server - l2_workstation status: automated rules: - package_avahi_removed - - package_avahi-autoipd_removed related_rules: - service_avahi-daemon_disabled + - id: 2.2.3 + title: Ensure dhcp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_dhcp_removed + related_rules: + - service_dhcpd_disabled + - id: 2.2.4 - title: Ensure CUPS is not installed (Automated) + title: Ensure dns server services are not in use (Automated) levels: - l1_server + - l1_workstation status: automated rules: - - package_cups_removed + - package_bind_removed related_rules: - - service_cups_disabled + - service_named_disabled - id: 2.2.5 - title: Ensure DHCP Server is not installed (Automated) + title: Ensure dnsmasq services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_dhcp_removed - related_rules: - - service_dhcpd_disabled + - package_dnsmasq_removed - id: 2.2.6 - title: Ensure DNS Server is not installed (Automated) + title: Ensure samba file server services are not in use (Automated) levels: - l1_server 
- l1_workstation status: automated rules: - - package_bind_removed + - package_samba_removed related_rules: - - service_named_disabled + - service_smb_disabled - # NEEDS RULE - id: 2.2.7 - title: Ensure FTP Server is not installed (Automated) + title: Ensure ftp server services are not in use (Automated) levels: - l1_server - l1_workstation - status: planned + status: automated + rules: + - package_vsftpd_removed related_rules: - service_vsftpd_disabled - id: 2.2.8 - title: Ensure VSFTP Server is not installed (Automated) + title: Ensure message access server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_vsftpd_removed + - package_dovecot_removed + - package_cyrus-imapd_removed + related_rules: + - service_dovecot_disabled + # new rule would be nice to disable cyrus-imapd service - id: 2.2.9 - title: Ensure TFTP Server is not installed (Automated) + title: Ensure network file system services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_tftp-server_removed + - service_nfs_disabled + related_rules: + - package_nfs-utils_removed + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization are + dependent on the nfs-utils package. 
- id: 2.2.10 - title: Ensure a web server is not installed (Automated) + title: Ensure nis server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_httpd_removed - - package_nginx_removed + - package_ypserv_removed + related_rules: + - service_ypserv_disabled - id: 2.2.11 - title: Ensure IMAP and POP3 server is not installed (Automated) + title: Ensure print server services are not in use (Automated) levels: - l1_server - - l1_workstation status: automated rules: - - package_dovecot_removed - - package_cyrus-imapd_removed + - package_cups_removed + related_rules: + - service_cups_disabled - id: 2.2.12 - title: Ensure Samba is not installed (Automated) + title: Ensure rpcbind services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_samba_removed + - service_rpcbind_disabled + related_rules: + - package_rpcbind_removed + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization, and + the nfs-utils + package used for The Network File System (NFS), are dependent on the rpcbind + package. 
- id: 2.2.13 - title: Ensure HTTP Proxy Server is not installed (Automated) + title: Ensure rsync services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_squid_removed + - package_rsync_removed + related_rules: + - service_rsyncd_disabled - id: 2.2.14 - title: Ensure net-snmp is not installed (Automated) + title: Ensure snmp services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - package_net-snmp_removed + related_rules: + - service_snmpd_disabled - id: 2.2.15 - title: Ensure NIS server is not installed (Automated) + title: Ensure telnet server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_ypserv_removed + - package_telnet-server_removed + related_rules: + - service_telnet_disabled - id: 2.2.16 - title: Ensure telnet-server is not installed (Automated) + title: Ensure tftp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_telnet-server_removed + - package_tftp-server_removed + related_rules: + - service_tftp_disabled - id: 2.2.17 - title: Ensure mail transfer agent is configured for local-only mode (Automated) + title: Ensure web proxy server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - postfix_network_listening_disabled - - var_postfix_inet_interfaces=loopback-only - - has_nonlocal_mta + - package_squid_removed + related_rules: + - service_squid_disabled - id: 2.2.18 - title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) + title: Ensure web server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_nfs_disabled + - package_httpd_removed + - package_nginx_removed related_rules: - - package_nfs-utils_removed - # The nfs-utils package is required for systems with GUI or by some libvirt packages 
+ - service_httpd_disabled + # rule would be nice to disable nginx service - id: 2.2.19 - title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated) + title: Ensure xinetd services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_rpcbind_disabled + - package_xinetd_removed related_rules: - - package_rpcbind_removed + - service_xinetd_disabled - id: 2.2.20 - title: Ensure rsync is not installed or the rsyncd service is masked (Automated) + title: Ensure X window server services are not in use (Automated) + levels: + - l2_server + status: automated + notes: >- + The rule also configures correct run level to prevent unbootable system. + rules: + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target + + - id: 2.2.21 + title: Ensure mail transfer agents are configured for local-only mode (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + The rule has_nonlocal_mta currently checks for services listening only on + port 25, but the policy checks also for ports 465 and 587 rules: - - package_rsync_removed - related_rules: - - service_rsyncd_disabled + - postfix_network_listening_disabled + - var_postfix_inet_interfaces=loopback-only + - has_nonlocal_mta + + - id: 2.2.22 + title: Ensure only approved services are listening on a network interface (Manual) + levels: + - l1_server + - l1_workstation + status: manual - id: 2.3.1 - title: Ensure NIS Client is not installed (Automated) + title: Ensure ftp client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_ypbind_removed + - package_ftp_removed - id: 2.3.2 - title: Ensure rsh client is not installed (Automated) + title: Ensure LDAP client is not installed (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - package_rsh_removed + - package_openldap-clients_removed - id: 
2.3.3 - title: Ensure talk client is not installed (Automated) + title: Ensure NIS Client is not installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_talk_removed + - package_ypbind_removed - id: 2.3.4 title: Ensure telnet client is not installed (Automated) @@ -981,16 +1038,7 @@ controls: - package_telnet_removed - id: 2.3.5 - title: Ensure LDAP client is not installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_openldap-clients_removed - - - id: 2.3.6 - title: Ensure TFTP client is not installed (Automated) + title: Ensure tftp client is not installed (Automated) levels: - l1_server - l1_workstation @@ -998,13 +1046,6 @@ controls: rules: - package_tftp_removed - - id: 2.4 - title: Ensure nonessential services are removed or masked (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - id: 3.1.1 title: Verify if IPv6 is enabled on the system (Manual) levels: diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml index d7cd8aa03f5..b052b71e3fd 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml @@ -25,7 +25,6 @@ identifiers: references: cis-csc: 11,14,3,9 - cis@rhel8: 2.2.3 cis@rhel9: 2.2.2 cis@sle12: 2.2.3 cis@sle15: 2.2.3 diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml index 22efc987eb9..90199c30f28 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml 
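Review bot: Control 2.2.2 (avahi) keeps `package_avahi_removed` but drops `package_avahi-autoipd_removed` from its rule list, and the package_avahi-autoipd_removed hunk further down deletes that rule's `cis@rhel8: 2.2.3` reference without a replacement, so the RHEL8 control no longer covers the avahi-autoipd package; if the renumbered benchmark item only names the avahi daemon that is correct, otherwise keep the rule under `related_rules:` so the coverage is not silently lost. Control 2.2.5 now points at `package_dnsmasq_removed`, and that rule's hunk only adds `cce@rhel8`/`cis@rhel8` lines without touching `prodtype` (unlike `package_ftp_removed`, whose hunk adds `rhel8` to `prodtype`), so it is worth confirming the dnsmasq rule's `prodtype` already includes `rhel8` before the RHEL8 control references it. The `notes` for 2.2.12 uses a `|-` literal block, so the hand-wrapped break after `the nfs-utils` is preserved and the rendered note reads as a ragged fragment; the folded form already used for 2.2.20, `notes: >-`, or re-wrapping the text to full lines would fix it. In 2.2.20 `notes` is placed before `rules`, while every other control in this hunk lists `notes` after `rules`/`related_rules`; the order carries no meaning, but keeping it uniform helps diffability. The `controls:` sequence this hunk edits begins before and continues after the hunk.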
@@ -26,7 +26,7 @@ identifiers: references: cis-csc: 11,14,3,9 cis@rhel7: 2.2.2 - cis@rhel8: 2.2.3 + cis@rhel8: 2.2.2 cis@rhel9: 2.2.2 cis@sle12: 2.2.3 cis@sle15: 2.2.3 diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml index a910807fddb..0fc4cc53ddd 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml @@ -26,6 +26,7 @@ references: cis-csc: 11,14,3,9 cis@alinux2: 2.1.3 cis@alinux3: 2.2.4 + cis@rhel8: 2.2.2 cis@sle12: 2.2.3 cis@sle15: 2.2.3 cis@ubuntu2004: 2.2.3 diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml index d1922acfa30..61f2684e081 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml @@ -32,7 +32,7 @@ references: anssi: BP28(R1) cis-csc: 11,14,3,9 cis@rhel7: 2.2.3 - cis@rhel8: 2.2.5 + cis@rhel8: 2.2.3 cis@rhel9: 2.2.4 cis@sle12: 2.2.5 cis@sle15: 2.2.5 diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml index 9e796c7fb74..7d8d75e0722 100644 --- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml @@ -28,7 +28,7 @@ references: cis@alinux2: 2.1.5 cis@alinux3: 2.2.15 cis@rhel7: 2.2.5 - cis@rhel8: 2.2.5 + cis@rhel8: 2.2.3 cis@sle12: 2.2.5 cis@sle15: 2.2.5 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 
diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml index f605572e827..eaa5a9f133b 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml @@ -25,7 +25,7 @@ references: ccn@rhel9: A.8.SEC-RHEL4 cis-csc: 11,14,3,9 cis@rhel7: 2.2.4 - cis@rhel8: 2.2.6 + cis@rhel8: 2.2.4 cis@rhel9: 2.2.5 cis@sle12: 2.2.9 cis@sle15: 2.2.9 diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml index 0736c2943c9..be69445d43a 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml @@ -25,7 +25,7 @@ references: cis@alinux2: 2.1.8 cis@alinux3: 2.2.11 cis@rhel7: 2.2.4 - cis@rhel8: 2.2.6 + cis@rhel8: 2.2.4 cis@sle12: 2.2.9 cis@sle15: 2.2.9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml index 77801e00a98..9c58ea7737c 100644 --- a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml +++ b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml @@ -19,10 +19,12 @@ severity: low identifiers: cce@rhel7: CCE-90761-8 + cce@rhel8: CCE-90746-9 cce@rhel9: CCE-86063-5 references: cis@rhel7: 2.2.5 + cis@rhel8: 2.2.5 cis@rhel9: 2.2.14 {{{ complete_ocil_entry_package(package="dnsmasq") }}} diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index 1b1bbd837a6..77c48be448a 100644 
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -23,7 +23,7 @@ references: ccn@rhel9: A.8.SEC-RHEL4 cis-csc: 11,14,3,9 cis@rhel7: 2.2.7 - cis@rhel8: 2.2.8 + cis@rhel8: 2.2.7 cis@rhel9: 2.2.6 cis@sle12: 2.2.10 cis@sle15: 2.2.10 diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml index 5582713f136..878abf5c300 100644 --- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml +++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml @@ -1,6 +1,7 @@ documentation_complete: true -prodtype: rhel7,rhel9 + +prodtype: rhel7,rhel8,rhel9 title: 'Remove ftp Package' @@ -21,10 +22,12 @@ severity: low identifiers: cce@rhel7: CCE-90757-6 + cce@rhel8: CCE-90745-1 cce@rhel9: CCE-86075-9 references: cis@rhel7: 2.3.1 + cis@rhel8: 2.3.1 cis@rhel9: 2.3.4 pcidss4: '2.2.4' diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml index 8b55c5c1d91..0ebff2a3437 100644 --- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml @@ -27,7 +27,7 @@ identifiers: references: cis-csc: 11,14,3,9 cis@rhel7: 2.2.18 - cis@rhel8: 2.2.10 + cis@rhel8: 2.2.18 cis@rhel9: 2.2.8 cis@sle12: 2.2.11 cis@sle15: 2.2.11 diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml index 6203eedd98e..d8815ce82d4 100644 --- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml 
@@ -25,6 +25,7 @@ references: cis@alinux2: 2.1.10 cis@alinux3: 2.2.9 cis@rhel7: 2.2.18 + cis@rhel8: 2.2.18 cis@sle12: 2.2.11 cis@sle15: 2.2.11 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml index c0257e0d7e5..9b04c5dda39 100644 --- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml @@ -20,7 +20,7 @@ identifiers: references: cis@rhel7: 2.2.18 - cis@rhel8: 2.2.10 + cis@rhel8: 2.2.18 cis@rhel9: 2.2.8 cis@ubuntu2004: 2.2.10 cis@ubuntu2204: 2.2.9 diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml index e8adc86e7b9..5dd46897b5b 100644 --- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml @@ -21,7 +21,7 @@ identifiers: references: ccn@rhel9: A.8.SEC-RHEL4 cis@rhel7: 2.2.8 - cis@rhel8: 2.2.11 + cis@rhel8: 2.2.8 cis@rhel9: 2.2.9 cis@ubuntu2004: 2.2.11 cis@ubuntu2204: 2.2.10 diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml index 51316a5145c..33d32f02129 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml @@ -28,7 +28,7 @@ references: ccn@rhel9: A.8.SEC-RHEL4 cis@alinux2: 2.1.11 cis@rhel7: 2.2.8 - cis@rhel8: 2.2.11 + cis@rhel8: 2.2.8 cis@rhel9: 2.2.9 cis@sle12: 2.2.12 cis@sle15: 2.2.12 
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml index 19ea139312d..60d948a1730 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml @@ -23,6 +23,7 @@ identifiers: references: cis@alinux3: 2.2.8 cis@rhel7: 2.2.8 + cis@rhel8: 2.2.8 cis@sle12: 2.2.12 cis@sle15: 2.2.12 diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml index 458e2887f55..c63d7cf8e0b 100644 --- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml @@ -35,7 +35,7 @@ references: cis@alinux2: 2.2.5 cis@alinux3: 2.3.3 cis@rhel7: 2.3.2 - cis@rhel8: 2.3.5 + cis@rhel8: 2.3.2 cis@rhel9: 2.3.2 cis@sle12: 2.3.5 cis@sle15: 2.3.5 diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml index 609a3ea3cd0..2b426df4d67 100644 --- a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml +++ b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml @@ -26,7 +26,7 @@ identifiers: references: cis@rhel7: 2.2.21 - cis@rhel8: 2.2.17 + cis@rhel8: 2.2.21 cis@rhel9: 2.2.15 cis@ubuntu2004: 2.2.15 cis@ubuntu2204: 2.2.15 diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml index 543afbf92c8..62c1e6c121a 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml 
@@ -29,7 +29,7 @@ references: cis@alinux2: 2.1.15 cis@alinux3: 2.2.18 cis@rhel7: 2.2.21 - cis@rhel8: 2.2.17 + cis@rhel8: 2.2.21 cis@rhel9: 2.2.15 cis@sle12: 2.2.16 cis@sle15: 2.2.16 diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml index 5ea45e84a32..d0f852b2fad 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml @@ -28,7 +28,7 @@ identifiers: references: cis@rhel7: 2.2.12 - cis@rhel8: 2.2.19 + cis@rhel8: 2.2.12 cis@rhel9: 2.2.17 cis@sle12: 2.2.8 cis@sle15: 2.2.8 diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml index 10bf2a33ecc..a6de545df38 100644 --- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml @@ -30,7 +30,7 @@ references: cis@alinux2: 2.1.7 cis@alinux3: 2.2.13 cis@rhel7: 2.2.12 - cis@rhel8: 2.2.19 + cis@rhel8: 2.2.12 cis@rhel9: 2.2.17 cis@sle12: 2.2.8 cis@sle15: 2.2.8 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml index b149b94505f..00facd75abe 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml 
@@ -26,7 +26,7 @@ references: cis@alinux2: 2.1.7 cis@alinux3: 2.2.12 cis@rhel7: 2.2.9 - cis@rhel8: 2.2.18 + cis@rhel8: 2.2.9 cis@rhel9: 2.2.16 cis@sle12: 2.2.7 cis@sle15: 2.2.7 diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml index df12f760844..2ac4b293ff1 100644 --- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml @@ -24,8 +24,9 @@ identifiers: cce@sle15: CCE-91284-0 references: + cis@rhel7: 2.2.9 - cis@rhel8: 2.2.18 + cis@rhel8: 2.2.9 cis@rhel9: 2.2.16 cis@sle12: 2.2.7 cis@sle15: 2.2.7 diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml index edb0bfec5c7..c1b549e8164 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml @@ -50,7 +50,7 @@ references: cis@alinux2: 2.1.1.3 cis@alinux3: 2.2.1.2 cis@rhel7: 2.1.3 - cis@rhel8: 2.1.2 + cis@rhel8: 2.1.3 cis@rhel9: 2.1.2 cis@sle12: 2.2.1.3 cis@sle15: 2.2.1.3 diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml index b9e56aabd71..4eab5583b03 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 11,12,14,15,3,8,9 cis@alinux3: 2.1.1 cis@rhel7: 2.2.19 - cis@rhel8: 2.2.1 + cis@rhel8: 2.2.19 cis@sle12: 2.1.1 cis@sle15: 2.1.1 cis@ubuntu2004: 2.1.1 
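Review bot: The package_nfs-utils_removed hunk adds `cis@rhel7: 2.2.9`, a RHEL7 reference introduced in a change that otherwise only renumbers `cis@rhel8` mappings; it matches the `cis@rhel7: 2.2.9` that service_nfs_disabled already carries in the preceding hunk, so it reads as a deliberate gap fill, but it deserves a mention in the commit message so the RHEL7 control file is checked for the same pairing. Nothing else in these reference-only hunks changes behavior.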
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml index ce3bb492266..cc6cd8a5d50 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml @@ -26,7 +26,7 @@ identifiers: references: cis-csc: 11,12,14,15,3,8,9 cis@rhel7: 2.2.19 - cis@rhel8: 2.1.7 + cis@rhel8: 2.2.19 cis@sle12: 2.1.1 cis@sle15: 2.1.1 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index f4672fd8f70..77fc0121826 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -31,7 +31,7 @@ references: cis@alinux2: 2.2.1 cis@alinux3: 2.3.1 cis@rhel7: 2.3.3 - cis@rhel8: 2.3.1 + cis@rhel8: 2.3.3 cis@sle12: 2.3.1 cis@sle15: 2.3.1 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index 51c52df85d4..ca3ed7d4a4b 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -28,7 +28,7 @@ references: anssi: BP28(R1) cis-csc: 11,12,14,15,3,8,9 cis@rhel7: 2.2.10 - cis@rhel8: 2.2.15 + cis@rhel8: 2.2.10 cis@sle12: 2.2.18 cis@sle15: 2.2.18 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 
diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml index c57df6c4337..14b9e0623a9 100644 --- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml @@ -25,6 +25,7 @@ references: cis@alinux2: 2.1.16 cis@alinux3: 2.2.17 cis@rhel7: 2.2.10 + cis@rhel8: 2.2.10 ocil_clause: |- {{{ ocil_clause_service_disabled(service="ypserv") }}} diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml index aac3d1c264e..416c066fa44 100644 --- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml +++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml @@ -29,7 +29,7 @@ identifiers: references: cis@rhel7: 2.2.13 - cis@rhel8: 2.2.20 + cis@rhel8: 2.2.13 cis@rhel9: 2.2.18 cis@sle12: 2.2.17 cis@sle15: 2.2.17 diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index 26962ea4b3d..48d5209db42 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -36,7 +36,6 @@ identifiers: references: anssi: BP28(R1) cis@alinux2: 2.2.2 - cis@rhel8: 2.3.2 cis@sle12: 2.3.2 cis@sle15: 2.3.2 cis@ubuntu2004: 2.3.2 diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml index a2a929a76f2..5317336c3f9 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml 
@@ -26,7 +26,7 @@ references:
 cis@alinux2: 2.1.20
 cis@alinux3: 2.2.3
 cis@rhel7: 2.2.13
- cis@rhel8: 2.2.20
+ cis@rhel8: 2.2.13
 cis@rhel9: 2.2.18
 cis@sle12: 2.2.17
 cis@sle15: 2.2.17
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 283bf6b378c..a7473398c21 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -28,7 +28,6 @@ identifiers:
 references:
 anssi: BP28(R1)
 cis@alinux2: 2.2.3
- cis@rhel8: 2.3.3
 cis@sle12: 2.3.3
 cis@sle15: 2.3.3
 cis@ubuntu2004: 2.3.3
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index bba0c3e05cc..951ddf6c88c 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -36,7 +36,7 @@ references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 2.2.15
- cis@rhel8: 2.2.16
+ cis@rhel8: 2.2.15
 cis@rhel9: 2.2.13
 cis@sle12: 2.2.19
 cis@sle15: 2.2.19
diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
index 02e3b3881da..47468a259d0 100644
--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
@@ -26,6 +26,7 @@ references:
 cis-csc: 1,11,12,14,15,16,3,5,8,9
 cis@alinux2: 2.1.18
 cis@rhel7: 2.2.15
+ cis@rhel8: 2.2.15
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
 cui: 3.1.13,3.4.7
 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index ddb2eb11ac5..a23a1f25d44 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -29,7 +29,7 @@ references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 2.2.16
- cis@rhel8: 2.2.9
+ cis@rhel8: 2.2.16
 cis@rhel9: 2.2.7
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 9de8850e85b..842dc58a9c3 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -27,7 +27,7 @@ identifiers:
 references:
 anssi: BP28(R1)
 cis@rhel7: 2.3.5
- cis@rhel8: 2.3.6
+ cis@rhel8: 2.3.5
 cis@rhel9: 2.3.3
 pcidss4: '2.2.4'
diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
index 74ab077dc14..2808ca74fa0 100644
--- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
@@ -22,6 +22,7 @@ references:
 cis-csc: 11,12,14,15,3,8,9
 cis@alinux2: 2.1.19
 cis@rhel7: 2.2.16
+ cis@rhel8: 2.2.16
 cis@sle15: 2.1.9
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 disa: CCI-001436
diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml
index 5d5ca849f19..907f5faf2e0 100644
--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml
+++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 references:
 cis-csc: 11,14,3,9
 cis@rhel7: 2.2.11
- cis@rhel8: 2.2.4
+ cis@rhel8: 2.2.11
 cis@rhel9: 2.2.3
 cis@sle12: 2.2.4
 cis@sle15: 2.2.4
diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
index 10905965a25..c4c0e419d83 100644
--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
@@ -22,7 +22,7 @@ references:
 cis-csc: 11,14,3,9
 cis@alinux3: 2.2.16
 cis@rhel7: 2.2.11
- cis@rhel8: 2.2.4
+ cis@rhel8: 2.2.11
 cis@rhel9: 2.2.3
 cis@sle12: 2.2.4
 cis@sle15: 2.2.4
diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
index cf46b14cd33..26fb842c0f5 100644
--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis@rhel7: 2.2.17
- cis@rhel8: 2.2.13
+ cis@rhel8: 2.2.17
 cis@rhel9: 2.2.11
 cis@sle12: 2.2.14
 cis@sle15: 2.2.14
diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
index 42ca3d01b5d..d1b052ac590 100644
--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
 cis@alinux2: 2.1.13
 cis@alinux3: 2.2.6
 cis@rhel7: 2.2.17
+ cis@rhel8: 2.2.17
 cis@sle12: 2.2.14
 cis@sle15: 2.2.14
diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
index f78c1c50fd4..191db10d573 100644
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@rhel7: 2.2.6
- cis@rhel8: 2.2.12
+ cis@rhel8: 2.2.6
 cis@rhel9: 2.2.10
 cis@sle12: 2.2.13
 cis@sle15: 2.2.13
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index 3117a47380d..32544971d82 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
 cis@alinux2: 2.1.12
 cis@alinux3: 2.2.7
 cis@rhel7: 2.2.6
+ cis@rhel8: 2.2.6
 cis@sle12: 2.2.13
 cis@sle15: 2.2.13
 disa: CCI-001436
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index 83c319a3fb9..3eaafcb392c 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
 cis@alinux2: 2.1.14
 cis@alinux3: 2.2.5
 cis@rhel7: 2.2.14
+ cis@rhel8: 2.2.14
 cis@sle12: 2.2.15
 cis@sle15: 2.2.15
 ism: "1311"
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 3215d25b94a..daf2c38ecc0 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -34,7 +34,7 @@ references:
 cis@alinux2: 2.1.2
 cis@alinux3: 2.2.2
 cis@rhel7: 2.2.20
- cis@rhel8: 2.2.2
+ cis@rhel8: 2.2.20
 cis@rhel9: 2.2.1
 cis@sle12: 2.2.2
 cis@sle15: 2.2.2
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index 619a59c702e..8e7c3290e94 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 references:
 cis-csc: 12,15,8
 cis@rhel7: 2.2.20
- cis@rhel8: 2.2.2
+ cis@rhel8: 2.2.20
 cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03
 disa: CCI-000366
 isa-62443-2009: 4.3.3.6.6
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 578e570523c..d602a7de1f7 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
 cis@alinux2: 1.1.19
 cis@alinux3: 1.1.9
 cis@rhel7: 2.2.1
+ cis@rhel8: 2.2.1
 cis@sle12: 1.1.23
 cis@sle15: 1.1.23
 cis@ubuntu1804: 1.1.21
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 894a5e2dc8e..bf08c0491a5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3878,8 +3878,6 @@ CCE-90739-4
 CCE-90741-0
 CCE-90742-8
 CCE-90743-6
-CCE-90745-1
-CCE-90746-9
 CCE-90747-7
 CCE-90748-5
 CCE-90749-3
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 1724a57a80a..4e89c54bc19 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -19,6 +19,7 @@ metadata:
 - vojtapolasek
 reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
 selections:
+- package_ftp_removed
 - enable_authselect
 - package_sudo_installed
 - sshd_set_loglevel_verbose
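Review bot: `+- package_ftp_removed` widens the PCI-DSS stability fixture with nothing else in the diff explaining why a PCI-DSS profile gains a rule, and it is placed ahead of `- enable_authselect` although the entries that follow it appear ordered. If this fixture is a build artefact, regenerate it from the built profile rather than hand-editing it, so the entry's position matches what the stability test compares against; if the PCI-DSS profile picks this rule up through the CIS control file, say so in the commit description so the selection change can be reviewed on its own.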