From 984f35cf77ac83aa45435b688ae04852a4a94560 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 13:40:53 +0100
Subject: [PATCH 01/37] update section 2.1.1
---
controls/cis_rhel8.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0bc2dafa8bf..d86b7d5fdfb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -731,7 +731,7 @@ controls:
- l1_server
- l1_workstation
status: automated
- related_rules:
+ rules:
- package_chrony_installed
- id: 2.1.2
From bff35238207ccf7d9fc7407ec94bb61dbebf39ae Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 13:53:07 +0100
Subject: [PATCH 02/37] update control 2.1.2
---
controls/cis_rhel8.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d86b7d5fdfb..69f009af1a1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -742,7 +742,6 @@ controls:
status: automated
rules:
- chronyd_specify_remote_server
- - chronyd_run_as_chrony_user
- var_multiple_time_servers=rhel
- id: 2.2.1
From 027894509aa5f5f8ca04ca39e3b98d6780ffb360 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 14:01:00 +0100
Subject: [PATCH 03/37] update control 2.1.3
---
controls/cis_rhel8.yml | 9 +++++++++
.../services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 69f009af1a1..4909fd86470 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -744,6 +744,15 @@ controls:
- chronyd_specify_remote_server
- var_multiple_time_servers=rhel
+ - id: 2.1.3
+ title: Ensure chrony is not run as the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - chronyd_run_as_chrony_user
+
- id: 2.2.1
title: Ensure xinetd is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
index edb0bfec5c7..c1b549e8164 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml
@@ -50,7 +50,7 @@ references:
cis@alinux2: 2.1.1.3
cis@alinux3: 2.2.1.2
cis@rhel7: 2.1.3
- cis@rhel8: 2.1.2
+ cis@rhel8: 2.1.3
cis@rhel9: 2.1.2
cis@sle12: 2.2.1.3
cis@sle15: 2.2.1.3
From 947a279fbf1222e0cb7560ee5d19d9d7f5074177 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 14:17:05 +0100
Subject: [PATCH 04/37] update control 2.2.1
---
controls/cis_rhel8.yml | 10 ++++++----
.../mounting/service_autofs_disabled/rule.yml | 1 +
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 4909fd86470..c7be66a8a89 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -754,14 +754,16 @@ controls:
- chronyd_run_as_chrony_user
- id: 2.2.1
- title: Ensure xinetd is not installed (Automated)
+ title: Ensure autofs services are not in use (Automated)
levels:
- l1_server
- - l1_workstation
status: automated
+ - l2_workstation
+ status: partial
+ # we need package_autofs_removed to complete this control
rules:
- - package_xinetd_removed
+ - service_autofs_disabled
+
- id: 2.2.2
title: Ensure xorg-x11-server-common is not installed (Automated)
levels:
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 578e570523c..d602a7de1f7 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
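Review bot: `package_xinetd_removed` drops out of the controls file in this hunk (the `- id: 2.2.1` body is rewritten for autofs) but its rule.yml is not touched, so unless a later patch in the series re-homes it under a new control, its `cis@rhel8` reference now points at a control that selects a different rule; the autofs rule.yml hunk in this same patch is the pattern that keeps references honest, so apply it for xinetd in the same commit or drop the stale reference. `status: partial` with the comment `# we need package_autofs_removed to complete this control` is the right call, since `service_autofs_disabled` alone does not cover the "package removed" half of the CIS check. Consider carrying that remark as a `notes: |-` entry rather than a YAML comment, as the series does for nfs-utils later, so it is visible to consumers of the control file and not only to readers of the YAML.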
@@ -37,6 +37,7 @@ references:
cis@alinux2: 1.1.19
cis@alinux3: 1.1.9
cis@rhel7: 2.2.1
+ cis@rhel8: 2.2.1
cis@sle12: 1.1.23
cis@sle15: 1.1.23
cis@ubuntu1804: 1.1.21
From 78214e30a6a374c626cd6daba14a5820fd1d7d4b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 14:24:28 +0100
Subject: [PATCH 05/37] update control 2.2.2
---
controls/cis_rhel8.yml | 12 +----------
.../package_avahi-autoipd_removed/rule.yml | 2 +-
.../package_avahi_removed/rule.yml | 2 +-
3 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c7be66a8a89..47fd5eb8738 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -763,24 +763,14 @@ controls:
rules:
- service_autofs_disabled
- - id: 2.2.2
- title: Ensure xorg-x11-server-common is not installed (Automated)
- levels:
- - l1_server
- status: automated
- rules:
- - package_xorg-x11-server-common_removed
-
- - id: 2.2.3
- title: Ensure Avahi Server is not installed (Automated)
+ title: Ensure avahi daemon services are not in use (Automated)
levels:
- l1_server
- l2_workstation
status: automated
rules:
- package_avahi_removed
- - package_avahi-autoipd_removed
related_rules:
- service_avahi-daemon_disabled
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
index d7cd8aa03f5..34d0cb7c9e2 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
@@ -25,7 +25,7 @@ identifiers:
references:
cis-csc: 11,14,3,9
- cis@rhel8: 2.2.3
+ cis@rhel8: 2.2.2
cis@rhel9: 2.2.2
cis@sle12: 2.2.3
cis@sle15: 2.2.3
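Review bot: As far as the collapsed hunk can be read, both `- id: 2.2.2` and `- id: 2.2.3` are removed and only a `title:` line is added, so the avahi `title`/`levels`/`status`/`rules`/`related_rules` keys no longer start a list item and instead land inside the preceding autofs control as duplicate mapping keys (last one wins in most YAML loaders) — the avahi control effectively disappears and the autofs control silently changes. The diffstat's 11 deletions in controls/cis_rhel8.yml are consistent with that reading; add `- id: 2.2.2` above the new title unless a later patch in the series restores it. Separately, `package_avahi-autoipd_removed` is dropped from the control's `rules:` yet its rule.yml is updated to `cis@rhel8: 2.2.2` in the same patch, leaving a reference to a control that no longer selects it; either keep the rule under `related_rules:` or remove the reference.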
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
index 22efc987eb9..90199c30f28 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
@@ -26,7 +26,7 @@ identifiers:
references:
cis-csc: 11,14,3,9
cis@rhel7: 2.2.2
- cis@rhel8: 2.2.3
+ cis@rhel8: 2.2.2
cis@rhel9: 2.2.2
cis@sle12: 2.2.3
cis@sle15: 2.2.3
From e5a40a2b215ddc2e788ba2a41143c0df8dec28fd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 15:17:45 +0100
Subject: [PATCH 06/37] update control 2.2.3
---
controls/cis_rhel8.yml | 19 +++++++++----------
.../package_dhcp_removed/rule.yml | 2 +-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 47fd5eb8738..c7327073325 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -774,26 +774,25 @@ controls:
related_rules:
- service_avahi-daemon_disabled
- - id: 2.2.4
- title: Ensure CUPS is not installed (Automated)
+ - id: 2.2.3
+ title: Ensure dhcp server services are not in use (Automated)
levels:
- l1_server
+ - l1_workstation
status: automated
rules:
- - package_cups_removed
+ - package_dhcp_removed
related_rules:
- - service_cups_disabled
-
- - id: 2.2.5
- title: Ensure DHCP Server is not installed (Automated)
+ - service_dhcpd_disabled
+ - id: 2.2.4
+ title: Ensure CUPS is not installed (Automated)
levels:
- l1_server
- - l1_workstation
status: automated
rules:
- - package_dhcp_removed
+ - package_cups_removed
related_rules:
- - service_dhcpd_disabled
+ - service_cups_disabled
- id: 2.2.6
title: Ensure DNS Server is not installed (Automated)
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
index d1922acfa30..61f2684e081 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
@@ -32,7 +32,7 @@ references:
anssi: BP28(R1)
cis-csc: 11,14,3,9
cis@rhel7: 2.2.3
- cis@rhel8: 2.2.5
+ cis@rhel8: 2.2.3
cis@rhel9: 2.2.4
cis@sle12: 2.2.5
cis@sle15: 2.2.5
From 8c3f13cafcefd2b14bf1f55f31cbf6fabfd480ff Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 15:32:45 +0100
Subject: [PATCH 07/37] update control 2.2.4
---
controls/cis_rhel8.yml | 13 ++-----------
.../package_bind_removed/rule.yml | 2 +-
.../service_named_disabled/rule.yml | 2 +-
3 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c7327073325..451974ebc55 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -784,18 +784,9 @@ controls:
- package_dhcp_removed
related_rules:
- service_dhcpd_disabled
- - id: 2.2.4
- title: Ensure CUPS is not installed (Automated)
- levels:
- - l1_server
- status: automated
- rules:
- - package_cups_removed
- related_rules:
- - service_cups_disabled
- - id: 2.2.6
- title: Ensure DNS Server is not installed (Automated)
+ - id: 2.2.4
+ title: Ensure dns server services are not in use (Automated)
levels:
- l1_server
- l1_workstation
diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
index f605572e827..eaa5a9f133b 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
@@ -25,7 +25,7 @@ references:
ccn@rhel9: A.8.SEC-RHEL4
cis-csc: 11,14,3,9
cis@rhel7: 2.2.4
- cis@rhel8: 2.2.6
+ cis@rhel8: 2.2.4
cis@rhel9: 2.2.5
cis@sle12: 2.2.9
cis@sle15: 2.2.9
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 0736c2943c9..be69445d43a 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -25,7 +25,7 @@ references:
cis@alinux2: 2.1.8
cis@alinux3: 2.2.11
cis@rhel7: 2.2.4
- cis@rhel8: 2.2.6
+ cis@rhel8: 2.2.4
cis@sle12: 2.2.9
cis@sle15: 2.2.9
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
From 6bf3588ee5a65fe49cbc34f5a926bf99aaa206da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 15:47:46 +0100
Subject: [PATCH 08/37] update control 2.2.5
---
controls/cis_rhel8.yml | 9 +++++++++
.../guide/services/dns/package_dnsmasq_removed/rule.yml | 2 ++
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 451974ebc55..f694c7e8402 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -796,6 +796,15 @@ controls:
related_rules:
- service_named_disabled
+ - id: 2.2.5
+ title: Ensure dnsmasq services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_dnsmasq_removed
+
# NEEDS RULE
- id: 2.2.7
title: Ensure FTP Server is not installed (Automated)
diff --git a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
index 77801e00a98..9c58ea7737c 100644
--- a/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
+++ b/linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml
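Review bot: `package_dnsmasq_removed` is the only rule in the new 2.2.5 and there is no `related_rules:` service alternative or `notes:` entry, unlike the nfs-utils and rpcbind controls later in this series. On RHEL 8 dnsmasq is, I believe, required by libvirt's default NAT network, so enforcing package removal has the same operational side effect the series documents for nfs-utils; a `notes: |-` entry such as `dnsmasq is a dependency of libvirt's default network; mask dnsmasq.service instead on virtualization hosts` would save users a surprise — confirm the dependency before wording it. If a `service_dnsmasq_disabled` rule exists, listing it under `related_rules:` would also match the "not in use" wording of the title.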
@@ -19,10 +19,12 @@ severity: low
identifiers:
cce@rhel7: CCE-90761-8
+ cce@rhel8: CCE-90746-9
cce@rhel9: CCE-86063-5
references:
cis@rhel7: 2.2.5
+ cis@rhel8: 2.2.5
cis@rhel9: 2.2.14
{{{ complete_ocil_entry_package(package="dnsmasq") }}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 894a5e2dc8e..0834a664681 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3879,7 +3879,6 @@ CCE-90741-0
CCE-90742-8
CCE-90743-6
CCE-90745-1
-CCE-90746-9
CCE-90747-7
CCE-90748-5
CCE-90749-3
From 315fb509ce6e73d9157fcdf6c1f2463035bbcb6d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 15 Jan 2024 15:56:44 +0100
Subject: [PATCH 09/37] update control 2.2.6
---
controls/cis_rhel8.yml | 20 ++++++++++---------
.../package_samba_removed/rule.yml | 2 +-
.../service_smb_disabled/rule.yml | 1 +
3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index f694c7e8402..cf49e774610 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -805,6 +805,17 @@ controls:
rules:
- package_dnsmasq_removed
+ - id: 2.2.6
+ title: Ensure samba file server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_samba_removed
+ related_rules:
+ - service_smb_disabled
+
# NEEDS RULE
- id: 2.2.7
title: Ensure FTP Server is not installed (Automated)
@@ -853,15 +864,6 @@ controls:
- package_dovecot_removed
- package_cyrus-imapd_removed
- - id: 2.2.12
- title: Ensure Samba is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_samba_removed
-
- id: 2.2.13
title: Ensure HTTP Proxy Server is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
index f78c1c50fd4..191db10d573 100644
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
@@ -21,7 +21,7 @@ identifiers:
references:
cis@rhel7: 2.2.6
- cis@rhel8: 2.2.12
+ cis@rhel8: 2.2.6
cis@rhel9: 2.2.10
cis@sle12: 2.2.13
cis@sle15: 2.2.13
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index 3117a47380d..32544971d82 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
cis@alinux2: 2.1.12
cis@alinux3: 2.2.7
cis@rhel7: 2.2.6
+ cis@rhel8: 2.2.6
cis@sle12: 2.2.13
cis@sle15: 2.2.13
disa: CCI-001436
From 86c127f3062b536325f8dc9a3f8bccf5d13533ed Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 12:37:44 +0100
Subject: [PATCH 10/37] update control 2.2.7
---
controls/cis_rhel8.yml | 14 +++----------
.../package_vsftpd_removed/rule.yml | 2 +-
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cf49e774610..4af72b5af5c 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -816,24 +816,16 @@ controls:
related_rules:
- service_smb_disabled
- # NEEDS RULE
- id: 2.2.7
- title: Ensure FTP Server is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: planned
- related_rules:
- - service_vsftpd_disabled
-
- - id: 2.2.8
- title: Ensure VSFTP Server is not installed (Automated)
+ title: Ensure ftp server services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- package_vsftpd_removed
+ related_rules:
+ - service_vsftpd_disabled
- id: 2.2.9
title: Ensure TFTP Server is not installed (Automated)
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 1b1bbd837a6..77c48be448a 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -23,7 +23,7 @@ references:
ccn@rhel9: A.8.SEC-RHEL4
cis-csc: 11,14,3,9
cis@rhel7: 2.2.7
- cis@rhel8: 2.2.8
+ cis@rhel8: 2.2.7
cis@rhel9: 2.2.6
cis@sle12: 2.2.10
cis@sle15: 2.2.10
From 16009f42010709fa9f8dd1f280c0b67350a7131d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 12:42:11 +0100
Subject: [PATCH 11/37] update control 2.2.8
---
controls/cis_rhel8.yml | 23 +++++++++++--------
.../package_cyrus-imapd_removed/rule.yml | 2 +-
.../package_dovecot_removed/rule.yml | 2 +-
.../service_dovecot_disabled/rule.yml | 1 +
4 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 4af72b5af5c..64afc85ee9a 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
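Review bot: The previous 2.2.7 was `status: planned` with a `# NEEDS RULE` marker because the CIS FTP check is not limited to vsftpd; this hunk folds it into the old vsftpd-only 2.2.8 and marks the merged control `automated`, so the coverage gap that marker tracked is no longer recorded anywhere. If `package_vsftpd_removed` is still the only rule, `status: partial` with a comment naming the missing server(s) — the approach patch 04 takes for autofs — keeps the gap visible; otherwise the commit message should say why vsftpd alone is considered sufficient on RHEL 8. Moving `service_vsftpd_disabled` to `related_rules:` under the surviving control is consistent with the other "not in use" controls in the series.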
@@ -827,6 +827,19 @@ controls:
related_rules:
- service_vsftpd_disabled
+ - id: 2.2.8
+ title: Ensure message access server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_dovecot_removed
+ - package_cyrus-imapd_removed
+ related_rules:
+ - service_dovecot_disabled
+ # new rule would be nice to disable cyrus-imapd service
+
- id: 2.2.9
title: Ensure TFTP Server is not installed (Automated)
levels:
@@ -846,16 +859,6 @@ controls:
- package_httpd_removed
- package_nginx_removed
- - id: 2.2.11
- title: Ensure IMAP and POP3 server is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_dovecot_removed
- - package_cyrus-imapd_removed
-
- id: 2.2.13
title: Ensure HTTP Proxy Server is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
index e8adc86e7b9..5dd46897b5b 100644
--- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
@@ -21,7 +21,7 @@ identifiers:
references:
ccn@rhel9: A.8.SEC-RHEL4
cis@rhel7: 2.2.8
- cis@rhel8: 2.2.11
+ cis@rhel8: 2.2.8
cis@rhel9: 2.2.9
cis@ubuntu2004: 2.2.11
cis@ubuntu2204: 2.2.10
diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
index 51316a5145c..33d32f02129 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
@@ -28,7 +28,7 @@ references:
ccn@rhel9: A.8.SEC-RHEL4
cis@alinux2: 2.1.11
cis@rhel7: 2.2.8
- cis@rhel8: 2.2.11
+ cis@rhel8: 2.2.8
cis@rhel9: 2.2.9
cis@sle12: 2.2.12
cis@sle15: 2.2.12
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
index 19ea139312d..60d948a1730 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
@@ -23,6 +23,7 @@ identifiers:
references:
cis@alinux3: 2.2.8
cis@rhel7: 2.2.8
+ cis@rhel8: 2.2.8
cis@sle12: 2.2.12
cis@sle15: 2.2.12
From 0ab26144847424f6c9a3764b5ed1a429e2685e49 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 12:50:49 +0100
Subject: [PATCH 12/37] update control 2.2.9
---
controls/cis_rhel8.yml | 20 +++++++------------
.../service_nfs_disabled/rule.yml | 2 +-
.../package_nfs-utils_removed/rule.yml | 3 ++-
3 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 64afc85ee9a..3261e9eac51 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -841,13 +841,18 @@ controls:
# new rule would be nice to disable cyrus-imapd service
- id: 2.2.9
- title: Ensure TFTP Server is not installed (Automated)
+ title: Ensure network file system services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - package_tftp-server_removed
+ - service_nfs_disabled
+ related_rules:
+ - package_nfs-utils_removed
+ notes: |-
+ Many of the libvirt packages used by Enterprise Linux virtualization are
+ dependent on the nfs-utils package.
- id: 2.2.10
title: Ensure a web server is not installed (Automated)
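Review bot: The new `notes:` for 2.2.9 keeps only the libvirt dependency, while the comment this same patch deletes from the old 2.2.18 control (next hunk) also said nfs-utils "is required for systems with GUI"; if that is still accurate for RHEL 8 the note should keep it, e.g. `dependent on the nfs-utils package, as are some desktop packages.` — confirm against current package dependencies before wording it. Making `service_nfs_disabled` the enforced rule and keeping `package_nfs-utils_removed` under `related_rules:` matches the "not installed or masked" wording of the old title, so that part looks right.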
@@ -906,17 +911,6 @@ controls:
- var_postfix_inet_interfaces=loopback-only
- has_nonlocal_mta
- - id: 2.2.18
- title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - service_nfs_disabled
- related_rules:
- - package_nfs-utils_removed
- # The nfs-utils package is required for systems with GUI or by some libvirt packages
- id: 2.2.19
title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
index b149b94505f..00facd75abe 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
@@ -26,7 +26,7 @@ references:
cis@alinux2: 2.1.7
cis@alinux3: 2.2.12
cis@rhel7: 2.2.9
- cis@rhel8: 2.2.18
+ cis@rhel8: 2.2.9
cis@rhel9: 2.2.16
cis@sle12: 2.2.7
cis@sle15: 2.2.7
diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
index df12f760844..2ac4b293ff1 100644
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
@@ -24,8 +24,9 @@ identifiers:
cce@sle15: CCE-91284-0
references:
+ cis@rhel7: 2.2.9
- cis@rhel8: 2.2.18
+ cis@rhel8: 2.2.9
cis@rhel9: 2.2.16
cis@sle12: 2.2.7
cis@sle15: 2.2.7
From 977ca399d87104e7ea20068057f90a73e85b7118 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:01:33 +0100
Subject: [PATCH 13/37] update control 2.2.10
---
controls/cis_rhel8.yml | 16 ++++------------
.../obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
.../nis/service_ypserv_disabled/rule.yml | 1 +
3 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3261e9eac51..f2be9a11b7b 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -855,14 +855,15 @@ controls:
dependent on the nfs-utils package.
- id: 2.2.10
- title: Ensure a web server is not installed (Automated)
+ title: Ensure nis server services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - package_httpd_removed
- - package_nginx_removed
+ - package_ypserv_removed
+ related_rules:
+ - service_ypserv_disabled
- id: 2.2.13
title: Ensure HTTP Proxy Server is not installed (Automated)
@@ -882,15 +883,6 @@ controls:
rules:
- package_net-snmp_removed
- - id: 2.2.15
- title: Ensure NIS server is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_ypserv_removed
-
- id: 2.2.16
title: Ensure telnet-server is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index 51c52df85d4..ca3ed7d4a4b 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -28,7 +28,7 @@ references:
anssi: BP28(R1)
cis-csc: 11,12,14,15,3,8,9
cis@rhel7: 2.2.10
- cis@rhel8: 2.2.15
+ cis@rhel8: 2.2.10
cis@sle12: 2.2.18
cis@sle15: 2.2.18
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
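Review bot: The first hunk turns the old 2.2.10 web-server control into the NIS control, dropping `package_httpd_removed` and `package_nginx_removed` from the file, and nothing in this patch re-adds them, so after this commit no CIS RHEL 8 control selects the web-server rules and the benchmark temporarily loses a listening-service check; unless a later patch in the series reintroduces them as their own control (I believe the current CIS benchmark still has a web-server item), their `cis@rhel8` references also go stale. A one-line comment at the removal site, e.g. `# web server control is re-added under its new CIS number in a later commit`, would make each commit reviewable on its own. Adding `service_ypserv_disabled` under `related_rules:` is consistent with the other "not in use" controls.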
diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
index c57df6c4337..14b9e0623a9 100644
--- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml
@@ -25,6 +25,7 @@ references:
cis@alinux2: 2.1.16
cis@alinux3: 2.2.17
cis@rhel7: 2.2.10
+ cis@rhel8: 2.2.10
ocil_clause: |-
{{{ ocil_clause_service_disabled(service="ypserv") }}}
From c49f3c2ebd60d43681252d66d32e428df1afeef5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:08:46 +0100
Subject: [PATCH 14/37] update control 2.2.11
---
controls/cis_rhel8.yml | 10 ++++++++++
.../services/printing/package_cups_removed/rule.yml | 2 +-
.../services/printing/service_cups_disabled/rule.yml | 2 +-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index f2be9a11b7b..1a79b99c8b7 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -865,6 +865,16 @@ controls:
related_rules:
- service_ypserv_disabled
+ - id: 2.2.11
+ title: Ensure print server services are not in use (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_cups_removed
+ related_rules:
+ - service_cups_disabled
+
- id: 2.2.13
title: Ensure HTTP Proxy Server is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/printing/package_cups_removed/rule.yml b/linux_os/guide/services/printing/package_cups_removed/rule.yml
index 5d5ca849f19..907f5faf2e0 100644
--- a/linux_os/guide/services/printing/package_cups_removed/rule.yml
+++ b/linux_os/guide/services/printing/package_cups_removed/rule.yml
@@ -23,7 +23,7 @@ identifiers:
references:
cis-csc: 11,14,3,9
cis@rhel7: 2.2.11
- cis@rhel8: 2.2.4
+ cis@rhel8: 2.2.11
cis@rhel9: 2.2.3
cis@sle12: 2.2.4
cis@sle15: 2.2.4
diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
index 10905965a25..c4c0e419d83 100644
--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml
+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml
@@ -22,7 +22,7 @@ references:
cis-csc: 11,14,3,9
cis@alinux3: 2.2.16
cis@rhel7: 2.2.11
- cis@rhel8: 2.2.4
+ cis@rhel8: 2.2.11
cis@rhel9: 2.2.3
cis@sle12: 2.2.4
cis@sle15: 2.2.4
From 5105c27fccf634896f15fc50262eae15ab73edae Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:16:28 +0100
Subject: [PATCH 15/37] update control 2.2.12
---
controls/cis_rhel8.yml | 16 ++++++++++++++++
.../package_rpcbind_removed/rule.yml | 2 +-
.../service_rpcbind_disabled/rule.yml | 2 +-
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 1a79b99c8b7..6344b73e016 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -875,6 +875,22 @@ controls:
related_rules:
- service_cups_disabled
+ - id: 2.2.12
+ title: Ensure rpcbind services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - service_rpcbind_disabled
+ related_rules:
+ - package_rpcbind_removed
+ notes: |-
+ Many of the libvirt packages used by Enterprise Linux virtualization, and
+ the nfs-utils
+ package used for The Network File System (NFS), are dependent on the rpcbind
+ package.
+
- id: 2.2.13
title: Ensure HTTP Proxy Server is not installed (Automated)
levels:
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
index 5ea45e84a32..d0f852b2fad 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
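Review bot: `service_rpcbind_disabled` is the enforced rule for the new 2.2.12, but rpcbind on RHEL 8 is socket-activated: if that rule only disables or masks `rpcbind.service` and not `rpcbind.socket`, the first connection to port 111 starts the daemon again and the control passes while the service is still reachable — confirm the rule masks both units, or add a socket-specific rule to `rules:`. The old title still visible in patch 12's context, "the rpcbind services are masked" (plural), suggests the benchmark expects both. Nit in the `notes:` block: the wrap leaves `the nfs-utils` alone on a line and "The Network File System" is capitalised mid-sentence; `package used for the Network File System (NFS), are dependent on the rpcbind` on one line reads cleaner.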
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/package_rpcbind_removed/rule.yml
@@ -28,7 +28,7 @@ identifiers:
references:
cis@rhel7: 2.2.12
- cis@rhel8: 2.2.19
+ cis@rhel8: 2.2.12
cis@rhel9: 2.2.17
cis@sle12: 2.2.8
cis@sle15: 2.2.8
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 10bf2a33ecc..a6de545df38 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -30,7 +30,7 @@ references:
cis@alinux2: 2.1.7
cis@alinux3: 2.2.13
cis@rhel7: 2.2.12
- cis@rhel8: 2.2.19
+ cis@r hel8: 2.2.12
cis@rhel9: 2.2.17
cis@sle12: 2.2.8
cis@sle15: 2.2.8
From b5872621bb377ebdbc49b96d174bc8da2c6e4997 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:21:02 +0100
Subject: [PATCH 16/37] update control 2.2.13
---
controls/cis_rhel8.yml | 6 ++++--
.../guide/services/obsolete/package_rsync_removed/rule.yml | 2 +-
.../services/obsolete/service_rsyncd_disabled/rule.yml | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 6344b73e016..ab5db3e99c1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -892,13 +892,15 @@ controls:
package.
- id: 2.2.13
- title: Ensure HTTP Proxy Server is not installed (Automated)
+ title: Ensure rsync services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- - package_squid_removed
+ - package_rsync_removed
+ related_rules:
+ - service_rsyncd_disabled
- id: 2.2.14
title: Ensure net-snmp is not installed (Automated)
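Review bot: 2.2.13 enforces `package_rsync_removed` and only relates `service_rsyncd_disabled`, the opposite choice from nfs (2.2.9) and rpcbind (2.2.12) earlier in this series. On RHEL 8 the `rsync` package ships the client as well as rsyncd (the separate `rsync-daemon` split is, I believe, RHEL 9 only), so enforcing package removal breaks every client-side use of rsync on the host while the title only asks that the rsync *service* not be in use; consider `rules: - service_rsyncd_disabled` with `package_rpcbind_removed`-style placement of the package rule under `related_rules:`, mirroring 2.2.9, or add a `notes:` entry stating the trade-off. `package_squid_removed` is dropped here; the diffstat of patch 20 shows the squid rule files being touched again, so that looks intentional.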
diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
index aac3d1c264e..416c066fa44 100644
--- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
@@ -29,7 +29,7 @@ identifiers:
references:
cis@rhel7: 2.2.13
- cis@rhel8: 2.2.20
+ cis@rhel8: 2.2.13
cis@rhel9: 2.2.18
cis@sle12: 2.2.17
cis@sle15: 2.2.17
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index a2a929a76f2..5317336c3f9 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -26,7 +26,7 @@ references:
cis@alinux2: 2.1.20
cis@alinux3: 2.2.3
cis@rhel7: 2.2.13
- cis@rhel8: 2.2.20
+ cis@rhel8: 2.2.13
cis@rhel9: 2.2.18
cis@sle12: 2.2.17
cis@sle15: 2.2.17
From 5b627e4a011782f03b2a55c7efe81472e35cc236 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:33:54 +0100
Subject: [PATCH 17/37] update control 2.2.14
---
controls/cis_rhel8.yml | 4 +++-
.../disabling_snmp_service/service_snmpd_disabled/rule.yml | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index ab5db3e99c1..85d5a94338f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -903,13 +903,15 @@ controls:
- service_rsyncd_disabled
- id: 2.2.14
- title: Ensure net-snmp is not installed (Automated)
+ title: Ensure snmp services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- package_net-snmp_removed
+ related_rules:
+ - service_snmpd_disabled
- id: 2.2.16
title: Ensure telnet-server is not installed (Automated)
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index 83c319a3fb9..3eaafcb392c 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
cis@alinux2: 2.1.14
cis@alinux3: 2.2.5
cis@rhel7: 2.2.14
+ cis@rhel8: 2.2.14
cis@sle12: 2.2.15
cis@sle15: 2.2.15
ism: "1311"
From 7a6d950353f8a3f2bf3d7a213c8c53aed0dd55b1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:40:23 +0100
Subject: [PATCH 18/37] update control 2.2.15
---
controls/cis_rhel8.yml | 6 ++++--
.../obsolete/telnet/package_telnet-server_removed/rule.yml | 2 +-
.../obsolete/telnet/service_telnet_disabled/rule.yml | 1 +
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 85d5a94338f..21962c4f667 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -913,14 +913,16 @@ controls:
related_rules:
- service_snmpd_disabled
- - id: 2.2.16
- title: Ensure telnet-server is not installed (Automated)
+ - id: 2.2.15
+ title: Ensure telnet server services are not in use (Automated)
levels:
- l1_server
- l1_workstation
status: automated
rules:
- package_telnet-server_removed
+ related_rules:
+ - service_telnet_disabled
- id: 2.2.17
title: Ensure mail transfer agent is configured for local-only mode (Automated)
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index bba0c3e05cc..951ddf6c88c 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -36,7 +36,7 @@ references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 2.2.15
- cis@rhel8: 2.2.16
+ cis@rhel8: 2.2.15
 cis@rhel9: 2.2.13
 cis@sle12: 2.2.19
 cis@sle15: 2.2.19
diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
index 02e3b3881da..47468a259d0 100644
--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml
@@ -26,6 +26,7 @@ references:
 cis-csc: 1,11,12,14,15,16,3,5,8,9
 cis@alinux2: 2.1.18
 cis@rhel7: 2.2.15
+ cis@rhel8: 2.2.15
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
 cui: 3.1.13,3.4.7
 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
From 37291d8771e5216d61e57a5b8995fcce00a1c74b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:46:41 +0100
Subject: [PATCH 19/37] update control 2.2.16
---
 controls/cis_rhel8.yml | 11 +++++++++++
 .../tftp/package_tftp-server_removed/rule.yml | 2 +-
 .../obsolete/tftp/service_tftp_disabled/rule.yml | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 21962c4f667..56ea16cf591 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -924,6 +924,17 @@ controls:
 related_rules:
 - service_telnet_disabled
+ - id: 2.2.16
+ title: Ensure tftp server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_tftp-server_removed
+ related_rules:
+ - service_tftp_disabled
+
 - id: 2.2.17
 title: Ensure mail transfer agent is configured for local-only mode (Automated)
 levels:
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index ddb2eb11ac5..a23a1f25d44 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -29,7 +29,7 @@ references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 2.2.16
- cis@rhel8: 2.2.9
+ cis@rhel8: 2.2.16
 cis@rhel9: 2.2.7
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
index 74ab077dc14..2808ca74fa0 100644
--- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
@@ -22,6 +22,7 @@ references:
 cis-csc: 11,12,14,15,3,8,9
 cis@alinux2: 2.1.19
 cis@rhel7: 2.2.16
+ cis@rhel8: 2.2.16
 cis@sle15: 2.1.9
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 disa: CCI-001436
From d812ef18deb90a72cf5234c96a072d83be442aa7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 13:52:02 +0100
Subject: [PATCH 20/37] update control 2.2.17
---
 controls/cis_rhel8.yml | 9 ++++-----
 .../proxy/disabling_squid/package_squid_removed/rule.yml | 2 +-
 .../disabling_squid/service_squid_disabled/rule.yml | 1 +
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 56ea16cf591..4239c9da145 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -936,16 +936,15 @@ controls:
 - service_tftp_disabled
 - id: 2.2.17
- title: Ensure mail transfer agent is configured for local-only mode (Automated)
+ title: Ensure web proxy server services are not in use (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - postfix_network_listening_disabled
- - var_postfix_inet_interfaces=loopback-only
- - has_nonlocal_mta
-
+ - package_squid_removed
+ related_rules:
+ - service_squid_disabled
 - id: 2.2.19
 title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
index cf46b14cd33..26fb842c0f5 100644
--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 references:
 ccn@rhel9: A.8.SEC-RHEL4
 cis@rhel7: 2.2.17
- cis@rhel8: 2.2.13
+ cis@rhel8: 2.2.17
 cis@rhel9: 2.2.11
 cis@sle12: 2.2.14
 cis@sle15: 2.2.14
diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
index 42ca3d01b5d..d1b052ac590 100644
--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml
@@ -24,6 +24,7 @@ references:
 cis@alinux2: 2.1.13
 cis@alinux3: 2.2.6
 cis@rhel7: 2.2.17
+ cis@rhel8: 2.2.17
 cis@sle12: 2.2.14
 cis@sle15: 2.2.14
From 0005ef97f60ed5b87626bc70481b2473e081cf5e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 14:02:57 +0100
Subject: [PATCH 21/37] update control 2.2.18
---
 controls/cis_rhel8.yml | 13 +++++++++++++
 .../disabling_httpd/package_httpd_removed/rule.yml | 2 +-
 .../disabling_httpd/service_httpd_disabled/rule.yml | 1 +
 .../disabling_nginx/package_nginx_removed/rule.yml | 2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 4239c9da145..9088dc2cc3f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -946,6 +946,19 @@ controls:
 related_rules:
 - service_squid_disabled
+ - id: 2.2.18
+ title: Ensure web server services are not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_httpd_removed
+ - package_nginx_removed
+ related_rules:
+ - service_httpd_disabled
+ # rule would be nice to disable nginx service
+
 - id: 2.2.19
 title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
 levels:
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index 8b55c5c1d91..0ebff2a3437 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -27,7 +27,7 @@ identifiers:
 references:
 cis-csc: 11,14,3,9
 cis@rhel7: 2.2.18
- cis@rhel8: 2.2.10
+ cis@rhel8: 2.2.18
 cis@rhel9: 2.2.8
 cis@sle12: 2.2.11
 cis@sle15: 2.2.11
diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
index 6203eedd98e..d8815ce82d4 100644
--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
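Review bot: The trailing `# rule would be nice to disable nginx service` in the new 2.2.18 block is a dangling source comment after the `related_rules` list, whereas the sibling controls added in this same series (2.2.20, 2.2.21) record such gaps in a `notes:` field that survives YAML processing. I would replace the comment with `notes: >-` followed by `No rule currently disables the nginx service; package_nginx_removed covers only the package-removal case.`, so the known gap is carried in the control data rather than in a comment tooling drops. `status: automated` still holds, since both package-removal rules are selected under `rules`.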
@@ -25,6 +25,7 @@ references:
 cis@alinux2: 2.1.10
 cis@alinux3: 2.2.9
 cis@rhel7: 2.2.18
+ cis@rhel8: 2.2.18
 cis@sle12: 2.2.11
 cis@sle15: 2.2.11
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
index c0257e0d7e5..9b04c5dda39 100644
--- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis@rhel7: 2.2.18
- cis@rhel8: 2.2.10
+ cis@rhel8: 2.2.18
 cis@rhel9: 2.2.8
 cis@ubuntu2004: 2.2.10
 cis@ubuntu2204: 2.2.9
From 16e570f0bc112820b6faa081dc0f5c0c1f4cb57e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 14:09:29 +0100
Subject: [PATCH 22/37] update control 2.2.19
---
 controls/cis_rhel8.yml | 6 +++---
 .../inetd_and_xinetd/package_xinetd_removed/rule.yml | 2 +-
 .../inetd_and_xinetd/service_xinetd_disabled/rule.yml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 9088dc2cc3f..e71be1e9718 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -960,15 +960,15 @@ controls:
 # rule would be nice to disable nginx service
 - id: 2.2.19
- title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
+ title: Ensure xinetd services are not in use (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - service_rpcbind_disabled
+ - package_xinetd_removed
 related_rules:
- - package_rpcbind_removed
+ - service_xinetd_disabled
 - id: 2.2.20
 title: Ensure rsync is not installed or the rsyncd service is masked (Automated)
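Review bot: The 2.2.19 block drops `service_rpcbind_disabled` and `package_rpcbind_removed`, but no hunk visible in this series touches the `cis@rhel8` reference of either rule file, and the reference clean-up in PATCH 31 covers only avahi-autoipd, rsh, talk and xorg. If the rpcbind control was not re-homed to another id in an earlier patch of the series, those two rule files will keep a `cis@rhel8` value that now points at the xinetd control; please either confirm they were updated earlier or add them to the PATCH 31 sweep. The enclosing `controls:` sequence starts and ends outside the hunk.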
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index b9e56aabd71..4eab5583b03 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -25,7 +25,7 @@ references:
 cis-csc: 11,12,14,15,3,8,9
 cis@alinux3: 2.1.1
 cis@rhel7: 2.2.19
- cis@rhel8: 2.2.1
+ cis@rhel8: 2.2.19
 cis@sle12: 2.1.1
 cis@sle15: 2.1.1
 cis@ubuntu2004: 2.1.1
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
index ce3bb492266..cc6cd8a5d50 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 2.2.19
- cis@rhel8: 2.1.7
+ cis@rhel8: 2.2.19
 cis@sle12: 2.1.1
 cis@sle15: 2.1.1
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
From 957007df40b33ec0cf61bf8d078a44b14200b61f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 14:39:09 +0100
Subject: [PATCH 23/37] update control 2.2.20
---
 controls/cis_rhel8.yml | 11 +++++------
 .../xwindows_remove_packages/rule.yml | 1 +
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e71be1e9718..15c4a2d62a7 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -971,15 +971,14 @@ controls:
 - service_xinetd_disabled
 - id: 2.2.20
- title: Ensure rsync is not installed or the rsyncd service is masked (Automated)
+ title: Ensure X window server services are not in use (Automated)
 levels:
- - l1_server
- - l1_workstation
+ - l2_server
 status: automated
+ notes: >-
+ The rule also configures correct run level to prevent unbootable system.
 rules:
- - package_rsync_removed
- related_rules:
- - service_rsyncd_disabled
+ - xwindows_remove_packages
 - id: 2.3.1
 title: Ensure NIS Client is not installed (Automated)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index 0951feb29b7..b00d8316bf6 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -36,6 +36,7 @@ identifiers:
 references:
 cis@alinux2: 2.1.2
 cis@alinux3: 2.2.2
+ cis@rhel8: 2.2.20
 cis@sle12: 2.2.2
 cis@sle15: 2.2.2
 disa: CCI-000366
From 29fd2d71384c0c568e570b6153a3c30c06fec389 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 14:48:32 +0100
Subject: [PATCH 24/37] update control 2.2.21
---
 controls/cis_rhel8.yml | 14 ++++++++++++++
 .../guide/services/mail/has_nonlocal_mta/rule.yml | 2 +-
 .../postfix_network_listening_disabled/rule.yml | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 15c4a2d62a7..a5809987e2b 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -980,6 +980,20 @@ controls:
 rules:
 - xwindows_remove_packages
+ - id: 2.2.21
+ title: Ensure mail transfer agents are configured for local-only mode (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ The rule has_nonlocal_mta currently checks for services listening only on
+ port 25, but the policy checks also for ports 465 and 587
+ rules:
+ - postfix_network_listening_disabled
+ - var_postfix_inet_interfaces=loopback-only
+ - has_nonlocal_mta
+
 - id: 2.3.1
 title: Ensure NIS Client is not installed (Automated)
 levels:
diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
index 609a3ea3cd0..2b426df4d67 100644
--- a/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
+++ b/linux_os/guide/services/mail/has_nonlocal_mta/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 cis@rhel7: 2.2.21
- cis@rhel8: 2.2.17
+ cis@rhel8: 2.2.21
 cis@rhel9: 2.2.15
 cis@ubuntu2004: 2.2.15
 cis@ubuntu2204: 2.2.15
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 543afbf92c8..62c1e6c121a 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -29,7 +29,7 @@ references:
 cis@alinux2: 2.1.15
 cis@alinux3: 2.2.18
 cis@rhel7: 2.2.21
- cis@rhel8: 2.2.17
+ cis@rhel8: 2.2.21
 cis@rhel9: 2.2.15
 cis@sle12: 2.2.16
 cis@sle15: 2.2.16
From c2e7f0753361c60940d45821823d5c03be0f8742 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 14:53:14 +0100
Subject: [PATCH 25/37] update control 2.2.22
---
 controls/cis_rhel8.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a5809987e2b..4404e701343 100644
--- a/controls/cis_rhel8.yml
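Review bot: The new 2.2.21 block writes its `notes:` as a literal block (`|-`) while the neighbouring 2.2.20 block added two patches earlier uses a folded block (`>-`) for the same kind of one-paragraph remark; since this note is a single sentence wrapped only for line length, `>-` would keep it on one line when consumed and match the sibling. The sentence is also missing its terminating period: `port 25, but the policy checks also for ports 465 and 587.` The enclosing `controls:` sequence starts and ends outside the hunk.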
+++ b/controls/cis_rhel8.yml
@@ -994,6 +994,13 @@ controls:
 - var_postfix_inet_interfaces=loopback-only
 - has_nonlocal_mta
+ - id: 2.2.22
+ title: Ensure only approved services are listening on a network interface (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
 - id: 2.3.1
 title: Ensure NIS Client is not installed (Automated)
 levels:
From 23c4f7e5560f35f824a176d56fd79d6c87748ca1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 16:48:11 +0100
Subject: [PATCH 26/37] update control 2.3.1
---
 controls/cis_rhel8.yml | 4 ++--
 linux_os/guide/services/ftp/package_ftp_removed/rule.yml | 5 ++++-
 shared/references/cce-redhat-avail.txt | 1 -
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 4404e701343..5e4233a6003 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1002,13 +1002,13 @@ controls:
 status: manual
 - id: 2.3.1
- title: Ensure NIS Client is not installed (Automated)
+ title: Ensure ftp client is not installed (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - package_ypbind_removed
+ - package_ftp_removed
 - id: 2.3.2
 title: Ensure rsh client is not installed (Automated)
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
index 5582713f136..878abf5c300 100644
--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -1,6 +1,7 @@
 documentation_complete: true
-prodtype: rhel7,rhel9
+
+prodtype: rhel7,rhel8,rhel9
 title: 'Remove ftp Package'
@@ -21,10 +22,12 @@ severity: low
 identifiers:
 cce@rhel7: CCE-90757-6
+ cce@rhel8: CCE-90745-1
 cce@rhel9: CCE-86075-9
 references:
 cis@rhel7: 2.3.1
+ cis@rhel8: 2.3.1
 cis@rhel9: 2.3.4
 pcidss4: '2.2.4'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0834a664681..bf08c0491a5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -3878,7 +3878,6 @@ CCE-90739-4
 CCE-90741-0
 CCE-90742-8
 CCE-90743-6
-CCE-90745-1
 CCE-90747-7
 CCE-90748-5
 CCE-90749-3
From 5b97893ae61c748f15fae1e3c0b8cf6b672146d2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 16:54:19 +0100
Subject: [PATCH 27/37] update control 2.3.2
---
 controls/cis_rhel8.yml | 8 ++++----
 .../package_openldap-clients_removed/rule.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 5e4233a6003..438c58c25d8 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1011,13 +1011,13 @@ controls:
 - package_ftp_removed
 - id: 2.3.2
- title: Ensure rsh client is not installed (Automated)
+ title: Ensure LDAP client is not installed (Automated)
 levels:
- - l1_server
- - l1_workstation
+ - l2_server
+ - l2_workstation
 status: automated
 rules:
- - package_rsh_removed
+ - package_openldap-clients_removed
 - id: 2.3.3
 title: Ensure talk client is not installed (Automated)
diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
index 458e2887f55..c63d7cf8e0b 100644
--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml
@@ -35,7 +35,7 @@ references:
 cis@alinux2: 2.2.5
 cis@alinux3: 2.3.3
 cis@rhel7: 2.3.2
- cis@rhel8: 2.3.5
+ cis@rhel8: 2.3.2
 cis@rhel9: 2.3.2
 cis@sle12: 2.3.5
 cis@sle15: 2.3.5
From 52938a8e07a0a23945d256cf4cec6b05df37dcbe Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 16:59:14 +0100
Subject: [PATCH 28/37] update control 2.3.3
---
 controls/cis_rhel8.yml | 4 ++--
 .../services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 438c58c25d8..68a55cfd10d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1020,13 +1020,13 @@ controls:
 - package_openldap-clients_removed
 - id: 2.3.3
- title: Ensure talk client is not installed (Automated)
+ title: Ensure NIS Client is not installed (Automated)
 levels:
 - l1_server
 - l1_workstation
 status: automated
 rules:
- - package_talk_removed
+ - package_ypbind_removed
 - id: 2.3.4
 title: Ensure telnet client is not installed (Automated)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index f4672fd8f70..77fc0121826 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -31,7 +31,7 @@ references:
 cis@alinux2: 2.2.1
 cis@alinux3: 2.3.1
 cis@rhel7: 2.3.3
- cis@rhel8: 2.3.1
+ cis@rhel8: 2.3.3
 cis@sle12: 2.3.1
 cis@sle15: 2.3.1
 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
From 8dcabcd7c91c49667b7b0871e42af9dca421a358 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 17:07:13 +0100
Subject: [PATCH 29/37] update control 2.3.5
---
 controls/cis_rhel8.yml | 11 +----------
 .../obsolete/tftp/package_tftp_removed/rule.yml | 2 +-
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 68a55cfd10d..4b7b489668c 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1038,16 +1038,7 @@ controls:
 - package_telnet_removed
 - id: 2.3.5
- title: Ensure LDAP client is not installed (Automated)
- levels:
- - l1_server
- - l1_workstation
- status: automated
- rules:
- - package_openldap-clients_removed
-
- - id: 2.3.6
- title: Ensure TFTP client is not installed (Automated)
+ title: Ensure tftp client is not installed (Automated)
 levels:
 - l1_server
 - l1_workstation
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 9de8850e85b..842dc58a9c3 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -27,7 +27,7 @@ identifiers:
 references:
 anssi: BP28(R1)
 cis@rhel7: 2.3.5
- cis@rhel8: 2.3.6
+ cis@rhel8: 2.3.5
 cis@rhel9: 2.3.3
 pcidss4: '2.2.4'
From c383fa739a6b9bd641037bd62ad10278f3b12e25 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 16 Jan 2024 17:09:29 +0100
Subject: [PATCH 30/37] remove control 2.4
---
 controls/cis_rhel8.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 4b7b489668c..c03084f80df 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1046,13 +1046,6 @@ controls:
 rules:
 - package_tftp_removed
- - id: 2.4
- title: Ensure nonessential services are removed or masked (Manual)
- levels:
- - l1_server
- - l1_workstation
- status: manual
-
 - id: 3.1.1
 title: Verify if IPv6 is enabled on the system (Manual)
 levels:
From a81204a098ddacf0274f49b886518bf02be92c8c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 18 Jan 2024 14:33:16 +0100
Subject: [PATCH 31/37] remove CIS references in rules which were removed from the profile
---
 .../disable_avahi_group/package_avahi-autoipd_removed/rule.yml | 1 -
 .../services/obsolete/r_services/package_rsh_removed/rule.yml | 1 -
 .../guide/services/obsolete/talk/package_talk_removed/rule.yml | 1 -
 .../package_xorg-x11-server-common_removed/rule.yml | 1 -
 4 files changed, 4 deletions(-)
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
index 34d0cb7c9e2..b052b71e3fd 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
@@ -25,7 +25,6 @@ identifiers:
 references:
 cis-csc: 11,14,3,9
- cis@rhel8: 2.2.2
 cis@rhel9: 2.2.2
 cis@sle12: 2.2.3
 cis@sle15: 2.2.3
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index 26962ea4b3d..48d5209db42 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -36,7 +36,6 @@ identifiers:
 references:
 anssi: BP28(R1)
 cis@alinux2: 2.2.2
- cis@rhel8: 2.3.2
 cis@sle12: 2.3.2
 cis@sle15: 2.3.2
 cis@ubuntu2004: 2.3.2
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 283bf6b378c..a7473398c21 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -28,7 +28,6 @@ identifiers:
 references:
 anssi: BP28(R1)
 cis@alinux2: 2.2.3
- cis@rhel8: 2.3.3
 cis@sle12: 2.3.3
 cis@sle15: 2.3.3
 cis@ubuntu2004: 2.3.3
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 3215d25b94a..ab99571e3df 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -34,7 +34,6 @@ references:
 cis@alinux2: 2.1.2
 cis@alinux3: 2.2.2
 cis@rhel7: 2.2.20
- cis@rhel8: 2.2.2
 cis@rhel9: 2.2.1
 cis@sle12: 2.2.2
 cis@sle15: 2.2.2
From 46224776ce4592a1b97f45b6fd49639375391d8d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 18 Jan 2024 14:52:03 +0100
Subject: [PATCH 32/37] modify profile stability test of RHEL 8 PCI-DSS
this should not be in scope of this PR, but changing prodtype of the rule package_ftp_removed made it inserted into the RHEL 8 PCI-DSS profile as well. This change is made so that tests pass.
---
 tests/data/profile_stability/rhel8/pci-dss.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 1724a57a80a..4e89c54bc19 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -19,6 +19,7 @@ metadata:
 - vojtapolasek
 reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
 selections:
+- package_ftp_removed
 - enable_authselect
 - package_sudo_installed
 - sshd_set_loglevel_verbose
From c25538f3128d62dc4933344cd243ac36d24bade1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 23 Jan 2024 10:15:03 +0100
Subject: [PATCH 33/37] change status of 2.2.1
in fact, due to autofs being a dependency, the control is automated with service_autofs_disabled
---
 controls/cis_rhel8.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c03084f80df..e45f65acf7d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -758,8 +758,7 @@ controls:
 levels:
 - l1_server
 - l2_workstation
- status: partial
- # we need package_autofs_removed to complete this control
+ status: automated
 rules:
 - service_autofs_disabled
From 59e00e648f85414c65ea45619055e6789af79337 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 23 Jan 2024 10:17:25 +0100
Subject: [PATCH 34/37] include reference also in related rule for 2.2.2
---
 .../disable_avahi_group/service_avahi-daemon_disabled/rule.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index a910807fddb..0fc4cc53ddd 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -26,6 +26,7 @@ references:
 cis-csc: 11,14,3,9
 cis@alinux2: 2.1.3
 cis@alinux3: 2.2.4
+ cis@rhel8: 2.2.2
 cis@sle12: 2.2.3
 cis@sle15: 2.2.3
 cis@ubuntu2004: 2.2.3
From 769bbe4ab489e833739d911549953f7cc454ad61 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 23 Jan 2024 10:18:58 +0100
Subject: [PATCH 35/37] update refernce in related rule of 2.2.3
---
 .../dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
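Review bot: The 2.2.1 hunk drops the explanatory comment together with `status: partial`, so the reason the control is now considered satisfied by `service_autofs_disabled` alone survives only in the commit message, not in the control file a later maintainer will read. Sibling controls in this file carry such caveats in a `notes:` field; I would add `notes: >-` with `autofs cannot be removed on RHEL 8 because other packages depend on it, so the control is met by disabling the service rather than removing the package.` (wording taken from the commit message, the dependency claim to be confirmed). The hunk does not show whether the service rule also masks the unit, which is worth checking against the rule before calling the control fully automated. The enclosing control block starts outside the hunk.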
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
index 9e796c7fb74..7d8d75e0722 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 2.1.5
 cis@alinux3: 2.2.15
 cis@rhel7: 2.2.5
- cis@rhel8: 2.2.5
+ cis@rhel8: 2.2.3
 cis@sle12: 2.2.5
 cis@sle15: 2.2.5
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
From a5a8c741a91650b4738c455b938bc0f31226920b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 23 Jan 2024 10:21:29 +0100
Subject: [PATCH 36/37] update control 2.2.20 to set correct runlevel
---
 controls/cis_rhel8.yml | 3 ++-
 .../package_xorg-x11-server-common_removed/rule.yml | 1 +
 .../disabling_xwindows/xwindows_runlevel_target/rule.yml | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e45f65acf7d..ade24882f50 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -977,7 +977,8 @@ controls:
 notes: >-
 The rule also configures correct run level to prevent unbootable system.
 rules:
- - xwindows_remove_packages
+ - package_xorg-x11-server-common_removed
+ - xwindows_runlevel_target
 - id: 2.2.21
 title: Ensure mail transfer agents are configured for local-only mode (Automated)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index ab99571e3df..daf2c38ecc0 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
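Review bot: The `notes: >-` text left as context just above the changed lines, `The rule also configures correct run level to prevent unbootable system.`, is now stale: with this hunk the run level is handled by the separately listed `xwindows_runlevel_target`, not by `package_xorg-x11-server-common_removed`, so "The rule" no longer names anything. I would reword it to `xwindows_runlevel_target is selected alongside the package removal so that removing the X server does not leave the system unbootable.`, or drop the note now that the split is explicit in `rules`. The enclosing control block starts outside the hunk.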
@@ -34,6 +34,7 @@ references:
 cis@alinux2: 2.1.2
 cis@alinux3: 2.2.2
 cis@rhel7: 2.2.20
+ cis@rhel8: 2.2.20
 cis@rhel9: 2.2.1
 cis@sle12: 2.2.2
 cis@sle15: 2.2.2
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
index 619a59c702e..8e7c3290e94 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 references:
 cis-csc: 12,15,8
 cis@rhel7: 2.2.20
- cis@rhel8: 2.2.2
+ cis@rhel8: 2.2.20
 cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03
 disa: CCI-000366
 isa-62443-2009: 4.3.3.6.6
From f0aa2d5e9ce104c7ca4d20f431fc683f2b6e4e67 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 23 Jan 2024 14:41:06 +0100
Subject: [PATCH 37/37] remove cis reference from xwindows_remove_packages
---
 .../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
index b00d8316bf6..0951feb29b7 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -36,7 +36,6 @@ identifiers:
 references:
 cis@alinux2: 2.1.2
 cis@alinux3: 2.2.2
- cis@rhel8: 2.2.20
 cis@sle12: 2.2.2
 cis@sle15: 2.2.2
 disa: CCI-000366