ComplianceAsCode · marcusburghardt · Jan 24, 2024 · Jan 15, 2024 · Jan 15, 2024 · Jan 15, 2024
@@ -731,7 +731,7 @@ controls:
       - l1_server
       - l1_workstation
     status: automated
-    related_rules:
+    rules:
       - package_chrony_installed
 
   - id: 2.1.2
@@ -742,234 +742,291 @@ controls:
     status: automated
     rules:
       - chronyd_specify_remote_server
-      - chronyd_run_as_chrony_user
       - var_multiple_time_servers=rhel
 
-  - id: 2.2.1
-    title: Ensure xinetd is not installed (Automated)
+  - id: 2.1.3
+    title: Ensure chrony is not run as the root user (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_xinetd_removed
+      - chronyd_run_as_chrony_user
 
-  - id: 2.2.2
-    title: Ensure xorg-x11-server-common is not installed (Automated)
+  - id: 2.2.1
+    title: Ensure autofs services are not in use (Automated)
     levels:
       - l1_server
+      - l2_workstation
     status: automated
     rules:
-      - package_xorg-x11-server-common_removed
+      - service_autofs_disabled
 
-  - id: 2.2.3
-    title: Ensure Avahi Server is not installed (Automated)
+  - id: 2.2.2
+    title: Ensure avahi daemon services are not in use (Automated)
     levels:
       - l1_server
       - l2_workstation
     status: automated
     rules:
       - package_avahi_removed
-      - package_avahi-autoipd_removed
     related_rules:
       - service_avahi-daemon_disabled
 
+  - id: 2.2.3
+    title: Ensure dhcp server services are not in use (Automated)
+    levels:
+      - l1_server
+      - l1_workstation
+    status: automated
+    rules:
+      - package_dhcp_removed
+    related_rules:
+      - service_dhcpd_disabled
+
   - id: 2.2.4
-    title: Ensure CUPS is not installed (Automated)
+    title: Ensure dns server services are not in use (Automated)
     levels:
       - l1_server
+      - l1_workstation
     status: automated
     rules:
-      - package_cups_removed
+      - package_bind_removed
     related_rules:
-      - service_cups_disabled
+      - service_named_disabled
 
   - id: 2.2.5
-    title: Ensure DHCP Server is not installed (Automated)
+    title: Ensure dnsmasq services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_dhcp_removed
-    related_rules:
-      - service_dhcpd_disabled
+      - package_dnsmasq_removed
 
   - id: 2.2.6
-    title: Ensure DNS Server is not installed (Automated)
+    title: Ensure samba file server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_bind_removed
+      - package_samba_removed
     related_rules:
-      - service_named_disabled
+      - service_smb_disabled
 
-  # NEEDS RULE
   - id: 2.2.7
-    title: Ensure FTP Server is not installed (Automated)
+    title: Ensure ftp server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: planned
+    status: automated
+    rules:
+      - package_vsftpd_removed
     related_rules:
       - service_vsftpd_disabled
 
   - id: 2.2.8
-    title: Ensure VSFTP Server is not installed (Automated)
+    title: Ensure message access server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_vsftpd_removed
+      - package_dovecot_removed
+      - package_cyrus-imapd_removed
+    related_rules:
+      - service_dovecot_disabled
+    # new rule would be nice to disable cyrus-imapd service
 
   - id: 2.2.9
-    title: Ensure TFTP Server is not installed (Automated)
+    title: Ensure network file system services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_tftp-server_removed
+      - service_nfs_disabled
+    related_rules:
+      - package_nfs-utils_removed
+    notes: |-
+      Many of the libvirt packages used by Enterprise Linux virtualization are
+      dependent on the nfs-utils package.
 
   - id: 2.2.10
-    title: Ensure a web server is not installed (Automated)
+    title: Ensure nis server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_httpd_removed
-      - package_nginx_removed
+      - package_ypserv_removed
+    related_rules:
+      - service_ypserv_disabled
 
   - id: 2.2.11
-    title: Ensure IMAP and POP3 server is not installed (Automated)
+    title: Ensure print server services are not in use (Automated)
     levels:
       - l1_server
-      - l1_workstation
     status: automated
     rules:
-      - package_dovecot_removed
-      - package_cyrus-imapd_removed
+      - package_cups_removed
+    related_rules:
+      - service_cups_disabled
 
   - id: 2.2.12
-    title: Ensure Samba is not installed (Automated)
+    title: Ensure rpcbind services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_samba_removed
+      - service_rpcbind_disabled
+    related_rules:
+      - package_rpcbind_removed
+    notes: |-
+      Many of the libvirt packages used by Enterprise Linux virtualization, and
+      the nfs-utils
+      package used for The Network File System (NFS), are dependent on the rpcbind
+      package.
 
   - id: 2.2.13
-    title: Ensure HTTP Proxy Server is not installed (Automated)
+    title: Ensure rsync services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_squid_removed
+      - package_rsync_removed
+    related_rules:
+      - service_rsyncd_disabled
 
   - id: 2.2.14
-    title: Ensure net-snmp is not installed (Automated)
+    title: Ensure snmp services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
       - package_net-snmp_removed
+    related_rules:
+      - service_snmpd_disabled
 
   - id: 2.2.15
-    title: Ensure NIS server is not installed (Automated)
+    title: Ensure telnet server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_ypserv_removed
+      - package_telnet-server_removed
+    related_rules:
+      - service_telnet_disabled
 
   - id: 2.2.16
-    title: Ensure telnet-server is not installed (Automated)
+    title: Ensure tftp server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_telnet-server_removed
+      - package_tftp-server_removed
+    related_rules:
+      - service_tftp_disabled
 
   - id: 2.2.17
-    title: Ensure mail transfer agent is configured for local-only mode (Automated)
+    title: Ensure web proxy server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - postfix_network_listening_disabled
-      - var_postfix_inet_interfaces=loopback-only
-      - has_nonlocal_mta
+      - package_squid_removed
+    related_rules:
+      - service_squid_disabled
 
   - id: 2.2.18
-    title: Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)
+    title: Ensure web server services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - service_nfs_disabled
+      - package_httpd_removed
+      - package_nginx_removed
     related_rules:
-      - package_nfs-utils_removed
-      # The nfs-utils package is required for systems with GUI or by some libvirt packages
+      - service_httpd_disabled
+    # rule would be nice to disable nginx service
 
   - id: 2.2.19
-    title: Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
+    title: Ensure xinetd services are not in use (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - service_rpcbind_disabled
+      - package_xinetd_removed
     related_rules:
-      - package_rpcbind_removed
+      - service_xinetd_disabled
 
   - id: 2.2.20
-    title:  Ensure rsync is not installed or the rsyncd service is masked (Automated)
+    title: Ensure X window server services are not in use (Automated)
+    levels:
+      - l2_server
+    status: automated
+    notes: >-
+      The rule also configures correct run level to prevent unbootable system.
+    rules:
+      - package_xorg-x11-server-common_removed
+      - xwindows_runlevel_target
+
+  - id: 2.2.21
+    title: Ensure mail transfer agents are configured for local-only mode (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: automated
+    status: partial
+    notes:  |-
+      The rule has_nonlocal_mta currently checks for services listening only on
+      port 25, but the policy checks also for ports 465 and 587
     rules:
-      - package_rsync_removed
-    related_rules:
-      - service_rsyncd_disabled
+      - postfix_network_listening_disabled
+      - var_postfix_inet_interfaces=loopback-only
+      - has_nonlocal_mta
+
+  - id: 2.2.22
+    title: Ensure only approved services are listening on a network interface (Manual)
+    levels:
+      - l1_server
+      - l1_workstation
+    status: manual
 
   - id: 2.3.1
-    title: Ensure NIS Client is not installed (Automated)
+    title: Ensure ftp client is not installed (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_ypbind_removed
+      - package_ftp_removed
 
   - id: 2.3.2
-    title: Ensure rsh client is not installed (Automated)
+    title: Ensure LDAP client is not installed (Automated)
     levels:
-      - l1_server
-      - l1_workstation
+      - l2_server
+      - l2_workstation
     status: automated
     rules:
-      - package_rsh_removed
+      - package_openldap-clients_removed
 
   - id: 2.3.3
-    title: Ensure talk client is not installed (Automated)
+    title: Ensure NIS Client is not installed (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
-      - package_talk_removed
+      - package_ypbind_removed
 
   - id: 2.3.4
     title: Ensure telnet client is not installed (Automated)
@@ -981,30 +1038,14 @@ controls:
       - package_telnet_removed
 
   - id: 2.3.5
-    title: Ensure LDAP client is not installed (Automated)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: automated
-    rules:
-      - package_openldap-clients_removed
-
-  - id: 2.3.6
-    title: Ensure TFTP client is not installed (Automated)
+    title: Ensure tftp client is not installed (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: automated
     rules:
       - package_tftp_removed
 
-  - id: 2.4
-    title: Ensure nonessential services are removed or masked (Manual)
-    levels:
-      - l1_server
-      - l1_workstation
-    status: manual
-
   - id: 3.1.1
     title: Verify if IPv6 is enabled on the system (Manual)
     levels: