diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml
index a0321a155ce9..471207ff53ef 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87730-8
 cce@rhel10: CCE-90697-4
 ocil_clause: "the option '-c' is not set in the '/etc/audit/audit.rules' file"
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_nsswitch_conf/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_nsswitch_conf/rule.yml
index 4b1a0be28d34..7f77f5cf75b5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_nsswitch_conf/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_nsswitch_conf/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87835-5
 cce@rhel9: CCE-86213-6
 cce@rhel10: CCE-90524-0
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml
index 3703e2858943..378a1cf6b684 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89453-5
 cce@rhel9: CCE-86212-8
 cce@rhel10: CCE-90525-7
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pamd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pamd/rule.yml
index 10b73036e667..aa58fd805ae2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pamd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pamd/rule.yml
@@ -11,6 +11,7 @@ rationale: |-
 should be investigated.
 identifiers:
+ cce@rhel8: CCE-90268-4
 cce@rhel9: CCE-86211-0
 cce@rhel10: CCE-90526-5
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
index e21cc0c02fc3..bde0d87fbfb6 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
@@ -22,7 +22,7 @@ options:
 rotate: rotate
 ol8: syslog|single|halt
 rhel8: syslog|single|halt
- cis_rhel8: syslog|single|halt
+ cis_rhel8: single|halt
 cis_rhel9: halt|single
 cis_rhel10: halt|single
 cis_fedora: halt|single
diff --git a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
index a5e129ccb36d..cdd150b6925d 100644
--- a/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
+++ b/linux_os/guide/auditing/package_audit-libs_installed/rule.yml
@@ -16,6 +16,7 @@ rationale: 'The auditd service is an access monitoring and accounting daemon, wa
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87113-7
 cce@rhel9: CCE-86772-1
 cce@rhel10: CCE-90611-5
 cce@sle12: CCE-92320-1
diff --git a/linux_os/guide/services/base/service_cockpit_disabled/rule.yml b/linux_os/guide/services/base/service_cockpit_disabled/rule.yml
index ae327a56e63b..386955d3dfdb 100644
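Review bot: The new `cis_rhel8: single|halt` in var_auditd_disk_full_action.var lists its alternatives in the opposite order from the neighbouring `cis_rhel9: halt|single`, `cis_rhel10: halt|single` and `cis_fedora: halt|single`. If the first alternative is the value a remediation writes when this option is selected, cis_rhel8 would remediate to `single` while every other CIS product remediates to `halt`, the stronger response to an exhausted audit partition; if only the accepted set matters, the ordering is merely inconsistent. Unless the RHEL 8 benchmark specifically prefers `single`, `cis_rhel8: halt|single` would keep all CIS entries reading the same and make the intent unambiguous.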
--- a/linux_os/guide/services/base/service_cockpit_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_cockpit_disabled/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89026-9
 cce@rhel10: CCE-87509-6
 platform: system_with_kernel
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_yearly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_yearly/rule.yml
index e1e1d6b50ff1..5cf3fa93447d 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_yearly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_yearly/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87776-1
 cce@rhel10: CCE-88898-2
 references:
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_yearly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_yearly/rule.yml
index fb8cf53646f7..e7871c2c0908 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_yearly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_yearly/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88838-8
 cce@rhel10: CCE-90735-2
 references:
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_yearly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_yearly/rule.yml
index c3e1ebbf6449..928e62783f70 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_yearly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_yearly/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-86796-0
 cce@rhel10: CCE-90732-9
 references:
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
index 70efd4ed136b..6acdf95eb38f 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87348-9
 cce@rhel10: CCE-86596-4
 {{{ complete_ocil_entry_package(package="kea") }}}
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-Xwayland_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-Xwayland_removed/rule.yml
index 00fd2976f671..9e80a12acaed 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-Xwayland_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-Xwayland_removed/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87005-5
 cce@rhel10: CCE-90601-6
 ocil_clause: The xorg-x11-server-Xwayland package is installed.
diff --git a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml
index 2d6927fb5b52..5ad5b10084b4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml
@@ -26,6 +26,7 @@ rationale: |-
 The system should only provide access after performing authentication of a user.
 identifiers:
+ cce@rhel8: CCE-87083-2
 cce@rhel10: CCE-87536-9
 severity: medium
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml
index f1135bab0b32..091fcba70146 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 without requiring the user to re-enter it multiple times.
 identifiers:
+ cce@rhel8: CCE-90463-1
 cce@rhel10: CCE-86732-5
 severity: medium
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml
index dc966621059e..5edf9b9175b8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89997-1
 cce@rhel10: CCE-86733-3
 ocil_clause: 'Usage of use_authtok for pam_unix.so is required'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml
index 0f88bd3eaf79..d826f6450d1e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml
@@ -27,6 +27,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89090-5
 cce@rhel10: CCE-87367-9
 platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
index fd14a5db0e49..d955dbe9c17d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
@@ -19,5 +19,6 @@ options:
 yescrypt: YESCRYPT
 cis_ubuntu2204: SHA512|YESCRYPT
 cis_ubuntu2404: SHA512|YESCRYPT
+ cis_rhel8: YESCRYPT|SHA512
 cis_rhel10: YESCRYPT|SHA512
 cis_fedora: YESCRYPT|SHA512
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var
index 6d806caaf29d..b6e46765560f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var
@@ -16,4 +16,5 @@ options:
 default: sha512
 sha512: sha512
 yescrypt: yescrypt
+ cis_rhel8: yescrypt|sha512
 cis_rhel10: yescrypt|sha512
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml
index 9477c5580778..5bdeb2065700 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87733-2
 cce@rhel10: CCE-87072-5
 cce@sle15: CCE-92592-5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml
index 158952859c20..46f7228f32ab 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87435-4
 cce@rhel10: CCE-87390-1
 ocil_clause: 'any .rhost files exist'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml
index ead00151bf87..f10a74615044 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
 severity: high
 identifiers:
+ cce@rhel8: CCE-90313-8
 cce@rhel9: CCE-86567-5
 cce@rhel10: CCE-87073-3
 cce@sle15: CCE-92565-1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml
index 7ae881ff6732..9ab739f5a3dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml
@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88390-0
 cce@rhel9: CCE-86746-5
 cce@rhel10: CCE-86751-5
 cce@sle15: CCE-92591-7
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml
index 2841baf859fd..2f506c1a3364 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml
@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89104-4
 cce@rhel10: CCE-87392-7
 cce@sle15: CCE-92554-5
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
index 527883d9f74c..a30e8012f881 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
@@ -16,6 +16,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-90424-3
 cce@rhel10: CCE-87074-1
 cce@sle15: CCE-92484-5
diff --git a/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
index 0561347170f2..b8b3d10787b4 100644
--- a/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml
@@ -34,6 +34,7 @@ ocil: |-
 ocil_clause: 'is commented out or not configured correctly'
 identifiers:
+ cce@rhel8: CCE-88250-6
 cce@rhel10: CCE-88340-5
 cce@sle15: CCE-92566-9
diff --git a/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml b/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
index e8f6fe2d2be2..2ba4782a8f49 100644
--- a/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
+++ b/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
@@ -21,6 +21,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-87557-5
 cce@rhel10: CCE-86711-9
 cce@sle15: CCE-92604-8
 cce@slmicro5: CCE-94084-1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
index 884ac8dd07c6..0325334a4d14 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88884-2
 cce@rhel10: CCE-87075-8
 cce@sle12: CCE-83248-5
 cce@sle15: CCE-85725-0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_forwarding/rule.yml
index b266bb0ec178..d2931231db56 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_forwarding/rule.yml
@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-86652-5
 cce@rhel10: CCE-88797-6
 ocil_clause: 'IP forwarding value is "1" and the system is not router'
diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/rule.yml
index 81780a141d8a..0117f8d58e81 100644
--- a/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/rule.yml
@@ -26,6 +26,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89626-6
 cce@rhel10: CCE-86647-5
 ocil_clause: 'files and directories exist that are not owned by a valid group'
diff --git a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/rule.yml
index 1c4ef724f3d6..d82ca010bb3a 100644
--- a/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/rule.yml
@@ -24,6 +24,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89978-1
 cce@rhel10: CCE-86643-4
 # The rule check uses password probe, which doesn't support offline mode
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd/rule.yml
index 54983596def3..b60ee94d8429 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd/rule.yml
@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89558-1
 cce@rhel10: CCE-90453-2
 cce@sle15: CCE-92539-6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd_old/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd_old/rule.yml
index 5fde10a49ba3..6bb74d5cddae 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd_old/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd_old/rule.yml
@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-90263-5
 cce@rhel10: CCE-89419-6
 cce@sle15: CCE-92540-4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd/rule.yml
index afd36da9e6af..755be90159cf 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd/rule.yml
@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89852-8
 cce@rhel10: CCE-86791-1
 cce@sle15: CCE-92545-3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd_old/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd_old/rule.yml
index b29ad8093f51..9e7601e81bc9 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd_old/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd_old/rule.yml
@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-90509-1
 cce@rhel10: CCE-88528-5
 cce@sle15: CCE-92546-1
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd/rule.yml
index c38f6e3ca1dc..529490a47979 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd/rule.yml
@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88772-9
 cce@rhel10: CCE-89580-5
 cce@sle15: CCE-92558-6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd_old/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd_old/rule.yml
index c4179d5b667e..1f628d790e5c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd_old/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd_old/rule.yml
@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-89332-1
 cce@rhel10: CCE-87434-7
 cce@sle15: CCE-92559-4
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml
index b090a1a5a556..2a5a68ad2bd8 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: low
 identifiers:
+ cce@rhel8: CCE-90461-5
 cce@rhel10: CCE-87507-0
 cce@sle15: CCE-92579-2
diff --git a/linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml b/linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml
index c18b398d7e68..5a27f8ddf534 100644
--- a/linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml
@@ -27,6 +27,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-86968-5
 cce@rhel10: CCE-87228-3
 ocil_clause: |-
diff --git a/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml b/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml
index 4eb4b73f9357..f8fc38d995b3 100644
--- a/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml
+++ b/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml
@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-88727-3
 cce@rhel10: CCE-86970-1
 ocil_clause: 'the install_weak_deps option is not set to 0'
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index 46662793b322..e09bec239828 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -2,7 +2,7 @@ policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
 title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
 id: cis_rhel8
-version: '3.0.0'
+version: '4.0.0'
 source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
 levels:
@@ -30,24 +30,11 @@ controls:
 rules:
 - dconf_db_up_to_date
- - id: enable_authselect
- title: Enable Authselect
- levels:
- - l1_server
- - l1_workstation
- notes: |-
- We need this in all CIS versions, but the policy doesn't have any section where this
- would fit better.
- status: automated
- rules:
- - var_authselect_profile=sssd
- - enable_authselect
-
 - id: 1.1.1.1
 title: Ensure cramfs kernel module is not available (Automated)
 levels:
- - l1_workstation
 - l1_server
+ - l1_workstation
 status: automated
 rules:
 - kernel_module_cramfs_disabled
@@ -55,8 +42,8 @@ controls:
 - id: 1.1.1.2
 title: Ensure freevxfs kernel module is not available (Automated)
 levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
 status: automated
 rules:
 - kernel_module_freevxfs_disabled
@@ -64,8 +51,8 @@ controls:
 - id: 1.1.1.3
 title: Ensure hfs kernel module is not available (Automated)
 levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
 status: automated
 rules:
 - kernel_module_hfs_disabled
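Review bot: The `@@ -30,24 +30,11 @@` hunk of cis_rhel8.yml deletes the `enable_authselect` control and with it the `var_authselect_profile=sssd` and `enable_authselect` selections, and nothing else in this diff re-adds them under another control id. The removed note stated the control is needed in every CIS version precisely because the benchmark has no section it fits; the PAM rules being given rhel8 CCEs in this same commit (`accounts_password_pam_unix_enabled`, `accounts_password_pam_pwhistory_use_authtok`, `accounts_password_pam_unix_authtok`) presumably still depend on an authselect profile for their remediations to apply cleanly. If v4.0.0 genuinely no longer needs it, say so in the commit message or leave a short note in the controls file; otherwise keep the control, e.g. retain the removed `- id: enable_authselect` block with its original `notes:` text so the rationale survives the renumbering.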
@@ -73,8 +60,8 @@ controls:
 - id: 1.1.1.4
 title: Ensure hfsplus kernel module is not available (Automated)
 levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
 status: automated
 rules:
 - kernel_module_hfsplus_disabled
@@ -82,13 +69,22 @@ controls:
 - id: 1.1.1.5
 title: Ensure jffs2 kernel module is not available (Automated)
 levels:
- - l2_server
- - l2_workstation
+ - l1_server
+ - l1_workstation
 status: automated
 rules:
 - kernel_module_jffs2_disabled
 - id: 1.1.1.6
+ title: Ensure overlay kernel module is not available (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - kernel_module_overlayfs_disabled
+
+ - id: 1.1.1.7
 title: Ensure squashfs kernel module is not available (Automated)
 levels:
 - l2_server
@@ -97,7 +93,7 @@ controls:
 rules:
 - kernel_module_squashfs_disabled
- - id: 1.1.1.7
+ - id: 1.1.1.8
 title: Ensure udf kernel module is not available (Automated)
 levels:
 - l2_server
@@ -106,7 +102,16 @@ controls:
 rules:
 - kernel_module_udf_disabled
- - id: 1.1.1.8
+ - id: 1.1.1.9
+ title: Ensure firewire-core kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - kernel_module_firewire-core_disabled
+
+ - id: 1.1.1.10
 title: Ensure usb-storage kernel module is not available (Automated)
 levels:
 - l1_server
@@ -115,8 +120,15 @@ controls:
 rules:
 - kernel_module_usb-storage_disabled
+ - id: 1.1.1.11
+ title: Ensure unused filesystems kernel modules are not available (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
 - id: 1.1.2.1.1
- title: Ensure /tmp is a separate partition (Automated)
+ title: Ensure /tmp is tmpfs or a separate partition (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -152,7 +164,7 @@ controls:
 - mount_option_tmp_noexec
 - id: 1.1.2.2.1
- title: Ensure /dev/shm is a separate partition (Automated)
+ title: Ensure /dev/shm is tmpfs (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -349,7 +361,7 @@ controls:
 rules:
 - mount_option_var_log_audit_noexec
- - id: 1.2.1
+ - id: 1.2.1.1
 title: Ensure GPG keys are configured (Manual)
 levels:
 - l1_server
@@ -358,8 +370,8 @@ controls:
 related_rules:
 - ensure_redhat_gpgkey_installed
- - id: 1.2.2
- title: Ensure gpgcheck is globally activated (Automated)
+ - id: 1.2.1.2
+ title: Ensure gpgcheck is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -368,21 +380,30 @@ controls:
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_never_disabled
- - id: 1.2.3
+ - id: 1.2.1.3
 title: Ensure repo_gpgcheck is globally activated (Manual)
 levels:
 - l2_server
 - l2_workstation
 status: manual
- - id: 1.2.4
+ - id: 1.2.1.4
 title: Ensure package manager repositories are configured (Manual)
 levels:
 - l1_server
 - l1_workstation
 status: manual
- - id: 1.2.5
+ - id: 1.2.1.5
+ title: Ensure weak dependencies are configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - disable_weak_deps
+
+ - id: 1.2.2.1
 title: Ensure updates, patches, and additional security software are installed (Manual)
 levels:
 - l1_server
@@ -391,7 +412,80 @@ controls:
 related_rules:
 - security_patches_up_to_date
- - id: 1.3.1
+ - id: 1.3.1.1
+ title: Ensure SELinux is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_libselinux_installed
+
+ - id: 1.3.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - grub2_enable_selinux
+
+ - id: 1.3.1.3
+ title: Ensure SELinux policy is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ - id: 1.3.1.4
+ title: Ensure the SELinux mode is not disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - selinux_not_disabled
+
+ - id: 1.3.1.5
+ title: Ensure the SELinux mode is enforcing (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: automated
+ rules:
+ - var_selinux_state=enforcing
+ - selinux_state
+
+ - id: 1.3.1.6
+ title: Ensure no unconfined services exist (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+ related_rules:
+ - selinux_confinement_of_daemons
+
+ - id: 1.3.1.7
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - package_mcstrans_removed
+
+ - id: 1.3.1.8
+ title: Ensure SETroubleshoot is not installed (Automated)
+ levels:
+ - l1_server
+ status: automated
+ rules:
+ - package_setroubleshoot_removed
+
+ - id: 1.4.1
 title: Ensure bootloader password is set (Automated)
 levels:
 - l1_server
@@ -401,8 +495,8 @@ controls:
 - grub2_password
 - grub2_uefi_password
- - id: 1.3.2
- title: Ensure permissions on bootloader config are configured (Automated)
+ - id: 1.4.2
+ title: Ensure access to bootloader config is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
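Review bot: The new `- id: 1.3.1.6` block silently changes what the profile enforces: the old `1.5.1.6` entry (removed in the following `@@ -421,114 +515,95 @@` hunk) was `status: automated` at l1_server/l1_workstation with `rules: - selinux_confinement_of_daemons`, while the new one is `status: manual` at l2 with the same rule under `related_rules:`, which presumably drops it from the generated profile. That is a real content change buried in what otherwise reads as a section renumbering, and nothing in the diff explains it. If it mirrors the benchmark's reclassification of the item to Manual, a one-line `notes: |-` on the control stating that (and that the rule is now informational only) would make the downgrade deliberate and greppable; if not, the `rules:` key should be kept.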
@@ -421,114 +515,95 @@ controls: - file_permissions_efi_user_cfg - file_permissions_user_cfg - - id: 1.4.1 - title: Ensure address space layout randomization (ASLR) is enabled (Automated) + - id: 1.5.1 + title: Ensure core file size is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_kernel_randomize_va_space + - disable_users_coredumps - - id: 1.4.2 - title: Ensure ptrace_scope is restricted (Automated) + - id: 1.5.2 + title: Ensure fs.protected_hardlinks is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_kernel_yama_ptrace_scope + - sysctl_fs_protected_hardlinks - - id: 1.4.3 - title: Ensure core dump backtraces are disabled (Automated) + - id: 1.5.3 + title: Ensure fs.protected_symlinks is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - coredump_disable_backtraces + - sysctl_fs_protected_symlinks - - id: 1.4.4 - title: Ensure core dump storage is disabled (Automated) + - id: 1.5.4 + title: Ensure fs.suid_dumpable is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - coredump_disable_storage + - sysctl_fs_suid_dumpable - - id: 1.5.1.1 - title: Ensure SELinux is installed (Automated) + - id: 1.5.5 + title: Ensure kernel.dmesg_restrict is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_libselinux_installed + - sysctl_kernel_dmesg_restrict - - id: 1.5.1.2 - title: Ensure SELinux is not disabled in bootloader configuration (Automated) + - id: 1.5.6 + title: Ensure kernel.kptr_restrict is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - grub2_enable_selinux + - sysctl_kernel_kptr_restrict - - id: 1.5.1.3 - title: Ensure SELinux policy is configured (Automated) + - id: 1.5.7 + title: Ensure kernel.yama.ptrace_scope is configured (Automated) levels: - l1_server - 
l1_workstation status: automated rules: - - var_selinux_policy_name=targeted - - selinux_policytype + - sysctl_kernel_yama_ptrace_scope - - id: 1.5.1.4 - title: Ensure the SELinux mode is not disabled (Automated) + - id: 1.5.8 + title: Ensure kernel.randomize_va_space is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - selinux_not_disabled - - - id: 1.5.1.5 - title: Ensure the SELinux mode is enforcing (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - var_selinux_state=enforcing - - selinux_state + - sysctl_kernel_randomize_va_space - - id: 1.5.1.6 - title: Ensure no unconfined services exist (Automated) + - id: 1.5.9 + title: Ensure systemd-coredump ProcessSizeMax is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - selinux_confinement_of_daemons + - coredump_disable_backtraces - - id: 1.5.1.7 - title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + - id: 1.5.10 + title: Ensure systemd-coredump Storage is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_mcstrans_removed - - - id: 1.5.1.8 - title: Ensure SETroubleshoot is not installed (Automated) - levels: - - l1_server - status: automated - rules: - - package_setroubleshoot_removed + - coredump_disable_storage - id: 1.6.1 title: Ensure system wide crypto policy is not set to legacy (Automated) @@ -545,13 +620,11 @@ controls: - l1_server - l1_workstation status: automated - notes: |- - This requirement is already satisfied by 1.6.1. rules: - configure_custom_crypto_policy_cis - id: 1.6.3 - title: Ensure system wide crypto policy disables cbc for ssh (Automated) + title: Ensure system wide crypto policy macs are configured (Automated) levels: - l1_server - l1_workstation 
@@ -560,7 +633,7 @@ controls: - configure_custom_crypto_policy_cis - id: 1.6.4 - title: Ensure system wide crypto policy disables macs less than 128 bits (Automated) + title: Ensure system wide crypto policy disables cbc for ssh (Automated) levels: - l1_server - l1_workstation @@ -568,8 +641,22 @@ controls: rules: - configure_custom_crypto_policy_cis + - id: 1.6.5 + title: Ensure system wide crypto policy disables chacha20poly1305 for ssh (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 1.6.6 + title: Ensure system wide crypto policy disables EtM for ssh (Manual) + levels: + - l1_server + - l1_workstation + status: manual + - id: 1.7.1 - title: Ensure message of the day is configured properly (Automated) + title: Ensure /etc/motd is configured (Automated) levels: - l1_server - l1_workstation @@ -579,7 +666,7 @@ controls: - cis_banner_text=cis - id: 1.7.2 - title: Ensure local login warning banner is configured properly (Automated) + title: Ensure /etc/issue is configured (Automated) levels: - l1_server - l1_workstation @@ -589,7 +676,7 @@ controls: - cis_banner_text=cis - id: 1.7.3 - title: Ensure remote login warning banner is configured properly (Automated) + title: Ensure /etc/issue.net is configured (Automated) levels: - l1_server - l1_workstation @@ -632,14 +719,6 @@ controls: - file_permissions_etc_issue_net - id: 1.8.1 - title: Ensure GNOME Display Manager is removed (Automated) - levels: - - l2_server - status: automated - rules: - - package_gdm_removed - - - id: 1.8.2 title: Ensure GDM login banner is configured (Automated) levels: - l1_server @@ -650,8 +729,8 @@ controls: - dconf_gnome_login_banner_text - login_banner_text=cis_banners - - id: 1.8.3 - title: Ensure GDM disable-user-list option is enabled (Automated) + - id: 1.8.2 + title: Ensure GDM disable-user-list is configured (Automated) levels: - l1_server - l1_workstation 
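Review bot: Controls 1.6.5 and 1.6.6 in the `@@ -568,8 +641,22 @@` hunk are added with `status: manual` and no `rules` or `related_rules`, while the neighbouring crypto-policy controls 1.6.3 and 1.6.4 both map to `configure_custom_crypto_policy_cis`. If that custom policy module already disables chacha20-poly1305 and EtM for ssh, listing it under `related_rules` on both controls would make the coverage visible; if it does not, a `notes:` line stating that the gap is intentional would save the next reader from re-checking. The hunk alone does not show which is the case.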
@@ -659,8 +738,8 @@ controls: rules: - dconf_gnome_disable_user_list - - id: 1.8.4 - title: Ensure GDM screen locks when the user is idle (Automated) + - id: 1.8.3 + title: Ensure GDM screen lock is configured (Automated) levels: - l1_server - l1_workstation @@ -668,44 +747,23 @@ controls: rules: - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - - inactivity_timeout_value=15_minutes - - var_screensaver_lock_delay=5_seconds - - - id: 1.8.5 - title: Ensure GDM screen locks cannot be overridden (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - dconf_gnome_session_idle_user_locks - dconf_gnome_screensaver_user_locks + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds - - id: 1.8.6 - title: Ensure GDM automatic mounting of removable media is disabled (Automated) + - id: 1.8.4 + title: Ensure GDM automount is configured (Automated) levels: - l1_server - - l1_workstation + - l2_workstation status: automated rules: - dconf_gnome_disable_automount - dconf_gnome_disable_automount_open - - id: 1.8.7 - title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - The same rules used in 1.8.6 are applicable here since they configure and also lock the - settings. - related_rules: - - dconf_gnome_disable_automount - - dconf_gnome_disable_automount_open - - - id: 1.8.8 - title: Ensure GDM autorun-never is enabled (Automated) + - id: 1.8.5 + title: Ensure GDM autorun-never is configured (Automated) levels: - l1_server - l1_workstation 
@@ -713,19 +771,7 @@ controls: rules: - dconf_gnome_disable_autorun - - id: 1.8.9 - title: Ensure GDM autorun-never is not overridden (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: |- - The same rules used in 1.8.8 are applicable here since they configure and also lock the - settings. - related_rules: - - dconf_gnome_disable_autorun - - - id: 1.8.10 + - id: 1.8.6 title: Ensure XDMCP is not enabled (Automated) levels: - l1_server @@ -734,35 +780,16 @@ controls: rules: - gnome_gdm_disable_xdmcp - - id: 2.1.1 - title: Ensure time synchronization is in use (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_chrony_installed - - - id: 2.1.2 - title: Ensure chrony is configured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - chronyd_specify_remote_server - - var_multiple_time_servers=rhel - - - id: 2.1.3 - title: Ensure chrony is not run as the root user (Automated) + - id: 1.8.7 + title: Ensure Xwayland is configured (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - chronyd_run_as_chrony_user + - xwayland_disabled - - id: 2.2.1 + - id: 2.1.1 title: Ensure autofs services are not in use (Automated) levels: - l1_server @@ -771,7 +798,7 @@ controls: rules: - service_autofs_disabled - - id: 2.2.2 + - id: 2.1.2 title: Ensure avahi daemon services are not in use (Automated) levels: - l1_server 
@@ -782,18 +809,27 @@ controls: related_rules: - package_avahi_removed - - id: 2.2.3 + - id: 2.1.3 + title: Ensure cockpit web services are not in use (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - service_cockpit_disabled + + - id: 2.1.4 title: Ensure dhcp server services are not in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_dhcp_removed + - package_kea_removed related_rules: - service_dhcpd_disabled - - id: 2.2.4 + - id: 2.1.5 title: Ensure dns server services are not in use (Automated) levels: - l1_server @@ -804,7 +840,7 @@ controls: related_rules: - service_named_disabled - - id: 2.2.5 + - id: 2.1.6 title: Ensure dnsmasq services are not in use (Automated) levels: - l1_server @@ -813,18 +849,7 @@ controls: rules: - package_dnsmasq_removed - - id: 2.2.6 - title: Ensure samba file server services are not in use (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_samba_removed - related_rules: - - service_smb_disabled - - - id: 2.2.7 + - id: 2.1.7 title: Ensure ftp server services are not in use (Automated) levels: - l1_server @@ -835,7 +860,7 @@ controls: related_rules: - service_vsftpd_disabled - - id: 2.2.8 + - id: 2.1.8 title: Ensure message access server services are not in use (Automated) levels: - l1_server 
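Review bot: In the `@@ -782,18 +809,27 @@` hunk, 2.1.4 replaces `package_dhcp_removed` with `package_kea_removed`, which narrows the automated check to the Kea server package only. The accompanying changes in this commit (cce@rhel8 identifiers, the `cis_rhel8` variable option) suggest this is the RHEL 8 control file, where the ISC `dhcp-server` package is the one normally shipped, so a host that still has it installed would now pass 2.1.4 unnoticed. If both server packages are in scope on the target platform, keeping `- package_dhcp_removed` alongside the new entry preserves the previous coverage; otherwise a one-line `notes:` explaining why only Kea is checked would make the choice deliberate.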
@@ -846,23 +871,22 @@ controls: - package_cyrus-imapd_removed related_rules: - service_dovecot_disabled - # new rule would be nice to disable cyrus-imapd service - - id: 2.2.9 + - id: 2.1.9 title: Ensure network file system services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the + nfs-utils package. rules: - service_nfs_disabled related_rules: - package_nfs-utils_removed - notes: |- - Many of the libvirt packages used by Enterprise Linux virtualization are - dependent on the nfs-utils package. - - id: 2.2.10 + - id: 2.1.10 title: Ensure nis server services are not in use (Automated) levels: - l1_server @@ -870,10 +894,8 @@ controls: status: automated rules: - package_ypserv_removed - related_rules: - - service_ypserv_disabled - - id: 2.2.11 + - id: 2.1.11 title: Ensure print server services are not in use (Automated) levels: - l1_server @@ -883,23 +905,21 @@ controls: related_rules: - package_cups_removed - - id: 2.2.12 + - id: 2.1.12 title: Ensure rpcbind services are not in use (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils + package used for The Network File System (NFS), are dependent on the rpcbind package. rules: - service_rpcbind_disabled related_rules: - package_rpcbind_removed - notes: |- - Many of the libvirt packages used by Enterprise Linux virtualization, and - the nfs-utils - package used for The Network File System (NFS), are dependent on the rpcbind - package. - - id: 2.2.13 + - id: 2.1.13 title: Ensure rsync services are not in use (Automated) levels: - l1_server 
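Review bot: The `@@ -870,10 +894,8 @@` hunk removes `related_rules: - service_ypserv_disabled` from 2.1.10 with nothing in its place, so the control now records only the package-removal check. Neighbouring "not in use" controls (2.1.4, 2.1.5, 2.1.7, 2.1.8) keep a `service_*_disabled` entry for the case where the package is still present; unless that rule was dropped from the content, I would keep the line. The `@@ -846,23 +871,22 @@` hunk likewise deletes the `# new rule would be nice to disable cyrus-imapd service` reminder, which appears to belong to 2.1.8, without a rule replacing it — if the gap still exists, a `notes:` entry on that control would preserve it.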
@@ -910,7 +930,18 @@ controls: related_rules: - service_rsyncd_disabled - - id: 2.2.14 + - id: 2.1.14 + title: Ensure samba file server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_samba_removed + related_rules: + - service_smb_disabled + + - id: 2.1.15 title: Ensure snmp services are not in use (Automated) levels: - l1_server @@ -921,7 +952,7 @@ controls: related_rules: - service_snmpd_disabled - - id: 2.2.15 + - id: 2.1.16 title: Ensure telnet server services are not in use (Automated) levels: - l1_server @@ -932,7 +963,7 @@ controls: related_rules: - service_telnet_disabled - - id: 2.2.16 + - id: 2.1.17 title: Ensure tftp server services are not in use (Automated) levels: - l1_server @@ -943,7 +974,7 @@ controls: related_rules: - service_tftp_disabled - - id: 2.2.17 + - id: 2.1.18 title: Ensure web proxy server services are not in use (Automated) levels: - l1_server @@ -954,7 +985,7 @@ controls: related_rules: - service_squid_disabled - - id: 2.2.18 + - id: 2.1.19 title: Ensure web server services are not in use (Automated) levels: - l1_server @@ -965,9 +996,8 @@ controls: - package_nginx_removed related_rules: - service_httpd_disabled - # rule would be nice to disable nginx service - - id: 2.2.19 + - id: 2.1.20 title: Ensure xinetd services are not in use (Automated) levels: - l1_server 
@@ -978,18 +1008,23 @@ controls: related_rules: - service_xinetd_disabled - - id: 2.2.20 + - id: 2.1.21 + title: Ensure GNOME Display Manager is removed (Automated) + levels: + - l2_server + status: automated + rules: + - package_gdm_removed + + - id: 2.1.22 title: Ensure X window server services are not in use (Automated) levels: - l2_server status: automated - notes: >- - The rule also configures correct run level to prevent unbootable system. rules: - - package_xorg-x11-server-common_removed - - xwindows_runlevel_target + - package_xorg-x11-server-Xwayland_removed - - id: 2.2.21 + - id: 2.1.23 title: Ensure mail transfer agents are configured for local-only mode (Automated) levels: - l1_server @@ -1000,14 +1035,14 @@ controls: - var_postfix_inet_interfaces=loopback-only - has_nonlocal_mta - - id: 2.2.22 + - id: 2.1.24 title: Ensure only approved services are listening on a network interface (Manual) levels: - l1_server - l1_workstation status: manual - - id: 2.3.1 + - id: 2.2.1 title: Ensure ftp client is not installed (Automated) levels: - l1_server @@ -1016,8 +1051,8 @@ controls: rules: - package_ftp_removed - - id: 2.3.2 - title: Ensure LDAP client is not installed (Automated) + - id: 2.2.2 + title: Ensure ldap client is not installed (Automated) levels: - l2_server - l2_workstation 
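Review bot: In the `@@ -978,18 +1008,23 @@` hunk, 2.1.22 replaces `package_xorg-x11-server-common_removed` and `xwindows_runlevel_target` with the single rule `package_xorg-x11-server-Xwayland_removed`, and drops the note that the run-level rule existed to prevent an unbootable system. Two things change silently: the package check now covers only the Xwayland server rather than the common X server component, and no rule in the control ensures the default target is non-graphical after the server is removed. If the benchmark text for this control genuinely names only Xwayland, a `notes:` line recording that and why the run-level safeguard is no longer needed would stop the change from reading as a regression; otherwise I would keep `- xwindows_runlevel_target` in the list.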
@@ -1025,32 +1060,173 @@ controls: rules: - package_openldap-clients_removed + - id: 2.2.3 + title: Ensure nis client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_ypbind_removed + + - id: 2.2.4 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_telnet_removed + + - id: 2.2.5 + title: Ensure tftp client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_tftp_removed + + - id: 2.3.1 + title: Ensure time synchronization is in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_chrony_installed + + - id: 2.3.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - chronyd_specify_remote_server + - var_multiple_time_servers=rhel + - id: 2.3.3 - title: Ensure NIS Client is not installed (Automated) + title: Ensure chrony is not run as the root user (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - chronyd_run_as_chrony_user + + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_cron_installed + - service_crond_enabled + + - id: 2.4.1.2 + title: Ensure access to /etc/crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 2.4.1.3 + title: Ensure access to /etc/cron.hourly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - id: 2.4.1.4 + title: Ensure access to /etc/cron.daily is configured (Automated) + levels: + - 
l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - id: 2.4.1.5 + title: Ensure access to /etc/cron.weekly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - id: 2.4.1.6 + title: Ensure access to /etc/cron.monthly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - id: 2.4.1.7 + title: Ensure access to /etc/cron.yearly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_yearly + - file_owner_cron_yearly + - file_permissions_cron_yearly + + - id: 2.4.1.8 + title: Ensure access to /etc/cron.d is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_ypbind_removed + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d - - id: 2.3.4 - title: Ensure telnet client is not installed (Automated) + - id: 2.4.1.9 + title: Ensure access to crontab is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_telnet_removed + - file_cron_deny_not_exist + - file_cron_allow_exists + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow - - id: 2.3.5 - title: Ensure tftp client is not installed (Automated) + - id: 2.4.2.1 + title: Ensure access to at is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_tftp_removed + - file_at_deny_not_exist + - file_at_allow_exists + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow - id: 3.1.1 title: Ensure IPv6 status is identified (Manual) 
@@ -1060,7 +1236,7 @@ controls:
 status: manual
 
 - id: 3.1.2
- title: Ensure wireless interfaces are disabled (Automated)
+ title: Ensure wireless interfaces are not available (Automated)
 levels:
 - l1_server
 status: automated
@@ -1077,64 +1253,107 @@ controls: - service_bluetooth_disabled - id: 3.2.1 - title: Ensure dccp kernel module is not available (Automated) + title: Ensure atm kernel module is not available (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - kernel_module_dccp_disabled + - kernel_module_atm_disabled - id: 3.2.2 - title: Ensure tipc kernel module is not available (Automated) + title: Ensure can kernel module is not available (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - kernel_module_tipc_disabled + - kernel_module_can_disabled - id: 3.2.3 + title: Ensure dccp kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - kernel_module_dccp_disabled + + - id: 3.2.4 title: Ensure rds kernel module is not available (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - kernel_module_rds_disabled - - id: 3.2.4 + - id: 3.2.5 title: Ensure sctp kernel module is not available (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - kernel_module_sctp_disabled - - id: 3.3.1 - title: Ensure ip forwarding is disabled (Automated) + - id: 3.2.6 + title: Ensure tipc kernel module is not available (Automated) levels: - l1_server - l1_workstation status: automated + rules: + - kernel_module_tipc_disabled + + - id: 3.3.1.1 + title: Ensure net.ipv4.ip_forward is configured (Automated) + levels: + - l1_workstation + - l2_server + status: automated rules: - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv6_conf_all_forwarding - - sysctl_net_ipv6_conf_all_forwarding_value=disabled - - id: 3.3.2 - title: Ensure packet redirect sending is disabled (Automated) + - id: 3.3.1.2 + title: Ensure net.ipv4.conf.all.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + 
status: automated + rules: + - sysctl_net_ipv4_conf_all_forwarding + + - id: 3.3.1.3 + title: Ensure net.ipv4.conf.default.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sysctl_net_ipv4_conf_default_forwarding + - sysctl_net_ipv4_conf_default_forwarding_value=disabled + + - id: 3.3.1.4 + title: Ensure net.ipv4.conf.all.send_redirects is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - sysctl_net_ipv4_conf_all_send_redirects + + - id: 3.3.1.5 + title: Ensure net.ipv4.conf.default.send_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - sysctl_net_ipv4_conf_default_send_redirects - - id: 3.3.3 - title: Ensure bogus icmp responses are ignored (Automated) + - id: 3.3.1.6 + title: Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated) levels: - l1_server - l1_workstation @@ -1143,8 +1362,8 @@ controls: - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - - id: 3.3.4 - title: Ensure broadcast icmp requests are ignored(Automated) + - id: 3.3.1.7 + title: Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured (Automated) levels: - l1_server - l1_workstation @@ -1153,8 +1372,8 @@ controls: - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - - id: 3.3.5 - title: Ensure icmp redirects are not accepted (Automated) + - id: 3.3.1.8 + title: Ensure net.ipv4.conf.all.accept_redirects is configured (Automated) levels: - l1_server - l1_workstation 
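Review bot: Control 3.3.1.1 in the `@@ -1077,64 +1253,107 @@` hunk lists `- l1_workstation` and `- l2_server`, the only control in the new 3.3.1.x series whose server and workstation levels differ (3.3.1.2 through 3.3.1.6 are all l1/l1). That may well mirror the benchmark's profile applicability for ip_forward, but as written it reads like a transposed level. A short `notes:` entry stating that the benchmark rates this L2 on servers — or correcting the level if it does not — would settle it for the next reader.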
@@ -1162,15 +1381,19 @@ controls: rules: - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + + - id: 3.3.1.9 + title: Ensure net.ipv4.conf.default.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - - id: 3.3.6 - title: Ensure secure icmp redirects are not accepted (Automated) + - id: 3.3.1.10 + title: Ensure net.ipv4.conf.all.secure_redirects is configured (Automated) levels: - l1_server - l1_workstation @@ -1178,11 +1401,19 @@ controls: rules: - sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + + - id: 3.3.1.11 + title: Ensure net.ipv4.conf.default.secure_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - - id: 3.3.7 - title: Ensure reverse path filtering is enabled (Automated) + - id: 3.3.1.12 + title: Ensure net.ipv4.conf.all.rp_filter is configured (Automated) levels: - l1_server - l1_workstation 
@@ -1190,11 +1421,19 @@ controls: rules: - sysctl_net_ipv4_conf_all_rp_filter - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + + - id: 3.3.1.13 + title: Ensure net.ipv4.conf.default.rp_filter is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - sysctl_net_ipv4_conf_default_rp_filter - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - - id: 3.3.8 - title: Ensure source routed packets are not accepted (Automated) + - id: 3.3.1.14 + title: Ensure net.ipv4.conf.all.accept_source_route is configured (Automated) levels: - l1_server - l1_workstation @@ -1202,15 +1441,19 @@ controls: rules: - sysctl_net_ipv4_conf_all_accept_source_route - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + + - id: 3.3.1.15 + title: Ensure net.ipv4.conf.default.accept_source_route is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - sysctl_net_ipv4_conf_default_accept_source_route - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - - id: 3.3.9 - title: Ensure suspicious packets are logged (Automated) + - id: 3.3.1.16 + title: Ensure net.ipv4.conf.all.log_martians is configured (Automated) levels: - l1_server - l1_workstation 
@@ -1218,252 +1461,216 @@ controls: rules: - sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_conf_all_log_martians_value=enabled - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_conf_default_log_martians_value=enabled - - id: 3.3.10 - title: Ensure tcp sync cookies is enabled (Automated) + - id: 3.3.1.17 + title: Ensure net.ipv4.conf.default.log_martians is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_tcp_syncookies - - sysctl_net_ipv4_tcp_syncookies_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled - - id: 3.3.11 - title: Ensure IPv6 router advertisements are not accepted (Automated) + - id: 3.3.1.18 + title: Ensure net.ipv4.tcp_syncookies is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - - sysctl_net_ipv6_conf_default_accept_ra - - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled - - id: 3.4.1.1 - title: Ensure nftables is installed (Automated) + - id: 3.3.2.1 + title: Ensure net.ipv6.conf.all.forwarding is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_nftables_installed + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled - - id: 3.4.1.2 - title: Ensure a single firewall configuration utility is in use (Automated) + - id: 3.3.2.2 + title: Ensure net.ipv6.conf.default.forwarding is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_firewalld_enabled - - package_firewalld_installed - - service_nftables_disabled + - sysctl_net_ipv6_conf_default_forwarding + - sysctl_net_ipv6_conf_default_forwarding_value=disabled - - id: 3.4.2.1 - title: Ensure nftables base 
chains exist (Automated) + - id: 3.3.2.3 + title: Ensure net.ipv6.conf.all.accept_redirects is configured (Automated) levels: - l1_server - l1_workstation - status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. - related_rules: - - set_nftables_base_chain - - var_nftables_table=firewalld - - var_nftables_family=inet - - var_nftables_base_chain_names=chain_names - - var_nftables_base_chain_types=chain_types - - var_nftables_base_chain_hooks=chain_hooks - - var_nftables_base_chain_priorities=chain_priorities - - var_nftables_base_chain_policies=chain_policies + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - - id: 3.4.2.2 - title: Ensure host based firewall loopback traffic is configured (Automated) + - id: 3.3.2.4 + title: Ensure net.ipv6.conf.default.accept_redirects is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - firewalld_loopback_traffic_trusted - - firewalld_loopback_traffic_restricted + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - - id: 3.4.2.3 - title: Ensure firewalld drops unnecessary services and ports (Manual) + - id: 3.3.2.5 + title: Ensure net.ipv6.conf.all.accept_source_route is configured (Automated) levels: - l1_server - l1_workstation - status: manual + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - id: 3.4.2.4 - title: Ensure nftables established connections are configured (Manual) + - id: 3.3.2.6 + title: Ensure net.ipv6.conf.default.accept_source_route is configured (Automated) levels: - l1_server - l1_workstation - status: 
supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. - related_rules: - - set_nftables_new_connections + status: automated + rules: + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - - id: 3.4.2.5 - title: Ensure nftables default deny firewall policy (Automated) + - id: 3.3.2.7 + title: Ensure net.ipv6.conf.all.accept_ra is configured (Automated) levels: - l1_server - l1_workstation - status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. - related_rules: - - nftables_ensure_default_deny_policy + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - - id: 4.1.1.1 - title: Ensure cron daemon is enabled and active (Automated) + - id: 3.3.2.8 + title: Ensure net.ipv6.conf.default.accept_ra is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_crond_enabled + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - - id: 4.1.1.2 - title: Ensure permissions on /etc/crontab are configured (Automated) + - id: 4.1.1 + title: Ensure firewalld is installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_crontab - - file_owner_crontab - - file_permissions_crontab + - package_firewalld_installed - - id: 4.1.1.3 - title: Ensure permissions on /etc/cron.hourly are configured (Automated) + - id: 4.1.2 + title: Ensure firewalld backend is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - 
file_groupowner_cron_hourly - - file_owner_cron_hourly - - file_permissions_cron_hourly + - firewalld-backend - - id: 4.1.1.4 - title: Ensure permissions on /etc/cron.daily are configured (Automated) + - id: 4.1.3 + title: Ensure firewalld.service is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_cron_daily - - file_owner_cron_daily - - file_permissions_cron_daily + - service_firewalld_enabled - - id: 4.1.1.5 - title: Ensure permissions on /etc/cron.weekly are configured (Automated) + - id: 4.1.4 + title: Ensure firewalld active zone target is configured (Automated) levels: - l1_server - l1_workstation - status: automated - rules: - - file_groupowner_cron_weekly - - file_owner_cron_weekly - - file_permissions_cron_weekly + status: pending + notes: |- + There is not an easy way to do this for only active zones using OVAL. + For now, there are are no rules for this control. - - id: 4.1.1.6 - title: Ensure permissions on /etc/cron.monthly are configured (Automated) + - id: 4.1.5 + title: Ensure firewalld loopback traffic is configured (Manual) levels: - l1_server - l1_workstation - status: automated - rules: - - file_groupowner_cron_monthly - - file_owner_cron_monthly - - file_permissions_cron_monthly + status: manual - - id: 4.1.1.7 - title: Ensure permissions on /etc/cron.d are configured (Automated) + - id: 4.1.6 + title: Ensure firewalld loopback source address traffic is configured (Manual) levels: - l1_server - l1_workstation - status: automated - rules: - - file_groupowner_cron_d - - file_owner_cron_d - - file_permissions_cron_d + status: manual - - id: 4.1.1.8 - title: Ensure cron is restricted to authorized users (Automated) + - id: 4.1.7 + title: Ensure firewalld services and ports are configured (Manual) levels: - l1_server - l1_workstation - status: automated - rules: - - file_cron_deny_not_exist - - file_cron_allow_exists - - file_groupowner_cron_allow - - file_owner_cron_allow - - 
file_permissions_cron_allow + status: manual - - id: 4.1.2.1 - title: Ensure at is restricted to authorized users (Automated) + - id: 5.1.1 + title: Ensure sshd crypto_policy is not set (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_at_deny_not_exist - - file_at_allow_exists - - file_groupowner_at_allow - - file_owner_at_allow - - file_permissions_at_allow + - configure_ssh_crypto_policy - - id: 4.2.1 - title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) + - id: 5.1.2 + title: Ensure access to /etc/ssh/sshd_config is configured (Automated) levels: - l1_server - l1_workstation - status: partial - notes: |- - These rules only check the /etc/ssh/sshd_config file but the policy also mentions files in - /etc/ssh/sshd_config.d directory. New templated rules should be created for sshd_config.d. + status: automated rules: - file_groupowner_sshd_config - file_owner_sshd_config - file_permissions_sshd_config - - id: 4.2.2 - title: Ensure permissions on SSH private host key files are configured (Automated) + - id: 5.1.3 + title: Ensure access to /etc/sysconfig/sshd is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: New rules need to be created. 
+ + - id: 5.1.4 + title: Ensure access to SSH private host key files is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_permissions_sshd_private_key - - file_ownership_sshd_private_key - file_groupownership_sshd_private_key + - file_ownership_sshd_private_key + - file_permissions_sshd_private_key - - id: 4.2.3 - title: Ensure permissions on SSH public host key files are configured (Automated) + - id: 5.1.5 + title: Ensure access to SSH public host key files is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - file_groupownership_sshd_pub_key + - file_ownership_sshd_pub_key + - file_permissions_sshd_pub_key - - id: 4.2.4 + - id: 5.1.6 title: Ensure sshd access is configured (Automated) levels: - l1_server @@ -1472,7 +1679,7 @@ controls: rules: - sshd_limit_user_access - - id: 4.2.5 + - id: 5.1.7 title: Ensure sshd Banner is configured (Automated) levels: - l1_server @@ -1483,18 +1690,16 @@ controls: related_rules: - sshd_enable_warning_banner - - id: 4.2.6 + - id: 5.1.8 title: Ensure sshd Ciphers are configured (Automated) levels: - l1_server - l1_workstation status: automated - notes: |- - Introduced in CIS RHEL8 v3.0.0 rules: - configure_custom_crypto_policy_cis - - id: 4.2.7 + - id: 5.1.9 title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) levels: - l1_server 
@@ -1502,26 +1707,35 @@ controls: status: automated notes: |- The requirement gives an example of 45 seconds, but is flexible about the values. It is only - necessary to ensure there is a timeout is configured in alignment to the site policy. + necessary to ensure there is a timeout configured in alignment to the site policy. rules: - - sshd_idle_timeout_value=5_minutes - sshd_set_idle_timeout + - sshd_idle_timeout_value=5_minutes - sshd_set_keepalive - var_sshd_set_keepalive=1 - - id: 4.2.8 + - id: 5.1.10 title: Ensure sshd DisableForwarding is enabled (Automated) levels: - - l2_server - l1_workstation + - l2_server status: automated - rules: - - sshd_disable_forwarding related_rules: - sshd_disable_tcp_forwarding - sshd_disable_x11_forwarding + rules: + - sshd_disable_forwarding + + - id: 5.1.11 + title: Ensure sshd GSSAPIAuthentication is disabled (Automated) + levels: + - l1_workstation + - l2_server + status: automated + rules: + - sshd_disable_gssapi_auth - - id: 4.2.9 + - id: 5.1.12 title: Ensure sshd HostbasedAuthentication is disabled (Automated) levels: - l1_server @@ -1530,7 +1744,7 @@ controls: rules: - disable_host_auth - - id: 4.2.10 + - id: 5.1.13 title: Ensure sshd IgnoreRhosts is enabled (Automated) levels: - l1_server @@ -1539,7 +1753,7 @@ controls: rules: - sshd_disable_rhosts - - id: 4.2.11 + - id: 5.1.14 title: Ensure sshd KexAlgorithms is configured (Automated) levels: - l1_server @@ -1553,7 +1767,7 @@ controls: rules: - configure_custom_crypto_policy_cis - - id: 4.2.12 + - id: 5.1.15 title: Ensure sshd LoginGraceTime is configured (Automated) levels: - l1_server @@ -1563,7 +1777,7 @@ controls: - sshd_set_login_grace_time - var_sshd_set_login_grace_time=60 - - id: 4.2.13 + - id: 5.1.16 title: Ensure sshd LogLevel is configured (Automated) levels: - l1_server @@ -1578,7 +1792,7 @@ controls: related_rules: - sshd_set_loglevel_info - - id: 4.2.14 + - id: 5.1.17 title: Ensure sshd MACs are configured (Automated) levels: - l1_server 
@@ -1587,17 +1801,17 @@ controls: rules: - configure_custom_crypto_policy_cis - - id: 4.2.15 + - id: 5.1.18 title: Ensure sshd MaxAuthTries is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sshd_max_auth_tries_value=4 - sshd_set_max_auth_tries + - sshd_max_auth_tries_value=4 - - id: 4.2.16 + - id: 5.1.19 title: Ensure sshd MaxSessions is configured (Automated) levels: - l1_server @@ -1607,7 +1821,7 @@ controls: - sshd_set_max_sessions - var_sshd_max_sessions=10 - - id: 4.2.17 + - id: 5.1.20 title: Ensure sshd MaxStartups is configured (Automated) levels: - l1_server @@ -1617,7 +1831,7 @@ controls: - sshd_set_maxstartups - var_sshd_set_maxstartups=10:30:60 - - id: 4.2.18 + - id: 5.1.21 title: Ensure sshd PermitEmptyPasswords is disabled (Automated) levels: - l1_server @@ -1626,7 +1840,7 @@ controls: rules: - sshd_disable_empty_passwords - - id: 4.2.19 + - id: 5.1.22 title: Ensure sshd PermitRootLogin is disabled (Automated) levels: - l1_server @@ -1635,7 +1849,7 @@ controls: rules: - sshd_disable_root_login - - id: 4.2.20 + - id: 5.1.23 title: Ensure sshd PermitUserEnvironment is disabled (Automated) levels: - l1_server @@ -1644,7 +1858,7 @@ controls: rules: - sshd_do_not_permit_user_env - - id: 4.2.21 + - id: 5.1.24 title: Ensure sshd UsePAM is enabled (Automated) levels: - l1_server @@ -1653,16 +1867,7 @@ controls: rules: - sshd_enable_pam - - id: 4.2.22 - title: Ensure sshd crypto_policy is not set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - configure_ssh_crypto_policy - - - id: 4.3.1 + - id: 5.2.1 title: Ensure sudo is installed (Automated) levels: - l1_server @@ -1671,7 +1876,7 @@ controls: rules: - package_sudo_installed - - id: 4.3.2 + - id: 5.2.2 title: Ensure sudo commands use pty (Automated) levels: - l1_server @@ -1680,7 +1885,7 @@ controls: rules: - sudo_add_use_pty - - id: 4.3.3 + - id: 5.2.3 title: Ensure sudo log file exists (Automated) levels: - l1_server 
@@ -1689,40 +1894,35 @@ controls: rules: - sudo_custom_logfile - - id: 4.3.4 + - id: 5.2.4 title: Ensure users must provide password for escalation (Automated) levels: - l2_server - l2_workstation status: automated - notes: |- - The rule sudo_require_authentication can probably be split to better attend requirements - 4.3.4 and 4.3.5. rules: - - sudo_require_authentication + - sudo_remove_nopasswd - - id: 4.3.5 + - id: 5.2.5 title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) levels: - l1_server - l1_workstation status: automated - notes: |- - The rule sudo_require_authentication can probably be split to better attend requirements - 4.3.4 and 4.3.5. rules: - - sudo_require_authentication + - sudo_remove_no_authenticate - - id: 4.3.6 - title: Ensure sudo authentication timeout is configured correctly (Automated) + - id: 5.2.6 + title: Ensure sudo timestamp_timeout is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - sudo_require_reauthentication + - var_sudo_timestamp_timeout=15_minutes - - id: 4.3.7 + - id: 5.2.7 title: Ensure access to the su command is restricted (Automated) levels: - l1_server @@ -1738,25 +1938,23 @@ controls: - use_pam_wheel_group_for_su - ensure_pam_wheel_group_empty - - id: 4.4.1.1 + - id: 5.3.1.1 title: Ensure latest version of pam is installed (Automated) levels: - l1_server - l1_workstation status: pending - notes: |- - It is necessary a new rule to ensure PAM package is updated. + notes: New rule needs to be created. - - id: 4.4.1.2 + - id: 5.3.1.2 title: Ensure latest version of authselect is installed (Automated) levels: - l1_server - l1_workstation status: pending - notes: |- - It is necessary a new rule to ensure PAM package is updated. + notes: New rule needs to be created. - - id: 4.4.2.1 + - id: 5.3.2.1 title: Ensure active authselect profile includes pam modules (Automated) levels: - l1_server 
@@ -1771,33 +1969,32 @@ controls: related_rules: - no_empty_passwords - - id: 4.4.2.2 + - id: 5.3.2.2 title: Ensure pam_faillock module is enabled (Automated) levels: - l1_server - l1_workstation status: automated notes: |- - This requirement is also indirectly satisfied by the requirement 4.4.3.1. + This requirement is also indirectly satisfied by the requirement 5.3.3.1. rules: - account_password_pam_faillock_password_auth - account_password_pam_faillock_system_auth - - id: 4.4.2.3 + - id: 5.3.2.3 title: Ensure pam_pwquality module is enabled (Automated) levels: - l1_server - l1_workstation status: automated notes: |- - CIS requirement asks to enable an authselect feature called "with-pwquality" but this - feature is not present in RHEL 8. This needs to be discussed in CIS Community. For now the - requirement is attended by ensuring the libpwquality is present. Its configuration is - covered by other requirements. + This requirement is also indirectly satisfied by the requirement 5.3.3.2. rules: - package_pam_pwquality_installed + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_system_auth - - id: 4.4.2.4 + - id: 5.3.2.4 title: Ensure pam_pwhistory module is enabled (Automated) levels: - l1_server 
@@ -1805,25 +2002,23 @@ controls: status: automated notes: |- The module is properly enabled by the rules mentioned in related_rules. - Requirements in 4.4.3.3 use these rules. + Requirements in 5.3.3.3 use these rules. related_rules: - accounts_password_pam_pwhistory_remember_password_auth - accounts_password_pam_pwhistory_remember_system_auth - - id: 4.4.2.5 + - id: 5.3.2.5 title: Ensure pam_unix module is enabled (Automated) levels: - l1_server - l1_workstation - status: partial - notes: |- - This module is always present by default. It is necessary to investigate if a new rule to - check its existence needs to be created. But so far the rule no_empty_passwords, used in - 4.4.3.4.1 can ensure this requirement is attended. + status: automated related_rules: - no_empty_passwords + rules: + - accounts_password_pam_unix_enabled - - id: 4.4.3.1.1 + - id: 5.3.3.1.1 title: Ensure password failed attempts lockout is configured (Automated) levels: - l1_server @@ -1833,7 +2028,7 @@ controls: - accounts_passwords_pam_faillock_deny - var_accounts_passwords_pam_faillock_deny=5 - - id: 4.4.3.1.2 + - id: 5.3.3.1.2 title: Ensure password unlock time is configured (Automated) levels: - l1_server @@ -1844,10 +2039,10 @@ controls: by an administrator. However, it also mentions that using value 0 can facilitate a DoS attack to legitimate users. rules: - - accounts_passwords_pam_faillock_unlock_time + - accounts_passwords_pam_faillock_unlock_time_with_zero - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 4.4.3.1.3 + - id: 5.3.3.1.3 title: Ensure password failed attempts lockout includes root account (Automated) levels: - l2_server @@ -1856,7 +2051,7 @@ controls: rules: - accounts_passwords_pam_faillock_deny_root - - id: 4.4.3.2.1 + - id: 5.3.3.2.1 title: Ensure password number of changed characters is configured (Automated) levels: - l1_server 
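Review bot: Swapping `accounts_passwords_pam_faillock_unlock_time` for the `_with_zero` variant in 5.3.3.1.2 is not explained, while the control's own notes (context lines of this hunk) warn that an unlock_time of 0 can facilitate a DoS against legitimate users. If the `_with_zero` rule treats 0 as compliant, as its name suggests, the notes should state why that is acceptable here, e.g. `The _with_zero variant is used because the benchmark also accepts 0 (unlock only by an administrator) as a valid value.` Without that sentence a reader cannot tell whether the looser check is intentional or a regression.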
@@ -1866,7 +2061,7 @@ controls: - accounts_password_pam_difok - var_password_pam_difok=2 - - id: 4.4.3.2.2 + - id: 5.3.3.2.2 title: Ensure password length is configured (Automated) levels: - l1_server @@ -1876,28 +2071,14 @@ controls: - accounts_password_pam_minlen - var_password_pam_minlen=14 - - id: 4.4.3.2.3 + - id: 5.3.3.2.3 title: Ensure password complexity is configured (Manual) levels: - l1_server - - l1_workstation - status: automated - notes: |- - This requirement is expected to be manual. However, in previous versions of the policy - it was already automated the configuration of "minclass" option. This posture was kept for - RHEL 8 in this new version. Rules related to other options are informed in related_rules. - In short, minclass=4 alone can achieve the same result achieved by the combination of the - other 4 options mentioned in the policy. - rules: - - accounts_password_pam_minclass - - var_password_pam_minclass=4 - related_rules: - - accounts_password_pam_dcredit - - accounts_password_pam_lcredit - - accounts_password_pam_ocredit - - accounts_password_pam_ucredit + - l1_workstation + status: manual - - id: 4.4.3.2.4 + - id: 5.3.3.2.4 title: Ensure password same consecutive characters is configured (Automated) levels: - l1_server @@ -1907,7 +2088,7 @@ controls: - accounts_password_pam_maxrepeat - var_password_pam_maxrepeat=3 - - id: 4.4.3.2.5 + - id: 5.3.3.2.5 title: Ensure password maximum sequential characters is configured (Automated) levels: - l1_server @@ -1917,7 +2098,7 @@ controls: - accounts_password_pam_maxsequence - var_password_pam_maxsequence=3 - - id: 4.4.3.2.6 + - id: 5.3.3.2.6 title: Ensure password dictionary check is enabled (Automated) levels: - l1_server @@ -1927,7 +2108,7 @@ controls: - accounts_password_pam_dictcheck - var_password_pam_dictcheck=1 - - id: 4.4.3.2.7 + - id: 5.3.3.2.7 title: Ensure password quality is enforced for the root user (Automated) levels: - l1_server 
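Review bot: Downgrading 5.3.3.2.3 to `status: manual` silently drops `accounts_password_pam_minclass` and `var_password_pam_minclass=4` from the profile together with the dcredit/lcredit/ocredit/ucredit related rules, so a RHEL 8 system that was previously held to minclass=4 is no longer assessed on password complexity at all. The removed note records that this automation was kept deliberately in the previous version, and nothing in the new entry says why the decision changed. If the intent is to follow the benchmark's manual classification, keep the rules discoverable under `related_rules:` and add a one-line note such as `Complexity options are site-specific in the benchmark; accounts_password_pam_minclass can be selected through tailoring.` so the coverage change is visible rather than implicit.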
@@ -1936,14 +2117,14 @@ controls: rules: - accounts_password_pam_enforce_root - - id: 4.4.3.3.1 + - id: 5.3.3.3.1 title: Ensure password history remember is configured (Automated) levels: - l1_server - l1_workstation status: automated notes: |- - Although mentioned in the section 4.4.3.3, there is no explicit requirement to configure + Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry can be used. rules: @@ -1954,7 +2135,7 @@ controls: related_rules: - accounts_password_pam_retry - - id: 4.4.3.3.2 + - id: 5.3.3.3.2 title: Ensure password history is enforced for the root user (Automated) levels: - l1_server @@ -1963,33 +2144,30 @@ controls: rules: - accounts_password_pam_pwhistory_enforce_for_root - - id: 4.4.3.3.3 + - id: 5.3.3.3.3 title: Ensure pam_pwhistory includes use_authtok (Automated) levels: - l1_server - l1_workstation - status: partial - notes: |- - In RHEL 8 pam_pwhistory is enabled via authselect feature, as required in 4.4.3.3.1. The - feature automatically set "use_authok" option. In any case, we don't have a rule to check - this option specifically. + status: automated related_rules: - accounts_password_pam_pwhistory_remember_password_auth - accounts_password_pam_pwhistory_remember_system_auth + rules: + - accounts_password_pam_pwhistory_use_authtok - - id: 4.4.3.4.1 + - id: 5.3.3.4.1 title: Ensure pam_unix does not include nullok (Automated) levels: - l1_server - l1_workstation status: automated notes: |- - The rule more specifically used in this requirement also satify the requirements 4.4.2.1 - and 4.4.2.5. + The rule more specifically used in this requirement also satify the requirement 5.3.2.5. rules: - no_empty_passwords - - id: 4.4.3.4.2 + - id: 5.3.3.4.2 title: Ensure pam_unix does not include remember (Automated) levels: - l1_server 
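Review bot: The rewritten notes line for 5.3.3.4.1 keeps the misspelling `satify` and the singular/plural mismatch with "The rule"; since the line is already being changed, make it `The rule more specifically used in this requirement also satisfies the requirement 5.3.2.5.` The 5.3.3.3.3 entry in the same hunk moves to `status: automated` with the new `accounts_password_pam_pwhistory_use_authtok` rule while keeping the remember rules under `related_rules:`, which preserves the earlier context; no change needed there.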
@@ -1998,71 +2176,74 @@ controls: notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not recommended by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 4.4.3.3.1. See here for more details about pam_unix.so: + module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 rules: - accounts_password_pam_unix_no_remember - - id: 4.4.3.4.3 + - id: 5.3.3.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) levels: - l1_server - l1_workstation status: automated notes: |- - Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1. + Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4 rules: - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_passwordauth - - var_password_hashing_algorithm_pam=sha512 + - var_password_hashing_algorithm_pam=cis_rhel8 - - id: 4.4.3.4.4 + - id: 5.3.3.4.4 title: Ensure pam_unix includes use_authtok (Automated) - levels: - - l1_server - - l1_workstation - status: partial - notes: |- - In RHEL 8 pam_unix is enabled by default in all authselect profiles already with the - use_authtok option set. In any case, we don't have a rule to check this option specifically, - like in 4.4.3.3.3. 
- - - id: 4.5.1.1 - title: Ensure strong password hashing algorithm is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 - - var_password_hashing_algorithm_pam=sha512 + - accounts_password_pam_unix_authtok - - id: 4.5.1.2 - title: Ensure password expiration is 365 days or less (Automated) + - id: 5.4.1.1 + title: Ensure password expiration is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - accounts_maximum_age_login_defs - - accounts_password_set_max_life_existing - var_accounts_maximum_age_login_defs=365 + - accounts_password_set_max_life_existing - - id: 4.5.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 5.4.1.2 + title: Ensure minimum password days is configured (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 5.4.1.3 + title: Ensure password expiration warning days is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - accounts_password_set_warn_age_existing - accounts_password_warn_age_login_defs - var_accounts_password_warn_age_login_defs=7 + - accounts_password_set_warn_age_existing + + - id: 5.4.1.4 + title: Ensure strong password hashing algorithm is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=cis_rhel8 - - id: 4.5.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 5.4.1.5 + title: Ensure inactive password lock is configured (Automated) levels: - l1_server - l1_workstation 
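Review bot: 5.4.1.4 drops `set_password_hashing_algorithm_libuserconf` from the rules that backed the hashing-algorithm control (old 4.5.1.1) without any note, so the libuser configuration is no longer assessed by this profile; if the v4.0.0 control only covers login.defs, say so and keep the libuser rule under `related_rules:` so the coverage change is visible. Both 5.3.3.4.3 and 5.4.1.4 switch to a new selector value (`var_password_hashing_algorithm_pam=cis_rhel8`, `var_password_hashing_algorithm=cis_rhel8`); the corresponding `.var` option definitions are not part of this hunk, so they need to exist, or the build will fail to resolve them. The rewritten note `Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4` also lost the trailing period the old line had.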
@@ -2070,9 +2251,9 @@ controls:
 rules:
 - account_disable_post_pw_expiration
 - accounts_set_post_pw_existing
- - var_account_disable_post_pw_expiration=30
+ - var_account_disable_post_pw_expiration=45
 
- - id: 4.5.1.5
+ - id: 5.4.1.6
 title: Ensure all users last password change date is in the past (Automated)
 levels:
 - l1_server
@@ -2081,27 +2262,67 @@ controls: rules: - accounts_password_last_change_is_in_past - - id: 4.5.2.1 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 5.4.2.1 + title: Ensure root is the only UID 0 account (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_no_uid_except_zero + + - id: 5.4.2.2 + title: Ensure root is the only GID 0 account (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + There is assessment but no automated remediation for this rule and this sounds reasonable. rules: - accounts_root_gid_zero - - id: 4.5.2.2 - title: Ensure root user umask is configured (Automated) + - id: 5.4.2.3 + title: Ensure group root is the only GID 0 group (Automated) levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- - There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have - to be created. It can be based on accounts_umask_interactive_users. + There is assessment but no automated remediation for this rule and this sounds reasonable. + rules: + - groups_no_zero_gid_except_root + + - id: 5.4.2.4 + title: Ensure root account access is controlled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - ensure_root_password_configured + + - id: 5.4.2.5 + title: Ensure root path integrity (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_root_path_dirs_no_write + - root_path_no_dot + + - id: 5.4.2.6 + title: Ensure root user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_umask_root - - id: 4.5.2.3 - title: Ensure system accounts are secured (Automated) + - id: 5.4.2.7 + title: Ensure system accounts do not have a valid login shell (Automated) levels: - l1_server - l1_workstation 
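Review bot: 5.4.2.4 `Ensure root account access is controlled` is backed only by `ensure_root_password_configured`; if that rule checks that root has a password set, as its name suggests, and the benchmark also accepts a locked root account (which the "access is controlled" wording implies), a system with an intentionally locked root account would be reported as failing. Add a note recording which root-access state the rule covers, e.g. `ensure_root_password_configured covers the password-set case; a locked root account is not recognized by this rule.`, or select a rule that accepts both. The identical notes on 5.4.2.2 and 5.4.2.3 (`There is assessment but no automated remediation for this rule and this sounds reasonable.`) would read more precisely as `The rule assesses but does not remediate; changing GID 0 membership automatically is intentionally left to the administrator.`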
@@ -2110,26 +2331,25 @@ controls: - no_password_auth_for_systemaccounts - no_shelllogin_for_systemaccounts - - id: 4.5.2.4 - title: Ensure root password is set (Automated) + - id: 5.4.2.8 + title: Ensure accounts without a valid login shell are locked (Automated) levels: - l1_server - l1_workstation status: automated rules: - - ensure_root_password_configured + - no_invalid_shell_accounts_unlocked - - id: 4.5.3.1 + - id: 5.4.3.1 title: Ensure nologin is not listed in /etc/shells (Automated) levels: - l2_server - l2_workstation - status: pending - notes: |- - It is necessary to create a new rule to check and remove nologin from /etc/shells. - The no_tmux_in_shells rule can be used as referece. + status: automated + rules: + - no_nologin_in_shells - - id: 4.5.3.2 + - id: 5.4.3.2 title: Ensure default user shell timeout is configured (Automated) levels: - l1_server 
@@ -2139,118 +2359,127 @@ controls: - accounts_tmout - var_accounts_tmout=15_min - - id: 4.5.3.3 + - id: 5.4.3.3 title: Ensure default user umask is configured (Automated) levels: - l1_server - l1_workstation status: automated - notes: |- - It is missing a rule to check /etc/pam.d/postlogin. Files /etc/bash.bashrc and - /etc/default/login are not used in RHEL 8, but are mentioned in the policy. It has to be - clarified in CIS Community. The policy allows the user to override the default system umask - on its discretion. This is the reason the accounts_umask_interactive_users rule is in - related_rules. If this changes in the future, the rule can be used to ensure that users do - not override the system default. rules: - accounts_umask_etc_bashrc - accounts_umask_etc_login_defs - accounts_umask_etc_profile - var_accounts_user_umask=027 - related_rules: - - accounts_umask_interactive_users - - id: 5.1.1.1 - title: Ensure rsyslog is installed (Automated) + - id: 6.1.1 + title: Ensure AIDE is installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_rsyslog_installed + - package_aide_installed + - aide_build_database - - id: 5.1.1.2 - title: Ensure rsyslog service is enabled (Manual) + - id: 6.1.2 + title: Ensure filesystem integrity is regularly checked (Automated) levels: - l1_server - l1_workstation status: automated - notes: |- - This requirement is expected to be manual in the policy because there are valid cases where - other solutions are used for logging. rsyslog is the default in RHEL 8 and so far other - solutions are not expected to be incompatible with rsyslog. If so, for these particular - cases, this rule should be removed for those systems by a tailored file. 
rules: - - service_rsyslog_enabled + - aide_periodic_cron_checking + related_rules: + - aide_periodic_checking_systemd_timer - - id: 5.1.1.3 - title: Ensure journald is configured to send logs to rsyslog (Automated) + - id: 6.1.3 + title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) levels: - l1_server - l1_workstation status: automated rules: - - journald_forward_to_syslog + - aide_check_audit_tools + related_rules: + - aide_use_fips_hashes - - id: 5.1.1.4 - title: Ensure rsyslog default file permissions are configured (Automated) + - id: 6.2.1.1.1 + title: Ensure journald service is active (Automated) levels: - l1_server - l1_workstation status: automated rules: - - rsyslog_filecreatemode + - service_systemd-journald_enabled - - id: 5.1.1.5 - title: Ensure logging is configured (Manual) + - id: 6.2.1.1.2 + title: Ensure journald log file access is configured (Manual) levels: - l1_server - l1_workstation status: manual - - id: 5.1.1.6 - title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + - id: 6.2.1.1.3 + title: Ensure journald log file rotation is configured (Manual) levels: - l1_server - l1_workstation status: manual - related_rules: - - rsyslog_remote_loghost - - id: 5.1.1.7 - title: Ensure rsyslog is not configured to recieve logs from a remote client (Automated) + - id: 6.2.1.1.4 + title: Ensure journald ForwardToSyslog is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - rsyslog_nolisten + - journald_disable_forward_to_syslog - - id: 5.1.2.1.1 - title: Ensure systemd-journal-remote is installed (Manual) + - id: 6.2.1.1.5 + title: Ensure journald Storage is configured (Automated) levels: - l1_server - l1_workstation - status: manual - related_rules: + status: automated + rules: + - journald_storage + + - id: 6.2.1.1.6 + title: Ensure journald Compress is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: 
+ - journald_compress + + - id: 6.2.1.2.1 + title: Ensure systemd-journal-remote is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: - package_systemd-journal-remote_installed - - id: 5.1.2.1.2 - title: Ensure systemd-journal-remote is configured (Manual) + - id: 6.2.1.2.2 + title: Ensure systemd-journal-remote authentication is configured (Manual) levels: - l1_server - l1_workstation status: manual - - id: 5.1.2.1.3 - title: Ensure systemd-journal-remote is enabled (Manual) + - id: 6.2.1.2.3 + title: Ensure systemd-journal-upload is enabled and active (Automated) levels: - l1_server - l1_workstation - status: manual + status: automated + rules: + - service_systemd-journal-upload_enabled - - id: 5.1.2.1.4 - title: Ensure journald is not configured to recieve logs from a remote client (Automated) + - id: 6.2.1.2.4 + title: Ensure systemd-journal-remote service is not in use (Automated) levels: - l1_server - l1_workstation 
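Review bot: 6.1.2 puts `aide_periodic_cron_checking` under `rules:` and `aide_periodic_checking_systemd_timer` under `related_rules:`, so a system that schedules AIDE through a systemd timer instead of cron will fail the control even though the title only asks that integrity is regularly checked. If the benchmark accepts either scheduler, record the choice in a note such as `The cron rule is selected; systems using the systemd timer should tailor aide_periodic_checking_systemd_timer in instead.` 5.4.3.3 in the same hunk drops its notes and the `accounts_umask_interactive_users` related rule without replacement; if the /etc/pam.d/postlogin gap described in the removed note is now closed, a one-line note saying so would help the next reviewer.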
@@ -2258,60 +2487,84 @@ controls: rules: - socket_systemd-journal-remote_disabled - - id: 5.1.2.2 - title: Ensure journald service is enabled (Automated) + - id: 6.2.2.1 + title: Ensure rsyslog is installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - service_systemd-journald_enabled + - package_rsyslog_installed - - id: 5.1.2.3 - title: Ensure journald is configured to compress large log files (Automated) + - id: 6.2.2.2 + title: Ensure rsyslog service is enabled and active (Automated) levels: - l1_server - l1_workstation status: automated + notes: |- + This requirement is expected to be manual in the policy because there are valid cases where + other solutions are used for logging. rsyslog is the default in RHEL 8 and so far other + solutions are not expected to be incompatible with rsyslog. If so, for these particular + cases, this rule should be removed for those systems by a tailored file. rules: - - journald_compress + - service_rsyslog_enabled + + - id: 6.2.2.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + The rule journald_forward_to_syslog is the opposite of the rule + journald_disable_forward_to_syslog which is also a part of this profile. 
+ related_rules: + - journald_forward_to_syslog - - id: 5.1.2.4 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) + - id: 6.2.2.4 + title: Ensure rsyslog log file creation mode is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - journald_storage + - rsyslog_filecreatemode - - id: 5.1.2.5 - title: Ensure journald is not configured to send logs to rsyslog (Manual) + - id: 6.2.2.5 + title: Ensure rsyslog logging is configured (Manual) levels: - l1_server - l1_workstation status: manual - - id: 5.1.2.6 - title: Ensure journald log rotation is configured per site policy (Manual) + - id: 6.2.2.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) levels: - l1_server - l1_workstation status: manual + related_rules: + - rsyslog_remote_loghost - - id: 5.1.3 + - id: 6.2.2.7 + title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - rsyslog_nolisten + + - id: 6.2.2.8 title: Ensure logrotate is configured (Manual) levels: - l1_server - l1_workstation status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled - - id: 5.1.4 - title: Ensure all logfiles have appropriate access configured (Automated) + - id: 6.2.3.1 + title: Ensure access to all logfiles has been configured (Automated) levels: - l1_server - l1_workstation @@ -2321,16 +2574,17 @@ controls: - rsyslog_files_ownership - rsyslog_files_permissions - - id: 5.2.1.1 - title: Ensure audit is installed (Automated) + - id: 6.3.1.1 + title: Ensure auditd packages are installed (Automated) levels: - l2_server - l2_workstation status: automated rules: - package_audit_installed + - package_audit-libs_installed - - id: 5.2.1.2 + - id: 6.3.1.2 title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - l2_server 
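Review bot: The note added to 6.2.2.2 says `This requirement is expected to be manual in the policy`, but the control's new title in the same hunk is `Ensure rsyslog service is enabled and active (Automated)`, so the note now contradicts the control it explains. The text was carried over from the old 5.1.1.2 (Manual) entry; either drop it or rewrite it to keep only what still applies, e.g. `rsyslog is the default in RHEL 8; sites using another logging solution should remove service_rsyslog_enabled via tailoring.` The 6.2.2.3 note is useful because `journald_forward_to_syslog` and `journald_disable_forward_to_syslog` (6.2.1.1.4) cannot both be selected; stating explicitly that 6.2.1.1.4 takes precedence and that 6.2.2.3 is therefore `supported` rather than `automated` would make the intent unambiguous.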
@@ -2339,8 +2593,8 @@ controls:
 rules:
 - grub2_audit_argument
 
- - id: 5.2.1.3
- title: Ensure audit_backlog_limit is sufficient (Automated)
+ - id: 6.3.1.3
+ title: Ensure audit_backlog_limit is configured (Automated)
 levels:
 - l2_server
 - l2_workstation
@@ -2349,8 +2603,8 @@ controls:
 - grub2_audit_backlog_limit_argument
 - var_audit_backlog_limit=8192
 
- - id: 5.2.1.4
- title: Ensure auditd service is enabled (Automated)
+ - id: 6.3.1.4
+ title: Ensure auditd service is enabled and active (Automated)
 levels:
 - l2_server
 - l2_workstation
@@ -2358,7 +2612,7 @@ controls:
 rules:
 - service_auditd_enabled
 
- - id: 5.2.2.1
+ - id: 6.3.2.1
 title: Ensure audit log storage size is configured (Automated)
 levels:
 - l2_server
@@ -2366,9 +2620,9 @@ controls:
 status: automated
 rules:
 - auditd_data_retention_max_log_file
- - var_auditd_max_log_file=6
+ - var_auditd_max_log_file=8
 
- - id: 5.2.2.2
+ - id: 6.3.2.2
 title: Ensure audit logs are not automatically deleted (Automated)
 levels:
 - l2_server
@@ -2378,7 +2632,7 @@ controls:
 - auditd_data_retention_max_log_file_action
 - var_auditd_max_log_file_action=keep_logs
 
- - id: 5.2.2.3
+ - id: 6.3.2.3
 title: Ensure system is disabled when audit logs are full (Automated)
 levels:
 - l2_server
@@ -2390,22 +2644,20 @@ controls: - var_auditd_disk_error_action=cis_rhel8 - var_auditd_disk_full_action=cis_rhel8 - - id: 5.2.2.4 + - id: 6.3.2.4 title: Ensure system warns when audit logs are low on space (Automated) levels: - l2_server - l2_workstation status: automated rules: - - auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action - auditd_data_retention_space_left_action - - var_auditd_action_mail_acct=root - var_auditd_admin_space_left_action=cis_rhel8 - var_auditd_space_left_action=cis_rhel8 - - id: 5.2.3.1 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 6.3.3.1 + title: Ensure changes to system administration scope (sudoers) is collected (Automated)894 levels: - l2_server - l2_workstation @@ -2413,7 +2665,7 @@ controls: rules: - audit_rules_sysadmin_actions - - id: 5.2.3.2 + - id: 6.3.3.2 title: Ensure actions as another user are always logged (Automated) levels: - l2_server @@ -2422,7 +2674,7 @@ controls: rules: - audit_rules_suid_auid_privilege_function - - id: 5.2.3.3 + - id: 6.3.3.3 title: Ensure events that modify the sudo log file are collected (Automated) levels: - l2_server @@ -2431,20 +2683,25 @@ controls: rules: - audit_sudo_log_events - - id: 5.2.3.4 + - id: 6.3.3.4 title: Ensure events that modify date and time information are collected (Automated) levels: - l2_server - l2_workstation status: automated + notes: |- + We have moved audit_rules_time_stime to related rules because even though the prose + in CIS RHEL 8 Benchmark v4.0.0 mentions stime but the check and remediation texts + don't contain stime. rules: - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_clock_settime - - audit_rules_time_stime - audit_rules_time_watch_localtime + related_rules: + - audit_rules_time_stime - - id: 5.2.3.5 + - id: 6.3.3.5 title: Ensure events that modify the system's network environment are collected (Automated) levels: - l2_server 
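Review bot: The renamed 6.3.3.1 title has a stray `894` appended: `title: Ensure changes to system administration scope (sudoers) is collected (Automated)894`; it should read `title: Ensure changes to system administration scope (sudoers) is collected (Automated)`. The same hunk removes `auditd_data_retention_action_mail_acct` and `var_auditd_action_mail_acct=root` from 6.3.2.4 with no note; if v4.0.0 no longer requires action_mail_acct, keeping the rule under `related_rules:` with a one-line note would document the dropped check rather than hide it.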
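Review bot: The new note on 6.3.3.4 is hard to parse because it pairs "even though" with "but" (`even though the prose in CIS RHEL 8 Benchmark v4.0.0 mentions stime but the check and remediation texts don't contain stime`). Suggest `audit_rules_time_stime was moved to related_rules because the CIS RHEL 8 Benchmark v4.0.0 prose mentions stime, but its audit and remediation text do not.` That keeps the rationale while making it a single clear sentence.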
@@ -2454,7 +2711,7 @@ controls: - audit_rules_networkconfig_modification - audit_rules_networkconfig_modification_network_scripts - - id: 5.2.3.6 + - id: 6.3.3.6 title: Ensure use of privileged commands are collected (Automated) levels: - l2_server @@ -2463,7 +2720,7 @@ controls: rules: - audit_rules_privileged_commands - - id: 5.2.3.7 + - id: 6.3.3.7 title: Ensure unsuccessful file access attempts are collected (Automated) levels: - l2_server @@ -2476,7 +2733,7 @@ controls: - audit_rules_unsuccessful_file_modification_openat - audit_rules_unsuccessful_file_modification_truncate - - id: 5.2.3.8 + - id: 6.3.3.8 title: Ensure events that modify user/group information are collected (Automated) levels: - l2_server @@ -2484,12 +2741,15 @@ controls: status: automated rules: - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_gshadow - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_nsswitch_conf + - audit_rules_usergroup_modification_pam_conf + - audit_rules_usergroup_modification_pamd - - id: 5.2.3.9 + - id: 6.3.3.9 title: Ensure discretionary access control permission modification events are collected (Automated) levels: - l2_server 
@@ -2497,20 +2757,20 @@ controls: status: automated rules: - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_setxattr - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_fremovexattr - - id: 5.2.3.10 + - id: 6.3.3.10 title: Ensure successful file system mounts are collected (Automated) levels: - l2_server @@ -2519,7 +2779,7 @@ controls: rules: - audit_rules_media_export - - id: 5.2.3.11 + - id: 6.3.3.11 title: Ensure session initiation information is collected (Automated) levels: - l2_server @@ -2530,7 +2790,7 @@ controls: - audit_rules_session_events_btmp - audit_rules_session_events_wtmp - - id: 5.2.3.12 + - id: 6.3.3.12 title: Ensure login and logout events are collected (Automated) levels: - l2_server @@ -2541,7 +2801,7 @@ controls: - audit_rules_login_events_lastlog - var_accounts_passwords_pam_faillock_dir=run - - id: 5.2.3.13 + - id: 6.3.3.13 title: Ensure file deletion events by users are collected (Automated) levels: - l2_server @@ -2553,7 +2813,7 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - - id: 5.2.3.14 + - id: 6.3.3.14 title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - l2_server 
@@ -2563,7 +2823,7 @@ controls: - audit_rules_mac_modification - audit_rules_mac_modification_usr_share - - id: 5.2.3.15 + - id: 6.3.3.15 title: Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) levels: - l2_server @@ -2572,7 +2832,7 @@ controls: rules: - audit_rules_execution_chcon - - id: 5.2.3.16 + - id: 6.3.3.16 title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) levels: - l2_server @@ -2581,7 +2841,7 @@ controls: rules: - audit_rules_execution_setfacl - - id: 5.2.3.17 + - id: 6.3.3.17 title: Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) levels: - l2_server @@ -2590,7 +2850,7 @@ controls: rules: - audit_rules_execution_chacl - - id: 5.2.3.18 + - id: 6.6.3.18 title: Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) levels: - l2_server @@ -2599,8 +2859,8 @@ controls: rules: - audit_rules_privileged_commands_usermod - - id: 5.2.3.19 - title: Ensure kernel module loading, unloading and modification is collected (Automated) + - id: 6.3.3.19 + title: Ensure kernel module loading unloading and modification is collected (Automated) levels: - l2_server - l2_workstation @@ -2613,7 +2873,16 @@ controls: - audit_rules_kernel_module_loading_query - audit_rules_privileged_commands_kmod - - id: 5.2.3.20 + - id: 6.3.3.20 + title: Ensure the audit configuration is loaded regardless of errors (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_continue_loading + + - id: 6.3.3.21 title: Ensure the audit configuration is immutable (Automated) levels: - l2_server 
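Review bot: The renumbered id for the usermod control is `6.6.3.18`, but its neighbours are `6.3.3.17` and `6.3.3.19`, so this is almost certainly a typo for `6.3.3.18`; a wrong id here breaks the mapping back to the benchmark section and any `cis_rhel8:6.3.3.18` selection in a profile. Change the line to `- id: 6.3.3.18`. It may be worth checking that the control-file unit tests assert monotonic ids within a section so this class of slip is caught automatically.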
@@ -2622,15 +2891,15 @@ controls: rules: - audit_rules_immutable - - id: 5.2.3.21 + - id: 6.3.3.22 title: Ensure the running and on disk configuration is the same (Manual) levels: - l2_server - l2_workstation status: manual - - id: 5.2.4.1 - title: Ensure the audit log directory is 0750 or more restrictive (Automated) + - id: 6.3.4.1 + title: Ensure the audit log file directory mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2638,8 +2907,8 @@ controls: rules: - directory_permissions_var_log_audit - - id: 5.2.4.2 - title: Ensure audit log files are mode 0640 or less permissive (Automated) + - id: 6.3.4.2 + title: Ensure audit log files mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2647,8 +2916,8 @@ controls: rules: - file_permissions_var_log_audit - - id: 5.2.4.3 - title: Ensure only authorized users own audit log files (Automated) + - id: 6.3.4.3 + title: Ensure audit log files owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2656,8 +2925,8 @@ controls: rules: - file_ownership_var_log_audit_stig - - id: 5.2.4.4 - title: Ensure only authorized groups are assigned ownership of audit log files (Automated) + - id: 6.3.4.4 + title: Ensure audit log files group owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2665,8 +2934,8 @@ controls: rules: - file_group_ownership_var_log_audit - - id: 5.2.4.5 - title: Ensure audit configuration files are 640 or more restrictive (Automated) + - id: 6.3.4.5 + title: Ensure audit configuration files mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2674,8 +2943,8 @@ controls: rules: - file_permissions_audit_configuration - - id: 5.2.4.6 - title: Ensure audit configuration files are owned by root (Automated) + - id: 6.3.4.6 + title: Ensure audit configuration files owner is configured (Automated) levels: - l2_server - l2_workstation 
@@ -2683,8 +2952,8 @@ controls: rules: - file_ownership_audit_configuration - - id: 5.2.4.7 - title: Ensure audit configuration files belong to group root (Automated) + - id: 6.3.4.7 + title: Ensure audit configuration files group owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2692,8 +2961,8 @@ controls: rules: - file_groupownership_audit_configuration - - id: 5.2.4.8 - title: Ensure audit tools are 755 or more restrictive (Automated) + - id: 6.3.4.8 + title: Ensure audit tools mode is configured (Automated) levels: - l2_server - l2_workstation @@ -2701,8 +2970,8 @@ controls: rules: - file_permissions_audit_binaries - - id: 5.2.4.9 - title: Ensure audit tools are owned by root (Automated) + - id: 6.3.4.9 + title: Ensure audit tools owner is configured (Automated) levels: - l2_server - l2_workstation @@ -2710,8 +2979,8 @@ controls: rules: - file_ownership_audit_binaries - - id: 5.2.4.10 - title: Ensure audit tools belong to group root (Automated) + - id: 6.3.4.10 + title: Ensure audit tools group owner is configured (Automated) levels: - l2_server - l2_workstation 
@@ -2719,40 +2988,8 @@ controls: rules: - file_groupownership_audit_binaries - - id: 5.3.1 - title: Ensure AIDE is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_aide_installed - - aide_build_database - - - id: 5.3.2 - title: Ensure filesystem integrity is regularly checked (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_periodic_cron_checking - related_rules: - - aide_periodic_checking_systemd_timer - - - id: 5.3.3 - title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - aide_check_audit_tools - related_rules: - - aide_use_fips_hashes - - - id: 6.1.1 - title: Ensure permissions on /etc/passwd are configured (Automated) + - id: 7.1.1 + title: Ensure access to /etc/passwd is configured (Automated) levels: - l1_server - l1_workstation @@ -2762,8 +2999,8 @@ controls: - file_owner_etc_passwd - file_permissions_etc_passwd - - id: 6.1.2 - title: Ensure permissions on /etc/passwd- are configured (Automated) + - id: 7.1.2 + title: Ensure access to /etc/passwd- is configured (Automated) levels: - l1_server - l1_workstation @@ -2773,18 +3010,8 @@ controls: - file_owner_backup_etc_passwd - file_permissions_backup_etc_passwd - - id: 6.1.3 - title: Ensure permissions on /etc/security/opasswd are configured (Automated) - levels: - - l1_server - - l1_workstation - status: partial - rules: - # TODO: We need another rule that checks /etc/security/opasswd.old - - file_etc_security_opasswd - - - id: 6.1.4 - title: Ensure permissions on /etc/group are configured (Automated) + - id: 7.1.3 + title: Ensure access to /etc/group is configured (Automated) levels: - l1_server - l1_workstation 
@@ -2794,8 +3021,8 @@ controls: - file_owner_etc_group - file_permissions_etc_group - - id: 6.1.5 - title: Ensure permissions on /etc/group- are configured (Automated) + - id: 7.1.4 + title: Ensure access to /etc/group- is configured (Automated) levels: - l1_server - l1_workstation @@ -2805,8 +3032,8 @@ controls: - file_owner_backup_etc_group - file_permissions_backup_etc_group - - id: 6.1.6 - title: Ensure permissions on /etc/shadow are configured (Automated) + - id: 7.1.5 + title: Ensure access to /etc/shadow is configured (Automated) levels: - l1_server - l1_workstation @@ -2816,8 +3043,8 @@ controls: - file_groupowner_etc_shadow - file_permissions_etc_shadow - - id: 6.1.7 - title: Ensure permissions on /etc/shadow- are configured (Automated) + - id: 7.1.6 + title: Ensure access to /etc/shadow- is configured (Automated) levels: - l1_server - l1_workstation @@ -2827,8 +3054,8 @@ controls: - file_owner_backup_etc_shadow - file_permissions_backup_etc_shadow - - id: 6.1.8 - title: Ensure permissions on /etc/gshadow are configured (Automated) + - id: 7.1.7 + title: Ensure access to /etc/gshadow is configured (Automated) levels: - l1_server - l1_workstation @@ -2838,8 +3065,8 @@ controls: - file_owner_etc_gshadow - file_permissions_etc_gshadow - - id: 6.1.9 - title: Ensure permissions on /etc/gshadow- are configured (Automated) + - id: 7.1.8 + title: Ensure access to /etc/gshadow- is configured (Automated) levels: - l1_server - l1_workstation @@ -2849,8 +3076,8 @@ controls: - file_owner_backup_etc_gshadow - file_permissions_backup_etc_gshadow - - id: 6.1.10 - title: Ensure permissions on /etc/shells are configured (Automated) + - id: 7.1.9 + title: Ensure access to /etc/shells is configured (Automated) levels: - l1_server - l1_workstation 
@@ -2860,7 +3087,21 @@ controls: - file_owner_etc_shells - file_permissions_etc_shells - - id: 6.1.11 + - id: 7.1.10 + title: Ensure access to /etc/security/opasswd is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_etc_security_opasswd + - file_owner_etc_security_opasswd + - file_permissions_etc_security_opasswd + - file_groupowner_etc_security_opasswd_old + - file_owner_etc_security_opasswd_old + - file_permissions_etc_security_opasswd_old + + - id: 7.1.11 title: Ensure world writable files and directories are secured (Automated) levels: - l1_server @@ -2870,18 +3111,17 @@ controls: - file_permissions_unauthorized_world_writable - dir_perms_world_writable_sticky_bits - - id: 6.1.12 - title: Ensure no unowned or ungrouped files or directories exist (Automated) + - id: 7.1.12 + title: Ensure no files or directories without an owner and a group exist (Automated) levels: - l1_server - l1_workstation - status: partial + status: automated rules: - # TODO: add rules for unowned/ungrouped directories - - no_files_unowned_by_user - - file_permissions_ungroupowned + - no_files_or_dirs_unowned_by_user + - no_files_or_dirs_ungroupowned - - id: 6.1.13 + - id: 7.1.13 title: Ensure SUID and SGID files are reviewed (Manual) levels: - l1_server @@ -2891,17 +3131,7 @@ controls: - file_permissions_unauthorized_suid - file_permissions_unauthorized_sgid - - id: 6.1.14 - title: Audit system file permissions (Manual) - levels: - - l2_server - - l2_workstation - status: manual - related_rules: - - rpm_verify_permissions - - rpm_verify_ownership - - - id: 6.2.1 + - id: 7.2.1 title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) levels: - l1_server @@ -2910,7 +3140,7 @@ controls: rules: - accounts_password_all_shadowed - - id: 6.2.2 + - id: 7.2.2 title: Ensure /etc/shadow password fields are not empty (Automated) levels: - l1_server 
@@ -2919,7 +3149,7 @@ controls: rules: - no_empty_passwords_etc_shadow - - id: 6.2.3 + - id: 7.2.3 title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) levels: - l1_server @@ -2928,7 +3158,7 @@ controls: rules: - gid_passwd_group_same - - id: 6.2.4 + - id: 7.2.4 title: Ensure no duplicate UIDs exist (Automated) levels: - l1_server @@ -2937,7 +3167,7 @@ controls: rules: - account_unique_id - - id: 6.2.5 + - id: 7.2.5 title: Ensure no duplicate GIDs exist (Automated) levels: - l1_server @@ -2946,7 +3176,7 @@ controls: rules: - group_unique_id - - id: 6.2.6 + - id: 7.2.6 title: Ensure no duplicate user names exist (Automated) levels: - l1_server @@ -2955,7 +3185,7 @@ controls: rules: - account_unique_name - - id: 6.2.7 + - id: 7.2.7 title: Ensure no duplicate group names exist (Automated) levels: - l1_server @@ -2964,26 +3194,7 @@ controls: rules: - group_unique_name - - id: 6.2.8 - title: Ensure root path integrity (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_path_dirs_no_write - - root_path_no_dot - - - id: 6.2.9 - title: Ensure root is the only UID 0 account (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_no_uid_except_zero - - - id: 6.2.10 + - id: 7.2.8 title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server @@ -2993,8 +3204,10 @@ controls: - accounts_user_interactive_home_directory_exists - file_ownership_home_directories - file_permissions_home_directories + related_rules: + - file_groupownership_home_directories - - id: 6.2.11 + - id: 7.2.9 title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server 
@@ -3004,13 +3217,19 @@ controls: and .rhost files should be investigated and remediated manually. However, in other profiles we remediate the rule using the automated remediation. - status: partial - # TODO: add rule checking that .bash_history is mode 0600 or more restrictive + Also, we will add accounts_users_netrc_file_permissions to related rules, + because even though CIS Benchmark says that .netrc files aren't allowed, + it also contains this note: If a .netrc file is required, and follows + local site policy, it should be mode 0600 or more restrictive. + status: automated rules: - accounts_user_dot_group_ownership - accounts_user_dot_user_ownership - file_permission_user_init_files - var_user_initialization_files_regex=all_dotfiles - no_forward_files - - no_rsh_trust_files + - no_netrc_files + - no_rhost_files + - file_permission_user_bash_history + related_rules: - accounts_users_netrc_file_permissions diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile index 6628f71ca97e..0c9238a14407 100644 --- a/products/rhel8/profiles/cis.profile +++ b/products/rhel8/profiles/cis.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: 3.0.0 + version: 4.0.0 SMEs: - marcusburghardt - vojtapolasek @@ -15,13 +15,11 @@ title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server' description: |- This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 8 Benchmark™, v3.0.0, released 2023-10-30. + Linux 8 Benchmark™, v4.0.0, released 2025-08-28. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. selections: - cis_rhel8:all:l2_server - # Following rules once had a prodtype incompatible with the rhel8 product - - '!file_owner_at_allow' - - '!package_dnsmasq_removed' + - var_authselect_profile=local 
diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile index f476ef657021..49550c65f6c5 100644 --- a/products/rhel8/profiles/cis_server_l1.profile +++ b/products/rhel8/profiles/cis_server_l1.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: 3.0.0 + version: 4.0.0 SMEs: - marcusburghardt - vojtapolasek @@ -15,13 +15,11 @@ title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server' description: |- This profile defines a baseline that aligns to the "Level 1 - Server" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 8 Benchmark™, v3.0.0, released 2023-10-30. + Linux 8 Benchmark™, v4.0.0, released 2025-08-28. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. selections: - cis_rhel8:all:l1_server - # Following rules once had a prodtype incompatible with the rhel8 product - - '!file_owner_at_allow' - - '!package_dnsmasq_removed' + - var_authselect_profile=local diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile index be273b57ff5f..039b7e17f248 100644 --- a/products/rhel8/profiles/cis_workstation_l1.profile +++ b/products/rhel8/profiles/cis_workstation_l1.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: 3.0.0 + version: 4.0.0 SMEs: - marcusburghardt - vojtapolasek 
@@ -15,13 +15,11 @@ title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation' description: |- This profile defines a baseline that aligns to the "Level 1 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 8 Benchmark™, v3.0.0, released 2023-10-30. + Linux 8 Benchmark™, v4.0.0, released 2025-08-28. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. selections: - cis_rhel8:all:l1_workstation - # Following rules once had a prodtype incompatible with the rhel8 product - - '!file_owner_at_allow' - - '!package_dnsmasq_removed' + - var_authselect_profile=local diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile index 8725839bbaf0..0f886980338e 100644 --- a/products/rhel8/profiles/cis_workstation_l2.profile +++ b/products/rhel8/profiles/cis_workstation_l2.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: 3.0.0 + version: 4.0.0 SMEs: - marcusburghardt - vojtapolasek @@ -15,13 +15,11 @@ title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation' description: |- This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise - Linux 8 Benchmark™, v3.0.0, released 2023-10-30. + Linux 8 Benchmark™, v4.0.0, released 2025-08-28. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. selections: - cis_rhel8:all:l2_workstation - # Following rules once had a prodtype incompatible with the rhel8 product - - '!file_owner_at_allow' - - '!package_dnsmasq_removed' + - var_authselect_profile=local diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 362f53b9eb25..8b3cd0016da6 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile 
@@ -727,3 +727,7 @@ selections: - service_zebra_disabled - package_rsh-server_removed - sshd_use_strong_macs + - file_etc_security_opasswd + - package_xorg-x11-server-common_removed + - accounts_users_netrc_file_permissions + - journald_forward_to_syslog diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 3e0119fa5fdd..ff6f03907140 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -41,7 +41,6 @@ CCE-86637-6 CCE-86641-8 CCE-86648-3 CCE-86650-9 -CCE-86652-5 CCE-86654-1 CCE-86661-6 CCE-86662-4 @@ -87,7 +86,6 @@ CCE-86789-5 CCE-86790-3 CCE-86793-7 CCE-86795-2 -CCE-86796-0 CCE-86798-6 CCE-86799-4 CCE-86802-6 @@ -115,7 +113,6 @@ CCE-86842-2 CCE-86846-3 CCE-86862-0 CCE-86863-8 -CCE-86864-6 CCE-86865-3 CCE-86866-1 CCE-86867-9 @@ -157,7 +154,6 @@ CCE-86958-6 CCE-86959-4 CCE-86963-6 CCE-86965-1 -CCE-86968-5 CCE-86971-9 CCE-86972-7 CCE-86973-5 @@ -178,7 +174,6 @@ CCE-86997-4 CCE-86998-2 CCE-87000-6 CCE-87002-2 -CCE-87005-5 CCE-87006-3 CCE-87010-5 CCE-87011-3 @@ -205,14 +200,12 @@ CCE-87078-2 CCE-87079-0 CCE-87080-8 CCE-87081-6 -CCE-87083-2 CCE-87084-0 CCE-87085-7 CCE-87092-3 CCE-87093-1 CCE-87094-9 CCE-87110-3 -CCE-87113-7 CCE-87115-2 CCE-87116-0 CCE-87117-8 @@ -360,7 +353,6 @@ CCE-87334-9 CCE-87342-2 CCE-87343-0 CCE-87346-3 -CCE-87348-9 CCE-87350-5 CCE-87351-3 CCE-87353-9 @@ -412,7 +404,6 @@ CCE-87426-3 CCE-87427-1 CCE-87431-3 CCE-87432-1 -CCE-87435-4 CCE-87436-2 CCE-87437-0 CCE-87438-8 @@ -477,7 +468,6 @@ CCE-87550-0 CCE-87553-4 CCE-87554-2 CCE-87556-7 -CCE-87557-5 CCE-87558-3 CCE-87559-1 CCE-87562-5 @@ -580,9 +570,7 @@ CCE-87724-1 CCE-87727-4 CCE-87728-2 CCE-87729-0 -CCE-87730-8 CCE-87732-4 -CCE-87733-2 CCE-87735-7 CCE-87737-3 CCE-87738-1 @@ -606,7 +594,6 @@ CCE-87769-6 CCE-87772-0 CCE-87773-8 CCE-87774-6 -CCE-87776-1 CCE-87778-7 CCE-87779-5 CCE-87780-3 @@ -646,7 +633,6 @@ CCE-87830-6 CCE-87832-2 CCE-87833-0 CCE-87834-8 -CCE-87835-5 CCE-87839-7 CCE-87840-5 CCE-87843-9 
@@ -897,7 +883,6 @@ CCE-88244-9 CCE-88245-6 CCE-88247-2 CCE-88249-8 -CCE-88250-6 CCE-88251-4 CCE-88252-2 CCE-88253-0 @@ -983,7 +968,6 @@ CCE-88385-0 CCE-88387-6 CCE-88388-4 CCE-88389-2 -CCE-88390-0 CCE-88392-6 CCE-88393-4 CCE-88394-2 @@ -1190,7 +1174,6 @@ CCE-88720-8 CCE-88721-6 CCE-88722-4 CCE-88725-7 -CCE-88727-3 CCE-88728-1 CCE-88729-9 CCE-88734-9 @@ -1212,7 +1195,6 @@ CCE-88765-3 CCE-88766-1 CCE-88768-7 CCE-88769-5 -CCE-88772-9 CCE-88774-5 CCE-88775-2 CCE-88776-0 @@ -1244,7 +1226,6 @@ CCE-88832-1 CCE-88833-9 CCE-88835-4 CCE-88836-2 -CCE-88838-8 CCE-88839-6 CCE-88842-0 CCE-88846-1 @@ -1271,7 +1252,6 @@ CCE-88875-0 CCE-88878-4 CCE-88879-2 CCE-88883-4 -CCE-88884-2 CCE-88885-9 CCE-88886-7 CCE-88887-5 @@ -1350,7 +1330,6 @@ CCE-89016-0 CCE-89019-4 CCE-89024-4 CCE-89025-1 -CCE-89026-9 CCE-89028-5 CCE-89030-1 CCE-89031-9 @@ -1383,7 +1362,6 @@ CCE-89082-2 CCE-89083-0 CCE-89084-8 CCE-89087-1 -CCE-89090-5 CCE-89092-1 CCE-89094-7 CCE-89095-4 @@ -1393,7 +1371,6 @@ CCE-89100-2 CCE-89101-0 CCE-89102-8 CCE-89103-6 -CCE-89104-4 CCE-89108-5 CCE-89109-3 CCE-89110-1 @@ -1526,7 +1503,6 @@ CCE-89327-1 CCE-89328-9 CCE-89329-7 CCE-89331-3 -CCE-89332-1 CCE-89335-4 CCE-89336-2 CCE-89337-0 @@ -1600,7 +1576,6 @@ CCE-89445-1 CCE-89447-7 CCE-89449-3 CCE-89451-9 -CCE-89453-5 CCE-89454-3 CCE-89463-4 CCE-89464-2 @@ -1660,7 +1635,6 @@ CCE-89553-2 CCE-89554-0 CCE-89556-5 CCE-89557-3 -CCE-89558-1 CCE-89559-9 CCE-89560-7 CCE-89563-1 @@ -1697,7 +1671,6 @@ CCE-89618-3 CCE-89619-1 CCE-89621-7 CCE-89623-3 -CCE-89626-6 CCE-89627-4 CCE-89629-0 CCE-89630-8 @@ -1859,7 +1832,6 @@ CCE-89848-6 CCE-89849-4 CCE-89850-2 CCE-89851-0 -CCE-89852-8 CCE-89853-6 CCE-89854-4 CCE-89855-1 @@ -1938,7 +1910,6 @@ CCE-89971-6 CCE-89973-2 CCE-89974-0 CCE-89976-5 -CCE-89978-1 CCE-89979-9 CCE-89984-9 CCE-89986-4 @@ -1950,7 +1921,6 @@ CCE-89993-0 CCE-89994-8 CCE-89995-5 CCE-89996-3 -CCE-89997-1 CCE-90007-6 CCE-90008-4 CCE-90009-2 
@@ -2117,11 +2087,9 @@ CCE-90255-1 CCE-90256-9 CCE-90258-5 CCE-90259-3 -CCE-90263-5 CCE-90264-3 CCE-90265-0 CCE-90266-8 -CCE-90268-4 CCE-90269-2 CCE-90270-0 CCE-90272-6 @@ -2152,7 +2120,6 @@ CCE-90309-6 CCE-90310-4 CCE-90311-2 CCE-90312-0 -CCE-90313-8 CCE-90314-6 CCE-90315-3 CCE-90316-1 @@ -2225,7 +2192,6 @@ CCE-90419-3 CCE-90420-1 CCE-90422-7 CCE-90423-5 -CCE-90424-3 CCE-90425-0 CCE-90426-8 CCE-90427-6 @@ -2248,9 +2214,7 @@ CCE-90457-3 CCE-90458-1 CCE-90459-9 CCE-90460-7 -CCE-90461-5 CCE-90462-3 -CCE-90463-1 CCE-90464-9 CCE-90467-2 CCE-90468-0 @@ -2284,7 +2248,6 @@ CCE-90501-8 CCE-90502-6 CCE-90503-4 CCE-90505-9 -CCE-90509-1 CCE-90510-9 CCE-90512-5 CCE-90513-3 diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile index d58409af8fd8..a4f4b36dd47f 100644 --- a/tests/data/profile_stability/rhel8/cis.profile +++ b/tests/data/profile_stability/rhel8/cis.profile @@ -12,18 +12,22 @@ accounts_password_pam_difok accounts_password_pam_enforce_root accounts_password_pam_maxrepeat accounts_password_pam_maxsequence -accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_enforce_for_root accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_pwhistory_use_authtok +accounts_password_pam_pwquality_password_auth +accounts_password_pam_pwquality_system_auth +accounts_password_pam_unix_authtok +accounts_password_pam_unix_enabled accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs accounts_passwords_pam_faillock_deny accounts_passwords_pam_faillock_deny_root -accounts_passwords_pam_faillock_unlock_time +accounts_passwords_pam_faillock_unlock_time_with_zero accounts_root_gid_zero accounts_root_path_dirs_no_write accounts_set_post_pw_existing 
@@ -31,13 +35,14 @@ accounts_tmout accounts_umask_etc_bashrc accounts_umask_etc_login_defs accounts_umask_etc_profile +accounts_umask_root accounts_user_dot_group_ownership accounts_user_dot_user_ownership accounts_user_interactive_home_directory_exists -accounts_users_netrc_file_permissions aide_build_database aide_check_audit_tools aide_periodic_cron_checking +audit_rules_continue_loading audit_rules_dac_modification_chmod audit_rules_dac_modification_chown audit_rules_dac_modification_fchmod @@ -82,7 +87,6 @@ audit_rules_sysadmin_actions audit_rules_time_adjtimex audit_rules_time_clock_settime audit_rules_time_settimeofday -audit_rules_time_stime audit_rules_time_watch_localtime audit_rules_unsuccessful_file_modification_creat audit_rules_unsuccessful_file_modification_ftruncate @@ -91,13 +95,15 @@ audit_rules_unsuccessful_file_modification_openat audit_rules_unsuccessful_file_modification_truncate audit_rules_usergroup_modification_group audit_rules_usergroup_modification_gshadow +audit_rules_usergroup_modification_nsswitch_conf audit_rules_usergroup_modification_opasswd +audit_rules_usergroup_modification_pam_conf +audit_rules_usergroup_modification_pamd audit_rules_usergroup_modification_passwd audit_rules_usergroup_modification_shadow audit_sudo_log_events auditd_data_disk_error_action auditd_data_disk_full_action -auditd_data_retention_action_mail_acct auditd_data_retention_admin_space_left_action auditd_data_retention_max_log_file auditd_data_retention_max_log_file_action @@ -126,7 +132,8 @@ dconf_gnome_session_idle_user_locks dir_perms_world_writable_sticky_bits directory_permissions_var_log_audit disable_host_auth -enable_authselect +disable_users_coredumps +disable_weak_deps ensure_gpgcheck_globally_activated ensure_gpgcheck_never_disabled ensure_pam_wheel_group_empty 
@@ -135,7 +142,6 @@ file_at_allow_exists file_at_deny_not_exist file_cron_allow_exists file_cron_deny_not_exist -file_etc_security_opasswd file_group_ownership_var_log_audit file_groupowner_at_allow file_groupowner_backup_etc_group @@ -148,6 +154,7 @@ file_groupowner_cron_daily file_groupowner_cron_hourly file_groupowner_cron_monthly file_groupowner_cron_weekly +file_groupowner_cron_yearly file_groupowner_crontab file_groupowner_efi_grub2_cfg file_groupowner_efi_user_cfg @@ -157,6 +164,8 @@ file_groupowner_etc_issue file_groupowner_etc_issue_net file_groupowner_etc_motd file_groupowner_etc_passwd +file_groupowner_etc_security_opasswd +file_groupowner_etc_security_opasswd_old file_groupowner_etc_shadow file_groupowner_etc_shells file_groupowner_grub2_cfg @@ -166,6 +175,7 @@ file_groupownership_audit_binaries file_groupownership_audit_configuration file_groupownership_sshd_private_key file_groupownership_sshd_pub_key +file_owner_at_allow file_owner_backup_etc_group file_owner_backup_etc_gshadow file_owner_backup_etc_passwd @@ -176,6 +186,7 @@ file_owner_cron_daily file_owner_cron_hourly file_owner_cron_monthly file_owner_cron_weekly +file_owner_cron_yearly file_owner_crontab file_owner_efi_grub2_cfg file_owner_efi_user_cfg @@ -185,6 +196,8 @@ file_owner_etc_issue file_owner_etc_issue_net file_owner_etc_motd file_owner_etc_passwd +file_owner_etc_security_opasswd +file_owner_etc_security_opasswd_old file_owner_etc_shadow file_owner_etc_shells file_owner_grub2_cfg @@ -196,6 +209,7 @@ file_ownership_home_directories file_ownership_sshd_private_key file_ownership_sshd_pub_key file_ownership_var_log_audit_stig +file_permission_user_bash_history file_permission_user_init_files file_permissions_at_allow file_permissions_audit_binaries 
@@ -210,6 +224,7 @@ file_permissions_cron_daily file_permissions_cron_hourly file_permissions_cron_monthly file_permissions_cron_weekly +file_permissions_cron_yearly file_permissions_crontab file_permissions_efi_grub2_cfg file_permissions_efi_user_cfg @@ -219,6 +234,8 @@ file_permissions_etc_issue file_permissions_etc_issue_net file_permissions_etc_motd file_permissions_etc_passwd +file_permissions_etc_security_opasswd +file_permissions_etc_security_opasswd_old file_permissions_etc_shadow file_permissions_etc_shells file_permissions_grub2_cfg @@ -227,15 +244,14 @@ file_permissions_sshd_config file_permissions_sshd_private_key file_permissions_sshd_pub_key file_permissions_unauthorized_world_writable -file_permissions_ungroupowned file_permissions_user_cfg file_permissions_var_log_audit -firewalld_loopback_traffic_restricted -firewalld_loopback_traffic_trusted +firewalld-backend gid_passwd_group_same gnome_gdm_disable_xdmcp group_unique_id group_unique_name +groups_no_zero_gid_except_root grub2_audit_argument grub2_audit_backlog_limit_argument grub2_enable_selinux @@ -244,14 +260,18 @@ grub2_uefi_password has_nonlocal_mta inactivity_timeout_value=15_minutes journald_compress -journald_forward_to_syslog +journald_disable_forward_to_syslog journald_storage +kernel_module_atm_disabled +kernel_module_can_disabled kernel_module_cramfs_disabled kernel_module_dccp_disabled +kernel_module_firewire-core_disabled kernel_module_freevxfs_disabled kernel_module_hfs_disabled kernel_module_hfsplus_disabled kernel_module_jffs2_disabled +kernel_module_overlayfs_disabled kernel_module_rds_disabled kernel_module_sctp_disabled kernel_module_squashfs_disabled 
@@ -280,26 +300,32 @@ mount_option_var_tmp_noexec mount_option_var_tmp_nosuid no_empty_passwords no_empty_passwords_etc_shadow -no_files_unowned_by_user +no_files_or_dirs_ungroupowned +no_files_or_dirs_unowned_by_user no_forward_files +no_invalid_shell_accounts_unlocked +no_netrc_files +no_nologin_in_shells no_password_auth_for_systemaccounts -no_rsh_trust_files +no_rhost_files no_shelllogin_for_systemaccounts package_aide_installed +package_audit-libs_installed package_audit_installed package_bind_removed package_chrony_installed +package_cron_installed package_cyrus-imapd_removed -package_dhcp_removed +package_dnsmasq_removed package_dovecot_removed package_firewalld_installed package_ftp_removed package_gdm_removed package_httpd_removed +package_kea_removed package_libselinux_installed package_mcstrans_removed package_net-snmp_removed -package_nftables_installed package_nginx_removed package_openldap-clients_removed package_pam_pwquality_installed @@ -309,13 +335,14 @@ package_samba_removed package_setroubleshoot_removed package_squid_removed package_sudo_installed +package_systemd-journal-remote_installed package_telnet-server_removed package_telnet_removed package_tftp-server_removed package_tftp_removed package_vsftpd_removed package_xinetd_removed -package_xorg-x11-server-common_removed +package_xorg-x11-server-Xwayland_removed package_ypbind_removed package_ypserv_removed partition_for_dev_shm @@ -332,7 +359,6 @@ rsyslog_files_groupownership rsyslog_files_ownership rsyslog_files_permissions rsyslog_nolisten -selinux_confinement_of_daemons selinux_not_disabled selinux_policytype selinux_state 
@@ -340,21 +366,22 @@ service_auditd_enabled
 service_autofs_disabled
 service_avahi-daemon_disabled
 service_bluetooth_disabled
+service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
 service_firewalld_enabled
 service_nfs_disabled
-service_nftables_disabled
 service_rpcbind_disabled
 service_rsyslog_enabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
 socket_systemd-journal-remote_disabled
 sshd_disable_empty_passwords
 sshd_disable_forwarding
+sshd_disable_gssapi_auth
 sshd_disable_rhosts
 sshd_disable_root_login
 sshd_do_not_permit_user_env
@@ -372,14 +399,21 @@ sshd_set_max_sessions
 sshd_set_maxstartups
 sudo_add_use_pty
 sudo_custom_logfile
-sudo_require_authentication
+sudo_remove_no_authenticate
+sudo_remove_nopasswd
 sudo_require_reauthentication
+sysctl_fs_protected_hardlinks
+sysctl_fs_protected_symlinks
+sysctl_fs_suid_dumpable
+sysctl_kernel_dmesg_restrict
+sysctl_kernel_kptr_restrict
 sysctl_kernel_randomize_va_space
 sysctl_kernel_yama_ptrace_scope
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_all_forwarding
 sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_log_martians_value=enabled
 sysctl_net_ipv4_conf_all_rp_filter
@@ -391,6 +425,8 @@ sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_default_accept_source_route
 sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_default_forwarding
+sysctl_net_ipv4_conf_default_forwarding_value=disabled
 sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_log_martians_value=enabled
 sysctl_net_ipv4_conf_default_rp_filter
@@ -419,8 +455,10 @@ sysctl_net_ipv6_conf_default_accept_redirects
 sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv6_conf_default_accept_source_route
 sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv6_conf_default_forwarding
+sysctl_net_ipv6_conf_default_forwarding_value=disabled
 use_pam_wheel_group_for_su
-var_account_disable_post_pw_expiration=30
+var_account_disable_post_pw_expiration=45
 var_accounts_maximum_age_login_defs=365
 var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=5
@@ -429,23 +467,21 @@ var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
 var_audit_backlog_limit=8192
-var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel8
 var_auditd_disk_error_action=cis_rhel8
 var_auditd_disk_full_action=cis_rhel8
-var_auditd_max_log_file=6
+var_auditd_max_log_file=8
 var_auditd_max_log_file_action=keep_logs
 var_auditd_space_left_action=cis_rhel8
-var_authselect_profile=sssd
+var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=SHA512
-var_password_hashing_algorithm_pam=sha512
+var_password_hashing_algorithm=cis_rhel8
+var_password_hashing_algorithm_pam=cis_rhel8
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3
 var_password_pam_maxsequence=3
-var_password_pam_minclass=4
 var_password_pam_minlen=14
 var_password_pam_remember=24
 var_password_pam_remember_control_flag=requisite_or_required
@@ -457,6 +493,7 @@ var_sshd_max_sessions=10
 var_sshd_set_keepalive=1
 var_sshd_set_login_grace_time=60
 var_sshd_set_maxstartups=10:30:60
+var_sudo_timestamp_timeout=15_minutes
 var_user_initialization_files_regex=all_dotfiles
 wireless_disable_interfaces
-xwindows_runlevel_target
+xwayland_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index 6e05bc0c9d28..e2e7d573b761 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
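Review bot: The lines `var_password_hashing_algorithm=cis_rhel8` and `var_password_hashing_algorithm_pam=cis_rhel8` replace the explicit SHA512/sha512 selections with a named selector whose resolved value is not part of this diff, so the snapshot no longer records which hash the profile actually enforces. It is worth confirming in the corresponding .var files that the rhel8 `cis_rhel8` option resolves to a hash at least as strong as the previous sha512, because a mistyped or missing selector would presumably still produce a stable snapshot and pass this test. The same replacement appears in the cis_server_l1, cis_workstation_l1 and cis_workstation_l2 profiles further down.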
@@ -12,17 +12,21 @@ accounts_password_pam_difok
 accounts_password_pam_enforce_root
 accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
-accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_pwhistory_use_authtok
+accounts_password_pam_pwquality_password_auth
+accounts_password_pam_pwquality_system_auth
+accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs
 accounts_passwords_pam_faillock_deny
-accounts_passwords_pam_faillock_unlock_time
+accounts_passwords_pam_faillock_unlock_time_with_zero
 accounts_root_gid_zero
 accounts_root_path_dirs_no_write
 accounts_set_post_pw_existing
@@ -30,10 +34,10 @@ accounts_tmout
 accounts_umask_etc_bashrc
 accounts_umask_etc_login_defs
 accounts_umask_etc_profile
+accounts_umask_root
 accounts_user_dot_group_ownership
 accounts_user_dot_user_ownership
 accounts_user_interactive_home_directory_exists
-accounts_users_netrc_file_permissions
 aide_build_database
 aide_check_audit_tools
 aide_periodic_cron_checking
@@ -60,7 +64,7 @@ dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
 disable_host_auth
-enable_authselect
+disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
@@ -69,7 +73,6 @@ file_at_allow_exists
 file_at_deny_not_exist
 file_cron_allow_exists
 file_cron_deny_not_exist
-file_etc_security_opasswd
 file_groupowner_at_allow
 file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
@@ -81,6 +84,7 @@ file_groupowner_cron_daily
 file_groupowner_cron_hourly
 file_groupowner_cron_monthly
 file_groupowner_cron_weekly
+file_groupowner_cron_yearly
 file_groupowner_crontab
 file_groupowner_efi_grub2_cfg
 file_groupowner_efi_user_cfg
@@ -90,6 +94,8 @@ file_groupowner_etc_issue
 file_groupowner_etc_issue_net
 file_groupowner_etc_motd
 file_groupowner_etc_passwd
+file_groupowner_etc_security_opasswd
+file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
@@ -97,6 +103,7 @@ file_groupowner_sshd_config
 file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
+file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
@@ -107,6 +114,7 @@ file_owner_cron_daily
 file_owner_cron_hourly
 file_owner_cron_monthly
 file_owner_cron_weekly
+file_owner_cron_yearly
 file_owner_crontab
 file_owner_efi_grub2_cfg
 file_owner_efi_user_cfg
@@ -116,6 +124,8 @@ file_owner_etc_issue
 file_owner_etc_issue_net
 file_owner_etc_motd
 file_owner_etc_passwd
+file_owner_etc_security_opasswd
+file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
@@ -124,6 +134,7 @@ file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_backup_etc_group
@@ -136,6 +147,7 @@ file_permissions_cron_daily
 file_permissions_cron_hourly
 file_permissions_cron_monthly
 file_permissions_cron_weekly
+file_permissions_cron_yearly
 file_permissions_crontab
 file_permissions_efi_grub2_cfg
 file_permissions_efi_user_cfg
@@ -145,6 +157,8 @@ file_permissions_etc_issue
 file_permissions_etc_issue_net
 file_permissions_etc_motd
 file_permissions_etc_passwd
+file_permissions_etc_security_opasswd
+file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
 file_permissions_grub2_cfg
@@ -153,23 +167,33 @@ file_permissions_sshd_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_ungroupowned
 file_permissions_user_cfg
-firewalld_loopback_traffic_restricted
-firewalld_loopback_traffic_trusted
+firewalld-backend
 gid_passwd_group_same
 gnome_gdm_disable_xdmcp
 group_unique_id
 group_unique_name
+groups_no_zero_gid_except_root
 grub2_enable_selinux
 grub2_password
 grub2_uefi_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
-journald_forward_to_syslog
+journald_disable_forward_to_syslog
 journald_storage
+kernel_module_atm_disabled
+kernel_module_can_disabled
 kernel_module_cramfs_disabled
+kernel_module_dccp_disabled
+kernel_module_firewire-core_disabled
+kernel_module_freevxfs_disabled
+kernel_module_hfs_disabled
+kernel_module_hfsplus_disabled
+kernel_module_jffs2_disabled
+kernel_module_rds_disabled
+kernel_module_sctp_disabled
+kernel_module_tipc_disabled
 kernel_module_usb-storage_disabled
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
@@ -193,24 +217,28 @@ mount_option_var_tmp_noexec
 mount_option_var_tmp_nosuid
 no_empty_passwords
 no_empty_passwords_etc_shadow
-no_files_unowned_by_user
+no_files_or_dirs_ungroupowned
+no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
+no_netrc_files
 no_password_auth_for_systemaccounts
-no_rsh_trust_files
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_bind_removed
 package_chrony_installed
+package_cron_installed
 package_cyrus-imapd_removed
-package_dhcp_removed
+package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
 package_httpd_removed
+package_kea_removed
 package_libselinux_installed
 package_mcstrans_removed
 package_net-snmp_removed
-package_nftables_installed
 package_nginx_removed
 package_pam_pwquality_installed
 package_rsync_removed
@@ -219,6 +247,7 @@ package_samba_removed
 package_setroubleshoot_removed
 package_squid_removed
 package_sudo_installed
+package_systemd-journal-remote_installed
 package_telnet-server_removed
 package_telnet_removed
 package_tftp-server_removed
@@ -236,7 +265,6 @@ rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions
 rsyslog_nolisten
-selinux_confinement_of_daemons
 selinux_not_disabled
 selinux_policytype
 service_autofs_disabled
@@ -246,11 +274,10 @@ service_crond_enabled
 service_cups_disabled
 service_firewalld_enabled
 service_nfs_disabled
-service_nftables_disabled
 service_rpcbind_disabled
 service_rsyslog_enabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
@@ -273,14 +300,19 @@ sshd_set_max_sessions
 sshd_set_maxstartups
 sudo_add_use_pty
 sudo_custom_logfile
-sudo_require_authentication
+sudo_remove_no_authenticate
 sudo_require_reauthentication
+sysctl_fs_protected_hardlinks
+sysctl_fs_suid_dumpable
+sysctl_kernel_dmesg_restrict
+sysctl_kernel_kptr_restrict
 sysctl_kernel_randomize_va_space
 sysctl_kernel_yama_ptrace_scope
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_all_forwarding
 sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_log_martians_value=enabled
 sysctl_net_ipv4_conf_all_rp_filter
@@ -292,6 +324,8 @@ sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_default_accept_source_route
 sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_default_forwarding
+sysctl_net_ipv4_conf_default_forwarding_value=disabled
 sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_log_martians_value=enabled
 sysctl_net_ipv4_conf_default_rp_filter
@@ -303,7 +337,6 @@ sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-sysctl_net_ipv4_ip_forward
 sysctl_net_ipv4_tcp_syncookies
 sysctl_net_ipv4_tcp_syncookies_value=enabled
 sysctl_net_ipv6_conf_all_accept_ra
@@ -320,24 +353,25 @@ sysctl_net_ipv6_conf_default_accept_redirects
 sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv6_conf_default_accept_source_route
 sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv6_conf_default_forwarding
+sysctl_net_ipv6_conf_default_forwarding_value=disabled
 use_pam_wheel_group_for_su
-var_account_disable_post_pw_expiration=30
+var_account_disable_post_pw_expiration=45
 var_accounts_maximum_age_login_defs=365
 var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=5
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
-var_authselect_profile=sssd
+var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=SHA512
-var_password_hashing_algorithm_pam=sha512
+var_password_hashing_algorithm=cis_rhel8
+var_password_hashing_algorithm_pam=cis_rhel8
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3
 var_password_pam_maxsequence=3
-var_password_pam_minclass=4
 var_password_pam_minlen=14
 var_password_pam_remember=24
 var_password_pam_remember_control_flag=requisite_or_required
@@ -348,5 +382,6 @@ var_sshd_max_sessions=10
 var_sshd_set_keepalive=1
 var_sshd_set_login_grace_time=60
 var_sshd_set_maxstartups=10:30:60
+var_sudo_timestamp_timeout=15_minutes
 var_user_initialization_files_regex=all_dotfiles
 wireless_disable_interfaces
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index facb0525cd4a..f2cc5764bdae 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -12,17 +12,21 @@ accounts_password_pam_difok
 accounts_password_pam_enforce_root
 accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
-accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_pwhistory_use_authtok
+accounts_password_pam_pwquality_password_auth
+accounts_password_pam_pwquality_system_auth
+accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs
 accounts_passwords_pam_faillock_deny
-accounts_passwords_pam_faillock_unlock_time
+accounts_passwords_pam_faillock_unlock_time_with_zero
 accounts_root_gid_zero
 accounts_root_path_dirs_no_write
 accounts_set_post_pw_existing
@@ -30,10 +34,10 @@ accounts_tmout
 accounts_umask_etc_bashrc
 accounts_umask_etc_login_defs
 accounts_umask_etc_profile
+accounts_umask_root
 accounts_user_dot_group_ownership
 accounts_user_dot_user_ownership
 accounts_user_interactive_home_directory_exists
-accounts_users_netrc_file_permissions
 aide_build_database
 aide_check_audit_tools
 aide_periodic_cron_checking
@@ -49,8 +53,6 @@ coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
-dconf_gnome_disable_automount
-dconf_gnome_disable_automount_open
 dconf_gnome_disable_autorun
 dconf_gnome_disable_user_list
 dconf_gnome_login_banner_text
@@ -60,7 +62,7 @@ dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
 disable_host_auth
-enable_authselect
+disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
@@ -69,7 +71,6 @@ file_at_allow_exists
 file_at_deny_not_exist
 file_cron_allow_exists
 file_cron_deny_not_exist
-file_etc_security_opasswd
 file_groupowner_at_allow
 file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
@@ -81,6 +82,7 @@ file_groupowner_cron_daily
 file_groupowner_cron_hourly
 file_groupowner_cron_monthly
 file_groupowner_cron_weekly
+file_groupowner_cron_yearly
 file_groupowner_crontab
 file_groupowner_efi_grub2_cfg
 file_groupowner_efi_user_cfg
@@ -90,6 +92,8 @@ file_groupowner_etc_issue
 file_groupowner_etc_issue_net
 file_groupowner_etc_motd
 file_groupowner_etc_passwd
+file_groupowner_etc_security_opasswd
+file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
@@ -97,6 +101,7 @@ file_groupowner_sshd_config
 file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
+file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
@@ -107,6 +112,7 @@ file_owner_cron_daily
 file_owner_cron_hourly
 file_owner_cron_monthly
 file_owner_cron_weekly
+file_owner_cron_yearly
 file_owner_crontab
 file_owner_efi_grub2_cfg
 file_owner_efi_user_cfg
@@ -116,6 +122,8 @@ file_owner_etc_issue
 file_owner_etc_issue_net
 file_owner_etc_motd
 file_owner_etc_passwd
+file_owner_etc_security_opasswd
+file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
@@ -124,6 +132,7 @@ file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_backup_etc_group
@@ -136,6 +145,7 @@ file_permissions_cron_daily
 file_permissions_cron_hourly
 file_permissions_cron_monthly
 file_permissions_cron_weekly
+file_permissions_cron_yearly
 file_permissions_crontab
 file_permissions_efi_grub2_cfg
 file_permissions_efi_user_cfg
@@ -145,6 +155,8 @@ file_permissions_etc_issue
 file_permissions_etc_issue_net
 file_permissions_etc_motd
 file_permissions_etc_passwd
+file_permissions_etc_security_opasswd
+file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
 file_permissions_grub2_cfg
@@ -153,23 +165,33 @@ file_permissions_sshd_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_ungroupowned
 file_permissions_user_cfg
-firewalld_loopback_traffic_restricted
-firewalld_loopback_traffic_trusted
+firewalld-backend
 gid_passwd_group_same
 gnome_gdm_disable_xdmcp
 group_unique_id
 group_unique_name
+groups_no_zero_gid_except_root
 grub2_enable_selinux
 grub2_password
 grub2_uefi_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
-journald_forward_to_syslog
+journald_disable_forward_to_syslog
 journald_storage
+kernel_module_atm_disabled
+kernel_module_can_disabled
 kernel_module_cramfs_disabled
+kernel_module_dccp_disabled
+kernel_module_firewire-core_disabled
+kernel_module_freevxfs_disabled
+kernel_module_hfs_disabled
+kernel_module_hfsplus_disabled
+kernel_module_jffs2_disabled
+kernel_module_rds_disabled
+kernel_module_sctp_disabled
+kernel_module_tipc_disabled
 login_banner_text=cis_banners
 mount_option_dev_shm_nodev
 mount_option_dev_shm_noexec
@@ -192,24 +214,28 @@ mount_option_var_tmp_noexec
 mount_option_var_tmp_nosuid
 no_empty_passwords
 no_empty_passwords_etc_shadow
-no_files_unowned_by_user
+no_files_or_dirs_ungroupowned
+no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
+no_netrc_files
 no_password_auth_for_systemaccounts
-no_rsh_trust_files
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_bind_removed
 package_chrony_installed
+package_cron_installed
 package_cyrus-imapd_removed
-package_dhcp_removed
+package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
 package_httpd_removed
+package_kea_removed
 package_libselinux_installed
 package_mcstrans_removed
 package_net-snmp_removed
-package_nftables_installed
 package_nginx_removed
 package_pam_pwquality_installed
 package_rsync_removed
@@ -217,6 +243,7 @@ package_rsyslog_installed
 package_samba_removed
 package_squid_removed
 package_sudo_installed
+package_systemd-journal-remote_installed
 package_telnet-server_removed
 package_telnet_removed
 package_tftp-server_removed
@@ -234,23 +261,22 @@ rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions
 rsyslog_nolisten
-selinux_confinement_of_daemons
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
 service_firewalld_enabled
 service_nfs_disabled
-service_nftables_disabled
 service_rpcbind_disabled
 service_rsyslog_enabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
 socket_systemd-journal-remote_disabled
 sshd_disable_empty_passwords
 sshd_disable_forwarding
+sshd_disable_gssapi_auth
 sshd_disable_rhosts
 sshd_disable_root_login
 sshd_do_not_permit_user_env
@@ -268,14 +294,19 @@ sshd_set_max_sessions
 sshd_set_maxstartups
 sudo_add_use_pty
 sudo_custom_logfile
-sudo_require_authentication
+sudo_remove_no_authenticate
 sudo_require_reauthentication
+sysctl_fs_protected_hardlinks
+sysctl_fs_suid_dumpable
+sysctl_kernel_dmesg_restrict
+sysctl_kernel_kptr_restrict
 sysctl_kernel_randomize_va_space
 sysctl_kernel_yama_ptrace_scope
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_all_forwarding
 sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_log_martians_value=enabled
 sysctl_net_ipv4_conf_all_rp_filter
@@ -287,6 +318,8 @@ sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_default_accept_source_route
 sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_default_forwarding
+sysctl_net_ipv4_conf_default_forwarding_value=disabled
 sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_log_martians_value=enabled
 sysctl_net_ipv4_conf_default_rp_filter
@@ -315,24 +348,25 @@ sysctl_net_ipv6_conf_default_accept_redirects
 sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv6_conf_default_accept_source_route
 sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv6_conf_default_forwarding
+sysctl_net_ipv6_conf_default_forwarding_value=disabled
 use_pam_wheel_group_for_su
-var_account_disable_post_pw_expiration=30
+var_account_disable_post_pw_expiration=45
 var_accounts_maximum_age_login_defs=365
 var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=5
 var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
-var_authselect_profile=sssd
+var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=SHA512
-var_password_hashing_algorithm_pam=sha512
+var_password_hashing_algorithm=cis_rhel8
+var_password_hashing_algorithm_pam=cis_rhel8
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3
 var_password_pam_maxsequence=3
-var_password_pam_minclass=4
 var_password_pam_minlen=14
 var_password_pam_remember=24
 var_password_pam_remember_control_flag=requisite_or_required
@@ -343,4 +377,5 @@ var_sshd_max_sessions=10
 var_sshd_set_keepalive=1
 var_sshd_set_login_grace_time=60
 var_sshd_set_maxstartups=10:30:60
+var_sudo_timestamp_timeout=15_minutes
 var_user_initialization_files_regex=all_dotfiles
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index 1a6b60298756..eb5c54e60a92 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -12,18 +12,22 @@ accounts_password_pam_difok
 accounts_password_pam_enforce_root
 accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
-accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_pwhistory_use_authtok
+accounts_password_pam_pwquality_password_auth
+accounts_password_pam_pwquality_system_auth
+accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs
 accounts_passwords_pam_faillock_deny
 accounts_passwords_pam_faillock_deny_root
-accounts_passwords_pam_faillock_unlock_time
+accounts_passwords_pam_faillock_unlock_time_with_zero
 accounts_root_gid_zero
 accounts_root_path_dirs_no_write
 accounts_set_post_pw_existing
@@ -31,13 +35,14 @@ accounts_tmout
 accounts_umask_etc_bashrc
 accounts_umask_etc_login_defs
 accounts_umask_etc_profile
+accounts_umask_root
 accounts_user_dot_group_ownership
 accounts_user_dot_user_ownership
 accounts_user_interactive_home_directory_exists
-accounts_users_netrc_file_permissions
 aide_build_database
 aide_check_audit_tools
 aide_periodic_cron_checking
+audit_rules_continue_loading
 audit_rules_dac_modification_chmod
 audit_rules_dac_modification_chown
 audit_rules_dac_modification_fchmod
@@ -82,7 +87,6 @@ audit_rules_sysadmin_actions
 audit_rules_time_adjtimex
 audit_rules_time_clock_settime
 audit_rules_time_settimeofday
-audit_rules_time_stime
 audit_rules_time_watch_localtime
 audit_rules_unsuccessful_file_modification_creat
 audit_rules_unsuccessful_file_modification_ftruncate
@@ -91,13 +95,15 @@ audit_rules_unsuccessful_file_modification_openat
 audit_rules_unsuccessful_file_modification_truncate
 audit_rules_usergroup_modification_group
 audit_rules_usergroup_modification_gshadow
+audit_rules_usergroup_modification_nsswitch_conf
 audit_rules_usergroup_modification_opasswd
+audit_rules_usergroup_modification_pam_conf
+audit_rules_usergroup_modification_pamd
 audit_rules_usergroup_modification_passwd
 audit_rules_usergroup_modification_shadow
 audit_sudo_log_events
 auditd_data_disk_error_action
 auditd_data_disk_full_action
-auditd_data_retention_action_mail_acct
 auditd_data_retention_admin_space_left_action
 auditd_data_retention_max_log_file
 auditd_data_retention_max_log_file_action
@@ -126,7 +132,8 @@ dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
 directory_permissions_var_log_audit
 disable_host_auth
-enable_authselect
+disable_users_coredumps
+disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
@@ -135,7 +142,6 @@ file_at_allow_exists
 file_at_deny_not_exist
 file_cron_allow_exists
 file_cron_deny_not_exist
-file_etc_security_opasswd
 file_group_ownership_var_log_audit
 file_groupowner_at_allow
 file_groupowner_backup_etc_group
@@ -148,6 +154,7 @@ file_groupowner_cron_daily
 file_groupowner_cron_hourly
 file_groupowner_cron_monthly
 file_groupowner_cron_weekly
+file_groupowner_cron_yearly
 file_groupowner_crontab
 file_groupowner_efi_grub2_cfg
 file_groupowner_efi_user_cfg
@@ -157,6 +164,8 @@ file_groupowner_etc_issue
 file_groupowner_etc_issue_net
 file_groupowner_etc_motd
 file_groupowner_etc_passwd
+file_groupowner_etc_security_opasswd
+file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
@@ -166,6 +175,7 @@ file_groupownership_audit_binaries
 file_groupownership_audit_configuration
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
+file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
@@ -176,6 +186,7 @@ file_owner_cron_daily
 file_owner_cron_hourly
 file_owner_cron_monthly
 file_owner_cron_weekly
+file_owner_cron_yearly
 file_owner_crontab
 file_owner_efi_grub2_cfg
 file_owner_efi_user_cfg
@@ -185,6 +196,8 @@ file_owner_etc_issue
 file_owner_etc_issue_net
 file_owner_etc_motd
 file_owner_etc_passwd
+file_owner_etc_security_opasswd
+file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
@@ -196,6 +209,7 @@ file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
 file_ownership_var_log_audit_stig
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_audit_binaries
@@ -210,6 +224,7 @@ file_permissions_cron_daily
 file_permissions_cron_hourly
 file_permissions_cron_monthly
 file_permissions_cron_weekly
+file_permissions_cron_yearly
 file_permissions_crontab
 file_permissions_efi_grub2_cfg
 file_permissions_efi_user_cfg
@@ -219,6 +234,8 @@ file_permissions_etc_issue
 file_permissions_etc_issue_net
 file_permissions_etc_motd
 file_permissions_etc_passwd
+file_permissions_etc_security_opasswd
+file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
 file_permissions_grub2_cfg
@@ -227,15 +244,14 @@ file_permissions_sshd_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_ungroupowned
 file_permissions_user_cfg
 file_permissions_var_log_audit
-firewalld_loopback_traffic_restricted
-firewalld_loopback_traffic_trusted
+firewalld-backend
 gid_passwd_group_same
 gnome_gdm_disable_xdmcp
 group_unique_id
 group_unique_name
+groups_no_zero_gid_except_root
 grub2_audit_argument
 grub2_audit_backlog_limit_argument
 grub2_enable_selinux
@@ -244,14 +260,18 @@ grub2_uefi_password
 has_nonlocal_mta
 inactivity_timeout_value=15_minutes
 journald_compress
-journald_forward_to_syslog
+journald_disable_forward_to_syslog
 journald_storage
+kernel_module_atm_disabled
+kernel_module_can_disabled
 kernel_module_cramfs_disabled
 kernel_module_dccp_disabled
+kernel_module_firewire-core_disabled
 kernel_module_freevxfs_disabled
 kernel_module_hfs_disabled
 kernel_module_hfsplus_disabled
 kernel_module_jffs2_disabled
+kernel_module_overlayfs_disabled
 kernel_module_rds_disabled
 kernel_module_sctp_disabled
 kernel_module_squashfs_disabled
@@ -280,25 +300,31 @@ mount_option_var_tmp_noexec
 mount_option_var_tmp_nosuid
 no_empty_passwords
 no_empty_passwords_etc_shadow
-no_files_unowned_by_user
+no_files_or_dirs_ungroupowned
+no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
+no_netrc_files
+no_nologin_in_shells
 no_password_auth_for_systemaccounts
-no_rsh_trust_files
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
+package_audit-libs_installed
 package_audit_installed
 package_bind_removed
 package_chrony_installed
+package_cron_installed
 package_cyrus-imapd_removed
-package_dhcp_removed
+package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
 package_httpd_removed
+package_kea_removed
 package_libselinux_installed
 package_mcstrans_removed
 package_net-snmp_removed
-package_nftables_installed
 package_nginx_removed
 package_openldap-clients_removed
 package_pam_pwquality_installed
@@ -307,6 +333,7 @@ package_rsyslog_installed
 package_samba_removed
 package_squid_removed
 package_sudo_installed
+package_systemd-journal-remote_installed
 package_telnet-server_removed
 package_telnet_removed
 package_tftp-server_removed
@@ -329,7 +356,6 @@ rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions
 rsyslog_nolisten
-selinux_confinement_of_daemons
 selinux_not_disabled
 selinux_policytype
 selinux_state
@@ -337,20 +363,21 @@ service_auditd_enabled
 service_autofs_disabled
 service_avahi-daemon_disabled
 service_bluetooth_disabled
+service_cockpit_disabled
 service_crond_enabled
 service_firewalld_enabled
 service_nfs_disabled
-service_nftables_disabled
 service_rpcbind_disabled
 service_rsyslog_enabled
+service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
 socket_systemd-journal-remote_disabled
 sshd_disable_empty_passwords
 sshd_disable_forwarding
+sshd_disable_gssapi_auth
 sshd_disable_rhosts
 sshd_disable_root_login
 sshd_do_not_permit_user_env
@@ -368,14 +395,21 @@ sshd_set_max_sessions
 sshd_set_maxstartups
 sudo_add_use_pty
 sudo_custom_logfile
-sudo_require_authentication
+sudo_remove_no_authenticate
+sudo_remove_nopasswd
 sudo_require_reauthentication
+sysctl_fs_protected_hardlinks
+sysctl_fs_protected_symlinks
+sysctl_fs_suid_dumpable
+sysctl_kernel_dmesg_restrict
+sysctl_kernel_kptr_restrict
 sysctl_kernel_randomize_va_space
 sysctl_kernel_yama_ptrace_scope
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_all_forwarding
 sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_log_martians_value=enabled
 sysctl_net_ipv4_conf_all_rp_filter
@@ -387,6 +421,8 @@ sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv4_conf_default_accept_source_route
 sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv4_conf_default_forwarding
+sysctl_net_ipv4_conf_default_forwarding_value=disabled
 sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_log_martians_value=enabled
 sysctl_net_ipv4_conf_default_rp_filter
@@ -415,8 +451,10 @@ sysctl_net_ipv6_conf_default_accept_redirects
 sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 sysctl_net_ipv6_conf_default_accept_source_route
 sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+sysctl_net_ipv6_conf_default_forwarding
+sysctl_net_ipv6_conf_default_forwarding_value=disabled
 use_pam_wheel_group_for_su
-var_account_disable_post_pw_expiration=30
+var_account_disable_post_pw_expiration=45
 var_accounts_maximum_age_login_defs=365
 var_accounts_password_warn_age_login_defs=7
 var_accounts_passwords_pam_faillock_deny=5
@@ -425,23 +463,21 @@ var_accounts_passwords_pam_faillock_unlock_time=900
 var_accounts_tmout=15_min
 var_accounts_user_umask=027
 var_audit_backlog_limit=8192
-var_auditd_action_mail_acct=root
 var_auditd_admin_space_left_action=cis_rhel8
 var_auditd_disk_error_action=cis_rhel8
 var_auditd_disk_full_action=cis_rhel8
-var_auditd_max_log_file=6
+var_auditd_max_log_file=8
 var_auditd_max_log_file_action=keep_logs
 var_auditd_space_left_action=cis_rhel8
-var_authselect_profile=sssd
+var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=SHA512
-var_password_hashing_algorithm_pam=sha512
+var_password_hashing_algorithm=cis_rhel8
+var_password_hashing_algorithm_pam=cis_rhel8
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3
 var_password_pam_maxsequence=3
-var_password_pam_minclass=4
 var_password_pam_minlen=14
 var_password_pam_remember=24
 var_password_pam_remember_control_flag=requisite_or_required
@@ -453,4 +489,6 @@ var_sshd_max_sessions=10
 var_sshd_set_keepalive=1
 var_sshd_set_login_grace_time=60
 var_sshd_set_maxstartups=10:30:60
+var_sudo_timestamp_timeout=15_minutes
 var_user_initialization_files_regex=all_dotfiles
+xwayland_disabled