Update RHEL 8 CIS profile

linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml

@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87730-8
     cce@rhel10: CCE-90697-4
 
 ocil_clause: "the option '-c' is not set in the '/etc/audit/audit.rules' file"

linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_nsswitch_conf/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87835-5
     cce@rhel9: CCE-86213-6
     cce@rhel10: CCE-90524-0
 

linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89453-5
     cce@rhel9: CCE-86212-8
     cce@rhel10: CCE-90525-7
 

linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pamd/rule.yml

@@ -11,6 +11,7 @@ rationale: |-
     should be investigated.
 
 identifiers:
+    cce@rhel8: CCE-90268-4
     cce@rhel9: CCE-86211-0
     cce@rhel10: CCE-90526-5
 

linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var

@@ -22,7 +22,7 @@ options:
     rotate: rotate
     ol8: syslog|single|halt
     rhel8: syslog|single|halt
-    cis_rhel8: syslog|single|halt
+    cis_rhel8: single|halt
     cis_rhel9: halt|single
     cis_rhel10: halt|single
     cis_fedora: halt|single

linux_os/guide/auditing/package_audit-libs_installed/rule.yml

@@ -16,6 +16,7 @@ rationale: 'The auditd service is an access monitoring and accounting daemon, wa
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87113-7
     cce@rhel9: CCE-86772-1
     cce@rhel10: CCE-90611-5
     cce@sle12: CCE-92320-1

linux_os/guide/services/base/service_cockpit_disabled/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89026-9
     cce@rhel10: CCE-87509-6
 
 platform: system_with_kernel

linux_os/guide/services/cron_and_at/file_groupowner_cron_yearly/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87776-1
     cce@rhel10: CCE-88898-2
 
 references:

linux_os/guide/services/cron_and_at/file_owner_cron_yearly/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88838-8
     cce@rhel10: CCE-90735-2
 
 references:

linux_os/guide/services/cron_and_at/file_permissions_cron_yearly/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86796-0
     cce@rhel10: CCE-90732-9
 
 references:

linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87348-9
     cce@rhel10: CCE-86596-4
 
 {{{ complete_ocil_entry_package(package="kea") }}}

linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-Xwayland_removed/rule.yml

@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87005-5
     cce@rhel10: CCE-90601-6
 
 ocil_clause: The xorg-x11-server-Xwayland package is installed.

linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml

@@ -26,6 +26,7 @@ rationale: |-
     The system should only provide access after performing authentication of a user.
 
 identifiers:
+    cce@rhel8: CCE-87083-2
     cce@rhel10: CCE-87536-9
 
 severity: medium

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
     without requiring the user to re-enter it multiple times.
 
 identifiers:
+    cce@rhel8: CCE-90463-1
     cce@rhel10: CCE-86732-5
 
 severity: medium

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml

@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89997-1
     cce@rhel10: CCE-86733-3
 
 ocil_clause: 'Usage of use_authtok for pam_unix.so is required'

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml

@@ -27,6 +27,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89090-5
     cce@rhel10: CCE-87367-9
 
 platform: package[pam]

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -19,5 +19,6 @@ options:
     yescrypt: YESCRYPT
     cis_ubuntu2204: SHA512|YESCRYPT
     cis_ubuntu2404: SHA512|YESCRYPT
+    cis_rhel8: YESCRYPT|SHA512
     cis_rhel10: YESCRYPT|SHA512
     cis_fedora: YESCRYPT|SHA512

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var

@@ -16,4 +16,5 @@ options:
     default: sha512
     sha512: sha512
     yescrypt: yescrypt
+    cis_rhel8: yescrypt|sha512
     cis_rhel10: yescrypt|sha512

linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87733-2
     cce@rhel10: CCE-87072-5
     cce@sle15: CCE-92592-5
 

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87435-4
     cce@rhel10: CCE-87390-1
 
 ocil_clause: 'any .rhost files exist'

linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml

@@ -15,6 +15,7 @@ rationale: |-
 severity: high
 
 identifiers:
+    cce@rhel8: CCE-90313-8
     cce@rhel9: CCE-86567-5
     cce@rhel10: CCE-87073-3
     cce@sle15: CCE-92565-1

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml

@@ -15,6 +15,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88390-0
     cce@rhel9: CCE-86746-5
     cce@rhel10: CCE-86751-5
     cce@sle15: CCE-92591-7

linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89104-4
     cce@rhel10: CCE-87392-7
     cce@sle15: CCE-92554-5
 

linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml

@@ -16,6 +16,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-90424-3
     cce@rhel10: CCE-87074-1
     cce@sle15: CCE-92484-5
 

linux_os/guide/system/logging/journald/journald_disable_forward_to_syslog/rule.yml

@@ -34,6 +34,7 @@ ocil: |-
 ocil_clause: 'is commented out or not configured correctly'
 
 identifiers:
+    cce@rhel8: CCE-88250-6
     cce@rhel10: CCE-88340-5
     cce@sle15: CCE-92566-9
 

linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml

@@ -21,6 +21,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-87557-5
     cce@rhel10: CCE-86711-9
     cce@sle15: CCE-92604-8
     cce@slmicro5: CCE-94084-1

linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88884-2
     cce@rhel10: CCE-87075-8
     cce@sle12: CCE-83248-5
     cce@sle15: CCE-85725-0

linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_forwarding/rule.yml

@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86652-5
     cce@rhel10: CCE-88797-6
 
 ocil_clause: 'IP forwarding value is "1" and the system is not router'

linux_os/guide/system/permissions/files/no_files_or_dirs_ungroupowned/rule.yml

@@ -26,6 +26,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89626-6
     cce@rhel10: CCE-86647-5
 
 ocil_clause: 'files and directories exist that are not owned by a valid group'

linux_os/guide/system/permissions/files/no_files_or_dirs_unowned_by_user/rule.yml

@@ -24,6 +24,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89978-1
     cce@rhel10: CCE-86643-4
 
 # The rule check uses password probe, which doesn't support offline mode

linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd/rule.yml

@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89558-1
     cce@rhel10: CCE-90453-2
     cce@sle15: CCE-92539-6
 

linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_security_opasswd_old/rule.yml

@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-90263-5
     cce@rhel10: CCE-89419-6
     cce@sle15: CCE-92540-4
 

linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd/rule.yml

@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89852-8
     cce@rhel10: CCE-86791-1
     cce@sle15: CCE-92545-3
 

linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_security_opasswd_old/rule.yml

@@ -11,6 +11,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-90509-1
     cce@rhel10: CCE-88528-5
     cce@sle15: CCE-92546-1
 

linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd/rule.yml

@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88772-9
     cce@rhel10: CCE-89580-5
     cce@sle15: CCE-92558-6
 

linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_security_opasswd_old/rule.yml

@@ -12,6 +12,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-89332-1
     cce@rhel10: CCE-87434-7
     cce@sle15: CCE-92559-4
 

linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: low
 
 identifiers:
+    cce@rhel8: CCE-90461-5
     cce@rhel10: CCE-87507-0
     cce@sle15: CCE-92579-2
 

linux_os/guide/system/software/gnome/xwayland_disabled/rule.yml

@@ -27,6 +27,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+  cce@rhel8: CCE-86968-5
   cce@rhel10: CCE-87228-3
 
 ocil_clause: |-

linux_os/guide/system/software/updating/disable_weak_deps/rule.yml

@@ -13,6 +13,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-88727-3
     cce@rhel10: CCE-86970-1
 
 ocil_clause: 'the install_weak_deps option is not set to 0'