WIP: Implement CIS Level 1 for Ubuntu 20.04 #6416

Closed
Expand Up @@ -27,6 +27,7 @@ references:
cis@rhel7: 5.2.7
cis@rhel8: 5.2.9
cis@sle15: 5.2.9
cis@ubuntu2004: 5.2.8
cjis: 5.5.6
cui: 3.1.12
disa: CCI-000366
Expand Up @@ -26,6 +26,7 @@ references:
stigid@ol7: OL07-00-040350
cis@rhel7: 5.2.6
cis@rhel8: 5.2.8
cis@ubuntu2004: 5.2.7
cjis: 5.5.6
cui: 3.1.12
disa: CCI-000366
Expand Up @@ -23,6 +23,7 @@ references:
cis@rhel7: 5.2.10
cis@rhel8: 5.2.12
cis@sle15: 5.2.12
cis@ubuntu2004: 5.2.11
cjis: 5.5.6
cui: 3.1.12
disa: CCI-000366
Expand Up @@ -26,6 +26,7 @@ references:
cis@rhel7: 5.2.15
cis@rhel8: 5.2.15
cis@sle15: 5.2.19
cis@ubuntu2004: 5.2.18
cjis: 5.5.6
cui: 3.1.9
disa: CCI-000048,CCI-000050,CCI-001384,CCI-001385,CCI-001386,CCI-001387,CCI-001388
Expand Up @@ -65,5 +65,6 @@ template:
vars:
parameter: "ClientAliveCountMax"
value: "0"
value@ubuntu2004: "3"
missing_parameter_pass: "false"
kubernetes: "off"
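Review bot: the `value@ubuntu2004: "3"` override changes what this rule enforces on Ubuntu 20.04 (three unanswered client-alive probes before the session is dropped, instead of none) but nothing in the hunk records where that value comes from; suggest adding the matching `cis@ubuntu2004` line to this rule's references block, as the other sshd rules in this PR do, so the divergence from `value: "0"` is traceable to the benchmark section.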
Expand Up @@ -27,6 +27,7 @@ references:
cis@rhel7: 5.2.3
cis@rhel8: 5.2.5
cis@sle15: 5.2.5
cis@ubuntu2004: 5.2.4
nist: AC-17(a),CM-6(a)

ocil_clause: 'it is commented out or is not enabled'
Expand Up @@ -23,6 +23,7 @@ references:
cis@rhel7: 5.2.5
cis@rhel8: 5.2.7
cis@sle15: 5.2.7
cis@ubuntu2004: 5.2.6
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

ocil_clause: 'it is commented out or not configured properly'
Expand Up @@ -38,6 +38,7 @@ identifiers:
references:
cis@rhe8: 1.1.21
cis@ubuntu1804: 1.1.20
cis@ubuntu2004: 1.1.22
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
isa-62443-2013: 'SR 2.1,SR 5.2'
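Review bot: the context line `cis@rhe8: 1.1.21` directly above the added `cis@ubuntu2004: 1.1.22` is a typo for `cis@rhel8` (every other product-qualified key in this PR uses `rhel8`), so the RHEL 8 mapping for this rule is unlikely to be picked up when references are filtered by product; worth fixing while this references block is being edited.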
Expand Up @@ -16,8 +16,7 @@ identifiers:
cce@rhel8: CCE-83475-4

references:
cis@rhel7: 6.1.8
cis@rhel8: 6.1.8
cis: 6.1.8
Since other section 6.1.x rules differ between RHEL and Ubuntu, I might suggest we keep these two separate for the time being.


ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}'

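Review bot: replacing `cis@rhel7`/`cis@rhel8` with an unqualified `cis: 6.1.8` applies one section number to every product this rule is built for, which conflicts with the convention used elsewhere in this PR, where the `/etc/gshadow-` rules keep `cis@rhel8: 6.1.9` and add `cis@ubuntu2004: 6.1.3` precisely because the 6.1.x numbering differs between benchmarks; suggest keeping the two existing keys and adding `cis@ubuntu2004: 6.1.8` beside them.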
Expand Up @@ -23,6 +23,7 @@ identifiers:
references:
cis@rhel7: 6.1.9
cis@rhel8: 6.1.9
cis@ubuntu2004: 6.1.3

ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'

Expand All @@ -37,4 +38,5 @@ template:
filegid@debian10: '42'
filegid@ubuntu1604: '42'
filegid@ubuntu1804: '42'
filegid@ubuntu2004: '42'
missing_file_pass: 'true'
Expand Up @@ -16,8 +16,7 @@ identifiers:
cce@rhel8: CCE-83324-4

references:
cis@rhel7: 6.1.6
cis@rhel8: 6.1.6
cis: 6.1.6
As above.


ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}'

Expand Up @@ -22,8 +22,7 @@ identifiers:
cce@rhel8: CCE-83415-0

references:
cis@rhel7: 6.1.7
cis@rhel8: 6.1.7
cis: 6.1.7
As above.


ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}'

Expand All @@ -38,4 +37,5 @@ template:
filegid@debian10: '42'
filegid@ubuntu1604: '42'
filegid@ubuntu1804: '42'
filegid@ubuntu2004: '42'
missing_file_pass: 'true'
Expand Up @@ -16,8 +16,7 @@ identifiers:
cce@rhel8: CCE-83473-9

references:
cis@rhel7: 6.1.8
cis@rhel8: 6.1.8
cis: 6.1.8
Same.


ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}'

Expand Up @@ -17,6 +17,7 @@ identifiers:
references:
cis@rhel7: 6.1.9
cis@rhel8: 6.1.9
cis@ubuntu2004: 6.1.3

ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}'

Expand Up @@ -16,8 +16,7 @@ identifiers:
cce@rhel8: CCE-83326-9

references:
cis@rhel7: 6.1.6
cis@rhel8: 6.1.6
cis: 6.1.6

ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}'

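Review bot: the unqualified `cis: 6.1.6` here has the same problem as the group-owner hunks above: it drops the product qualification for a section whose numbering is product-specific; the `/etc/passwd-` permissions rule in this PR keeps `cis@rhel8: 6.1.6` and adds `cis@ubuntu2004: 6.1.6`, and this rule should follow that pattern.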
Expand Up @@ -16,8 +16,7 @@ identifiers:
cce@rhel8: CCE-83413-5

references:
cis@rhel7: 6.1.7
cis@rhel8: 6.1.7
cis: 6.1.7

ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}'

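Review bot: `cis: 6.1.7` collapses the existing `cis@rhel7`/`cis@rhel8` keys without an explicit Ubuntu entry; the `/etc/shadow-` permissions rule in this PR keeps `cis@rhel8: 6.1.7` and adds `cis@ubuntu2004: 6.1.7`, so keep the qualified keys here and add the `cis@ubuntu2004` line rather than collapsing them.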
Expand Up @@ -17,6 +17,7 @@ identifiers:
references:
cis@rhel7: 6.1.5
cis@rhel8: 6.1.5
cis@ubuntu2004: 6.1.9
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
isa-62443-2013: 'SR 2.1,SR 5.2'
Expand Up @@ -19,6 +19,7 @@ identifiers:
references:
cis@rhel7: 6.1.8
cis@rhel8: 6.1.8
cis@ubuntu2004: 6.1.8
cis@sle15: 6.1.9

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}'
Expand Up @@ -27,6 +27,7 @@ references:
cis@rhel7: 6.1.9
cis@rhel8: 6.1.9
cis@sle15: 6.1.3
cis@ubuntu2004: 6.1.3

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}'

Expand All @@ -42,4 +43,5 @@ template:
filemode@debian10: '0640'
filemode@ubuntu1604: '0640'
filemode@ubuntu1804: '0640'
filemode@ubuntu2004: '0640'
missing_file_pass: 'true'
Expand Up @@ -19,6 +19,7 @@ identifiers:
references:
cis@rhel7: 6.1.6
cis@rhel8: 6.1.6
cis@ubuntu2004: 6.1.6
cis@sle15: 6.1.7

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}'
Expand Up @@ -27,6 +27,7 @@ identifiers:
references:
cis@rhel7: 6.1.7
cis@rhel8: 6.1.7
cis@ubuntu2004: 6.1.7
cis@sle15: 6.1.8

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms) }}}'
Expand All @@ -43,4 +44,5 @@ template:
filemode@debian10: '0640'
filemode@ubuntu1604: '0640'
filemode@ubuntu1804: '0640'
filemode@ubuntu2004: '0640'
missing_file_pass: 'true'
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu1804
prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of cramfs'

Expand All @@ -27,9 +27,7 @@ identifiers:
cce@rhcos4: CCE-82514-1

references:
cis@rhel8: 1.1.1.1
cis@sle15: 1.1.1.1
cis@ubuntu1804: 1.1.1.1
cis: 1.1.1.1
cramfs remains the same, but 1.1.1.x change between 18.04 and 20.04, so I'm inclined to leave these separate.

cui: 3.4.6
nist: CM-7(a),CM-7(b),CM-6(a)
nist-csf: PR.IP-1,PR.PT-3
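Review bot: `cis: 1.1.1.1` drops the separate `cis@rhel8`, `cis@sle15` and `cis@ubuntu1804` entries and applies one number to every product, whereas the udf hunk in this PR keeps per-product keys (`cis@rhel8: 1.1.1.4`, `cis@sle15: 1.1.1.7`, `cis@ubuntu1804: 1.1.1.6`) because the 1.1.1.x numbering differs between benchmarks; keep the three existing lines and add `cis@ubuntu2004: 1.1.1.1` alongside them.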
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804
prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of freevxfs'

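Review bot: no `cis@ubuntu2004` reference accompanies the `prodtype` addition here, whereas the udf rule in this PR pairs its prodtype change with `cis@ubuntu2004: 1.1.1.6`; if freevxfs is meant to back a CIS Ubuntu 20.04 section, the references block needs the matching entry, otherwise the rule is built for the product without appearing in the benchmark mapping. The same check applies to the hfs, hfsplus and jffs2 hunks that follow.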
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804
prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of hfs'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804
prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of hfsplus'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804
prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of jffs2'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,rhel7,rhel8,sle15,ubuntu1804
prodtype: fedora,rhcos4,rhel7,rhel8,sle15,ubuntu1804,ubuntu2004

title: 'Disable Mounting of udf'

Expand Down Expand Up @@ -31,6 +31,7 @@ references:
cis@rhel8: 1.1.1.4
cis@sle15: 1.1.1.7
cis@ubuntu1804: 1.1.1.6
cis@ubuntu2004: 1.1.1.6
cui: 3.4.6
nist: CM-7(a),CM-7(b),CM-6(a)
nist-csf: PR.IP-1,PR.PT-3
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,ubuntu2004

title: 'Disable Modprobe Loading of USB Storage Driver'

Expand Down Expand Up @@ -38,6 +38,7 @@ references:
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
cis@rhel8: 1.1.23
cis@ubuntu2004: 1.1.24
cis@sle15: 1.1.3

{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,ubuntu1804
prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,ubuntu1804,ubuntu2004

title: 'Disable the Automounter'

Expand Down Expand Up @@ -33,6 +33,7 @@ references:
stigid@ol7: OL07-00-020110
cis@rhel8: 1.1.22
cis@ubuntu1804: 1.1.21
cis@ubuntu2004: 1.1.23
cui: 3.4.6
disa: CCI-000366,CCI-000778,CCI-001958
hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b)
Expand Up @@ -24,6 +24,7 @@ identifiers:
references:
cis@rhel8: 1.1.5
cis@ubuntu1804: 1.1.14
cis@ubuntu2004: 1.1.7
stigid@ol7: OL07-00-021022
stigid@rhel7: RHEL-07-021022
disa: CCI-001764
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804
prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804,ubuntu2004

title: 'Add noexec Option to /dev/shm'

Expand All @@ -27,6 +27,7 @@ identifiers:
references:
cis@rhel8: 1.1.17
cis@ubuntu1804: 1.1.16
cis@ubuntu2004: 1.1.9
stigid@ol7: OL07-00-021024
stigid@rhel7: RHEL-07-021024
disa: CCI-001764
Expand Up @@ -24,6 +24,7 @@ identifiers:
references:
cis@rhel8: 1.1.16
cis@ubuntu1804: 1.1.15
cis@ubuntu2004: 1.1.8
stigid@ol7: OL07-00-021023
stigid@rhel7: RHEL-07-021023
disa: CCI-001764
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804
prodtype: ol7,ol8,rhel7,rhel8,rhcos4,sle15,ubuntu1804,ubuntu2004

title: 'Add nodev Option to /home'

Expand Down Expand Up @@ -28,6 +28,7 @@ identifiers:
references:
cis@rhel8: 1.1.14
cis@ubuntu1804: 1.1.13
cis@ubuntu2004: 1.1.18
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.15
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4,ubuntu2004

title: 'Add nodev Option to /tmp'

Expand All @@ -25,6 +25,7 @@ identifiers:
references:
cis@rhel8: 1.1.3
cis@ubuntu1804: 1.1.3
cis@ubuntu2004: 1.1.3
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,rhcos4
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,rhcos4,ubuntu2004

title: 'Add noexec Option to /tmp'

Expand All @@ -24,6 +24,7 @@ identifiers:

references:
cis@rhel8: 1.1.5
cis@ubuntu2004: 1.1.5
cis@sle15: 1.1.6
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4,ubuntu2004

title: 'Add nosuid Option to /tmp'

Expand All @@ -25,6 +25,7 @@ identifiers:
references:
cis@rhel8: 1.1.4
cis@ubuntu1804: 1.1.4
cis@ubuntu1804: 1.1.4
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
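Review bot: the added line `cis@ubuntu1804: 1.1.4` duplicates the existing entry immediately above it, so the nosuid /tmp rule gains no Ubuntu 20.04 reference even though `ubuntu2004` was added to `prodtype` in the same file; it should read `cis@ubuntu2004: 1.1.4`, matching the nodev and noexec /tmp rules in this PR (`cis@ubuntu2004: 1.1.3` and `cis@ubuntu2004: 1.1.5`).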