From 3384e387e5ad285915f25965f71a71f9f251f4b6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:54:49 +0100 Subject: [PATCH] Move audit requirements to the end of section 4 Many requirements included in section 4 were moved to section 5. They still need to be reviewed. --- controls/cis_rhel7.yml | 954 ++++++++++++++++++++--------------------- 1 file changed, 477 insertions(+), 477 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 1cc1b82b6f4b..3dc1d4021598 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -1732,701 +1732,701 @@ controls: - use_pam_wheel_group_for_su - ensure_pam_wheel_group_empty - - - - - id: 4.1.1.1 - title: Ensure auditd is installed (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - package_audit_installed - - package_audit-libs_installed - - - id: 4.1.1.2 - title: Ensure auditd service is enabled and running (Automated) - levels: - - l2_server - - l2_workstation - status: automated - rules: - - service_auditd_enabled - - - id: 4.1.1.3 - title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + - id: 4.4.1.1 + title: Ensure latest version of pam is installed (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - grub2_audit_argument + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure PAM package is updated. - - id: 4.1.2.1 - title: Ensure audit log storage size is configured (Automated) + - id: 4.4.1.2 + title: Ensure libpwquality is installed (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - auditd_data_retention_max_log_file - - var_auditd_max_log_file=6 + - package_pam_pwquality_installed - - id: 4.1.2.2 - title: Ensure audit logs are not automatically deleted (Automated) + - id: 4.4.2.1.1 + title: Ensure pam_faillock module is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated - rules: - - auditd_data_retention_max_log_file_action - - var_auditd_max_log_file_action=keep_logs + notes: |- + This requirement is more specifically satisfied by 4.4.2.1.2. 
+ related_rules: + - accounts_passwords_pam_faillock_deny - - id: 4.1.2.3 - title: Ensure system is disabled when audit logs are full (Automated) + - id: 4.4.2.1.2 + title: Ensure lockout for failed password attempts is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - auditd_data_retention_space_left_action - - var_auditd_space_left_action=email - - auditd_data_retention_action_mail_acct - - var_auditd_action_mail_acct=root - - auditd_data_retention_admin_space_left_action - - var_auditd_admin_space_left_action=halt + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=5 - - id: 4.1.2.4 - title: Ensure audit_backlog_limit is sufficient (Automated) + - id: 4.4.2.1.3 + title: Ensure password unlock time is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated - notes: <- - Note that currently the value is hardcoded to 8192 rules: - - grub2_audit_backlog_limit_argument + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 - - id: 4.1.3 - title: Ensure events that modify date and time information are collected (Automated) + - id: 4.4.2.1.4 + title: Ensure password failed attempts lockout includes root account (Automated) levels: - - l2_server - - l2_workstation + - l2_server + - l2_workstation status: automated rules: - - audit_rules_time_adjtimex - - audit_rules_time_settimeofday - - audit_rules_time_clock_settime - - audit_rules_time_stime - - audit_rules_time_watch_localtime + - accounts_passwords_pam_faillock_deny_root - - id: 4.1.4 - title: Ensure events that modify user/group information are collected (Automated) + - id: 4.4.2.2.1 + title: Ensure pam_pwquality module is enabled (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_usergroup_modification_group - - 
audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow + - l1_server + - l1_workstation + status: pending + notes: |- + This requirement is probably automatically satisfied when by the 4.4.1.2. + It is necessary to better investigate the scenarios to confirm. + related_rules: + - package_pam_pwquality_installed - - id: 4.1.5 - title: Ensure events that modify the system's network environment are collected (Automated) + - id: 4.4.2.2.2 + title: Ensure password number of changed characters is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_networkconfig_modification + - accounts_password_pam_difok + - var_password_pam_difok=2 - - id: 4.1.6 - title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + - id: 4.4.2.2.3 + title: Ensure password length is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_mac_modification - - audit_rules_mac_modification_usr_share + - accounts_password_pam_minlen + - var_password_pam_minlen=14 - - id: 4.1.7 - title: Ensure login and logout events are collected (Automated) + - id: 4.4.2.2.4 + title: Ensure password complexity is configured (Manual) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated + notes: |- + This requirement is expected to be manual. However, in previous versions of the policy + it was already automated the configuration of "minclass" option. This posture was kept for + RHEL 7 in this new version. Rules related to other options are informed in related_rules. + In short, minclass=4 alone can achieve the same result achieved by the combination of the + other 4 options mentioned in the policy. 
rules: - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog + - accounts_password_pam_minclass + - var_password_pam_minclass=4 + related_rules: + - accounts_password_pam_dcredit + - accounts_password_pam_lcredit + - accounts_password_pam_ocredit + - accounts_password_pam_ucredit - - id: 4.1.8 - title: Ensure session initiation information is collected (Automated) + - id: 4.4.2.2.5 + title: Ensure password same consecutive characters is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_session_events + - accounts_password_pam_maxrepeat + - var_password_pam_maxrepeat=3 - - id: 4.1.9 - title: Ensure discretionary access control permission modification events are collected (Automated) + - id: 4.4.2.2.6 + title: Ensure password maximum sequential characters is configured (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr + - l1_server + - l1_workstation + status: planned + notes: |- + A new templated rule and variable are necessary for the maxsequence option. 
- - id: 4.1.10 - title: Ensure unsuccessful unauthorized file access attempts are collected (Automated) + - id: 4.4.2.2.7 + title: Ensure password dictionary check is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate + - accounts_password_pam_dictcheck + - var_password_pam_dictcheck=1 - - id: 4.1.11 - title: Ensure use of privileged commands is collected (Automated) + - id: 4.4.2.3.1 + title: Ensure pam_pwhistory module is enabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated - rules: - - audit_rules_privileged_commands + notes: |- + The module is properly enabled by the rules mentioned in related_rules. + Requirement 4.4.2.3.2 uses these rules more specifically. 
+ related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth - - id: 4.1.12 - title: Ensure successful file system mounts are collected (Automated) + - id: 4.4.2.3.2 + title: Ensure password history remember is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_media_export + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=24 - - id: 4.1.13 - title: Ensure file deletion events by users are collected (Automated) + - id: 4.4.2.3.3 + title: Ensure password history is enforced for the root user (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat + - l1_server + - l1_workstation + status: planned + notes: |- + A new rule needs to be created to check and remediate the enforce_for_root option in + /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. - - id: 4.1.14 - title: Ensure changes to system administration scope (sudoers) is collected (Automated) + - id: 4.4.2.3.4 + title: Ensure pam_pwhistory includes use_authtok (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_sysadmin_actions + - l1_server + - l1_workstation + status: pending + notes: |- + We don't have a rule to check and remediate this option specifically in RHEL7. 
+ related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth - - id: 4.1.15 - title: Ensure system administrator command executions (sudo) are collected (Automated) + - id: 4.4.2.4.1 + title: Ensure pam_unix does not include nullok (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_suid_privilege_function + - no_empty_passwords - - id: 4.1.16 - title: Ensure kernel module loading and unloading is collected (Automated) + - id: 4.4.2.4.2 + title: Ensure pam_unix does not include remember (Automated) levels: - - l2_server - - l2_workstation - status: automated - rules: - - audit_rules_privileged_commands_insmod - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_modprobe - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_init + - l1_server + - l1_workstation + status: pending + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not + recommened by this policy. Instead, it should be used remember option of pam_pwhistory + module, as required in 4.4.2.3.2. See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + A new rule needs to be created to remove the remember option from pam_unix module. - - id: 4.1.17 - title: Ensure the audit configuration is immutable (Automated) + - id: 4.4.2.4.3 + title: Ensure pam_unix includes a strong password hashing algorithm (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated + notes: |- + Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1. 
rules: - - audit_rules_immutable + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth - - id: 4.2.1.1 - title: Ensure rsyslog is installed (Automated) + - id: 4.4.2.4.4 + title: Ensure pam_unix includes use_authtok (Automated) levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_rsyslog_installed + - l1_server + - l1_workstation + status: partial + notes: |- + In RHEL 7 pam_unix is enabled by default already with the use_authtok option set. + In any case, we don't have a rule to check this option specifically. Similar to 4.4.2.3.4. - - id: 4.2.1.2 - title: Ensure rsyslog Service is enabled and running (Automated) + - id: 4.5.1.1 + title: Ensure strong password hashing algorithm is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - service_rsyslog_enabled + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 - - id: 4.2.1.3 - title: Ensure rsyslog default file permissions configured (Automated) + - id: 4.5.1.2 + title: Ensure password expiration is 365 days or less (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - rsyslog_filecreatemode - - - id: 4.2.1.4 - title: Ensure logging is configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual + - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing + - var_accounts_maximum_age_login_defs=365 - - id: 4.2.1.5 - title: Ensure rsyslog is configured to send logs to a remote log host (Automated) + - id: 4.5.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - rsyslog_remote_loghost - - - id: 4.2.1.6 - title: Ensure remote rsyslog messages are only accepted on designated 
log hosts. (Manual) - levels: - - l1_server - - l1_workstation - status: manual + - accounts_password_set_warn_age_existing + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 - - id: 4.2.2.1 - title: Ensure journald is configured to send logs to rsyslog (Automated) + - id: 4.5.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - journald_forward_to_syslog + - account_disable_post_pw_expiration + - accounts_set_post_pw_existing + - var_account_disable_post_pw_expiration=30 - - id: 4.2.2.2 - title: Ensure journald is configured to compress large log files (Automated) + - id: 4.5.1.5 + title: Ensure all users last password change date is in the past (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - journald_compress + - accounts_password_last_change_is_in_past - - id: 4.2.2.3 - title: Ensure journald is configured to write logfiles to persistent disk (Automated) + - id: 4.5.2.1 + title: Ensure default group for the root account is GID 0 (Automated) levels: - l1_server - l1_workstation status: automated rules: - - journald_storage + - accounts_root_gid_zero - - id: 4.2.3 - title: Ensure permissions on all logfiles are configured (Manual) + - id: 4.5.2.2 + title: Ensure root user umask is configured (Automated) levels: - - l1_server - - l1_workstation - status: manual - rules: - - rsyslog_files_permissions + - l1_server + - l1_workstation + status: pending + notes: |- + There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have + to be created. It can be based on accounts_umask_interactive_users. 
- - id: 4.2.4 - title: Ensure logrotate is configured (Manual) + - id: 4.5.2.3 + title: Ensure system accounts are secured (Automated) levels: - - l1_server - - l1_workstation - status: manual - related_rules: - - ensure_logrotate_activated - - package_logrotate_installed - - timer_logrotate_enabled + - l1_server + - l1_workstation + status: automated + rules: + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts - - id: 4.4.1.1 - title: Ensure latest version of pam is installed (Automated) + - id: 4.5.2.4 + title: Ensure root password is set (Automated) levels: - l1_server - l1_workstation + status: automated + rules: + - ensure_root_password_configured + + - id: 4.5.3.1 + title: Ensure nologin is not listed in /etc/shells (Automated) + levels: + - l2_server + - l2_workstation status: pending notes: |- - It is necessary a new rule to ensure PAM package is updated. + It is necessary to create a new rule to check and remove nologin from /etc/shells. + The no_tmux_in_shells rule can be used as referece. - - id: 4.4.1.2 - title: Ensure libpwquality is installed (Automated) + - id: 4.5.3.2 + title: Ensure default user shell timeout is configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_pam_pwquality_installed + - accounts_tmout + - var_accounts_tmout=15_min - - id: 4.4.2.1.1 - title: Ensure pam_faillock module is enabled (Automated) + - id: 4.5.3.3 + title: Ensure default user umask is configured (Automated) levels: - l1_server - l1_workstation status: automated - notes: |- - This requirement is more specifically satisfied by 4.4.2.1.2. 
- related_rules: - - accounts_passwords_pam_faillock_deny + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - accounts_umask_interactive_users + - var_accounts_user_umask=027 - - id: 4.4.2.1.2 - title: Ensure lockout for failed password attempts is configured (Automated) +#### Most of these audit requirements go to section 5 + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=5 + - package_audit_installed + - package_audit-libs_installed - - id: 4.4.2.1.3 - title: Ensure password unlock time is configured (Automated) + - id: 4.1.1.2 + title: Ensure auditd service is enabled and running (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 + - service_auditd_enabled - - id: 4.4.2.1.4 - title: Ensure password failed attempts lockout includes root account (Automated) + - id: 4.1.1.3 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) levels: - - l2_server - - l2_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_passwords_pam_faillock_deny_root + - grub2_audit_argument - - id: 4.4.2.2.1 - title: Ensure pam_pwquality module is enabled (Automated) + - id: 4.1.2.1 + title: Ensure audit log storage size is configured (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - This requirement is probably automatically satisfied when by the 4.4.1.2. - It is necessary to better investigate the scenarios to confirm. 
- related_rules: - - package_pam_pwquality_installed + - l2_server + - l2_workstation + status: automated + rules: + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 - - id: 4.4.2.2.2 - title: Ensure password number of changed characters is configured (Automated) + - id: 4.1.2.2 + title: Ensure audit logs are not automatically deleted (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_pam_difok - - var_password_pam_difok=2 + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=keep_logs - - id: 4.4.2.2.3 - title: Ensure password length is configured (Automated) + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_pam_minlen - - var_password_pam_minlen=14 + - auditd_data_retention_space_left_action + - var_auditd_space_left_action=email + - auditd_data_retention_action_mail_acct + - var_auditd_action_mail_acct=root + - auditd_data_retention_admin_space_left_action + - var_auditd_admin_space_left_action=halt - - id: 4.4.2.2.4 - title: Ensure password complexity is configured (Manual) + - id: 4.1.2.4 + title: Ensure audit_backlog_limit is sufficient (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated - notes: |- - This requirement is expected to be manual. However, in previous versions of the policy - it was already automated the configuration of "minclass" option. This posture was kept for - RHEL 7 in this new version. Rules related to other options are informed in related_rules. - In short, minclass=4 alone can achieve the same result achieved by the combination of the - other 4 options mentioned in the policy. 
+ notes: <- + Note that currently the value is hardcoded to 8192 rules: - - accounts_password_pam_minclass - - var_password_pam_minclass=4 - related_rules: - - accounts_password_pam_dcredit - - accounts_password_pam_lcredit - - accounts_password_pam_ocredit - - accounts_password_pam_ucredit + - grub2_audit_backlog_limit_argument - - id: 4.4.2.2.5 - title: Ensure password same consecutive characters is configured (Automated) + - id: 4.1.3 + title: Ensure events that modify date and time information are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_pam_maxrepeat - - var_password_pam_maxrepeat=3 + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime - - id: 4.4.2.2.6 - title: Ensure password maximum sequential characters is configured (Automated) + - id: 4.1.4 + title: Ensure events that modify user/group information are collected (Automated) levels: - - l1_server - - l1_workstation - status: planned - notes: |- - A new templated rule and variable are necessary for the maxsequence option. 
+ - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow - - id: 4.4.2.2.7 - title: Ensure password dictionary check is enabled (Automated) + - id: 4.1.5 + title: Ensure events that modify the system's network environment are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_pam_dictcheck - - var_password_pam_dictcheck=1 + - audit_rules_networkconfig_modification - - id: 4.4.2.3.1 - title: Ensure pam_pwhistory module is enabled (Automated) + - id: 4.1.6 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated - notes: |- - The module is properly enabled by the rules mentioned in related_rules. - Requirement 4.4.2.3.2 uses these rules more specifically. 
- related_rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth + rules: + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share - - id: 4.4.2.3.2 - title: Ensure password history remember is configured (Automated) + - id: 4.1.7 + title: Ensure login and logout events are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - var_password_pam_remember_control_flag=requisite_or_required - - var_password_pam_remember=24 + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog - - id: 4.4.2.3.3 - title: Ensure password history is enforced for the root user (Automated) + - id: 4.1.8 + title: Ensure session initiation information is collected (Automated) levels: - - l1_server - - l1_workstation - status: planned - notes: |- - A new rule needs to be created to check and remediate the enforce_for_root option in - /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. 
+ - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_session_events + + - id: 4.1.9 + title: Ensure discretionary access control permission modification events are collected (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr - - id: 4.4.2.3.4 - title: Ensure pam_pwhistory includes use_authtok (Automated) + - id: 4.1.10 + title: Ensure unsuccessful unauthorized file access attempts are collected (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - We don't have a rule to check and remediate this option specifically in RHEL7. 
- related_rules: - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth + - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_ftruncate - - id: 4.4.2.4.1 - title: Ensure pam_unix does not include nullok (Automated) + - id: 4.1.11 + title: Ensure use of privileged commands is collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - no_empty_passwords + - audit_rules_privileged_commands - - id: 4.4.2.4.2 - title: Ensure pam_unix does not include remember (Automated) + - id: 4.1.12 + title: Ensure successful file system mounts are collected (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 4.4.2.3.2. See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_media_export - - id: 4.4.2.4.3 - title: Ensure pam_unix includes a strong password hashing algorithm (Automated) + - id: 4.1.13 + title: Ensure file deletion events by users are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated - notes: |- - Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1. 
rules: - - set_password_hashing_algorithm_systemauth - - set_password_hashing_algorithm_passwordauth + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat - - id: 4.4.2.4.4 - title: Ensure pam_unix includes use_authtok (Automated) + - id: 4.1.14 + title: Ensure changes to system administration scope (sudoers) is collected (Automated) levels: - - l1_server - - l1_workstation - status: partial - notes: |- - In RHEL 7 pam_unix is enabled by default already with the use_authtok option set. - In any case, we don't have a rule to check this option specifically. Similar to 4.4.2.3.4. + - l2_server + - l2_workstation + status: automated + rules: + - audit_rules_sysadmin_actions - - id: 4.5.1.1 - title: Ensure strong password hashing algorithm is configured (Automated) + - id: 4.1.15 + title: Ensure system administrator command executions (sudo) are collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - set_password_hashing_algorithm_libuserconf - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 + - audit_rules_suid_privilege_function - - id: 4.5.1.2 - title: Ensure password expiration is 365 days or less (Automated) + - id: 4.1.16 + title: Ensure kernel module loading and unloading is collected (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_maximum_age_login_defs - - accounts_password_set_max_life_existing - - var_accounts_maximum_age_login_defs=365 + - audit_rules_privileged_commands_insmod + - audit_rules_privileged_commands_rmmod + - audit_rules_privileged_commands_modprobe + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_init - - id: 4.5.1.3 - title: Ensure password expiration warning days is 7 or more (Automated) + - id: 4.1.17 + 
title: Ensure the audit configuration is immutable (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - accounts_password_set_warn_age_existing - - accounts_password_warn_age_login_defs - - var_accounts_password_warn_age_login_defs=7 + - audit_rules_immutable - - id: 4.5.1.4 - title: Ensure inactive password lock is 30 days or less (Automated) + - id: 4.2.1.1 + title: Ensure rsyslog is installed (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - account_disable_post_pw_expiration - - accounts_set_post_pw_existing - - var_account_disable_post_pw_expiration=30 + - package_rsyslog_installed - - id: 4.5.1.5 - title: Ensure all users last password change date is in the past (Automated) + - id: 4.2.1.2 + title: Ensure rsyslog Service is enabled and running (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - accounts_password_last_change_is_in_past + - service_rsyslog_enabled - - id: 4.5.2.1 - title: Ensure default group for the root account is GID 0 (Automated) + - id: 4.2.1.3 + title: Ensure rsyslog default file permissions configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - accounts_root_gid_zero + - rsyslog_filecreatemode - - id: 4.5.2.2 - title: Ensure root user umask is configured (Automated) + - id: 4.2.1.4 + title: Ensure logging is configured (Manual) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule have - to be created. It can be based on accounts_umask_interactive_users. 
+ - l1_server + - l1_workstation + status: manual - - id: 4.5.2.3 - title: Ensure system accounts are secured (Automated) + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - no_password_auth_for_systemaccounts - - no_shelllogin_for_systemaccounts + - rsyslog_remote_loghost - - id: 4.5.2.4 - title: Ensure root password is set (Automated) + - id: 4.2.1.6 + title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation + status: manual + + - id: 4.2.2.1 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + - l1_workstation status: automated rules: - - ensure_root_password_configured + - journald_forward_to_syslog - - id: 4.5.3.1 - title: Ensure nologin is not listed in /etc/shells (Automated) + - id: 4.2.2.2 + title: Ensure journald is configured to compress large log files (Automated) levels: - - l2_server - - l2_workstation - status: pending - notes: |- - It is necessary to create a new rule to check and remove nologin from /etc/shells. - The no_tmux_in_shells rule can be used as referece. 
+ - l1_server + - l1_workstation + status: automated + rules: + - journald_compress - - id: 4.5.3.2 - title: Ensure default user shell timeout is configured (Automated) + - id: 4.2.2.3 + title: Ensure journald is configured to write logfiles to persistent disk (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - accounts_tmout - - var_accounts_tmout=15_min + - journald_storage - - id: 4.5.3.3 - title: Ensure default user umask is configured (Automated) + - id: 4.2.3 + title: Ensure permissions on all logfiles are configured (Manual) levels: - - l1_server - - l1_workstation - status: automated + - l1_server + - l1_workstation + status: manual rules: - - accounts_umask_etc_bashrc - - accounts_umask_etc_login_defs - - accounts_umask_etc_profile - - accounts_umask_interactive_users - - var_accounts_user_umask=027 + - rsyslog_files_permissions + + - id: 4.2.4 + title: Ensure logrotate is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + related_rules: + - ensure_logrotate_activated + - package_logrotate_installed + - timer_logrotate_enabled + + - id: 5.3.14
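Review bot: The re-added 4.1.2.4 control (audit_backlog_limit) carries over `notes: <-`, which is not a YAML block-scalar indicator; `<` is not an indicator character, so the value is most likely read as a plain scalar beginning with the literal text "<- Note that currently the value is hardcoded to 8192", and any consumer that renders or diffs notes will show the stray arrow. Since the line is moved verbatim onto the new side, this commit is the natural place to fix it: `notes: |-` matches every other multi-line notes entry in this hunk. The `controls:` list this hunk edits begins before the hunk, and because the audit and logging controls are now appended after 4.5.3.3 under the `#### Most of these audit requirements go to section 5` comment, their ids remain 4.1.x/4.2.x until the announced review renumbers them, so the comment could usefully say that the ids are provisional.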