From 3e25fc7b45baa4306f6efaf7839d1a1a63c90edd Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 07:53:34 -0600 Subject: [PATCH 01/36] Update section 3.1.1 RHEL 8 CIS --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 991bc2263d4..d0cddaa8141 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1047,7 +1047,7 @@ controls: - package_tftp_removed - id: 3.1.1 - title: Verify if IPv6 is enabled on the system (Manual) + title: Ensure IPv6 status is identified (Manual) levels: - l1_server - l1_workstation From e6001162a9b5cc2fadd210853ccb90fe97e07a1a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 07:54:35 -0600 Subject: [PATCH 02/36] Update section 3.1.2 RHEL 8 CIS --- controls/cis_rhel8.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index d0cddaa8141..24bbb910e8f 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1054,13 +1054,12 @@ controls: status: manual - id: 3.1.2 - title: Ensure SCTP is disabled (Automated) + title: Ensure wireless interfaces are disabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server status: automated rules: - - kernel_module_sctp_disabled + - wireless_disable_interfaces - id: 3.1.3 title: Ensure DCCP is disabled (Automated) From a5e4b41b9d3382bf8a5b050c9fa238cb02ed29f9 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 07:56:25 -0600 Subject: [PATCH 03/36] Update section 3.1.3 RHEL 8 CIS --- controls/cis_rhel8.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 24bbb910e8f..8aedab96bfb 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1062,9 +1062,9 @@ controls: - wireless_disable_interfaces - id: 3.1.3 - title: Ensure DCCP is disabled (Automated) + title: Ensure bluetooth services are not in use (Automated) levels: - - l2_server + - l1_server - l2_workstation status: automated rules: @@ -1074,9 +1074,10 @@ controls: title: Ensure wireless interfaces are disabled (Automated) levels: - l1_server - status: automated + status: partial rules: - - wireless_disable_interfaces + - service_bluetooth_disabled + # Missing rule package_bluez_removed - id: 3.2.1 title: Ensure IP forwarding is disabled (Automated) From 380d172a32872e0a9101fd5adb89a4f80986fa0f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 08:25:50 -0600 Subject: [PATCH 04/36] Update section 3.2.1 RHEL 8 CIS --- controls/cis_rhel8.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 8aedab96bfb..e84ca45e29f 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1062,15 +1062,6 @@ controls: - wireless_disable_interfaces - id: 3.1.3 - title: Ensure bluetooth services are not in use (Automated) - levels: - - l1_server - - l2_workstation - status: automated - rules: - - kernel_module_dccp_disabled - - - id: 3.1.4 title: Ensure wireless interfaces are disabled (Automated) levels: - l1_server @@ -1080,15 +1071,13 @@ controls: # Missing rule package_bluez_removed - id: 3.2.1 - title: Ensure IP forwarding is disabled (Automated) + title: Ensure dccp kernel module is not available(Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: automated rules: - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv6_conf_all_forwarding - - sysctl_net_ipv6_conf_all_forwarding_value=disabled + - kernel_module_dccp_disabled - id: 3.2.2 title: Ensure packet redirect sending is disabled (Automated) From 95025efd449f3b7406deeac6928de36adc77b77d Mon Sep 17 00:00:00 2001 
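Review bot: In the second hunk of patch 03 (@@ -1074) the gap in coverage is recorded as an in-list comment, `# Missing rule package_bluez_removed`, whereas everywhere else in this file a missing rule is flagged with a `# NEEDS RULE` comment (plus issue link) above the control and explained in a `notes:` block, as the 3.4.2.x entries in later patches show. Moving the comment above `- id: 3.1.4` and adding `notes: |-` with the same sentence keeps the file greppable for one marker. After this hunk 3.1.4 still carries the title "Ensure wireless interfaces are disabled (Automated)" while its only rule is `service_bluetooth_disabled`, so the title and rule set of this control no longer agree.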
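Review bot: The first hunk of patch 04 (@@ -1062) deletes the block that held the bluetooth title and keeps the wireless one, so the surviving `- id: 3.1.3` reads `title: Ensure wireless interfaces are disabled (Automated)` but its rule is `service_bluetooth_disabled`, and the `l2_workstation` level that patch 03 had given the bluetooth control is lost with the deleted block. The wireless control already exists as 3.1.2 (patch 02), so the new side lists two wireless-interface controls and no bluetooth one. The fix is `title: Ensure bluetooth services are not in use (Automated)` on 3.1.3 and restoring `- l2_workstation` under its `levels:`; whether the benchmark assigns the workstation level to bluetooth should be confirmed against the benchmark text, but the levels in the removed block suggest it does.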
From: Matthew Burket Date: Wed, 24 Jan 2024 08:28:31 -0600 Subject: [PATCH 05/36] Update section 3.2.2 RHEL 8 CIS --- controls/cis_rhel8.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index e84ca45e29f..bf005d3c38a 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1080,10 +1080,14 @@ controls: - kernel_module_dccp_disabled - id: 3.2.2 - title: Ensure packet redirect sending is disabled (Automated) + title: Ensure tipc kernel module is not available (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_tipc_disabled + status: automated rules: - sysctl_net_ipv4_conf_all_send_redirects From 1d652a7f44902eea7f9218442a6832754c721e2f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 08:29:30 -0600 Subject: [PATCH 06/36] Update section 3.2.3 RHEL 8 CIS --- controls/cis_rhel8.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index bf005d3c38a..51789e5d255 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1088,10 +1088,14 @@ controls: rules: - kernel_module_tipc_disabled + - id: 3.2.3 + title: Ensure rds kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_send_redirects + - kernel_module_rds_disabled - id: 3.3.1 title: Ensure source routed packets are not accepted (Automated) From 5ba56bf896023f9096a9cbbe025107acad7cba34 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 08:36:10 -0600 Subject: [PATCH 07/36] Update section 3.2.4 RHEL 8 CIS --- controls/cis_rhel8.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 51789e5d255..a1c486b6f8a 100644 
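Review bot: The new side of patch 05 (@@ -1080) leaves control 3.2.2 with two `status:` keys and two `rules:` lists, because the added `status: automated` / `rules: - kernel_module_tipc_disabled` is followed by the original `status: automated` / `rules: - sysctl_net_ipv4_conf_all_send_redirects ...` that are not removed. Duplicate mapping keys are invalid in YAML 1.2 and most loaders (PyYAML included) silently keep the last value, so at this commit the "tipc" control would actually carry the send_redirects sysctls. Patch 06 repairs it by inserting `- id: 3.2.3` between the two, but the series is not bisectable at 05; either squash 05 and 06 or move the `- id: 3.2.3` header lines into this patch.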
--- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1097,6 +1097,15 @@ controls: rules: - kernel_module_rds_disabled + - id: 3.2.4 + title: Ensure sctp kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - kernel_module_sctp_disabled + - id: 3.3.1 title: Ensure source routed packets are not accepted (Automated) levels: From 332f465f708a0c2ce5cec5ca45b70b00251e42ae Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:17:21 -0600 Subject: [PATCH 08/36] Update section 3.3.1 RHEL 8 CIS --- controls/cis_rhel8.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a1c486b6f8a..2607c256883 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1107,20 +1107,15 @@ controls: - kernel_module_sctp_disabled - id: 3.3.1 - title: Ensure source routed packets are not accepted (Automated) + title: Ensure ip forwarding is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled - id: 3.3.2 title: Ensure ICMP redirects are not accepted (Automated) From 4973af38be76f7fb851bb0260f25d8b7326eb4d8 Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 24 Jan 2024 09:18:22 -0600 Subject: [PATCH 09/36] Update section 3.3.2 RHEL 8 CIS --- controls/cis_rhel8.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 2607c256883..728faf20d2f 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1118,20 +1118,14 @@ controls: - sysctl_net_ipv6_conf_all_forwarding_value=disabled - id: 3.3.2 - title: Ensure ICMP redirects are not accepted (Automated) + title: Ensure packet redirect sending is disabled (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects - id: 3.3.3 title: Ensure secure ICMP redirects are not accepted (Automated) From 92a3e58712452571593eb432b60d8ecc6c309075 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:18:58 -0600 Subject: [PATCH 10/36] Update section 3.3.3 RHEL 8 CIS --- controls/cis_rhel8.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 728faf20d2f..ae150125764 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1128,16 +1128,14 @@ controls: - sysctl_net_ipv4_conf_default_send_redirects - id: 3.3.3 - title: Ensure secure ICMP redirects are not accepted (Automated) + title: Ensure bogus icmp responses are ignored (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - - sysctl_net_ipv4_conf_default_secure_redirects - - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - id: 3.3.4 title: Ensure suspicious packets are logged (Automated) From dc628bb51361b55c65fddc10eeef978c1385e74e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:19:43 -0600 Subject: [PATCH 11/36] Update section 3.3.4 RHEL 8 CIS --- controls/cis_rhel8.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index ae150125764..7679b1c4ad4 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1138,16 +1138,14 @@ controls: - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled - id: 3.3.4 - title: Ensure suspicious packets are logged (Automated) + title: Ensure broadcast icmp requests are ignored(Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_all_log_martians_value=enabled - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_conf_default_log_martians_value=enabled + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - id: 3.3.5 title: Ensure broadcast ICMP requests are ignored (Automated) From 409bc0186b4423bcc92c2f6685926a0fb554e84b Mon Sep 17 00:00:00 2001 
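Review bot: In patch 11 (@@ -1138) the new title `Ensure broadcast icmp requests are ignored(Automated)` is missing the space before the suffix that every other control title in the file has; the same slip is in the 3.2.1 title `not available(Automated)` from patch 04. If any tooling compares these titles against the benchmark text the mismatch will show up as a spurious difference, so keep them byte-consistent: `title: Ensure broadcast icmp requests are ignored (Automated)`.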
From: Matthew Burket Date: Wed, 24 Jan 2024 09:20:26 -0600 Subject: [PATCH 12/36] Update section 3.3.5 RHEL 8 CIS --- controls/cis_rhel8.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 7679b1c4ad4..5e47269e6f7 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1148,14 +1148,20 @@ controls: - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - id: 3.3.5 - title: Ensure broadcast ICMP requests are ignored (Automated) + title: Ensure icmp redirects are not accepted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - id: 3.3.6 title: Ensure bogus ICMP responses are ignored (Automated) From aaee198da5f62529cb9e5e81a5f7fb730172332e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:22:27 -0600 Subject: [PATCH 13/36] Update section 3.3.6 RHEL 8 CIS --- controls/cis_rhel8.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 5e47269e6f7..d9fecc17115 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1164,14 +1164,16 @@ controls: - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled - id: 3.3.6 - title: Ensure bogus ICMP responses are ignored (Automated) + title: Ensure secure icmp redirects are not accepted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - id: 3.3.7 title: Ensure Reverse Path Filtering is enabled (Automated) From 44bc7721c1e3754114e1d4d44adeac0d5989f71b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:22:56 -0600 Subject: [PATCH 14/36] Update section 3.3.7 RHEL 8 CIS --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index d9fecc17115..38ba390c719 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1176,7 +1176,7 @@ controls: - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - id: 3.3.7 - title: Ensure Reverse Path Filtering is enabled (Automated) + title: Ensure reverse path filtering is enabled (Automated) levels: - l1_server - l1_workstation From 47da5d80fbcd17660f014fefaa0e62340ea37914 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:23:33 -0600 Subject: [PATCH 15/36] Update section 3.3.8 RHEL 8 CIS --- controls/cis_rhel8.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 38ba390c719..064624ecc2a 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1188,14 +1188,20 @@ controls: - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - id: 3.3.8 - title: Ensure TCP SYN Cookies is enabled (Automated) + title: Ensure source routed packets are not accepted (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv4_tcp_syncookies - - sysctl_net_ipv4_tcp_syncookies_value=enabled + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - id: 3.3.9 title: Ensure IPv6 router advertisements are not accepted (Automated) From 46c4439aca15cf7a3fe1cfe41ba7ad2f6b16499b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:24:35 -0600 Subject: [PATCH 16/36] Update section 3.3.9 RHEL 8 CIS --- controls/cis_rhel8.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 064624ecc2a..185cd4f54c4 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1204,16 +1204,17 @@ controls: - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled - id: 3.3.9 - title: Ensure IPv6 router advertisements are not accepted (Automated) + title: Ensure suspicious packets are logged (Automated) levels: - l1_server - l1_workstation status: automated rules: - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_all_accept_ra_value=disabled - - sysctl_net_ipv6_conf_default_accept_ra - - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled + - id: 3.4.1.1 title: Ensure firewalld is installed (Automated) From edaaa8a4f2958bb1171e9d8e75c04a4507e9460b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:25:20 -0600 Subject: [PATCH 17/36] Update section 3.3.10 RHEL 8 CIS --- controls/cis_rhel8.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 185cd4f54c4..ee6772cbb11 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1215,6 +1215,15 @@ controls: - sysctl_net_ipv4_conf_default_log_martians - sysctl_net_ipv4_conf_default_log_martians_value=enabled + - id: 3.3.10 + title: Ensure TCP SYN Cookies is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled - id: 3.4.1.1 title: Ensure firewalld is installed (Automated) From ccc9fe8dd1d2745ecf9a162ff074ae5f5d361963 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:26:52 -0600 Subject: [PATCH 18/36] Update section 3.3.11 RHEL 8 CIS --- controls/cis_rhel8.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index ee6772cbb11..110d2af0fac 100644 --- a/controls/cis_rhel8.yml 
+++ b/controls/cis_rhel8.yml @@ -1225,6 +1225,18 @@ controls: - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_tcp_syncookies_value=enabled + - id: 3.3.11 + title: Ensure IPv6 router advertisements are not accepted (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_ra_value=disabled + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + - id: 3.4.1.1 title: Ensure firewalld is installed (Automated) levels: From 78abea4e971b034789cf2462f0b7e07b2327ea65 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:28:08 -0600 Subject: [PATCH 19/36] Update section 3.4.1.1 RHEL 8 CIS --- controls/cis_rhel8.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 110d2af0fac..ba24efab06c 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1238,13 +1238,13 @@ controls: - sysctl_net_ipv6_conf_default_accept_ra_value=disabled - id: 3.4.1.1 - title: Ensure firewalld is installed (Automated) + title: Ensure nftables is installed (Automated) levels: - l1_server - l1_workstation status: automated rules: - - package_firewalld_installed + - package_nftables_installed - id: 3.4.1.2 title: Ensure iptables-services not installed with firewalld (Automated) From da4ef357a2150d77e4bb7331975de5b434bf5d88 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:29:47 -0600 Subject: [PATCH 20/36] Update section 3.4.1.2 RHEL 8 CIS --- controls/cis_rhel8.yml | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index ba24efab06c..39df635b3c7 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1247,31 +1247,15 @@ controls: - package_nftables_installed - id: 3.4.1.2 - title: Ensure iptables-services not installed with firewalld (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_iptables-services_removed - - - id: 3.4.1.3 - title: Ensure nftables is not enabled with firewalld (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - service_nftables_disabled - - - id: 3.4.1.4 - title: Ensure firewalld service is enabled and running (Automated) + title: Ensure a single firewall configuration utility is in use (Automated) levels: - l1_server - l1_workstation status: automated rules: - service_firewalld_enabled + - package_firewalld_installed + - service_nftables_disabled - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) From fe49f34863d0943a9b640153f59a9facf7973f70 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:43:11 -0600 Subject: [PATCH 21/36] Update section 3.4.2.1 RHEL 8 CIS --- controls/cis_rhel8.yml | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 39df635b3c7..bb279228802 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
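Review bot: Patch 20 drops `package_iptables-services_removed` from 3.4.1.2 and, as far as this series shows, never re-attaches it anywhere (patch 26 later deletes 3.4.2.3, the only other control that referenced it), so the profile silently loses its check that iptables-services is absent. If the benchmark revision this series targets no longer asks for it that is fine, but it should be said in a `notes:` line; otherwise keep it as `related_rules: - package_iptables-services_removed`. The new title says "a single firewall configuration utility", yet the rules commit to firewalld specifically (`package_firewalld_installed`, `service_firewalld_enabled`, `service_nftables_disabled`); a short `notes: |-` stating that this profile chooses firewalld, like the note on 3.4.2.1 in patch 21, would document that choice for anyone who runs nftables directly.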
@@ -1257,6 +1257,26 @@ controls: - package_firewalld_installed - service_nftables_disabled + - id: 3.4.2.1 + title: Ensure nftables base chains exist (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. When using firewalld the base chains are installed by default. + related_rules: + - set_nftables_base_chain + - var_nftables_table=firewalld + - var_nftables_family=inet + - var_nftables_base_chain_names=chain_names + - var_nftables_base_chain_types=chain_types + - var_nftables_base_chain_hooks=chain_hooks + - var_nftables_base_chain_priorities=chain_priorities + - var_nftables_base_chain_policies=chain_policies + - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) levels: @@ -1335,26 +1355,6 @@ controls: - var_nftables_family=inet - var_nftables_table=firewalld - - id: 3.4.2.6 - title: Ensure nftables base chains exist (Automated) - levels: - - l1_server - - l1_workstation - status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. When using firewalld the base chains are installed by default. - related_rules: - - set_nftables_base_chain - - var_nftables_table=firewalld - - var_nftables_family=inet - - var_nftables_base_chain_names=chain_names - - var_nftables_base_chain_types=chain_types - - var_nftables_base_chain_hooks=chain_hooks - - var_nftables_base_chain_priorities=chain_priorities - - var_nftables_base_chain_policies=chain_policies - # NEEDS RULE # https://github.com/ComplianceAsCode/content/issues/5246 - id: 3.4.2.7 From 29bcbaaabbe54b37d513d766733eb0daaa8b3e1a Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 24 Jan 2024 09:44:57 -0600 Subject: [PATCH 22/36] Update section 3.4.2.2 RHEL 8 CIS --- controls/cis_rhel8.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index bb279228802..bca5ce97a9c 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1277,6 +1277,17 @@ controls: - var_nftables_base_chain_priorities=chain_priorities - var_nftables_base_chain_policies=chain_policies + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5246 + - id: 3.4.2.2 + title: Ensure host based firewall loopback traffic is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + + - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) levels: From 55f0de5505f9174c214498afd9ebe9656e35d6e9 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:45:36 -0600 Subject: [PATCH 23/36] Update section 3.4.2.3 RHEL 8 CIS --- controls/cis_rhel8.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index bca5ce97a9c..8b82a45c4eb 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1287,6 +1287,12 @@ controls: - l1_workstation status: pending + - id: 3.4.2.3 + title: Ensure firewalld drops unnecessary services and ports (Manual) + levels: + - l1_server + - l1_workstation + status: manual - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) From a64b1470620bbfa2f62b872df988b27f6e5039d3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:52:03 -0600 Subject: [PATCH 24/36] Update section 3.4.2.4 RHEL 8 CIS --- controls/cis_rhel8.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 8b82a45c4eb..30f676e21f4 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1294,6 +1294,19 @@ controls: - l1_workstation status: manual + - id: 3.4.2.4 + title: Ensure nftables established connections are configured + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. When using firewalld the base chains are installed by default. + related_rules: + - set_nftables_new_connections + - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) levels: From a35b987f35fd3328f13e8a4b58b3772b133a0c50 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:52:12 -0600 Subject: [PATCH 25/36] Update section 3.4.2.5 RHEL 8 CIS --- controls/cis_rhel8.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 30f676e21f4..444d4de91eb 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1307,6 +1307,19 @@ controls: related_rules: - set_nftables_new_connections + - id: 3.4.2.5 + title: Ensure nftables default deny firewall policy (Automated) + levels: + - l1_server + - l1_workstation + status: supported + notes: |- + RHEL systems use firewalld for firewall management. Although nftables is the default + back-end for firewalld, it is not recommended to use nftables directly when firewalld + is in use. + related_rules: + - nftables_ensure_default_deny_policy + - id: 3.4.1.5 title: Ensure firewalld default zone is set (Automated) levels: From aade75101813b25a26b8e8779baa06838671c927 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 24 Jan 2024 09:53:56 -0600 Subject: [PATCH 26/36] Remove unused section 3 controls for RHEL 8 CIS --- controls/cis_rhel8.yml | 264 ----------------------------------------- 1 file changed, 264 deletions(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 444d4de91eb..d514b58e28d 100644 
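Review bot: In patch 24 (@@ -1294) the title `Ensure nftables established connections are configured` is the only control title in the series without an `(Automated)`/`(Manual)` suffix, and the `notes:` block is copied verbatim from the base-chains control 3.4.2.1 — its closing sentence "When using firewalld the base chains are installed by default." says nothing about established connections. Add whichever suffix the benchmark assigns to this item and replace that last sentence with one that applies here, e.g. `firewalld configures established/related connection handling itself, so set_nftables_new_connections is listed as related only.`, hedged as appropriate since the rule's behaviour is not visible in this diff.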
--- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -1320,270 +1320,6 @@ controls: related_rules: - nftables_ensure_default_deny_policy - - id: 3.4.1.5 - title: Ensure firewalld default zone is set (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_firewalld_default_zone - - - id: 3.4.1.6 - title: Ensure network interfaces are assigned to appropriate zone (Manual) - levels: - - l1_server - - l1_workstation - status: manual - rules: - - set_firewalld_appropriate_zone - related_rules: - - firewalld_sshd_port_enabled - - - id: 3.4.1.7 - title: Ensure firewalld drops unnecessary services and ports (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 3.4.2.1 - title: Ensure nftables is installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - package_nftables_installed - - # NEEDS RULE - - id: 3.4.2.2 - title: Ensure firewalld is either not installed or masked with nftables (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.2.3 - title: Ensure iptables-services not installed with nftables (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: <- - Already covered by requirement 3.4.1.2. - related_rules: - - package_iptables-services_removed - - - id: 3.4.2.4 - title: Ensure iptables are flushed with nftables (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 3.4.2.5 - title: Ensure an nftables table exists (Automated) - levels: - - l1_server - - l1_workstation - status: supported - notes: - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. firewalld uses the inet firewalld that is created when firewalld is installed. - The OVAL check cannot be automated but an SCE is availble. 
- rules: - - set_nftables_table - - var_nftables_family=inet - - var_nftables_table=firewalld - - # NEEDS RULE - # https://github.com/ComplianceAsCode/content/issues/5246 - - id: 3.4.2.7 - title: Ensure nftables loopback traffic is configured (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.2.8 - title: Ensure nftables outbound and established connections are configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 3.4.2.9 - title: Ensure nftables default deny firewall policy (Automated) - levels: - - l1_server - - l1_workstation - status: supported - notes: |- - RHEL systems use firewalld for firewall management. Although nftables is the default - back-end for firewalld, it is not recommended to use nftables directly when firewalld - is in use. - related_rules: - - nftables_ensure_default_deny_policy - - - id: 3.4.2.10 - title: Ensure nftables service is enabled (Automated) - levels: - - l1_server - - l1_workstation - notes: |- - nftables is actually the backend for firewalld but its service does not need to be running. - Otherwise, it will conflict with firewalld service. The preferred service to manage firewall - rules is firewalld. 
- status: automated - related_rules: - - service_nftables_enabled - - # NEEDS RULE - # https://github.com/ComplianceAsCode/content/issues/5250 - - id: 3.4.2.11 - title: Ensure nftables rules are permanent (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.3.1.1 - title: Ensure iptables packages are installed (Automated) - levels: - - l1_server - - l1_workstation - status: automated - related_rules: - - package_iptables_installed - - package_iptables-services_installed - - # NEEDS RULE - - id: 3.4.3.1.2 - title: Ensure nftables is not installed with iptables (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - # NEEDS RULE - - id: 3.4.3.1.3 - title: Ensure firewalld is either not installed or masked with iptables (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - # NEEDS RULE - # https://github.com/ComplianceAsCode/content/issues/5253 - - id: 3.4.3.2.1 - title: Ensure iptables loopback traffic is configured (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.3.2.2 - title: Ensure iptables outbound and established connections are configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 3.4.3.2.3 - title: Ensure iptables rules exist for all open ports (Automated) - levels: - - l1_server - - l1_workstation - status: partial - notes: |- - Currently the check is only available in SCE and an automated remediation is not expected. 
- rules: - - iptables_rules_for_open_ports - - - id: 3.4.3.2.4 - title: Ensure iptables default deny firewall policy (Automated) - levels: - - l1_server - - l1_workstation - status: automated - related_rules: - - set_iptables_default_rule - - # NEEDS RULE - - id: 3.4.3.2.5 - title: Ensure iptables rules are saved (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.3.2.6 - title: Ensure iptables is enabled and active (Automated) - levels: - - l1_server - - l1_workstation - status: automated - related_rules: - - service_iptables_enabled - - # NEEDS RULE - # https://github.com/ComplianceAsCode/content/issues/5258 - - id: 3.4.3.3.1 - title: Ensure ip6tables loopback traffic is configured (Automated) - levels: - - l1_server - - l1_workstation - status: pending - - - id: 3.4.3.3.2 - title: Ensure ip6tables outbound and established connections are configured (Manual) - levels: - - l1_server - - l1_workstation - status: manual - - - id: 3.4.3.3.3 - title: Ensure ip6tables firewall rules exist for all open ports (Automated) - levels: - - l1_server - - l1_workstation - status: partial - notes: |- - Currently the check is only available in SCE and an automated remediation is not expected. - rules: - - ip6tables_rules_for_open_ports - - - id: 3.4.3.3.4 - title: Ensure ip6tables default deny firewall policy (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - set_ip6tables_default_rule - - # NEEDS RULE - - id: 3.4.3.3.5 - title: Ensure ip6tables rules are saved (Automated - levels: - - l1_server - - l1_workstation - status: pending - - # NEEDS RULE - - id: 3.4.3.3.6 - title: Ensure ip6tables is enabled and active (Automated) - levels: - - l1_server - - l1_workstation - status: pending - related_rules: - - service_ip6tables_enabled - # This rule returns error in RHEL8 because the ip6tables service is not there. - # This requirement and respective rules should be reviewed. 
- - id: 4.1.1.1 title: Ensure cron daemon is enabled and active (Automated) levels: From 474a6fd9831523d3d17e1b1bd69b0bc43038234d Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 24 Jan 2024 10:15:19 -0600 Subject: [PATCH 27/36] Update rule file references for RHEL 8 CIS --- .../accounts_passwords_pam_faillock_deny/rule.yml | 4 ++-- .../firewalld_activation/package_firewalld_installed/rule.yml | 2 +- .../firewalld_activation/service_firewalld_enabled/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_forwarding/rule.yml | 2 +- .../sysctl_net_ipv6_conf_default_accept_ra/rule.yml | 2 +- .../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 2 +- .../sysctl_net_ipv6_conf_default_accept_source_route/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_accept_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_log_martians/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_secure_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_conf_default_accept_source_route/rule.yml | 2 +- .../sysctl_net_ipv4_conf_default_log_martians/rule.yml | 2 +- .../sysctl_net_ipv4_conf_default_secure_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_send_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_conf_default_send_redirects/rule.yml | 2 +- .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- .../network-nftables/package_nftables_installed/rule.yml | 2 +- .../network-nftables/service_nftables_disabled/rule.yml | 2 +- .../network-uncommon/kernel_module_dccp_disabled/rule.yml | 2 +- .../network-uncommon/kernel_module_rds_disabled/rule.yml | 1 + .../network-uncommon/kernel_module_sctp_disabled/rule.yml | 2 +- .../network-uncommon/kernel_module_tipc_disabled/rule.yml | 1 + 
.../wireless_software/service_bluetooth_disabled/rule.yml | 2 ++ .../wireless_software/wireless_disable_interfaces/rule.yml | 2 +- .../dconf_gnome_disable_automount/rule.yml | 2 +- .../dconf_gnome_disable_automount_open/rule.yml | 2 +- .../gnome_media_settings/dconf_gnome_disable_autorun/rule.yml | 2 +- shared/references/cce-redhat-avail.txt | 1 - 36 files changed, 37 insertions(+), 34 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index 28b2413c49d..72a6685b9c8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -12,12 +12,12 @@ description: |- {{% if product in ["rhel7"] %}} Ensure that pam_faillock.so module entries in /etc/pam.d/password-auth and /etc/pam.d/system-auth are - followed by the assignment deny=<count> where count should be less than or equal to + followed by the assignment deny=<count> where count should be less than or equal to {{{xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0. {{% else %}} Ensure that the file /etc/security/faillock.conf contains the following entry: deny = <count> - Where count should be less than or equal to + Where count should be less than or equal to {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0. {{% endif %}} {{% if 'ubuntu' not in product %}} diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml index e78fff4fa51..fa414dc6087 100644 
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 references:
 cis@alinux3: 3.4.1.1
 cis@rhel7: 3.4.2.1
- cis@rhel8: 3.4.1.1
+ cis@rhel8: 3.4.1.2
 cis@rhel9: 3.4.1.2
 cis@sle15: 3.5.1.1
 disa: CCI-002314
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index 8a3b7d2e905..cb941d67d93 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -29,7 +29,7 @@ references:
 cis-csc: 11,3,9
 cis@alinux3: 3.4.2.1
 cis@rhel7: 3.4.2.2
- cis@rhel8: 3.4.1.4
+ cis@rhel8: 3.4.1.2
 cis@rhel9: 3.4.1.2
 cis@sle15: 3.5.1.3
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 700ae5470b3..2e44879f757 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -24,7 +24,7 @@ references:
 cis@alinux2: 3.2.9
 cis@alinux3: 3.3.9
 cis@rhel7: 3.3.11
- cis@rhel8: 3.3.9
+ cis@rhel8: 3.3.11
 cis@rhel9: 3.3.9
 cis@sle12: 3.3.9
 cis@sle15: 3.3.9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 4c52afb1b6d..7c503e6dcb7 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -25,7 +25,7 @@ references:
 cis@alinux2: 3.2.2
 cis@alinux3: 3.3.2
 cis@rhel7: 3.3.5
- cis@rhel8: 3.3.2
+ cis@rhel8: 3.3.5
 cis@rhel9: 3.3.2
 cis@sle12: 3.3.2
 cis@sle15: 3.3.2
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index f741d98e119..c493622913c 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -33,7 +33,7 @@ references:
 cis@alinux2: 3.2.1
 cis@alinux3: 3.3.1
 cis@rhel7: 3.3.8
- cis@rhel8: 3.3.1
+ cis@rhel8: 3.3.8
 cis@rhel9: 3.3.1
 cis@sle12: 3.3.1
 cis@sle15: 3.3.1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index aa6b7f6f8e5..a779968cd61 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -25,7 +25,7 @@ references:
 cis@alinux2: 3.1.1
 cis@alinux3: 3.2.1
 cis@rhel7: 3.3.1
- cis@rhel8: 3.2.1
+ cis@rhel8: 3.3.1
 cis@rhel9: 3.2.1
 cis@sle12: 3.2.1
 cis@sle15: 3.2.1
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index 8d4708fb33e..1ceb59a22c3 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -24,7 +24,7 @@ references:
 cis@alinux2: 3.2.9
 cis@alinux3: 3.3.9
 cis@rhel7: 3.3.11
- cis@rhel8: 3.3.9
+ cis@rhel8: 3.3.11
 cis@rhel9: 3.3.9
 cis@sle12: 3.3.9
 cis@sle15: 3.3.9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index e8e4af61a1c..065cf58b083 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -25,7 +25,7 @@ references:
 cis@alinux2: 3.2.2
 cis@alinux3: 3.3.2
 cis@rhel7: 3.3.5
- cis@rhel8: 3.3.2
+ cis@rhel8: 3.3.5
 cis@rhel9: 3.3.2
 cis@sle12: 3.3.2
 cis@sle15: 3.3.2
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index 1f0c0044c3e..6ee4c1c3475 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -33,7 +33,7 @@ references:
 cis@alinux2: 3.2.1
 cis@alinux3: 3.3.1
 cis@rhel7: 3.3.8
- cis@rhel8: 3.3.1
+ cis@rhel8: 3.3.8
 cis@rhel9: 3.3.1
 cis@sle12: 3.3.1
 cis@sle15: 3.3.1
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 74dbeea6e6e..3f3c56fa4aa 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -32,7 +32,7 @@ references:
 cis@alinux2: 3.2.2
 cis@alinux3: 3.3.2
 cis@rhel7: 3.3.5
- cis@rhel8: 3.3.2
+ cis@rhel8: 3.3.5
 cis@rhel9: 3.3.2
 cis@sle12: 3.3.2
 cis@sle15: 3.3.2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 4a807a60b41..2174598c2e0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -33,7 +33,7 @@ references:
 cis@alinux2: 3.2.1
 cis@alinux3: 3.3.1
 cis@rhel7: 3.3.8
- cis@rhel8: 3.3.1
+ cis@rhel8: 3.3.8
 cis@rhel9: 3.3.1
 cis@sle12: 3.3.1
 cis@sle15: 3.3.1
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
index 10f33250228..b8b8f917fad 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.2.4
 cis@alinux3: 3.3.4
 cis@rhel7: 3.3.9
- cis@rhel8: 3.3.4
+ cis@rhel8: 3.3.9
 cis@rhel9: 3.3.4
 cis@sle12: 3.3.4
 cis@sle15: 3.3.4
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
index 4b97407accc..2eea579dd81 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.2.3
 cis@alinux3: 3.3.3
 cis@rhel7: 3.3.6
- cis@rhel8: 3.3.3
+ cis@rhel8: 3.3.6
 cis@rhel9: 3.3.3
 cis@sle12: 3.3.3
 cis@sle15: 3.3.3
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index abd9dc3b160..4475ab8e52c 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -31,7 +31,7 @@ references:
 cis@alinux2: 3.2.2
 cis@alinux3: 3.3.2
 cis@rhel7: 3.3.5
- cis@rhel8: 3.3.2
+ cis@rhel8: 3.3.5
 cis@rhel9: 3.3.2
 cis@sle12: 3.3.3
 cis@sle15: 3.3.3
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index c20fb68db78..e9447acef71 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -33,7 +33,7 @@ references:
 cis@alinux2: 3.2.1
 cis@alinux3: 3.3.1
 cis@rhel7: 3.3.8
- cis@rhel8: 3.3.1
+ cis@rhel8: 3.3.8
 cis@rhel9: 3.3.1
 cis@sle12: 3.3.1
 cis@sle15: 3.3.1
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
index 7a0d623eda8..7a813b38232 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.2.4
 cis@alinux3: 3.3.4
 cis@rhel7: 3.3.9
- cis@rhel8: 3.3.4
+ cis@rhel8: 3.3.9
 cis@rhel9: 3.3.4
 cis@sle12: 3.3.4
 cis@sle15: 3.3.4
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
index dd7031788c9..96e9a9debc7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.2.3
 cis@alinux3: 3.3.3
 cis@rhel7: 3.3.6
- cis@rhel8: 3.3.3
+ cis@rhel8: 3.3.6
 cis@rhel9: 3.3.3
 cis@sle12: 3.3.2
 cis@sle15: 3.3.2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
index 13dca4ba957..779e35f80a2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
@@ -29,7 +29,7 @@ references:
 cis@alinux2: 3.2.5
 cis@alinux3: 3.3.5
 cis@rhel7: 3.3.4
- cis@rhel8: 3.3.5
+ cis@rhel8: 3.3.4
 cis@rhel9: 3.3.5
 cis@sle12: 3.3.5
 cis@sle15: 3.3.5
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
index af55716bb46..dff5dc2d55b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml
@@ -27,7 +27,7 @@ references:
 cis@alinux2: 3.2.6
 cis@alinux3: 3.3.6
 cis@rhel7: 3.3.3
- cis@rhel8: 3.3.6
+ cis@rhel8: 3.3.3
 cis@rhel9: 3.3.6
 cis@sle12: 3.3.6
 cis@sle15: 3.3.6
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index 36aa2fb2566..3e81383d027 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -31,7 +31,7 @@ references:
 cis@alinux2: 3.2.8
 cis@alinux3: 3.3.8
 cis@rhel7: 3.3.10
- cis@rhel8: 3.3.8
+ cis@rhel8: 3.3.10
 cis@rhel9: 3.3.8
 cis@sle12: 3.3.8
 cis@sle15: 3.3.8
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index a2fecc5c81d..4bfbab5a080 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -30,7 +30,7 @@ references:
 cis@alinux2: 3.1.2
 cis@alinux3: 3.2.2
 cis@rhel7: 3.3.2
- cis@rhel8: 3.2.2
+ cis@rhel8: 3.3.2
 cis@rhel9: 3.2.2
 cis@sle12: 3.2.2
 cis@sle15: 3.2.2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index 75745bd1cfa..1f1eb2ae38f 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -30,7 +30,7 @@ references:
 cis@alinux2: 3.1.2
 cis@alinux3: 3.2.2
 cis@rhel7: 3.3.2
- cis@rhel8: 3.2.2
+ cis@rhel8: 3.3.2
 cis@rhel9: 3.2.2
 cis@sle12: 3.2.2
 cis@sle15: 3.2.2
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index b826314b2fe..35e8af91b66 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.1.1
 cis@alinux3: 3.2.1
 cis@rhel7: 3.3.1
- cis@rhel8: 3.2.1
+ cis@rhel8: 3.3.1
 cis@rhel9: 3.2.1
 cis@sle12: 3.2.1
 cis@sle15: 3.2.1
diff --git a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
index 7f059fe112d..56c803c92bc 100644
--- a/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 cis@rhel7: 3.4.3.1
- cis@rhel8: 3.4.2.1
+ cis@rhel8: 3.4.1.1
 cis@rhel9: 3.4.1.1
 cis@sle15: 3.5.2.1
 cis@ubuntu2004: 3.5.2.1
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
index 3745c7ead4a..19fd58277a4 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 references:
 ccn@rhel9: A.8.SEC-RHEL3
 cis@alinux3: 3.4.2.3
- cis@rhel8: 3.4.1.3
+ cis@rhel8: 3.4.1.2
 cis@rhel9: 3.4.1.2
 cis@sle15: 3.5.1.2
 cis@ubuntu2004: 3.5.3.1.2
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 08cf8e2cc68..577e2ac70bf 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -28,7 +28,7 @@ references:
 cis@alinux2: 3.4.1
 cis@alinux3: 3.1.3
 cis@rhel7: 3.2.1
- cis@rhel8: 3.1.3
+ cis@rhel8: 3.2.1
 cis@sle12: 3.4.1
 cis@sle15: 3.4.1
 cis@ubuntu2004: 3.4.1
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
index bbfea2dd07f..45544029ea7 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml
@@ -23,6 +23,7 @@ references:
 cis-csc: 11,14,3,9
 cis@alinux2: 3.4.3
 cis@rhel7: 3.2.3
+ cis@rhel8: 3.2.3
 cis@ubuntu2004: 3.4.3
 cis@ubuntu2204: 3.4.3
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 2471d6d9f11..36a9b3d0c3c 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -30,7 +30,7 @@ references:
 cis@alinux2: 3.4.2
 cis@alinux3: 3.1.2
 cis@rhel7: 3.2.4
- cis@rhel8: 3.1.2
+ cis@rhel8: 3.2.4
 cis@sle12: 3.4.2
 cis@sle15: 3.4.2
 cis@ubuntu2004: 3.4.2
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
index b0d194b87f4..59c282ffbca 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
@@ -31,6 +31,7 @@ references:
 cis-csc: 11,14,3,9
 cis@alinux2: 3.4.4
 cis@rhel7: 3.2.2
+ cis@rhel8: 3.2.2
 cis@rhel9: 3.1.3
 cis@ubuntu2004: 3.4.4
 cis@ubuntu2204: 3.4.4
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
index 2d2e9250afb..9971969bbd2 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml
@@ -18,10 +18,12 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-27328-4
+ cce@rhel8: CCE-87231-7
 references:
 cis-csc: 11,12,14,15,3,8,9
 cis@rhel7: 3.1.3
+ cis@rhel8: 3.1.3
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 cui: 3.1.16
 disa: CCI-000085,CCI-001551
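Review bot: The rhel8 CCE and `cis@rhel8: 3.1.3` reference are added to service_bluetooth_disabled, but the rule's `prodtype` line is outside this hunk, and the rule previously carried only a rhel7 CCE, which suggests it may not be built for rhel8 at all. The cis_rhel8 control for 3.1.3 elsewhere in this series lists this rule, so if `prodtype` lacks rhel8 the control will point at a rule the rhel8 build never generates; confirm that line and widen it if needed, keeping whatever products it already lists, e.g. `prodtype: rhel7,rhel8`. Removing CCE-87231-7 from cce-redhat-avail.txt is consistent with the identifier assigned here.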
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index c206dfc0ff3..68fee1f6da4 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -43,7 +43,7 @@ references:
 cis-csc: 11,12,14,15,3,8,9
 cis@alinux3: 3.1.4
 cis@rhel7: 3.1.2
- cis@rhel8: 3.1.4
+ cis@rhel8: 3.1.2
 cis@rhel9: 3.1.2
 cis@sle12: 3.1.2
 cis@sle15: 3.1.2
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
index 958275bff36..a1bca9a6f89 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
@@ -35,7 +35,7 @@ references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
 cis@rhel7: 1.7.6
- cis@rhel8: 1.8.6,1.8.7
+ cis@rhel8: 1.8.6
 cis@rhel9: 1.8.6,1.8.7
 cis@ubuntu2204: 1.8.6
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
index cafc2abe284..1a4b226cc39 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
@@ -36,7 +36,7 @@ references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
 cis@rhel7: 1.7.6
- cis@rhel8: 1.8.6,1.8.7
+ cis@rhel8: 1.8.6
 cis@rhel9: 1.8.6,1.8.7
 cis@ubuntu2204: 1.8.6
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
index 266a4551849..b847c036d2c 100644
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
@@ -36,7 +36,7 @@ references:
 ccn@rhel9: A.11.SEC-RHEL12
 cis-csc: 12,16
 cis@rhel7: 1.7.8
- cis@rhel8: 1.8.8,1.8.9
+ cis@rhel8: 1.8.8
 cis@rhel9: 1.8.8,1.8.9
 cis@ubuntu2204: 1.8.8
 cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index f1ff80784eb..3c537c63452 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -740,7 +740,6 @@ CCE-87227-5
 CCE-87228-3
 CCE-87229-1
 CCE-87230-9
-CCE-87231-7
 CCE-87233-3
 CCE-87234-1
 CCE-87235-8
From 4773fbecb881b058f2e22b14ef1702473259039f Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 07:16:47 -0600
Subject: [PATCH 28/36] Add rules to Ensure host based firewall loopback traffic is configured for RHEL 8 CIS
Closes #5246
---
 controls/cis_rhel8.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d514b58e28d..cf1d2f303cd 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1285,7 +1285,12 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: pending
+ status: automated
+ rules:
+ - firewalld_loopback_traffic_trusted
+ - firewalld_loopback_traffic_restricted
+
+
 - id: 3.4.2.3
 title: Ensure firewalld drops unnecessary services and ports (Manual)
From 00f4dda2c52ecc90e2ca2ecd03112b9323069411 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 07:18:13 -0600
Subject: [PATCH 29/36] Adjust title for 3.3.10 RHEL 8 CIS
---
 controls/cis_rhel8.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cf1d2f303cd..d0183651db2 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1216,7 +1216,7 @@ controls:
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
 - id: 3.3.10
- title: Ensure TCP SYN Cookies is enabled (Automated)
+ title: Ensure tcp sync Cookies is enabled (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -1277,9 +1277,6 @@ controls:
 - var_nftables_base_chain_priorities=chain_priorities
 - var_nftables_base_chain_policies=chain_policies
-
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/5246
 - id: 3.4.2.2
 title: Ensure host based firewall loopback traffic is configured (Automated)
 levels:
From 00e09a9736a527d0f9a454225318173c6b163142 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 07:19:19 -0600
Subject: [PATCH 30/36] Adjust title for 3.4.2.4 RHEL 8 CIS
---
 controls/cis_rhel8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d0183651db2..fa21401cb6b 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1297,7 +1297,7 @@ controls:
 status: manual
 - id: 3.4.2.4
- title: Ensure nftables established connections are configured
+ title: Ensure nftables established connections are configured (Manual)
 levels:
 - l1_server
 - l1_workstation
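Review bot: The two rules attached to 3.4.2.2, `firewalld_loopback_traffic_trusted` and `firewalld_loopback_traffic_restricted`, are built only for rhel9 at this point in the series (their `prodtype: rhel9` is widened to `rhel8,rhel9` in a later commit), so at this commit the rhel8 control references rules the rhel8 build does not produce; fold that prodtype change into this commit so each commit builds on its own. The hunk also adds two blank lines after the rules list where a single blank line separates entries elsewhere in the file. The title says "host based firewall" but only firewalld rules are attached, so a host that runs nftables without firewalld would presumably not be assessed by this control; a short `notes:` entry stating that only the firewalld configuration is checked would make that limitation explicit.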
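Review bot: The retitled 3.3.10 now reads "tcp sync Cookies", but this is the control `sysctl_net_ipv4_tcp_syncookies` maps to, i.e. TCP SYN cookies (named for the SYN flag), so "sync" is a misspelling the old title did not have. If the aim is the benchmark's lowercase wording, use `title: Ensure tcp syn cookies is enabled (Automated)`. The capital "Cookies" inside an otherwise lowercase phrase also looks unintended.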
From 160da5f3e6aa0342b6fceda45e5c902e5239f467 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 07:20:42 -0600
Subject: [PATCH 31/36] Update RHEL 8 CIS 3.1.3
---
 controls/cis_rhel8.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index fa21401cb6b..2a0b510d6ff 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1062,13 +1062,13 @@ controls:
 - wireless_disable_interfaces
 - id: 3.1.3
- title: Ensure wireless interfaces are disabled (Automated)
+ title: Ensure bluetooth services are not in use(Automated)
 levels:
 - l1_server
- status: partial
+ - l2_workstation
+ status: automated
 rules:
 - service_bluetooth_disabled
- # Missing rule package_bluez_removed
 - id: 3.2.1
 title: Ensure dccp kernel module is not available(Automated)
From 3f0745ff1e8a698171529fa4c90f4b5dcaf2787b Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 09:45:40 -0600
Subject: [PATCH 32/36] Update RHEL 8 CIS Section 3 based on reviewer comments
---
 controls/cis_rhel8.yml | 8 +++-----
 .../ssh/ssh_server/sshd_enable_warning_banner/rule.yml | 1 +
 .../firewalld_loopback_traffic_restricted/rule.yml | 2 +-
 .../firewalld_loopback_traffic_trusted/rule.yml | 2 +-
 .../nftables_ensure_default_deny_policy/rule.yml | 3 ++-
 .../network-nftables/set_nftables_base_chain/rule.yml | 1 +
 .../set_nftables_new_connections/rule.yml | 1 +
 7 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2a0b510d6ff..71ebfaa91a4 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1062,7 +1062,7 @@ controls:
 - wireless_disable_interfaces
 - id: 3.1.3
- title: Ensure bluetooth services are not in use(Automated)
+ title: Ensure bluetooth services are not in use (Automated)
 levels:
 - l1_server
 - l2_workstation
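Review bot: Changing 3.1.3 from `status: partial` to `status: automated` while dropping the `# Missing rule package_bluez_removed` note leaves the control backed only by `service_bluetooth_disabled`; no package rule is added in place of the note. If the benchmark's audit for this control also requires the bluez package to be absent, as the removed note implies, `automated` overstates the coverage; either keep `status: partial` together with the note, or add a package-removal rule next to the service rule. The whole 3.1.3 entry is inside the hunk, so nothing outside it changes this reading.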
@@ -1071,7 +1071,7 @@ controls:
 - service_bluetooth_disabled
 
 - id: 3.2.1
- title: Ensure dccp kernel module is not available(Automated)
+ title: Ensure dccp kernel module is not available (Automated)
 levels:
 - l2_server
 - l2_workstation
@@ -1216,7 +1216,7 @@ controls:
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
 
 - id: 3.3.10
- title: Ensure tcp sync Cookies is enabled (Automated)
+ title: Ensure tcp sync cookies is enabled (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -1287,8 +1287,6 @@ controls:
 - firewalld_loopback_traffic_trusted
 - firewalld_loopback_traffic_restricted
 
-
-
 - id: 3.4.2.3
 title: Ensure firewalld drops unnecessary services and ports (Manual)
 levels:
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 13186361998..5019d6c8631 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -28,6 +28,7 @@ identifiers:
 references:
 cis-csc: 1,12,15,16
 cis@alinux2: 5.2.19
+ cis@rhel7: 5.2.15
 cis@sle12: 5.2.18
 cis@sle15: 5.2.18
 cjis: 5.5.6
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
index 200f793c91a..56a1a8ba0a2 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel9
+prodtype: rhel8,rhel9
 
 title: 'Configure Firewalld to Restrict Loopback Traffic'
 
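Review bot: The 3.3.10 title still reads `tcp sync cookies` after this hunk; the kernel feature is TCP SYN cookies (`net.ipv4.tcp_syncookies`), and as far as I recall the benchmark title is "Ensure tcp syn cookies is enabled", so `sync` is a typo introduced in patch 29 and carried forward here rather than a benchmark spelling. Change the line to `title: Ensure tcp syn cookies is enabled (Automated)`. The control's `rules:` entry lies outside the hunk, so the mapped rule is not checked here.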
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml index 80cf6668ef4..3262da82bfc 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9 +prodtype: rhel8,rhel9 title: 'Configure Firewalld to Trust Loopback Traffic' diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml index 9b554062bd1..496bfed3804 100644 --- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml +++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/rule.yml @@ -10,7 +10,7 @@ description: |- the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. -rationale: |- +rationale: | It is easier to allow acceptable usage than to block unacceptable usage. severity: medium @@ -23,6 +23,7 @@ identifiers: references: cis@rhel7: 3.4.3.7 + cis@rhel8: 3.4.2.5 cis@sle15: 3.5.2.8 cis@ubuntu2004: 3.5.2.8 cis@ubuntu2204: 3.5.2.8 diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml index d4737a43771..1748266e5f6 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml +++ b/linux_os/guide/system/network/network-nftables/set_nftables_base_chain/rule.yml 
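Review bot: The `rationale: |-` to `rationale: |` change in nftables_ensure_default_deny_policy looks incidental to the `cis@rhel8: 3.4.2.5` reference this commit adds: it switches the block scalar from strip to clip, so the rationale text now carries a trailing newline while the `description` a few lines above keeps `|-`. Unless the trailing newline is wanted, leave the line as `rationale: |-` so the two scalars in the rule stay consistent. The commit message mentions only reviewer comments, so if this was requested it deserves a word in the description.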
@@ -25,6 +25,7 @@ identifiers:
 
 references:
 cis@rhel7: 3.4.3.4
+ cis@rhel8: 3.4.2.1
 cis@sle15: 3.5.2.5
 cis@ubuntu2004: 3.5.2.5
 cis@ubuntu2204: 3.5.2.5
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
index ae1a36985f0..1c1c4848d9c 100644
--- a/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@sle15: CCE-92564-4
 
 references:
+ cis@rhel8: 3.4.2.4
 cis@sle15: 3.5.2.7
 
 ocil_clause: 'All nftables rules for established incoming, and for new and outbound connections do not match site policy'
From f138fb7503e567171640482640d5c119a47cd0e4 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 15:07:34 -0600
Subject: [PATCH 33/36] Remove CIS@rhel8 reference from set_firewalld_default_zone

---
 .../ruleset_modifications/set_firewalld_default_zone/rule.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
index 286429b0b82..ca690fbfcca 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
@@ -31,7 +31,6 @@ identifiers:
 references:
 ccn@rhel9: A.8.SEC-RHEL3
 cis-csc: 11,14,3,9
- cis@rhel8: 3.4.1.5
 cis@rhel9: 3.4.2.1
 cis@sle15: 3.5.1.4
 cjis: 5.10.1
From c12ea21cece2430482e59722852f204564ea301f Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 15:07:58 -0600
Subject: [PATCH 34/36] Add missing CCE to rules

---
 .../firewalld_loopback_traffic_restricted/rule.yml | 1 +
 .../firewalld_loopback_traffic_trusted/rule.yml | 1 +
 shared/references/cce-redhat-avail.txt | 2 --
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
index 56a1a8ba0a2..1b32c308033 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
@@ -30,6 +30,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhel8: CCE-87272-1
 cce@rhel9: CCE-86137-7
 
 references:
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
index 3262da82bfc..8f5c88fb05e 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
@@ -22,6 +22,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhel8: CCE-87278-8
 cce@rhel9: CCE-86116-1
 
 references:
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3c537c63452..1733e1c5075 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -773,13 +773,11 @@ CCE-87268-9
 CCE-87269-7
 CCE-87270-5
 CCE-87271-3
-CCE-87272-1
 CCE-87273-9
 CCE-87274-7
 CCE-87275-4
 CCE-87276-2
 CCE-87277-0
-CCE-87278-8
 CCE-87279-6
 CCE-87280-4
 CCE-87281-2
From e7b6987e3e282a465a3db6f596678a5ddf8620e7 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 16:42:57 -0600
Subject: [PATCH 35/36] Fix more review issues on CIS RHEL 8 section 3

---
 .../services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml | 2 +-
 .../firewalld_loopback_traffic_restricted/rule.yml | 1 +
 .../firewalld_loopback_traffic_trusted/rule.yml | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 5019d6c8631..290e88bbf3f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 references:
 cis-csc: 1,12,15,16
 cis@alinux2: 5.2.19
- cis@rhel7: 5.2.15
+ cis@rhel8: 5.2.15
 cis@sle12: 5.2.18
 cis@sle15: 5.2.18
 cjis: 5.5.6
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
index 1b32c308033..e1bddd579d7 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml
@@ -35,6 +35,7 @@ identifiers:
 
 references:
 ccn@rhel9: A.8.SEC-RHEL3
+ cis@rhel8: 3.4.2.2
 cis@rhel9: 3.4.2.4
 pcidss4: "1.4.1"
 
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
index 8f5c88fb05e..aac1e1750e4 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_trusted/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 
 references:
 ccn@rhel9: A.8.SEC-RHEL3
+ cis@rhel8: 3.4.2.2
 cis@rhel9: 3.4.2.4
 pcidss4: "1.4.1"
 
From 908eb8ab3cd0dac4876846c03ee99dba4ded8def Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 25 Jan 2024 16:50:08 -0600
Subject: [PATCH 36/36] Update RHEL 8 PCI DSS stability

---
 .../profile_stability/rhel8/pci-dss.profile | 453 +++++++++---------
 1 file changed, 228 insertions(+), 225 deletions(-)

diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 9845793bbcd..45038c76ea7 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -19,259 +19,261 @@ metadata: - vojtapolasek reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf selections: -- set_ip6tables_default_rule -- audit_rules_dac_modification_lremovexattr -- package_sudo_installed -- no_direct_root_logins -- file_groupowner_cron_d -- audit_rules_dac_modification_fchown -- sysctl_net_ipv4_conf_all_rp_filter -- accounts_password_warn_age_login_defs -- audit_rules_file_deletion_events_rmdir +- file_permissions_cron_d +- audit_rules_immutable - auditd_audispd_syslog_plugin_activated -- auditd_name_format -- file_permissions_etc_issue_net -- file_permissions_sshd_private_key -- grub2_enable_selinux -- audit_rules_dac_modification_fchmod -- audit_rules_session_events -- audit_rules_usergroup_modification_opasswd -- sshd_disable_x11_forwarding -- audit_rules_suid_privilege_function -- package_dhcp_removed -- dconf_gnome_screensaver_lock_delay -- file_groupowner_at_allow -- sshd_use_approved_macs -- audit_rules_login_events_faillock -- file_owner_etc_passwd -- sudo_add_use_pty -- file_owner_cron_monthly -- ensure_redhat_gpgkey_installed -- accounts_password_pam_pwhistory_remember_system_auth -- file_groupowner_cron_hourly +- coredump_disable_backtraces +- file_permissions_user_cfg - audit_rules_login_events_lastlog -- coredump_disable_storage -- accounts_password_all_shadowed -- dconf_gnome_screensaver_idle_delay -- no_shelllogin_for_systemaccounts -- audit_rules_usergroup_modification_passwd -- file_permissions_sshd_pub_key -- audit_rules_time_settimeofday -- directory_access_var_log_audit -- sysctl_kernel_core_pattern -- ensure_gpgcheck_never_disabled -- accounts_password_set_max_life_existing -- file_owner_crontab -- audit_rules_file_deletion_events_unlinkat -- auditd_data_retention_space_left +- file_at_deny_not_exist +- file_owner_backup_etc_passwd +- file_owner_cron_hourly +- file_permissions_etc_shadow - file_owner_grub2_cfg -- audit_rules_time_clock_settime -- no_empty_passwords +- 
set_firewalld_default_zone - accounts_passwords_pam_faillock_deny -- disable_users_coredumps -- grub2_audit_argument -- file_owner_cron_hourly -- set_password_hashing_algorithm_systemauth -- file_owner_backup_etc_group -- audit_rules_dac_modification_fremovexattr -- audit_rules_dac_modification_fsetxattr -- audit_rules_time_watch_localtime -- sysctl_net_ipv6_conf_default_accept_source_route -- sshd_disable_root_login -- service_nftables_disabled -- accounts_password_pam_minlen -- sysctl_net_ipv4_conf_default_send_redirects +- audit_rules_media_export +- dconf_gnome_screensaver_lock_delay +- file_owner_cron_d - file_groupowner_backup_etc_group -- sshd_set_loglevel_verbose -- chronyd_run_as_chrony_user -- group_unique_name +- file_permissions_grub2_cfg +- audit_rules_usergroup_modification_passwd +- no_files_unowned_by_user +- audit_rules_dac_modification_lremovexattr +- audit_rules_suid_privilege_function - package_xinetd_removed -- sudo_require_authentication -- dir_perms_world_writable_sticky_bits -- rpm_verify_ownership -- file_permissions_cron_d -- file_permissions_backup_etc_passwd -- service_rsyncd_disabled -- sshd_set_keepalive -- accounts_password_last_change_is_in_past -- audit_rules_networkconfig_modification -- bios_enable_execution_restrictions -- file_permissions_crontab +- selinux_policytype +- sshd_disable_root_login +- file_groupowner_user_cfg +- sshd_disable_empty_passwords +- accounts_password_pam_unix_remember +- accounts_no_uid_except_zero +- file_owner_cron_daily +- sshd_disable_rhosts +- accounts_tmout +- file_groupowner_cron_hourly +- sshd_set_maxstartups +- selinux_confinement_of_daemons +- sysctl_net_ipv4_conf_default_send_redirects +- audit_rules_time_clock_settime +- package_dhcp_removed +- file_permissions_etc_passwd +- sysctl_net_ipv6_conf_default_accept_source_route +- file_permissions_sshd_private_key +- file_permissions_cron_allow +- audit_rules_dac_modification_fsetxattr +- auditd_data_retention_space_left_action +- enable_authselect 
+- sysctl_net_ipv4_conf_all_rp_filter +- sshd_use_approved_macs - gnome_gdm_disable_automatic_login - sysctl_net_ipv4_conf_default_accept_redirects -- audit_rules_file_deletion_events_renameat -- file_owner_etc_shadow -- sudo_custom_logfile -- service_avahi-daemon_disabled -- account_unique_id -- audit_rules_dac_modification_removexattr -- sysctl_net_ipv4_ip_forward -- enable_authselect +- file_groupowner_crontab +- file_permissions_sshd_pub_key +- audit_rules_time_stime +- grub2_audit_argument +- audit_rules_login_events_faillock +- auditd_data_retention_space_left - file_owner_user_cfg -- sshd_do_not_permit_user_env -- coredump_disable_backtraces -- file_owner_backup_etc_passwd -- file_permissions_cron_allow -- package_audit_installed -- configure_ssh_crypto_policy -- audit_sudo_log_events -- file_owner_cron_d -- no_empty_passwords_etc_shadow -- dconf_gnome_disable_automount -- audit_rules_usergroup_modification_gshadow -- auditd_data_retention_admin_space_left_action -- file_permissions_sshd_config -- package_tftp_removed -- audit_rules_file_deletion_events_unlink -- package_aide_installed -- audit_rules_dac_modification_lsetxattr -- audit_rules_immutable -- audit_rules_sysadmin_actions -- accounts_set_post_pw_existing -- group_unique_id -- sshd_use_strong_kex -- account_unique_name -- audit_rules_login_events_tallylog -- rsyslog_files_permissions -- file_permissions_backup_etc_group +- kernel_module_dccp_disabled +- sshd_enable_pam +- audit_rules_networkconfig_modification +- set_ip6tables_default_rule +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses - package_ypserv_removed -- file_groupowner_etc_passwd -- sysctl_net_ipv4_tcp_syncookies -- rsyslog_files_ownership -- file_ownership_var_log_audit -- file_owner_etc_group -- package_logrotate_installed -- package_nftables_installed -- postfix_network_listening_disabled -- audit_rules_usergroup_modification_group -- account_disable_post_pw_expiration -- file_groupowner_etc_group -- file_permissions_user_cfg -- 
file_permissions_ungroupowned -- gnome_gdm_disable_guest_login -- sshd_set_max_auth_tries -- auditd_data_retention_space_left_action -- service_auditd_enabled -- configure_firewalld_ports -- dconf_db_up_to_date -- selinux_state -- service_firewalld_enabled -- accounts_root_gid_zero -- sshd_set_maxstartups -- file_permissions_etc_shadow -- sshd_use_approved_ciphers -- chronyd_specify_remote_server -- set_firewalld_default_zone -- file_permissions_etc_passwd -- sshd_disable_empty_passwords +- coredump_disable_storage +- dconf_gnome_screensaver_lock_enabled +- disable_host_auth +- audit_rules_dac_modification_fchownat +- file_permissions_etc_group +- file_permissions_unauthorized_world_writable +- bios_enable_execution_restrictions +- sudo_custom_logfile - file_permissions_cron_weekly +- audit_sudo_log_events +- aide_build_database +- network_sniffer_disabled +- package_nftables_installed +- rsyslog_files_permissions +- sshd_set_login_grace_time +- audit_rules_usergroup_modification_shadow +- file_permissions_at_allow +- audit_rules_file_deletion_events_renameat - accounts_password_pam_pwhistory_remember_password_auth -- install_PAE_kernel_on_x86-32 -- sshd_limit_user_access -- audit_rules_dac_modification_lchown -- file_groupowner_etc_shadow -- no_files_unowned_by_user -- set_password_hashing_algorithm_logindefs -- accounts_maximum_age_login_defs +- audit_rules_dac_modification_fchmodat - file_permissions_backup_etc_shadow +- aide_periodic_cron_checking +- package_sudo_installed - file_group_ownership_var_log_audit +- service_rpcbind_disabled +- service_auditd_enabled +- audit_rules_usergroup_modification_group +- set_password_hashing_algorithm_libuserconf +- dconf_gnome_screensaver_idle_delay +- audit_rules_dac_modification_chown +- accounts_maximum_age_login_defs +- account_disable_post_pw_expiration +- file_owner_etc_shadow +- account_unique_name +- directory_access_var_log_audit - file_owner_cron_weekly +- file_groupowner_cron_weekly +- no_direct_root_logins +- 
security_patches_up_to_date +- file_groupowner_grub2_cfg +- audit_rules_file_deletion_events_rename +- audit_rules_file_deletion_events_rmdir +- accounts_password_pam_lcredit +- file_groupowner_cron_d +- audit_rules_file_deletion_events_unlinkat +- file_groupowner_etc_shadow - file_permissions_var_log_audit -- sudo_require_reauthentication +- package_logrotate_installed +- file_owner_backup_etc_shadow +- file_ownership_var_log_audit +- display_login_attempts +- sshd_limit_user_access +- no_shelllogin_for_systemaccounts +- accounts_password_set_max_life_existing +- package_ypbind_removed +- file_owner_backup_etc_group +- package_telnet-server_removed - package_chrony_installed +- package_tftp_removed +- sysctl_net_ipv4_conf_all_secure_redirects +- service_nftables_disabled +- sysctl_net_ipv4_ip_forward +- kernel_module_sctp_disabled - audit_rules_time_adjtimex -- dconf_gnome_disable_automount_open -- file_groupowner_backup_etc_passwd +- package_aide_installed +- file_groupowner_etc_issue_net +- configure_firewalld_ports +- audit_rules_dac_modification_lsetxattr +- chronyd_run_as_chrony_user +- ensure_gpgcheck_never_disabled +- file_owner_crontab +- file_permissions_backup_etc_passwd +- audit_rules_dac_modification_fremovexattr +- file_owner_etc_group +- sshd_set_idle_timeout +- configure_ssh_crypto_policy - no_password_auth_for_systemaccounts -- aide_periodic_cron_checking -- dconf_gnome_screensaver_lock_enabled -- file_groupowner_cron_weekly -- accounts_tmout -- dconf_gnome_session_idle_user_locks -- configure_crypto_policy -- package_tftp-server_removed -- package_telnet_removed +- file_owner_cron_monthly +- set_password_hashing_algorithm_logindefs - ensure_gpgcheck_globally_activated -- package_ftp_removed +- audit_rules_dac_modification_removexattr +- file_groupowner_backup_etc_passwd +- sshd_disable_x11_forwarding +- kernel_module_usb-storage_disabled +- audit_rules_usergroup_modification_gshadow +- audit_rules_mac_modification +- ensure_redhat_gpgkey_installed 
+- file_groupowner_backup_etc_shadow +- firewalld_loopback_traffic_trusted +- grub2_audit_backlog_limit_argument +- sshd_use_strong_kex +- accounts_password_all_shadowed +- sshd_set_max_auth_tries +- audit_rules_session_events - ensure_pam_wheel_group_empty -- dconf_gnome_screensaver_idle_activation_enabled -- audit_rules_dac_modification_chmod -- security_patches_up_to_date -- kernel_module_dccp_disabled -- rpm_verify_hashes -- audit_rules_media_export -- sysctl_kernel_randomize_va_space -- sysctl_net_ipv4_conf_all_send_redirects +- sysctl_net_ipv4_tcp_syncookies +- audit_rules_time_watch_localtime +- file_owner_cron_allow +- configure_crypto_policy +- sshd_disable_tcp_forwarding +- audit_rules_dac_modification_fchown +- dconf_db_up_to_date +- package_tftp-server_removed +- audit_rules_dac_modification_lchown +- firewalld_loopback_traffic_restricted +- sudo_require_authentication +- package_libselinux_installed +- use_pam_wheel_group_for_su +- wireless_disable_interfaces +- file_permissions_backup_etc_group +- package_audit_installed +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- accounts_password_set_warn_age_existing +- account_unique_id +- file_cron_deny_not_exist +- file_permissions_cron_daily - rsyslog_files_groupownership -- audit_rules_mac_modification -- gid_passwd_group_same -- network_sniffer_disabled -- file_groupowner_cron_monthly -- sshd_set_max_sessions -- file_permissions_cron_monthly -- sshd_disable_rhosts +- disable_users_coredumps +- sudo_require_reauthentication +- accounts_password_pam_minlen +- sysctl_fs_suid_dumpable +- package_audispd-plugins_installed - accounts_passwords_pam_faillock_unlock_time +- audit_rules_dac_modification_fchmod +- audit_rules_file_deletion_events_unlink +- dconf_gnome_screensaver_mode_blank +- service_avahi-daemon_disabled +- sshd_do_not_permit_user_env +- dir_perms_world_writable_sticky_bits +- set_password_hashing_algorithm_systemauth +- rsyslog_files_ownership +- postfix_network_listening_disabled +- 
service_firewalld_enabled +- audit_rules_dac_modification_chmod +- accounts_password_pam_pwhistory_remember_system_auth +- file_groupowner_etc_passwd +- no_empty_passwords +- file_permissions_ungroupowned +- auditd_name_format +- install_PAE_kernel_on_x86-32 +- accounts_password_warn_age_login_defs +- ensure_root_password_configured +- selinux_state - file_groupowner_cron_allow -- sysctl_fs_suid_dumpable +- sshd_use_approved_ciphers +- audit_rules_login_events_tallylog +- network_nmcli_permissions +- sshd_set_loglevel_verbose +- gnome_gdm_disable_guest_login +- group_unique_name +- sysctl_kernel_core_pattern +- sshd_set_keepalive +- file_permissions_cron_monthly +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_automount +- chronyd_specify_remote_server +- file_groupowner_etc_group - file_groupowner_cron_daily -- ensure_root_password_configured -- file_cron_deny_not_exist -- accounts_no_uid_except_zero -- audit_rules_dac_modification_setxattr -- file_permissions_cron_daily -- sshd_enable_pam -- sshd_set_login_grace_time -- file_groupowner_user_cfg -- accounts_password_set_warn_age_existing -- file_owner_cron_allow -- disable_host_auth -- grub2_audit_backlog_limit_argument -- package_telnet-server_removed +- dconf_gnome_screensaver_idle_activation_enabled +- file_owner_etc_passwd +- package_ftp_removed +- audit_rules_sysadmin_actions +- file_groupowner_cron_monthly +- file_permissions_sshd_config +- audit_rules_time_settimeofday +- securetty_root_login_console_only +- file_permissions_etc_issue_net +- accounts_password_last_change_is_in_past +- gid_passwd_group_same +- rpm_verify_ownership - accounts_password_pam_dcredit -- package_ypbind_removed -- file_groupowner_crontab -- file_permissions_at_allow -- file_at_deny_not_exist -- file_groupowner_etc_issue_net -- service_rpcbind_disabled -- sshd_set_idle_timeout -- sysctl_net_ipv4_conf_all_secure_redirects -- sshd_disable_tcp_forwarding -- network_nmcli_permissions -- file_owner_cron_daily -- 
file_permissions_unauthorized_world_writable -- aide_build_database -- kernel_module_usb-storage_disabled +- service_rsyncd_disabled +- accounts_root_gid_zero +- grub2_enable_selinux - package_net-snmp_removed -- file_owner_backup_etc_shadow -- audit_rules_usergroup_modification_shadow -- service_chronyd_or_ntpd_enabled -- accounts_password_pam_unix_remember -- audit_rules_dac_modification_fchownat -- file_permissions_cron_hourly -- package_audispd-plugins_installed -- package_libselinux_installed -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- set_password_hashing_algorithm_libuserconf -- display_login_attempts -- file_permissions_grub2_cfg +- sshd_set_max_sessions +- sudo_add_use_pty +- file_groupowner_at_allow +- group_unique_id +- package_telnet_removed +- audit_rules_dac_modification_setxattr +- no_empty_passwords_etc_shadow - file_owner_etc_issue_net -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- use_pam_wheel_group_for_su -- accounts_password_pam_lcredit -- file_groupowner_backup_etc_shadow -- audit_rules_file_deletion_events_rename -- audit_rules_dac_modification_fchmodat -- file_permissions_etc_group -- audit_rules_time_stime -- kernel_module_sctp_disabled -- selinux_policytype -- wireless_disable_interfaces -- selinux_confinement_of_daemons -- file_groupowner_grub2_cfg -- audit_rules_dac_modification_chown -- securetty_root_login_console_only -- dconf_gnome_screensaver_mode_blank +- accounts_set_post_pw_existing +- sysctl_net_ipv4_conf_all_send_redirects +- rpm_verify_hashes +- audit_rules_usergroup_modification_opasswd +- dconf_gnome_session_idle_user_locks +- file_permissions_crontab +- auditd_data_retention_admin_space_left_action +- file_permissions_cron_hourly +- service_chronyd_or_ntpd_enabled +- sysctl_kernel_randomize_va_space - var_multiple_time_servers=generic - var_auditd_admin_space_left_action=single - var_auditd_space_left=100MB 
@@ -308,4 +310,5 @@ filter_rules: ''
 policies:
 - pcidss_4
 title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 8
+definition_location: /home/mburket/Developer/ComplianceAsCode/content/products/rhel8/profiles/pci-dss.profile
 documentation_complete: true
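Review bot: The added `definition_location` line commits an absolute path under a developer's home directory (`/home/mburket/Developer/...`) into a test fixture. If the stability test compares this field it will fail on every other machine and in CI; if it ignores the field, the line is noise that leaks local environment details and will churn on each regeneration. Either strip the key before committing the dump or record the path relative to the repository root, e.g. `definition_location: products/rhel8/profiles/pci-dss.profile`. The preceding hunk's wholesale reordering of `selections` (225 removals against 228 additions for a net gain of two rules) appears to come from the same regeneration; sorting the list before dumping would keep the fixture diffable.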