From f1a03bec677cdd4889ee55e6eacaf2af88039048 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:08:15 +0100 Subject: [PATCH 01/36] Update CIS RHEL7 section 4.1.1 4.1.1 - Configure cron Requirements were just moved from section 5 to section 4. --- controls/cis_rhel7.yml | 92 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 80 insertions(+), 12 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index dc85498537d..c4d66ad27fa 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -1473,25 +1473,93 @@ controls: related_rules: - service_ip6tables_enabled - - id: 4.1.15 - title: Ensure system administrator command executions (sudo) are collected (Automated) + - id: 4.1.1.1 + title: Ensure cron daemon is enabled and active (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - audit_rules_suid_privilege_function + - service_crond_enabled - - id: 4.1.16 - title: Ensure kernel module loading and unloading is collected (Automated) + - id: 4.1.1.2 + title: Ensure permissions on /etc/crontab are configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - id: 4.1.1.3 + title: Ensure permissions on /etc/cron.hourly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - id: 4.1.1.4 + title: Ensure permissions on /etc/cron.daily are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - id: 4.1.1.5 + title: Ensure permissions on /etc/cron.weekly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - id: 4.1.1.6 + title: Ensure permissions on /etc/cron.monthly are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - id: 4.1.1.7 + title: Ensure permissions on /etc/cron.d are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - 
file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + + - id: 4.1.1.8 + title: Ensure crontab is restricted to authorized users (Automated) + levels: + - l1_server + - l1_workstation status: automated rules: - - audit_rules_privileged_commands_insmod - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_modprobe + - file_groupowner_cron_allow + - file_cron_allow_exists + - file_owner_cron_allow + - file_cron_deny_not_exist + - file_permissions_cron_allow - id: 4.2.1 title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) From 683f74d7f9ada974425c9137fcd3609e520a4455 Mon Sep 17 00:00:00 2001 
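Review bot: The hunk removes controls 4.1.15 (sudo command collection, `audit_rules_suid_privilege_function`) and 4.1.16 (kernel module loading, `audit_rules_privileged_commands_insmod`/`rmmod`/`modprobe`) while the commit description only says the cron requirements were moved from section 5. If those audit controls are re-added under new ids by a later patch in the series that is not visible here; if not, the profile silently loses its auditd coverage for sudo and module events, so the description should state where they went. Separately, the rule list of 4.1.1.8 is the only one in this hunk not sorted alphabetically (`file_cron_allow_exists` and `file_cron_deny_not_exist` are interleaved with the owner/group/permission rules); ordering it like the other controls would keep the file uniform.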
From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:09:24 +0100 Subject: [PATCH 02/36] Update rules related to CIS RHEL7 4.1.1 References were updated in related rules. --- .../guide/services/cron_and_at/file_groupowner_cron_d/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_daily/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_hourly/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_monthly/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_weekly/rule.yml | 2 +- .../guide/services/cron_and_at/file_groupowner_crontab/rule.yml | 2 +- linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_daily/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_hourly/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_monthly/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_weekly/rule.yml | 2 +- linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml | 2 +- .../guide/services/cron_and_at/file_permissions_cron_d/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_daily/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_hourly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_monthly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_weekly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_crontab/rule.yml | 2 +- .../restrict_at_cron_users/file_cron_allow_exists/rule.yml | 2 +- .../restrict_at_cron_users/file_cron_deny_not_exist/rule.yml | 2 +- .../restrict_at_cron_users/file_groupowner_cron_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_owner_cron_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_permissions_cron_allow/rule.yml | 2 +- .../guide/services/cron_and_at/service_crond_enabled/rule.yml | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml index 3abb92ca1d1..64c950d90fd 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.7 cis@alinux3: 5.1.7 - cis@rhel7: 5.1.7 + cis@rhel7: 4.1.1.7 cis@rhel8: 5.1.7 cis@rhel9: 5.1.7 cis@sle12: 5.1.7 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml index 5b40e432e74..bfe39f06c99 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.4 cis@alinux3: 5.1.4 - cis@rhel7: 5.1.4 + cis@rhel7: 4.1.1.4 cis@rhel8: 5.1.4 cis@rhel9: 5.1.4 cis@sle12: 5.1.4 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml index 2877f4aa007..2f7e84475a6 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.3 cis@alinux3: 5.1.3 - cis@rhel7: 5.1.3 + cis@rhel7: 4.1.1.3 cis@rhel8: 5.1.3 cis@rhel9: 5.1.3 cis@sle12: 5.1.3 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml index 25c41071ed8..cb9e3d2fe2e 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml 
@@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.6 cis@alinux3: 5.1.6 - cis@rhel7: 5.1.6 + cis@rhel7: 4.1.1.6 cis@rhel8: 5.1.6 cis@rhel9: 5.1.6 cis@sle12: 5.1.6 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml index 4e056865ec6..b1216335f71 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.5 cis@alinux3: 5.1.5 - cis@rhel7: 5.1.5 + cis@rhel7: 4.1.1.5 cis@rhel8: 5.1.5 cis@rhel9: 5.1.5 cis@sle12: 5.1.5 diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml index 5fab0e08a91..be2bf7a650c 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.2 cis@alinux3: 5.1.2 - cis@rhel7: 5.1.2 + cis@rhel7: 4.1.1.2 cis@rhel8: 5.1.2 cis@rhel9: 5.1.2 cis@sle12: 5.1.2 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml index 4ce6712bc3b..69e702b816a 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.7 cis@alinux3: 5.1.7 - cis@rhel7: 5.1.7 + cis@rhel7: 4.1.1.7 cis@rhel8: 5.1.7 cis@rhel9: 5.1.7 cis@sle12: 5.1.7 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml index da0613579b2..54acdcc8470 100644 
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.4 cis@alinux3: 5.1.4 - cis@rhel7: 5.1.4 + cis@rhel7: 4.1.1.4 cis@rhel8: 5.1.4 cis@rhel9: 5.1.4 cis@sle12: 5.1.4 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml index 58b092a83fe..f4a1ecedd66 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.3 cis@alinux3: 5.1.3 - cis@rhel7: 5.1.3 + cis@rhel7: 4.1.1.3 cis@rhel8: 5.1.3 cis@rhel9: 5.1.3 cis@sle12: 5.1.3 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml index 37c27b0e3e4..66fb296b059 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.6 cis@alinux3: 5.1.6 - cis@rhel7: 5.1.6 + cis@rhel7: 4.1.1.6 cis@rhel8: 5.1.6 cis@rhel9: 5.1.6 cis@sle12: 5.1.6 diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml index 96523acc545..4e94224ed22 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.5 cis@alinux3: 5.1.5 - cis@rhel7: 5.1.5 + cis@rhel7: 4.1.1.5 cis@rhel8: 5.1.5 cis@rhel9: 5.1.5 cis@sle12: 5.1.5 
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml index aac564b93df..c8df5093cc7 100644 --- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.2 cis@alinux3: 5.1.2 - cis@rhel7: 5.1.2 + cis@rhel7: 4.1.1.2 cis@rhel8: 5.1.2 cis@rhel9: 5.1.2 cis@sle12: 5.1.2 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml index b549b5db9d6..f3f73b3263d 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.7 cis@alinux3: 5.1.7 - cis@rhel7: 5.1.7 + cis@rhel7: 4.1.1.7 cis@rhel8: 5.1.7 cis@rhel9: 5.1.7 cis@sle12: 5.1.7 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml index ae37098acc3..750a347073b 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.4 cis@alinux3: 5.1.4 - cis@rhel7: 5.1.4 + cis@rhel7: 4.1.1.4 cis@rhel8: 5.1.4 cis@rhel9: 5.1.4 cis@sle12: 5.1.4 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml index 1472b325429..7d0b36367db 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml 
@@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.3 cis@alinux3: 5.1.3 - cis@rhel7: 5.1.3 + cis@rhel7: 4.1.1.3 cis@rhel8: 5.1.3 cis@rhel9: 5.1.3 cis@sle12: 5.1.3 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml index 3d2c23d2563..9a08cbd7faa 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.6 cis@alinux3: 5.1.6 - cis@rhel7: 5.1.6 + cis@rhel7: 4.1.1.6 cis@rhel8: 5.1.6 cis@rhel9: 5.1.6 cis@sle12: 5.1.6 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml index 04c6ec13229..7addf394f06 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.5 cis@alinux3: 5.1.5 - cis@rhel7: 5.1.5 + cis@rhel7: 4.1.1.5 cis@rhel8: 5.1.5 cis@rhel9: 5.1.5 cis@sle12: 5.1.5 diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml index e83a9cc4a68..4dad1b7b2d6 100644 --- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.2 cis@alinux3: 5.1.2 - cis@rhel7: 5.1.2 + cis@rhel7: 4.1.1.2 cis@rhel8: 5.1.2 cis@rhel9: 5.1.2 cis@sle12: 5.1.2 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml index 15a6224bc92..8f291d83088 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml @@ -22,7 +22,7 @@ identifiers: cce@rhel9: CCE-86185-6 references: - cis@rhel7: 5.1.8 + cis@rhel7: 4.1.1.8 cis@rhel8: 5.1.8 cis@rhel9: 5.1.8 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml index 48ccf96dd15..c69299a31ea 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml @@ -25,7 +25,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.8 + cis@rhel7: 4.1.1.8 cis@rhel8: 5.1.8 cis@rhel9: 5.1.8 cis@sle12: 5.1.8 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml index 7d6d38ed50a..4d1dda42478 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.8 + cis@rhel7: 4.1.1.8 cis@rhel8: 5.1.8 cis@rhel9: 5.1.8 cis@sle12: 5.1.8 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml index 7ece85c3f5b..a8b52c2e43f 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 12,13,14,15,16,18,3,5 cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.8 + cis@rhel7: 4.1.1.8 cis@rhel8: 5.1.8 cis@rhel9: 5.1.8 cis@sle12: 5.1.8 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml index f7411575498..1f2799ada7e 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml @@ -34,7 +34,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.8 + cis@rhel7: 4.1.1.8 cis@rhel8: 5.1.8 cis@rhel9: 5.1.8 cis@sle12: 5.1.8 diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml index cf9de8728bf..b7be988e65e 100644 --- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml @@ -25,7 +25,7 @@ references: cis-csc: 11,14,3,9 cis@alinux2: 5.1.2 cis@alinux3: 5.1.1 - cis@rhel7: 5.1.1 + cis@rhel7: 4.1.1.1 cis@rhel8: 5.1.1 cis@rhel9: 5.1.1 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 From 49d1f7356ab94628a222d62f6f9b15cb5a06e234 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:12:21 +0100 Subject: [PATCH 03/36] Update CIS RHEL7 section 4.1.2 4.1.2 - Configure at Requirement was just moved from section 5 to section 4. --- controls/cis_rhel7.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index c4d66ad27fa..d4d39819517 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1561,6 +1561,18 @@ controls: - file_cron_deny_not_exist - file_permissions_cron_allow + - id: 4.1.2.1 + title: Ensure at is restricted to authorized users (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_at_allow + - file_owner_at_allow + - file_at_deny_not_exist + - file_permissions_at_allow + - id: 4.2.1 title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: From 68832efa5bf8eecffca9ca82f1842b941239e8b3 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:13:14 +0100 Subject: [PATCH 04/36] Update rules related to CIS RHEL7 4.1.2 References were updated in related rules. --- .../restrict_at_cron_users/file_at_deny_not_exist/rule.yml | 2 +- .../restrict_at_cron_users/file_groupowner_at_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_owner_at_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_permissions_at_allow/rule.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml index df8e8a93cc7..8cb991de380 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml 
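Review bot: Control 4.1.2.1 selects ownership, group and permission rules for the at allow file plus `file_at_deny_not_exist`, but unlike 4.1.1.8, which lists `file_cron_allow_exists`, nothing asserts that the at allow file actually exists, so the ownership and permission checks have nothing to verify on a host where it is absent. If the project has an equivalent existence rule for the at allow file it should be listed here; if it does not, a `notes:` entry recording that the existence check is not covered would make the gap explicit rather than implicit.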
@@ -24,7 +24,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.9 + cis@rhel7: 4.1.2.1 cis@rhel8: 5.1.9 cis@rhel9: 5.1.9 cis@sle12: 5.1.9 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml index 23ccbede636..dc815b5c170 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml @@ -24,7 +24,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.9 + cis@rhel7: 4.1.2.1 cis@rhel8: 5.1.9 cis@rhel9: 5.1.9 cis@sle12: 5.1.9 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml index 7a96ab251c0..38be6257fd6 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml @@ -24,7 +24,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.9 + cis@rhel7: 4.1.2.1 cis@rhel8: 5.1.9 cis@rhel9: 5.1.9 cis@sle12: 5.1.9 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml index 8a99a0aaa81..1029ab34641 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml @@ -34,7 +34,7 @@ identifiers: references: cis@alinux2: 5.1.8 cis@alinux3: 5.1.8 - cis@rhel7: 5.1.9 + cis@rhel7: 4.1.2.1 cis@rhel8: 5.1.9 cis@rhel9: 5.1.9 cis@sle12: 5.1.9 
From 2998bff3c94652e79cfe24f7e13139744de375e0 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:55:48 +0100 Subject: [PATCH 05/36] Update CIS RHEL7 section 4.2 4.2 - Configure SSH Server Basically requirements from section 5 were moved to section 4. Some requirements were dropped and others included. This section is very similar to CIS RHEL8. --- controls/cis_rhel7.yml | 226 +++++++++++++++++++++-------------------- 1 file changed, 114 insertions(+), 112 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index d4d39819517..dedbcd46bfd 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1576,19 +1576,19 @@ controls: - id: 4.2.1 title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_groupowner_sshd_config - - file_owner_sshd_config - - file_permissions_sshd_config + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config - id: 4.2.2 title: Ensure permissions on SSH private host key files are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - file_permissions_sshd_private_key 
@@ -1598,205 +1598,207 @@ controls: - id: 4.2.3 title: Ensure permissions on SSH public host key files are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - file_permissions_sshd_pub_key - - file_ownership_sshd_pub_key - - file_groupownership_sshd_pub_key + - file_permissions_sshd_pub_key + - file_ownership_sshd_pub_key + - file_groupownership_sshd_pub_key - id: 4.2.4 - title: Ensure SSH access is limited (Automated) + title: Ensure sshd access is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - sshd_limit_user_access - id: 4.2.5 - title: Ensure SSH LogLevel is appropriate (Automated) + title: Ensure sshd Banner is configured (Automated) levels: - - l1_server - - l1_workstation - notes: <- - The default rule is configured to enforce the "verbose" log level. Use - tailoring to change it to "info" level. - status: automated # we have two rules either for info or verbose, no way to select - related_rules: - - sshd_set_loglevel_info + - l1_server + - l1_workstation + status: automated rules: - - sshd_set_loglevel_verbose + - sshd_enable_warning_banner_net + related_rules: + - sshd_enable_warning_banner - id: 4.2.6 - title: Ensure SSH X11 forwarding is disabled (Automated) + title: Ensure sshd Ciphers are configured (Automated) levels: - - l2_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_disable_x11_forwarding + - sshd_use_approved_ciphers - id: 4.2.7 - title: Ensure SSH MaxAuthTries is set to 4 or less (Automated) + title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated + notes: |- + The requirement gives an example of 45 seconds, but is flexible about the values. 
It is only + necessary to ensure there is a timeout is configured in alignment to the site policy. rules: - - sshd_set_max_auth_tries - - sshd_max_auth_tries_value=4 + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=1 - id: 4.2.8 - title: Ensure SSH IgnoreRhosts is enabled (Automated) + title: Ensure sshd DisableForwarding is enabled (Automated) levels: - - l1_server - - l1_workstation - status: automated - rules: - - sshd_disable_rhosts + - l2_server + - l1_workstation + status: pending + notes: |- + New templated rule is necessary for "disableforwarding" option. + related_rules: + - sshd_disable_tcp_forwarding + - sshd_disable_x11_forwarding - id: 4.2.9 - title: Ensure SSH HostbasedAuthentication is disabled (Automated) + title: Ensure sshd GSSAPIAuthentication is disabled (Automated) levels: - - l1_server - - l1_workstation + - l2_server + - l1_workstation status: automated rules: - - disable_host_auth + - sshd_disable_gssapi_auth - id: 4.2.10 - title: Ensure SSH root login is disabled (Automated) + title: Ensure sshd HostbasedAuthentication is disabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_disable_root_login + - disable_host_auth - id: 4.2.11 - title: Ensure SSH PermitEmptyPasswords is disabled (Automated) + title: Ensure sshd IgnoreRhosts is enabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_disable_empty_passwords + - sshd_disable_rhosts - id: 4.2.12 - title: Ensure SSH PermitUserEnvironment is disabled (Automated) + title: Ensure sshd KexAlgorithms is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_do_not_permit_user_env + - sshd_use_strong_kex + - sshd_strong_kex=cis_rhel7 - id: 4.2.13 - title: Ensure only strong Ciphers are used (Automated) + title: Ensure 
sshd LoginGraceTime is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated - notes: <- - The rule checks for default list of ciphers provided in the benchmark. rules: - - sshd_approved_ciphers=cis_rhel7 - - sshd_use_approved_ciphers + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 - id: 4.2.14 - title: Ensure only strong MAC algorithms are used (Automated) + title: Ensure sshd LogLevel is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated - notes: <- - The rule checks for default list of MACs provided in the benchmark. + notes: |- + The CIS benchmark is not opinionated about which loglevel is selected here. Here, this + profile uses VERBOSE by default, as it allows for the capture of login and logout activity + as well as key fingerprints. rules: - - sshd_approved_macs=cis_rhel7 - - sshd_use_approved_macs + - sshd_set_loglevel_verbose + related_rules: + - sshd_set_loglevel_info - id: 4.2.15 - title: Ensure only strong Key Exchange algorithms are used (Automated) + title: Ensure sshd MACs are configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated - rules: - - sshd_use_strong_kex - - sshd_strong_kex=cis_rhel7 + related_rules: + - sshd_use_strong_macs + - sshd_strong_macs=cis_rhel7 - id: 4.2.16 - title: Ensure SSH Idle Timeout Interval is configured (Automated) + title: Ensure sshd MaxAuthTries is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_set_idle_timeout - - sshd_idle_timeout_value=15_minutes - - sshd_set_keepalive - - var_sshd_set_keepalive=0 + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries - id: 4.2.17 - title: Ensure SSH LoginGraceTime is set to one minute or less (Automated) + title: Ensure sshd MaxSessions is configured (Automated) levels: - - l1_server - - 
l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_set_login_grace_time - - var_sshd_set_login_grace_time=60 + - sshd_set_max_sessions + - var_sshd_max_sessions=10 - id: 4.2.18 - title: Ensure SSH warning banner is configured (Automated) + title: Ensure sshd MaxStartups is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_enable_warning_banner_net - related_rules: - - sshd_enable_warning_banner + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 - id: 4.2.19 - title: Ensure SSH PAM is enabled (Automated) + title: Ensure sshd PermitEmptyPasswords is disabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_enable_pam + - sshd_disable_empty_passwords - id: 4.2.20 - title: Ensure SSH AllowTcpForwarding is disabled (Automated) + title: Ensure sshd PermitRootLogin is disabled (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_disable_tcp_forwarding + - sshd_disable_root_login - id: 4.2.21 - title: Ensure SSH MaxStartups is configured (Automated) + title: Ensure sshd PermitUserEnvironment is disabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_set_maxstartups - - var_sshd_set_maxstartups=10:30:60 + - sshd_do_not_permit_user_env - id: 4.2.22 - title: Ensure SSH MaxSessions is limited (Automated) + title: Ensure sshd UsePAM is enabled (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: automated rules: - - sshd_set_max_sessions - - var_sshd_max_sessions=10 + - sshd_enable_pam - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) From 910dca76b1fb6d766c97c6ee225aeca3bb8713ac Mon Sep 17 00:00:00 2001 
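Review bot: Control 4.2.15 (sshd MACs) is marked `status: automated` but lists `sshd_use_strong_macs` and `sshd_strong_macs=cis_rhel7` under `related_rules:` instead of `rules:`, so the profile built from this file will not select any MAC check for that requirement; every other automated control in the hunk uses `rules:`, and the diffstat of the following patch adds a cis@rhel7 reference to the sshd_use_strong_macs rule and the sshd_strong_macs variable, which suggests `rules:` was intended. Changing that one key, `rules:` in place of `related_rules:` for 4.2.15, would fix it. Relatedly, 4.2.6 now selects `sshd_use_approved_ciphers` without the `sshd_approved_ciphers=cis_rhel7` variable that the old 4.2.13 carried, whereas 4.2.12 keeps `sshd_strong_kex=cis_rhel7`; unless the variable's default already matches the benchmark's cipher list, the cipher control should select the variable as well.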
From: Marcus Burghardt Date: Thu, 18 Jan 2024 11:57:37 +0100 Subject: [PATCH 06/36] Update rules related to CIS RHEL7 4.2 References were updated in related rules. Two variables were also updated. --- .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 2 +- .../ssh/ssh_server/sshd_disable_empty_passwords/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml | 1 + .../guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_disable_root_login/rule.yml | 2 +- .../ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml | 2 +- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 +- .../ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml | 2 +- linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml | 2 +- .../ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 2 +- .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_set_max_sessions/rule.yml | 2 +- .../guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml | 2 +- .../services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml | 2 +- .../guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml | 2 +- .../guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 1 + linux_os/guide/services/ssh/sshd_strong_kex.var | 2 +- linux_os/guide/services/ssh/sshd_strong_macs.var | 1 + 23 files changed, 23 insertions(+), 20 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml index 7792e86e2c4..b158d3eea51 100644 
--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml @@ -33,7 +33,7 @@ references: cis-csc: 11,12,14,15,16,18,3,5,9 cis@alinux2: 5.2.9 cis@alinux3: 5.2.9 - cis@rhel7: 4.2.9 + cis@rhel7: 4.2.10 cis@rhel8: 5.2.8 cis@rhel9: 5.2.8 cis@sle12: 5.2.9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index d15b30f90fa..38ca1ede9ff 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -34,7 +34,7 @@ references: cis-csc: 11,12,13,14,15,16,18,3,5,9 cis@alinux2: 5.2.11 cis@alinux3: 5.2.11 - cis@rhel7: 4.2.11 + cis@rhel7: 4.2.19 cis@rhel8: 5.2.9 cis@rhel9: 5.2.9 cis@sle12: 5.2.11 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml index 8fc2c97356d..c45531648ed 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml @@ -28,6 +28,7 @@ identifiers: references: cis-csc: 11,3,9 + cis@rhel7: 4.2.9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 cui: 3.1.12 disa: CCI-000318,CCI-000368,CCI-001812,CCI-001813,CCI-001814,CCI-000366 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml index 9122bcc7d44..25a8db0cd01 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml @@ -32,7 +32,7 @@ references: cis-csc: 11,12,14,15,16,18,3,5,9 cis@alinux2: 5.2.8 cis@alinux3: 5.2.8 - cis@rhel7: 4.2.8 + cis@rhel7: 4.2.11 cis@rhel8: 5.2.11 cis@rhel9: 5.2.11 cis@sle12: 5.2.8 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index e0a9f7080c8..e7426123d1b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -31,7 +31,7 @@ references: cis-csc: 1,11,12,13,14,15,16,18,3,5 cis@alinux2: 5.2.10 cis@alinux3: 5.2.10 - cis@rhel7: 4.2.10 + cis@rhel7: 4.2.20 cis@rhel8: 5.2.7 cis@rhel9: 5.2.7 cis@sle12: 5.2.10 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml index 5c5e39f5316..481ac31b652 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml @@ -22,7 +22,7 @@ identifiers: references: cis@alinux3: 5.2.17 - cis@rhel7: 4.2.20 + cis@rhel7: 4.2.8 cis@rhel8: 5.2.13 cis@rhel9: 5.2.13 cis@sle12: 5.2.20 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index c24276597a8..1b430ac1d32 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -34,7 +34,7 @@ identifiers: references: cis@alinux2: 5.2.6 cis@alinux3: 5.2.6 - cis@rhel7: 4.2.6 + cis@rhel7: 4.2.8 cis@rhel8: 5.2.12 cis@rhel9: 5.2.12 cis@sle12: 5.2.6 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index 59b9af32917..f5e3f26dfa3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml 
@@ -29,7 +29,7 @@ references: cis-csc: 11,3,9 cis@alinux2: 5.2.12 cis@alinux3: 5.2.12 - cis@rhel7: 4.2.12 + cis@rhel7: 4.2.21 cis@rhel8: 5.2.10 cis@rhel9: 5.2.10 cis@sle12: 5.2.12 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml index 7a2655b98d4..35e2b372348 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml @@ -28,7 +28,7 @@ identifiers: cce@sle15: CCE-91333-5 references: - cis@rhel7: 4.2.19 + cis@rhel7: 4.2.22 cis@rhel8: 5.2.6 cis@rhel9: 5.2.6 cis@sle12: 5.2.19 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml index 1816d802ad3..dcbc9d003ef 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml @@ -29,7 +29,7 @@ identifiers: references: ccn@rhel9: A.11.SEC-RHEL4 - cis@rhel7: 4.2.18 + cis@rhel7: 4.2.5 cis@rhel8: 5.2.15 cis@rhel9: 5.2.15 cis@ubuntu2004: 5.2.18 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index a3066a757b1..e891d79be60 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -43,7 +43,7 @@ references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8 cis@alinux2: 5.2.14 cis@alinux3: 5.2.13 - cis@rhel7: 4.2.16 + cis@rhel7: 4.2.7 cis@rhel8: 5.2.20 cis@rhel9: 5.2.20 cis@sle12: 5.2.16 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index 0be2cec246e..55ea6af9414 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -37,7 +37,7 @@ references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8 cis@alinux2: 5.2.14 cis@alinux3: 5.2.13 - cis@rhel7: 4.2.16 + cis@rhel7: 4.2.7 cis@rhel8: 5.2.20 cis@rhel9: 5.2.20 cis@sle12: 5.2.16 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml index c7d7de49627..af0be671bd9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml @@ -25,7 +25,7 @@ identifiers: references: cis@alinux2: 5.2.15 cis@alinux3: 5.2.14 - cis@rhel7: 4.2.17 + cis@rhel7: 4.2.13 cis@rhel8: 5.2.19 cis@rhel9: 5.2.19 cis@sle12: 5.2.17 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml index 19c4df0e29d..e55891a6779 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml @@ -34,7 +34,7 @@ references: cis@alinux3: 5.2.5 cis@debian10: 9.3.2 cis@debian11: 9.3.2 - cis@rhel7: 5.3.5 + cis@rhel7: 4.2.14 cis@rhel8: 5.2.5 cis@rhel9: 5.2.5 cis@sle12: 5.2.5 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index cacfd1a6470..d31fa829701 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml @@ -30,7 +30,7 @@ identifiers: references: cis@alinux2: 5.2.5 cis@alinux3: 5.2.5 - cis@rhel7: 4.2.5 + cis@rhel7: 4.2.14 cis@rhel8: 5.2.5 cis@rhel9: 5.2.5 cis@sle12: 5.2.5 
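Review bot: sshd_set_loglevel_info and sshd_set_loglevel_verbose both now carry `cis@rhel7: 4.2.14`, yet the two rules set mutually exclusive LogLevel values, so the 4.2.14 entry in controls/cis_rhel7.yml (not in this diff) must select only one of them and keep the other under related_rules. As references on the rule files the shared number is correct, since the benchmark item accepts either level. The other shared numbers in this commit, 4.2.7 (idle_timeout and keepalive) and 4.2.8 (tcp and x11 forwarding), are not a conflict because those rule pairs are complementary rather than exclusive.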
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml index 45a4096f2e4..35f921005b8 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml @@ -25,7 +25,7 @@ references: cis@alinux2: 5.2.7 cis@alinux3: 5.2.7 cis@debian11: 9.3.5 - cis@rhel7: 4.2.7 + cis@rhel7: 4.2.16 cis@rhel8: 5.2.16 cis@rhel9: 5.2.16 cis@sle12: 5.2.7 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml index a9e989caa0e..f0861546cc5 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml @@ -22,7 +22,7 @@ identifiers: cce@sle15: CCE-91309-5 references: - cis@rhel7: 4.2.22 + cis@rhel7: 4.2.17 cis@rhel8: 5.2.18 cis@rhel9: 5.2.18 cis@sle12: 5.2.22 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml index 501dc067964..e8ada2410d1 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml @@ -28,7 +28,7 @@ identifiers: cce@sle15: CCE-91308-7 references: - cis@rhel7: 4.2.21 + cis@rhel7: 4.2.18 cis@rhel8: 5.2.17 cis@rhel9: 5.2.17 cis@sle12: 5.2.21 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index e48d5cbbb74..111416daa85 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml 
@@ -55,7 +55,7 @@ identifiers: references: cis-csc: 1,11,12,14,15,16,18,3,5,6,8,9 cis@alinux2: 5.2.17 - cis@rhel7: 4.2.13 + cis@rhel7: 4.2.6 cis@sle12: 5.2.13 cis@sle15: 5.2.13 cis@ubuntu2004: 5.2.12 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml index fcfe592c80a..4a39ef29401 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@sle15: CCE-92626-1 references: - cis@rhel7: 4.2.15 + cis@rhel7: 4.2.12 cis@sle12: 5.2.15 cis@sle15: 5.2.15 cis@ubuntu2004: 5.2.14 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml index 59c831b9d25..927e35684fa 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@sle15: CCE-91396-2 references: + cis@rhel7: 4.2.15 cis@sle12: 5.2.14 cis@sle15: 5.2.14 cis@ubuntu2204: 5.2.14 diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var index 30475346d33..c7a27e433d3 100644 --- a/linux_os/guide/services/ssh/sshd_strong_kex.var +++ b/linux_os/guide/services/ssh/sshd_strong_kex.var 
@@ -13,7 +13,7 @@ interactive: false options: default: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 - cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + cis_rhel7: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 cis_sle12: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 cis_sle15: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 cis_ubuntu2004: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var index b7d155f1cbc..48477e7422a 100644 --- a/linux_os/guide/services/ssh/sshd_strong_macs.var +++ b/linux_os/guide/services/ssh/sshd_strong_macs.var 
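Review bot: The cis_rhel7 value changes only the order of the three ecdh-sha2 curves (nistp256 now ahead of nistp521); KexAlgorithms is a preference-ordered list, so if the rule's comparison or the benchmark's audit is order-sensitive this changes which configurations count as compliant. curve25519 stays first, which keeps the strongest option as the preferred one, but the new order should be confirmed against the 4.2.12 benchmark text since the commit message only says the variable was "updated". A one-line comment on the option, such as `# order as listed in CIS RHEL7 4.2.12`, would spare the next reviewer the same question.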
@@ -12,6 +12,7 @@ interactive: false options: default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 + cis_rhel7: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 From ff6f62674c5e52b036bed63d7968a9f37b8f4931 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:10:57 +0100 Subject: [PATCH 07/36] Update CIS RHEL7 section 4.3 4.3 - Configure privilege escalation Some requirements were moved from section 5 to section 3 while others were included. --- controls/cis_rhel7.yml | 77 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index dedbcd46bfd..aa0a8749064 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
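Review bot: The new `cis_rhel7` MAC list omits `umac-128-etm@openssh.com` and `hmac-ripemd160`, both of which the `default` value above keeps. Dropping hmac-ripemd160 is the stronger choice, but umac-128-etm is retained in cis_sle15 and cis_ubuntu2204 in the same file, so its absence here should be confirmed as matching the 4.2.15 benchmark text rather than an accidental shortening. If it is intentional, saying so in the commit message (currently just "Two variables were also updated") would help.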
@@ -1800,6 +1800,83 @@ controls: rules: - sshd_enable_pam + - id: 4.3.1 + title: Ensure sudo is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_sudo_installed + + - id: 4.3.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_add_use_pty + + - id: 4.3.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_custom_logfile + - var_sudo_logfile=var_log_sudo_log + + - id: 4.3.4 + title: Ensure users must provide password for escalation (Automated) + levels: + - l2_server + - l2_workstation + status: automated + notes: |- + The rule sudo_require_authentication can probably be split to better attend requirements + 4.3.4 and 4.3.5. + rules: + - sudo_require_authentication + + - id: 4.3.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The rule sudo_require_authentication can probably be split to better attend requirements + 4.3.4 and 4.3.5. + rules: + - sudo_require_authentication + + - id: 4.3.6 + title: Ensure sudo authentication timeout is configured correctly (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - sudo_require_reauthentication + + - id: 4.3.7 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + Members of "wheel" or GID 0 groups are checked by default if the group option is not set for + pam_wheel.so module. The recommendation states the group should be empty to reinforce the + use of "sudo" for privileged access. Therefore, members of these groups should be manually + checked or a different group should be informed. 
+ rules: + - var_pam_wheel_group_for_su=cis + - use_pam_wheel_group_for_su + - ensure_pam_wheel_group_empty + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From b3c036b11ad50f024c0a6a869018edacf764e803 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:12:27 +0100 Subject: [PATCH 08/36] Update rules related to CIS RHEL7 4.3 References were updated in related rules. --- .../guide/system/software/sudo/package_sudo_installed/rule.yml | 2 +- linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml | 2 +- .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- .../system/software/sudo/sudo_require_authentication/rule.yml | 1 + .../system/software/sudo/sudo_require_reauthentication/rule.yml | 1 + 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml index e4a1aae3d62..2ac407d6814 100644 --- a/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml +++ b/linux_os/guide/system/software/sudo/package_sudo_installed/rule.yml @@ -26,7 +26,7 @@ identifiers: references: anssi: BP28(R19) cis@alinux3: 5.3.1 - cis@rhel7: 5.2.1 + cis@rhel7: 4.3.1 cis@rhel8: 5.3.1 cis@rhel9: 5.3.1 cis@sle12: 1.3.1 diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml index e5249293a3d..2da8dc0d8c0 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/rule.yml @@ -25,7 +25,7 @@ identifiers: references: anssi: BP28(R58) ccn@rhel9: A.5.SEC-RHEL1 - cis@rhel7: 5.2.2 + cis@rhel7: 4.3.2 cis@rhel8: 5.3.2 cis@rhel9: 5.3.2 cis@sle12: 1.3.2 diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml index 5bc09fde527..37ad20286c8 100644 
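Review bot: 4.3.4 is placed at l2 while 4.3.5 is l1, but both select the same rule `sudo_require_authentication`, so the level distinction has no practical effect: the l1 profiles already select the rule through 4.3.5, and until the rule is split as the notes anticipate a level-1 scan will either enforce the level-2 requirement too or report it as met without a dedicated check. The note should state this, e.g. `Until the rule is split, both controls select the same rule, so the l2 level on 4.3.4 is not effective.` Two wording fixes in the same hunk: "better attend requirements" reads as "better address requirements", and in the 4.3.7 note "a different group should be informed" reads as "a different group should be specified in var_pam_wheel_group_for_su".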
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml @@ -21,7 +21,7 @@ identifiers: references: cis@alinux3: 5.3.3 - cis@rhel7: 5.2.3 + cis@rhel7: 4.3.3 cis@rhel8: 5.3.3 cis@rhel9: 5.3.3 cis@sle12: 1.3.3 diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml index f6402cb642e..a335eb82e83 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml @@ -28,6 +28,7 @@ identifiers: references: ccn@rhel9: A.5.SEC-RHEL2 cis-csc: 1,12,15,16,5 + cis@rhel7: 4.3.4,4.3.5 cis@rhel8: 5.3.4 cis@rhel9: 5.3.4 cis@ubuntu2204: 5.3.4 diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml index d686624d100..af5de1186eb 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml @@ -32,6 +32,7 @@ identifiers: references: ccn@rhel9: A.5.SEC-RHEL2 + cis@rhel7: 4.3.6 cis@rhel8: 5.3.5,5.3.6 cis@rhel9: 5.3.5,5.3.6 cis@ubuntu2204: 5.3.6 From d830db5dd354451c450000d30dd300bc5f75c79b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:14:09 +0100 Subject: [PATCH 09/36] Enable rhel7 in rules required by CIS RHEL7 --- .../root_logins/ensure_pam_wheel_group_empty/rule.yml | 4 +++- .../root_logins/use_pam_wheel_group_for_su/rule.yml | 4 +++- shared/references/cce-redhat-avail.txt | 2 -- 3 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml index d7bae1e31f7..37fe768d556 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty' @@ -19,12 +19,14 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-86888-5 cce@rhel8: CCE-86071-8 cce@rhel9: CCE-86072-6 cce@sle12: CCE-92353-2 cce@sle15: CCE-92528-9 references: + cis@rhel7: 4.3.7 cis@rhel8: 5.3.7 cis@rhel9: 5.3.7 cis@sle12: '5.6' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml index ce8353fcc85..b445d98e603 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication' @@ -18,12 +18,14 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-86886-9 cce@rhel8: CCE-86064-3 cce@rhel9: CCE-86065-0 cce@sle12: CCE-92351-6 cce@sle15: CCE-92522-2 references: + cis@rhel7: 4.3.7 cis@rhel8: 5.3.7 cis@rhel9: 5.3.7 cis@sle12: '5.6' 
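Review bot: Both rules are enabled for rhel7 through prodtype and get CCE and CIS identifiers, but nothing in this diff shows that the rules' check and remediation content applies to RHEL 7; that content lives outside the hunks, so this is a question rather than a finding. Please confirm a rhel7 build and the rules' test scenarios pass for `ensure_pam_wheel_group_empty` and `use_pam_wheel_group_for_su` before merging; the same applies to the second hunk of each file, which adds the identifiers. The CCE reservations are consistent with the two values removed from cce-redhat-avail.txt in the following hunk.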
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index a3fa3fc3733..58ab5379424 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -482,8 +482,6 @@ CCE-86879-4 CCE-86880-2 CCE-86881-0 CCE-86882-8 -CCE-86886-9 -CCE-86888-5 CCE-86889-3 CCE-86890-1 CCE-86891-9 From db2f97ccf99d62afdace74ab1e60a646730d95b9 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:20:13 +0100 Subject: [PATCH 10/36] Update CIS RHEL7 section 4.4.1 4.4.1 - Configure PAM software packages --- controls/cis_rhel7.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index aa0a8749064..58c2eb76b16 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1877,6 +1877,24 @@ controls: - use_pam_wheel_group_for_su - ensure_pam_wheel_group_empty + - id: 4.4.1.1 + title: Ensure latest version of pam is installed (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + It is necessary a new rule to ensure PAM package is updated. + + - id: 4.4.1.2 + title: Ensure libpwquality is installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_pam_pwquality_installed + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 0226f6e4a456550f9f0bf00d509ddd2a1c95899f Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:21:05 +0100 Subject: [PATCH 11/36] Update rules related to CIS RHEL7 4.4.1 References were included in package_pam_pwquality_installed. --- .../accounts-pam/package_pam_pwquality_installed/rule.yml | 6 ++++++ shared/references/cce-redhat-avail.txt | 3 --- 2 files changed, 6 insertions(+), 3 deletions(-) 
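Review bot: 4.4.1.1 uses `status: pending` with a note that a new rule is needed, while 4.4.2.2.6 later in this series (the 4.4.2.2 commit) uses `status: planned` for the same situation of an identified but not yet written rule; the two controls should use the same status, and `planned` looks like the better fit once the work is identified. The note's wording is also off; suggest `A new rule is necessary to ensure the PAM package is up to date.`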
diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml index 48798893e39..6a762e21583 100644 --- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml @@ -20,7 +20,13 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: CCE-86224-3 + cce@rhel8: CCE-86225-0 + cce@rhel9: CCE-86226-8 + references: + cis@rhel7: 4.4.1.2 cis@ubuntu2004: 5.3.1 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00225 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 58ab5379424..9694024bc99 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -55,9 +55,6 @@ CCE-86214-4 CCE-86216-9 CCE-86217-7 CCE-86218-5 -CCE-86224-3 -CCE-86225-0 -CCE-86226-8 CCE-86229-2 CCE-86241-7 CCE-86242-5 From 7ab81e8b406328c1244d6f046b073d10400dd2b0 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:32:46 +0100 Subject: [PATCH 12/36] Update CIS RHEL7 section 4.4.2.1 4.4.2.1 - Configure pam_faillock module --- controls/cis_rhel7.yml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 58c2eb76b16..8bd8e4f0651 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
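Review bot: The new identifiers block adds CCEs for rhel7, rhel8 and rhel9 but only a `cis@rhel7` reference, and the rule's prodtype is not in the hunk, so please confirm all three products are listed there; if one is not, its CCE is consumed from the avail list without being used by any build (inferred, since the prodtype line is outside this diff). The three values removed from cce-redhat-avail.txt match the three identifiers added, so the bookkeeping itself is consistent.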
@@ -1895,6 +1895,46 @@ controls: rules: - package_pam_pwquality_installed + - id: 4.4.2.1.1 + title: Ensure pam_faillock module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is more specifically satisfied by 4.4.2.1.2. + related_rules: + - accounts_passwords_pam_faillock_deny + + - id: 4.4.2.1.2 + title: Ensure lockout for failed password attempts is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=5 + + - id: 4.4.2.1.3 + title: Ensure password unlock time is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 + + - id: 4.4.2.1.4 + title: Ensure password failed attempts lockout includes root account (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - accounts_passwords_pam_faillock_deny_root + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 10c99b4fc6919ad81371cfbfa98c7b780d7a2111 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:33:23 +0100 Subject: [PATCH 13/36] Update rules related to CIS RHEL7 4.4.2.1 References were updated in related rules. --- .../accounts_passwords_pam_faillock_deny/rule.yml | 2 +- .../accounts_passwords_pam_faillock_deny_root/rule.yml | 1 + .../accounts_passwords_pam_faillock_unlock_time/rule.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index eac06cfea20..0dbac4b14a1 100644 
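Review bot: 4.4.2.1.1 is `status: automated` but selects nothing (it has `related_rules` only), so its coverage exists solely because 4.4.2.1.2 selects accounts_passwords_pam_faillock_deny; this differs from 4.3.4/4.3.5 earlier in the series, where the shared rule is listed under `rules:` for both controls. Since the rule itself is given `cis@rhel7: 4.4.2.1.1,4.4.2.1.2` in the next commit, listing it under `rules:` here as well would keep the control and the reference consistent and avoid an automated control with no selected rule. If the project's validation does not accept `automated` without `rules:`, this entry would fail it (inferred; the validator is not in this diff).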
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -43,7 +43,7 @@ references: anssi: BP28(R18) ccn@rhel9: A.30.SEC-RHEL1 cis-csc: 1,12,15,16 - cis@rhel7: 5.4.2 + cis@rhel7: 4.4.2.1.1,4.4.2.1.2 cis@rhel8: 5.4.2,5.5.2 cis@rhel9: 5.4.2,5.5.2 cis@ubuntu2204: 5.4.2 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index a34189ab72f..f9fd05a6c03 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -30,6 +30,7 @@ identifiers: references: anssi: BP28(R18) cis-csc: 1,12,15,16 + cis@rhel7: 4.4.2.1.4 cobit5: DSS05.04,DSS05.10,DSS06.10 disa: CCI-002238,CCI-000044 isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index 83647493e7e..1517403129c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml 
@@ -45,7 +45,7 @@ references: anssi: BP28(R18) ccn@rhel9: A.30.SEC-RHEL1 cis-csc: 1,12,15,16 - cis@rhel7: 5.4.2 + cis@rhel7: 4.4.2.1.3 cis@rhel8: 5.5.2 cis@rhel9: 5.5.2 cis@ubuntu2204: 5.4.2 From d8636c3995a512657b2521a5ca91dc87d7530b59 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:51:10 +0100 Subject: [PATCH 14/36] Update CIS RHEL7 section 4.4.2.2 4.4.2.2 - Configure pam_pwquality module --- controls/cis_rhel7.yml | 82 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 8bd8e4f0651..7b672c6f672 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -1935,6 +1935,88 @@ controls: rules: - accounts_passwords_pam_faillock_deny_root + - id: 4.4.2.2.1 + title: Ensure pam_pwquality module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + This requirement is probably automatically satisfied when by the 4.4.1.2. + It is necessary to better investigate the scenarios to confirm. + related_rules: + - package_pam_pwquality_installed + + - id: 4.4.2.2.2 + title: Ensure password number of changed characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_difok + - var_password_pam_difok=2 + + - id: 4.4.2.2.3 + title: Ensure password length is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_minlen + - var_password_pam_minlen=14 + + - id: 4.4.2.2.4 + title: Ensure password complexity is configured (Manual) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + This requirement is expected to be manual. However, in previous versions of the policy + it was already automated the configuration of "minclass" option. This posture was kept for + RHEL 7 in this new version. Rules related to other options are informed in related_rules. + In short, minclass=4 alone can achieve the same result achieved by the combination of the + other 4 options mentioned in the policy. 
+ rules: + - accounts_password_pam_minclass + - var_password_pam_minclass=4 + related_rules: + - accounts_password_pam_dcredit + - accounts_password_pam_lcredit + - accounts_password_pam_ocredit + - accounts_password_pam_ucredit + + - id: 4.4.2.2.5 + title: Ensure password same consecutive characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_maxrepeat + - var_password_pam_maxrepeat=3 + + - id: 4.4.2.2.6 + title: Ensure password maximum sequential characters is configured (Automated) + levels: + - l1_server + - l1_workstation + status: planned + notes: |- + A new templated rule and variable are necessary for the maxsequence option. + + - id: 4.4.2.2.7 + title: Ensure password dictionary check is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_dictcheck + - var_password_pam_dictcheck=1 + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 4c9855b495392bde54e00d3907c8ebe8f6f56165 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:52:50 +0100 Subject: [PATCH 15/36] Update rules related to CIS RHEL7 4.4.2.2 References were updated in related rules. --- .../accounts_password_pam_dcredit/rule.yml | 2 +- .../accounts_password_pam_difok/rule.yml | 1 + .../accounts_password_pam_lcredit/rule.yml | 2 +- .../accounts_password_pam_maxrepeat/rule.yml | 1 + .../accounts_password_pam_minclass/rule.yml | 2 +- .../accounts_password_pam_minlen/rule.yml | 2 +- .../accounts_password_pam_ocredit/rule.yml | 2 +- .../accounts_password_pam_ucredit/rule.yml | 2 +- 8 files changed, 8 insertions(+), 6 deletions(-) 
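Review bot: The notes for 4.4.2.2.1 contain a stray word, `This requirement is probably automatically satisfied when by the 4.4.1.2.`, which should read `This requirement is probably automatically satisfied by 4.4.1.2.`. The 4.4.2.2.4 notes have the same kind of wording slip: `it was already automated the configuration of "minclass" option` reads better as `the configuration of the "minclass" option was already automated`, and `are informed in related_rules` as `are listed in related_rules`. Since these notes are what a reader relies on to understand why a requirement titled (Manual) carries `status: automated`, the wording is worth tightening before it lands.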
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 9f91043dc04..0daa5d87c4e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -36,7 +36,7 @@ references: anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.4 cis@ubuntu2004: 5.3.1 cis@ubuntu2204: 5.4.1 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index 686bf9dbe8b..a846c7d45f0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -36,6 +36,7 @@ identifiers: references: cis-csc: 1,12,15,16,5 + cis@rhel7: 4.4.2.2.2 cjis: 5.6.2.1.1 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 disa: CCI-000195 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml index 5963a501dd0..b58115c5c67 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -36,7 +36,7 @@ references: anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.4 cis@ubuntu2004: 5.3.1 cis@ubuntu2204: 5.4.1 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml index 816d07b4651..0f81db80490 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml @@ -31,6 +31,7 @@ identifiers: references: cis-csc: 1,12,15,16,5 + cis@rhel7: 4.4.2.2.5 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 disa: CCI-000195 isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index 90011107354..89d01e9e538 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml 
@@ -46,7 +46,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 cis@alinux3: 5.5.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.4 cis@rhel8: 5.5.1 cis@rhel9: 5.5.1 cis@ubuntu2004: 5.3.1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index 59bc15a46d6..47d6060c806 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -35,7 +35,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 cis@alinux3: 5.5.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.3 cis@rhel8: 5.5.1 cis@rhel9: 5.5.1 cis@sle12: 5.3.1 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index cd398e39f86..82650d16390 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml @@ -38,7 +38,7 @@ references: anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.4 cis@ubuntu2004: 5.3.1 cis@ubuntu2204: 5.4.1 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 259558e4653..b860d55b35e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml @@ -33,7 +33,7 @@ references: anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.1 - cis@rhel7: 5.4.1 + cis@rhel7: 4.4.2.2.4 cis@ubuntu2004: 5.3.1 cis@ubuntu2204: 5.4.1 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 From 2c25074ffa8053f9a8073a33593db09921a8ac08 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 12:53:28 +0100 Subject: [PATCH 16/36] Enable accounts_password_pam_dictcheck to rhel7 This rule satisfies the CIS RHEL7 requirement 4.4.2.2.7. --- .../accounts_password_pam_dictcheck/rule.yml | 4 +++- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml index 26640dcd757..8e275aaf135 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,ol9,rhel8,rhel9,ubuntu2004 +prodtype: fedora,ol8,ol9,rhel7,rhel8,rhel9,ubuntu2004 title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' @@ -22,10 +22,12 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-87158-2 cce@rhel8: CCE-86233-4 cce@rhel9: CCE-88413-0 references: + cis@rhel7: 4.4.2.2.7 disa: CCI-000366 nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) srg: SRG-OS-000480-GPOS-00225 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 9694024bc99..6761091182b 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -688,7 +688,6 @@ CCE-87154-1 CCE-87155-8 CCE-87156-6 CCE-87157-4 -CCE-87158-2 CCE-87160-8 CCE-87161-6 CCE-87162-4 From 9010165c2c0aa68a6c9ba0c438735b2306f80465 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:13:02 +0100 Subject: [PATCH 17/36] Update CIS RHEL7 section 4.4.2.4 4.4.2.4 - Configure pam_unix module --- controls/cis_rhel7.yml | 91 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 7b672c6f672..45d26e73c8a 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -2017,6 +2017,97 @@ controls: - accounts_password_pam_dictcheck - var_password_pam_dictcheck=1 + - id: 4.4.2.3.1 + title: Ensure pam_pwhistory module is enabled (Automated) + levels: + - l1_server + - l1_workstation + status: automated + notes: |- + The module is properly enabled by the rules mentioned in related_rules. + Requirement 4.4.2.3.2 uses these rules more specifically. + related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + + - id: 4.4.2.3.2 + title: Ensure password history remember is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=24 + + - id: 4.4.2.3.3 + title: Ensure password history is enforced for the root user (Automated) + levels: + - l1_server + - l1_workstation + status: planned + notes: |- + A new rule needs to be created to check and remediate the enforce_for_root option in + /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference. + + - id: 4.4.2.3.4 + title: Ensure pam_pwhistory includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + We don't have a rule to check and remediate this option specifically in RHEL7. 
+ related_rules: + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + + - id: 4.4.2.4.1 + title: Ensure pam_unix does not include nullok (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - no_empty_passwords + + - id: 4.4.2.4.2 + title: Ensure pam_unix does not include remember (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + Usage of pam_unix.so module together with "remember" option is deprecated and is not + recommened by this policy. Instead, it should be used remember option of pam_pwhistory + module, as required in 4.4.2.3.2. See here for more details about pam_unix.so: + https://bugzilla.redhat.com/show_bug.cgi?id=1778929 + A new rule needs to be created to remove the remember option from pam_unix module. + + - id: 4.4.2.4.3 + title: Ensure pam_unix includes a strong password hashing algorithm (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + + - id: 4.4.2.4.4 + title: Ensure pam_unix includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + status: partial + notes: |- + In RHEL 7 pam_unix is enabled by default already with the use_authtok option set. + In any case, we don't have a rule to check this option specifically. Similar to 4.4.2.3.4. + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 5396d318e2f9e87f4d692052dee159fb394b8a8b Mon Sep 17 00:00:00 2001 
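Review bot: The 4.4.2.3.3 notes point a future rule at `/etc/security/pwhistory.conf`, but as far as I know that file is only read by pam_pwhistory from Linux-PAM 1.4.0 onwards, which is newer than the PAM shipped with RHEL 7; please confirm before a rule is written against it. If that is right, `enforce_for_root` on RHEL 7 has to be checked as an option on the `pam_pwhistory.so` lines in the system-auth and password-auth files, the same place the two `accounts_password_pam_pwhistory_remember_*` rules listed just above already operate, and the note should say so. Separately, the 4.4.2.4.2 notes have a typo and an awkward sentence: `recommened` should be `recommended`, and `Instead, it should be used remember option of pam_pwhistory module` reads better as `Instead, the remember option of the pam_pwhistory module should be used`.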
From: Marcus Burghardt Date: Thu, 18 Jan 2024 14:29:29 +0100 Subject: [PATCH 18/36] Update rules related to CIS RHEL7 4.4.2.4 References were updated in related rules. --- .../rule.yml | 2 +- .../rule.yml | 2 +- .../set_password_hashing_algorithm_logindefs/rule.yml | 2 +- .../set_password_hashing_algorithm_passwordauth/rule.yml | 2 +- .../set_password_hashing_algorithm_systemauth/rule.yml | 2 +- .../password_storage/no_empty_passwords/rule.yml | 1 + 6 files changed, 6 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml index 2d51b028557..524a7b35035 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -45,7 +45,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.3 cis@alinux3: 5.5.3 - cis@rhel7: 5.4.4 + cis@rhel7: 4.4.2.3.2 cis@rhel8: 5.5.3 cis@rhel9: 5.5.3 cjis: 5.6.2.1.1 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml index e8d0f0eba31..8876ac13cbc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml 
@@ -45,7 +45,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.3 cis@alinux3: 5.5.3 - cis@rhel7: 5.4.4 + cis@rhel7: 4.4.2.3.2 cis@rhel8: 5.5.3 cis@rhel9: 5.5.3 cjis: 5.6.2.1.1 diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml index c7c68899f7a..f4f290b6eec 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml @@ -29,7 +29,7 @@ references: anssi: BP28(R32) ccn@rhel9: A.19.SEC-RHEL3 cis-csc: 1,12,15,16,5 - cis@rhel7: 5.4.3 + cis@rhel7: 4.4.2.4.3 cis@rhel8: 5.5.4 cis@rhel9: 5.5.4 cis@sle12: 5.4.1.1 diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml index 44a2ad62eb8..52934805b65 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml @@ -44,7 +44,7 @@ references: anssi: BP28(R32) ccn@rhel9: A.19.SEC-RHEL3 cis-csc: 1,12,15,16,5 - cis@rhel7: 5.4.3 + cis@rhel7: 4.4.2.4.3 cis@rhel8: 5.5.4 cis@rhel9: 5.5.4 cjis: 5.6.2.2 
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml index 403d7f8a0cf..93efb5d5ae0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml @@ -56,7 +56,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.4 cis@alinux3: 5.5.4 - cis@rhel7: 5.4.3 + cis@rhel7: 4.4.2.4.3 cis@rhel8: 5.5.4 cis@rhel9: 5.5.4 cjis: 5.6.2.2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index d78290947b5..cc9f10a3fa4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -36,6 +36,7 @@ identifiers: references: cis-csc: 1,12,13,14,15,16,18,3,5 + cis@rhel7: 4.4.2.4.1 cis@rhel8: 5.4.1 cis@rhel9: 5.4.1 cis@ubuntu2004: 6.2.1 From ec9e41053c4f1f9de6a206c1f2cf450f60342ec9 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:35:06 +0100 Subject: [PATCH 19/36] Update CIS RHEL7 section 4.5.1 and 4.5.2 4.5.1 - Configure shadow password suite parameters 4.5.2 - Configure root and system accounts and environment --- controls/cis_rhel7.yml | 95 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 2 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 45d26e73c8a..0ef4b1c0aa8 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -2092,11 +2092,11 @@ controls: - l1_server - l1_workstation status: automated + notes: |- + Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1. rules: - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_passwordauth - - set_password_hashing_algorithm_logindefs - - var_password_hashing_algorithm=SHA512 - id: 4.4.2.4.4 title: Ensure pam_unix includes use_authtok (Automated) 
@@ -2108,6 +2108,97 @@ controls: In RHEL 7 pam_unix is enabled by default already with the use_authtok option set. In any case, we don't have a rule to check this option specifically. Similar to 4.4.2.3.4. + - id: 4.5.1.1 + title: Ensure strong password hashing algorithm is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + + - id: 4.5.1.2 + title: Ensure password expiration is 365 days or less (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing + - var_accounts_maximum_age_login_defs=365 + + - id: 4.5.1.3 + title: Ensure password expiration warning days is 7 or more (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_set_warn_age_existing + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + + - id: 4.5.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - account_disable_post_pw_expiration + - accounts_set_post_pw_existing + - var_account_disable_post_pw_expiration=30 + + - id: 4.5.1.5 + title: Ensure all users last password change date is in the past (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_password_last_change_is_in_past + + - id: 4.5.2.1 + title: Ensure default group for the root account is GID 0 (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_root_gid_zero + + - id: 4.5.2.2 + title: Ensure root user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + status: pending + notes: |- + There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. 
A new rule have + to be created. It can be based on accounts_umask_interactive_users. + + - id: 4.5.2.3 + title: Ensure system accounts are secured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - no_password_auth_for_systemaccounts + - no_shelllogin_for_systemaccounts + + - id: 4.5.2.4 + title: Ensure root password is set (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - ensure_root_password_configured + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 23e49bfa574ed6d2b57a27cf17ef51e16bf710c3 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:38:37 +0100 Subject: [PATCH 20/36] Update rules related to CIS RHEL7 4.5.1 and 4.5.2 References were updated in related rules. --- .../set_password_hashing_algorithm_libuserconf/rule.yml | 1 + .../set_password_hashing_algorithm_logindefs/rule.yml | 2 +- .../account_disable_post_pw_expiration/rule.yml | 2 +- .../accounts_maximum_age_login_defs/rule.yml | 2 +- .../accounts_password_set_max_life_existing/rule.yml | 2 +- .../accounts_password_set_warn_age_existing/rule.yml | 2 +- .../accounts_password_warn_age_login_defs/rule.yml | 2 +- .../password_expiration/accounts_set_post_pw_existing/rule.yml | 2 +- .../accounts_password_last_change_is_in_past/rule.yml | 2 +- .../root_logins/accounts_root_gid_zero/rule.yml | 2 +- .../root_logins/no_password_auth_for_systemaccounts/rule.yml | 2 +- .../root_logins/no_shelllogin_for_systemaccounts/rule.yml | 2 +- 12 files changed, 12 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml index 26348087122..ff7f652a556 100644 
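Review bot: The 4.5.2.2 notes have a grammar slip, `A new rule have to be created`, which should read `A new rule has to be created`. Otherwise the new 4.5.1.x and 4.5.2.x entries match the rule ids that the following commit maps back to these sections, so this is wording only.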
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml @@ -34,6 +34,7 @@ identifiers: references: cis-csc: 1,12,15,16,5 + cis@rhel7: 4.5.1.1 cjis: 5.6.2.2 cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 cui: 3.13.11 diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml index f4f290b6eec..98936ff07e8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml @@ -29,7 +29,7 @@ references: anssi: BP28(R32) ccn@rhel9: A.19.SEC-RHEL3 cis-csc: 1,12,15,16,5 - cis@rhel7: 4.4.2.4.3 + cis@rhel7: 4.5.1.1 cis@rhel8: 5.5.4 cis@rhel9: 5.5.4 cis@sle12: 5.4.1.1 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml index 0845a0f1a6d..313b7cf98b9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -36,7 +36,7 @@ references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8 cis@alinux2: 5.4.1.4 cis@alinux3: 5.6.1.4 - cis@rhel7: 5.5.1.4 + cis@rhel7: 4.5.1.4 cis@rhel8: 5.6.1.4 cis@rhel9: 5.6.1.4 cis@sle12: 5.4.1.5 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index 18e913598ad..802a751b20c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -37,7 +37,7 @@ references: cis-csc: 1,12,15,16,5 cis@alinux2: 5.4.1.1 cis@alinux3: 5.6.1.1 - cis@rhel7: 5.5.1.1 + cis@rhel7: 4.5.1.2 cis@rhel8: 5.6.1.1 cis@rhel9: 5.6.1.1 cis@sle12: 5.4.1.2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml index c771a6d6237..60665bcdab6 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml @@ -28,7 +28,7 @@ identifiers: references: ccn@rhel9: A.5.SEC-RHEL5 cis@alinux3: 5.6.1.1 - cis@rhel7: 5.5.1.1 + cis@rhel7: 4.5.1.2 cis@rhel8: 5.6.1.1 cis@rhel9: 5.6.1.1 cis@sle12: 5.4.1.2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml index 2a2bdbdd1e4..50f9d9ce78f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml @@ -27,7 +27,7 @@ identifiers: references: ccn@rhel9: A.5.SEC-RHEL5 - cis@rhel7: 5.5.1.3 + cis@rhel7: 4.5.1.3 cis@rhel8: 5.6.1.3 cis@rhel9: 5.6.1.3 cis@sle12: 5.4.1.4 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml index 34aedc7829e..05e01d05306 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml @@ -29,7 +29,7 @@ references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8 cis@alinux2: 5.4.1.3 cis@alinux3: 5.6.1.3 - cis@rhel7: 5.5.1.3 + cis@rhel7: 4.5.1.3 cis@rhel8: 5.6.1.3 cis@rhel9: 5.6.1.3 cis@sle12: 5.4.1.4 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml index 91f8efa7cde..b94b3b8675c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml @@ -23,7 +23,7 @@ identifiers: cce@sle15: CCE-92480-3 references: - cis@rhel7: 5.5.1.4 + cis@rhel7: 4.5.1.4 cis@rhel8: 5.6.1.4 cis@rhel9: 5.6.1.4 cis@sle12: 5.4.1.5 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml index 8224b631bc7..7d36b5a0be7 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml @@ -22,7 +22,7 @@ identifiers: references: cis@rhel7: 5.5.1.5 - cis@rhel8: 5.6.1.5 + cis@rhel8: 4.5.1.5 cis@rhel9: 5.6.1.5 cis@sle12: 5.4.1.6 cis@sle15: 5.4.1.6 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml index 2de6bc2db0d..a8c2b23f433 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/rule.yml @@ -20,7 +20,7 @@ identifiers: references: cis@alinux2: 5.4.3 cis@alinux3: 5.6.4 - cis@rhel7: 5.5.3 + cis@rhel7: 4.5.2.1 cis@rhel8: 5.6.4 cis@rhel9: 5.6.4 cis@sle12: 5.4.3 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml index a17355f18b5..c1547bdc9e1 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml 
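Review bot: The hunk in accounts_password_last_change_is_in_past/rule.yml edits the wrong key: it rewrites `cis@rhel8: 5.6.1.5` to `cis@rhel8: 4.5.1.5` while `cis@rhel7: 5.5.1.5` is left as context, although the commit message and the new 4.5.1.5 entry in controls/cis_rhel7.yml (which lists this rule) indicate that the RHEL 7 reference is the one meant to move. As written, the RHEL 8 benchmark mapping is broken and the RHEL 7 one still points at the old section number. The changed pair should be `-    cis@rhel7: 5.5.1.5` / `+    cis@rhel7: 4.5.1.5`, with `cis@rhel8: 5.6.1.5` kept unchanged as context.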
@@ -26,7 +26,7 @@ identifiers: references: ccn@rhel9: A.6.SEC-RHEL3 - cis@rhel7: 5.5.2 + cis@rhel7: 4.5.2.3 cis@rhel8: 5.6.2 cis@rhel9: 5.6.2 nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml index 9533baeb465..70efab43158 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml @@ -34,7 +34,7 @@ references: cis-csc: 1,12,13,14,15,16,18,3,5,7,8 cis@alinux2: 5.4.2 cis@alinux3: 5.6.2 - cis@rhel7: 5.5.2 + cis@rhel7: 4.5.2.3 cis@rhel8: 5.6.2 cis@rhel9: 5.6.2 cis@sle12: 5.4.2 From b2b6f78e809b77f0efe5f681272e9d2d599f7b87 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:39:12 +0100 Subject: [PATCH 21/36] Enable ensure_root_password_configured to rhel7 This rule satisfies the CIS RHEL7 requirement 4.5.2.4. --- .../root_logins/ensure_root_password_configured/rule.yml | 4 +++- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml index 5fae996278f..96dafca3ce5 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_password_configured/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9,ubuntu2004,ubuntu2204 +prodtype: rhel7,rhel9,ubuntu2004,ubuntu2204 title: 'Ensure Authentication Required for Single User Mode' @@ -16,12 +16,14 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-87722-5 cce@rhel9: CCE-87101-2 platform: machine references: ccn@rhel9: A.6.SEC-RHEL4 + cis@rhel7: 4.5.2.4 cis@rhel9: 5.6.6 cis@ubuntu2004: 1.5.3 cis@ubuntu2204: 1.4.3 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 6761091182b..f801858c511 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1175,7 +1175,6 @@ CCE-87717-5 CCE-87718-3 CCE-87719-1 CCE-87720-9 -CCE-87722-5 CCE-87723-3 CCE-87724-1 CCE-87727-4 From e959bde46be5fca8e58fe4588c42b4bff21c9f64 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:44:51 +0100 Subject: [PATCH 22/36] Update CIS RHEL7 section 4.5.3 4.5.3 - Configure user default environment --- controls/cis_rhel7.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 0ef4b1c0aa8..09d144a5cad 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
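Review bot: The rule now mapped to CIS RHEL7 4.5.2.4 is titled 'Ensure Authentication Required for Single User Mode', so nothing in the hunk tells a reader why that rule satisfies the requirement; if 4.5.2.4 concerns the root password being set rather than single-user-mode authentication, a one-line note in the control entry or in the rule's rationale explaining the mapping would save the next reviewer the same question. The reservation of CCE-87722-5 here is consistent with its removal from cce-redhat-avail.txt in the second hunk of this commit.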
@@ -2199,6 +2199,39 @@ controls: rules: - ensure_root_password_configured + - id: 4.5.3.1 + title: Ensure nologin is not listed in /etc/shells (Automated) + levels: + - l2_server + - l2_workstation + status: pending + notes: |- + It is necessary to create a new rule to check and remove nologin from /etc/shells. + The no_tmux_in_shells rule can be used as referece. + + - id: 4.5.3.2 + title: Ensure default user shell timeout is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_tmout + - var_accounts_tmout=15_min + + - id: 4.5.3.3 + title: Ensure default user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - accounts_umask_interactive_users + - var_accounts_user_umask=027 + - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) levels: From 3a40c1731b8800a74b23ddcd53aef21df60413f5 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 13:45:46 +0100 Subject: [PATCH 23/36] Update rules related to CIS RHEL7 4.5.3 References were updated in related rules. --- .../system/accounts/accounts-session/accounts_tmout/rule.yml | 2 +- .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +- .../user_umask/accounts_umask_etc_login_defs/rule.yml | 2 +- .../user_umask/accounts_umask_etc_profile/rule.yml | 2 +- .../user_umask/accounts_umask_interactive_users/rule.yml | 1 + 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml index bd152ca6245..d50634096ac 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml 
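Review bot: The notes block of 4.5.3.1 has a typo, `referece`; the line should read `The no_tmux_in_shells rule can be used as reference.`. Because the entry is `pending`, this note is the only guidance a future implementer gets, so it is worth keeping precise. The controls list continues outside the hunk.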
@@ -51,7 +51,7 @@ references: cis-csc: 1,12,15,16 cis@alinux2: 5.4.5 cis@alinux3: 5.6.3 - cis@rhel7: 5.5.4 + cis@rhel7: 4.5.3.2 cis@rhel8: 5.6.3 cis@rhel9: 5.6.3 cis@sle12: 5.4.4 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index b6217fd82d9..7244f7611bb 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -37,7 +37,7 @@ references: cis-csc: '18' cis@alinux2: 5.4.4 cis@alinux3: 5.6.5 - cis@rhel7: 5.5.5 + cis@rhel7: 4.5.3.3 cis@rhel8: 5.6.5 cis@rhel9: 5.6.5 cis@sle12: 5.4.5 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml index 3b4b694f945..d1d5c8b3db4 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml @@ -27,7 +27,7 @@ references: cis-csc: 11,18,3,9 cis@alinux2: 5.4.4 cis@alinux3: 5.6.5 - cis@rhel7: 5.5.5 + cis@rhel7: 4.5.3.3 cis@rhel8: 5.6.5 cis@rhel9: 5.6.5 cis@sle12: 5.4.5 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml index f2e588f0213..cd488aa019c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml 
@@ -32,7 +32,7 @@ references: cis-csc: '18' cis@alinux2: 5.4.4 cis@alinux3: 5.6.5 - cis@rhel7: 5.5.5 + cis@rhel7: 4.5.3.3 cis@rhel8: 5.6.5 cis@rhel9: 5.6.5 cis@sle12: 5.4.5 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index 313ac772a57..c5f49759d64 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel9: CCE-90365-8 references: + cis@rhel7: 4.5.3.3 cis@ubuntu2004: 5.4.4 cis@ubuntu2204: 5.5.4 disa: CCI-000366,CCI-001814 From b119b8f383328a9d17995dd0ce47dfeb4d665fd8 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 14:20:21 +0100 Subject: [PATCH 24/36] Removed CIS RHEL7 references in dropped rules In alignment to the policy changelog, rules related to dropped requirements in section 4 were updated to no longer include a referece for cis rhel7. --- .../audit_rules_privileged_commands_insmod/rule.yml | 1 - .../audit_rules_privileged_commands_modprobe/rule.yml | 1 - .../audit_rules_privileged_commands_rmmod/rule.yml | 1 - .../audit_rules_suid_privilege_function/rule.yml | 1 - 4 files changed, 4 deletions(-) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml index 1086361988d..2033834d785 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml 
@@ -35,7 +35,6 @@ identifiers: references: anssi: BP28(R73) cis@alinux2: 4.1.17 - cis@rhel7: 4.1.16 cis@sle12: 4.1.16 cis@sle15: 4.1.16 cis@ubuntu2004: 4.1.16 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml index 19e74ab6136..41a2cf68167 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml @@ -39,7 +39,6 @@ identifiers: references: anssi: BP28(R73) cis@alinux2: 4.1.17 - cis@rhel7: 4.1.16 cis@sle12: 4.1.16 cis@sle15: 4.1.16 cis@ubuntu2004: 4.1.16 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml index bb5b567f20f..dda8ba4e362 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml @@ -35,7 +35,6 @@ identifiers: references: anssi: BP28(R73) cis@alinux2: 4.1.17 - cis@rhel7: 4.1.16 cis@sle12: 4.1.16 cis@sle15: 4.1.16 cis@ubuntu2004: 4.1.16 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml index 23c5bb688ad..dcf6ea592d4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml @@ -49,7 +49,6 @@ identifiers: cce@sle15: CCE-85611-2 references: - cis@rhel7: 4.1.15 cis@ubuntu2004: 4.1.15 cis@ubuntu2204: 4.1.3.2 disa: CCI-001814,CCI-001882,CCI-001889,CCI-001880,CCI-001881,CCI-001878,CCI-001879,CCI-001875,CCI-001877,CCI-001914,CCI-002233,CCI-002234 From 61d971e23cba4a085b77ebc92fe441d69d1310c6 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 18 Jan 2024 14:42:53 +0100 Subject: [PATCH 25/36] Update var_password_pam_remember for CIS RHEL7 4.0.0 --- .../locking_out_password_attempts/var_password_pam_remember.var | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var index 58332ee8153..924d224cebc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var @@ -21,4 +21,5 @@ options: 7: 7 8: 8 9: 9 + 24: 24 default: 5 From 139e0adc106992c2be28b5544989315b4cd00d5b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 19 Jan 2024 10:43:18 +0100 Subject: [PATCH 26/36] Update CIS RHEL7 version in header From 3.1.1 to 4.0.0 --- controls/cis_rhel7.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 09d144a5cad..63a393e8e01 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1,7 +1,7 @@ policy: 'CIS benchmark for Red Hat Enterprise Linux 7' title: 'CIS benchmark for Red Hat Enterprise Linux 7' id: cis_rhel7 -version: '3.1.1' +version: '4.0.0' source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux levels: - id: l1_server 
From ad697b43056d77fbf47b33b289ee768fb0cc1343 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 19 Jan 2024 12:03:00 +0100 Subject: [PATCH 27/36] Fix wrong reference The intention was to change the reference for rhel7 but it was actually changed the line for rhel8. rhel7 is fixed and rhel8 reverted. --- .../accounts_password_last_change_is_in_past/rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml index 7d36b5a0be7..5535684384e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml @@ -21,8 +21,8 @@ identifiers: cce@sle15: CCE-92504-0 references: - cis@rhel7: 5.5.1.5 - cis@rhel8: 4.5.1.5 + cis@rhel7: 4.5.1.5 + cis@rhel8: 5.6.1.5 cis@rhel9: 5.6.1.5 cis@sle12: 5.4.1.6 cis@sle15: 5.4.1.6 From 6294c3f62941b1393ef48a5fb3bdddb859568b32 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 10:51:56 +0100 Subject: [PATCH 28/36] Update requirements status after review During the PR review it was noticed that new rules would be necessary to more precisely satisfy some requirements. These requirements were moved from automated to partial and notes were included. --- controls/cis_rhel7.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 63a393e8e01..de4934c951f 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -1566,7 +1566,10 @@ controls: levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + It is necessary to create a rule to ensure the existence of at.allow. + file_cron_allow_exists can be used as reference for a new templated rule. rules: - file_groupowner_at_allow - file_owner_at_allow @@ -1578,7 +1581,10 @@ controls: levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + These rules only check the /etc/ssh/sshd_config file but the policy also mentions files in + /etc/ssh/sshd_config.d directory. New templated rules should be created for sshd_config.d. rules: - file_groupowner_sshd_config - file_owner_sshd_config @@ -1643,7 +1649,7 @@ controls: status: automated notes: |- The requirement gives an example of 45 seconds, but is flexible about the values. It is only - necessary to ensure there is a timeout is configured in alignment to the site policy. + necessary to ensure there is a timeout configured in alignment to the site policy. rules: - sshd_idle_timeout_value=5_minutes - sshd_set_idle_timeout From db51d12211149fd5fa10e47c36eb0c1f20189486 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 10:59:08 +0100 Subject: [PATCH 29/36] Review sshd_approved_ciphers.var Made the variable selection explicit in the control file and updated the cis_rhel7 value. Thanks Vojtech. --- controls/cis_rhel7.yml | 1 + linux_os/guide/services/ssh/sshd_approved_ciphers.var | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index de4934c951f..02e9ed2ddc8 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1640,6 +1640,7 @@ controls: status: automated rules: - sshd_use_approved_ciphers + - sshd_approved_ciphers=cis_rhel7 - id: 4.2.7 title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) 
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var index 4ab4d36cef9..d7b02f49457 100644 --- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var @@ -14,7 +14,7 @@ options: stig: aes256-ctr,aes192-ctr,aes128-ctr stig_extended: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se - cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc + cis_rhel7: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr cis_sle12: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr cis_sle15: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr cis_alinux2: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr From bab06e914a55ff32e3e076f3a365356462ce24ac Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 11:09:10 +0100 Subject: [PATCH 30/36] Review usage of sudo_require_reauthentication Made the variable var_sudo_timestamp_timeout explicitly selected in the control file. It was also included a note about improvements in OVAL. --- controls/cis_rhel7.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 02e9ed2ddc8..4349c62d2dd 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
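Review bot: The `default:` option on the context line just above the changed one still lists `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se`, so any profile that selects `sshd_use_approved_ciphers` without explicitly selecting a value of this variable would still treat CBC and 3DES as approved after this commit tightens `cis_rhel7`. That is outside the commit's scope, but a follow-up reviewing the default, or a comment on the `default:` line stating that it is intentionally permissive for compatibility, would stop the same gap being rediscovered profile by profile. The new `cis_rhel7` value now matches the `cis_sle12`, `cis_sle15` and `cis_alinux2` lines.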
@@ -1864,9 +1864,13 @@ controls: levels: - l1_server - l1_workstation - status: automated + status: partial + notes: |- + The OVAL check in sudo_require_reauthentication ensures the timestamp_timeout parameter but + is not precisely testing the value. rules: - sudo_require_reauthentication + - var_sudo_timestamp_timeout=15_minutes - id: 4.3.7 title: Ensure access to the su command is restricted (Automated) From 6a3ea7a26991c3bdb85bfe925b6a522648d42269 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 11:15:25 +0100 Subject: [PATCH 31/36] Fix rule section in CIS RHEL7 4.2.15 --- controls/cis_rhel7.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 4349c62d2dd..cde499e04a6 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -1737,7 +1737,7 @@ controls: - l1_server - l1_workstation status: automated - related_rules: + rules: - sshd_use_strong_macs - sshd_strong_macs=cis_rhel7 From c014abf958bbf370244c35cba339d8fab93524cd Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 11:33:47 +0100 Subject: [PATCH 32/36] Update selection in CIS RHEL7 4.5.3.3 Moved accounts_umask_interactive_users to related_rules since the policy is now allowing the users to override the system default via initiatization files. --- controls/cis_rhel7.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index cde499e04a6..aa881cfcee4 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
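Review bot: The new selection `var_sudo_timestamp_timeout=15_minutes` sits directly under a note saying the OVAL check does not test the value, so as far as this hunk shows the selected value only affects remediation and a scan still passes with any timestamp_timeout; the note could say that explicitly, e.g. `The selected var_sudo_timestamp_timeout value is currently only enforced by remediation.` This is inferred from the note rather than from the rule's OVAL, which is not visible here. The 4.3.x controls list continues outside the hunk.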
@@ -2236,12 +2236,18 @@ controls: - l1_server - l1_workstation status: automated + notes: |- + The policy allows the user to override the default system umask on its discretion. + This is the reason the accounts_umask_interactive_users rule is in related_rules. If this + changes in the future, the rule can be used to ensure that users do not override the system + default. rules: - accounts_umask_etc_bashrc - accounts_umask_etc_login_defs - accounts_umask_etc_profile - - accounts_umask_interactive_users - var_accounts_user_umask=027 + related_rules: + - accounts_umask_interactive_users - id: 5.1.1.1 title: Ensure rsyslog is installed (Automated) From 4ec14d1bea493e6b3e9bd767d98cfa93cc3511cf Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Mon, 22 Jan 2024 11:54:15 +0100 Subject: [PATCH 33/36] Include note in CIS RHEL7 4.5.3.3 Some files mentioned in the policy scripts doesn't seem relevant for RHEL7. It has to be discussed in CIS Community. --- controls/cis_rhel7.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index aa881cfcee4..3c6bb2b7f30 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml 
@@ -2237,10 +2237,12 @@ controls: - l1_workstation status: automated notes: |- - The policy allows the user to override the default system umask on its discretion. - This is the reason the accounts_umask_interactive_users rule is in related_rules. If this - changes in the future, the rule can be used to ensure that users do not override the system - default. + It is missing a rule to check /etc/pam.d/postlogin. Files /etc/bash.bashrc and + /etc/default/login are not used in RHEL 7, but are mentioned in the policy. It has to be + clarified in CIS Community. The policy allows the user to override the default system umask + on its discretion. This is the reason the accounts_umask_interactive_users rule is in + related_rules. If this changes in the future, the rule can be used to ensure that users do + not override the system default. rules: - accounts_umask_etc_bashrc - accounts_umask_etc_login_defs From 62c006cab70cf71b1e12833fb33bcff346430dba Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 23 Jan 2024 10:36:31 +0100 Subject: [PATCH 34/36] Just minor update in the line format This commit is just to preserve the original format of /etc/pam.d/su file. No technical impact. --- .../root_logins/use_pam_wheel_group_for_su/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh index 37a425dbff1..d16374ffd6a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh 
@@ -6,7 +6,7 @@ PAM_CONF=/etc/pam.d/su pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) if [ -z "$pamstr" ]; then sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line - sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} + sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} else group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then From 419d75ad6910f88fe6230877bc0a33b4c4fb0e1b Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 23 Jan 2024 10:38:21 +0100 Subject: [PATCH 35/36] Remove unnecessary space at the beginning --- .../root_logins/use_pam_wheel_for_su/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh index cf672ee28c6..bd1ba1ccbc4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh @@ -1,4 +1,4 @@ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # uncomment the option if commented - sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su +sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su 
From dc5ad440e2d849f1bc47c2dc0c96bb512b466e2e Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 23 Jan 2024 10:39:36 +0100 Subject: [PATCH 36/36] Fix regex for pam_wheel.so line with use_uid The regex used in OVAL was not expecting additional options configured on the same line and assumed the use_uid was the last option. This commit makes the regex more flexible and robust. --- .../root_logins/use_pam_wheel_for_su/oval/shared.xml | 12 +++++++----- .../tests/additional_options.pass.sh | 7 +++++++ 2 files changed, 14 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/additional_options.pass.sh diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml index f84e04fa326..970fa5b71ab 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml @@ -1,19 +1,21 @@ - + {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}} - + - + /etc/pam.d/su - ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ + ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b 1 - diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/additional_options.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/additional_options.pass.sh new file mode 100644 index 00000000000..f85d91c6bbd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/additional_options.pass.sh 
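Review bot: The new pattern `^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b` still requires `use_uid` to be the first option after `pam_wheel.so`, so a valid line such as `auth required pam_wheel.so group=wheel use_uid` is not matched, while the bash remediation of the sibling rule use_pam_wheel_group_for_su earlier in this series accepts `use_uid` anywhere on the line via a lookahead. If the OVAL regex engine supports lookahead as that `grep -P` does, `^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+(?=[^#]*\buse_uid\b)` would accept any option order while still ignoring the token inside a trailing comment. The new test in the next hunk only exercises the `use_uid`-first ordering, so a second pass test with `use_uid` placed after another option would expose the difference. The `\b` immediately after `[\s]+` is redundant but harmless.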
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid/d' /etc/pam.d/su
+
+#apply correct line with additional options for pam_wheel.so
+echo "auth required pam_wheel.so use_uid group=sugroup" >> /etc/pam.d/su
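Review bot: The comment `#clean possible commented lines` does not describe the sed expression under it, which deletes every line matching `auth.*required.*pam_wheel\.so.*use_uid` whether it is commented or not; `#remove any existing pam_wheel.so use_uid line, commented or not` would be accurate. Appending with `>>` places the new line at the end of /etc/pam.d/su, which is enough for the presence check but differs from where the sibling rule's remediation inserts it (after pam_rootok.so), so this fixture should not be read as a reference configuration.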