Merged
57 commits
7f366ca
Split RHEL 8 CIS profile into modular files per-benchmark
alexhaydock Jun 29, 2021
e53bf4c
Add CIS control file for RHEL 8
alexhaydock Jul 1, 2021
7cb13c1
Add RHEL 8 Sections 3 & 4 to CIS control file
alexhaydock Jul 2, 2021
e10bc63
Add RHEL 8 Section 5 to CIS control file
alexhaydock Jul 3, 2021
9aa351c
Add RHEL 8 Section 6 to CIS control file
alexhaydock Jul 3, 2021
9328919
Tweak RHEL8 CIS control file to satisfy yamllint
alexhaydock Jul 3, 2021
035dd0b
Updates to address comments on RHEL 8 CIS PR
alexhaydock Jul 8, 2021
0d2d6a3
Allow DEFAULT crypto policy for RHEL 8 CIS (conditional on merge of #…
alexhaydock Jul 16, 2021
85befb5
Update RHEL 8 CIS Section 2 rules
alexhaydock Jul 16, 2021
fc72716
Update RHEL 8 CIS Section 3 rules
alexhaydock Jul 16, 2021
3520671
Update controls/cis_rhel8.yml
alexhaydock Jul 20, 2021
0d1ff0c
RHEL 8 CIS 1.5.1 is only partially automated currently
alexhaydock Jul 30, 2021
60e7bde
Add EFI GRUB rules to RHEL 8 CIS control 1.5.1
alexhaydock Jul 30, 2021
3be0003
Update controls/cis_rhel8.yml
alexhaydock Aug 4, 2021
c62def9
Explicitly set var_auditd_max_log_file_action
alexhaydock Aug 4, 2021
860425b
Explicitly set the number of auditd logs to keep to 6
alexhaydock Aug 4, 2021
28cad02
The audit_rules_time_settimeofday rule does not directly align with CIS
alexhaydock Aug 4, 2021
fe54240
RHEL CIS control 4.1.7 is missing a rule to achieve full automation
alexhaydock Aug 4, 2021
ed08790
Remove opinionated rule from CIS 4.1.10 as it does not align with the…
alexhaydock Aug 4, 2021
47bf486
Use "partially" rather than "partial" for automation key
alexhaydock Aug 4, 2021
42e08dd
Disable automation for control 4.1.13 as it does not align exactly wi…
alexhaydock Aug 4, 2021
769029e
Remove opinionated rule from CIS 4.1.14 as it does not align with the…
alexhaydock Aug 4, 2021
fe163c1
Disable the rsyslog_files_permissions rule as it does not align with …
alexhaydock Aug 4, 2021
404aef2
Disable 4.2.1.5 and 5.2.3 as they do not align perfectly with the ben…
alexhaydock Aug 4, 2021
012d4f8
5.2.4 is only partially automated
alexhaydock Aug 4, 2021
e5cfc29
Ensure var_sshd_set_keepalive variable gets used properly
alexhaydock Aug 4, 2021
d21ea1b
Align RHEL 8 Chrony configuration rule more closely with CIS benchmark
alexhaydock Aug 5, 2021
ade74cf
Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file
alexhaydock Aug 5, 2021
723681d
Disable SSH warning banner rule in RHEL 8 CIS (uses wrong path)
alexhaydock Aug 5, 2021
b0615c2
Add explicit variable definition for SSH MaxStartups rule in RHEL 8 C…
alexhaydock Aug 5, 2021
03504b0
Update SSH MaxSessions to match the value CIS audits for vs the one i…
alexhaydock Aug 5, 2021
0ef85e8
Fix rule ID for 5.3.3
alexhaydock Aug 5, 2021
85c2fcf
Remove misaligned rules from RHEL 8 CIS 5.4.2
alexhaydock Aug 5, 2021
edbd2b2
RHEL 8 CIS 5.4.1 is only partially automated
alexhaydock Aug 5, 2021
e32f465
Import logic for the "Ensure password reuse is limited" rule from RHEL 7
alexhaydock Aug 5, 2021
c77bbff
RHEL 8 CIS 5.4.4 is only partially automated
alexhaydock Aug 5, 2021
be70608
RHEL 8 CIS 5.5.1.1 is only partially automated
alexhaydock Aug 5, 2021
075eb33
RHEL 8 CIS 5.5.1.2 is only partially automated
alexhaydock Aug 5, 2021
1e3c17e
RHEL 8 CIS 5.5.1.3 is only partially automated
alexhaydock Aug 5, 2021
97c5ff8
RHEL 8 CIS 5.5.1.4 is only partially automated
alexhaydock Aug 5, 2021
2d5603c
Set SSH idle timeout to 15 minutes
alexhaydock Aug 6, 2021
da63d39
RHEL 8 CIS 5.5.2 is only partially automated
alexhaydock Aug 6, 2021
d07ec30
RHEL 8 CIS 5.5.3 is only partially automated
alexhaydock Aug 6, 2021
cd86706
RHEL 8 CIS 5.5.5 is only partially automated
alexhaydock Aug 6, 2021
ec2d43b
RHEL 8 CIS 5.7 can be partially satisfied by use_pam_wheel_for_su
alexhaydock Aug 6, 2021
ca3b471
Rules exist which satisfy RHEL 8 CIS 6.2.3
alexhaydock Aug 6, 2021
92adfbb
Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without OVAL checks or…
alexhaydock Aug 6, 2021
25b0bbb
Rules exist for RHEL 8 CIS 6.2.20 but without OVAL checks or remediat…
alexhaydock Aug 6, 2021
c8d07e3
We cannot use audit_rules_kernel_module_loading because it also check…
alexhaydock Aug 6, 2021
b3a579b
Use only 'related_rules' and not 'rules' when a control is not automated
alexhaydock Aug 9, 2021
3f6766b
Correct value of SSH MaxSessions based on upstream Draft Benchmark 1.1.0
alexhaydock Aug 10, 2021
e9ca1ba
Control to disable IPv6 should not be automated
alexhaydock Aug 11, 2021
b63d2be
Merge branch 'ComplianceAsCode:master' into rhel-modular-cis
alexhaydock Aug 17, 2021
8c8d6c7
Merge branch 'ComplianceAsCode:master' into rhel-modular-cis
alexhaydock Aug 17, 2021
a7b6c13
Fix rules with missing CCEs for RHEL8
alexhaydock Aug 17, 2021
b2a35c5
Add missing CIS references for RHEL 8 rules
alexhaydock Aug 17, 2021
379910b
Quote reference to avoid it being interpreted as an integer
alexhaydock Aug 17, 2021
2,322 changes: 2,322 additions & 0 deletions controls/cis_rhel8.yml

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ identifiers:

references:
cis@rhel7: 5.3.5
cis@rhel8: 5.2.5
disa: CCI-000067
nerc-cip: CIP-007-3 R7.1
nist: AC-17(a),AC-17(1),CM-6(a)
Expand Up @@ -41,6 +41,7 @@ identifiers:

references:
cis@rhel7: 2.2.2
cis@rhel8: 2.2.2
disa: CCI-000366
nist: CM-6(b)
srg: SRG-OS-000480-GPOS-00227
Expand Up @@ -24,6 +24,7 @@ identifiers:

references:
cis@rhel7: "5.7"
cis@rhel8: "5.7"
cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
ospp: FMT_SMF_EXT.1.1
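Review bot: quote style is inconsistent in this references block: the added `cis@rhel8: "5.7"` uses double quotes like the rhel7 entry above it, while `cis@sle15: '5.6'` and `cis@ubuntu2004: '5.6'` just below use single quotes. The quoting itself is needed, since a bare 5.7 would be loaded by a YAML parser as a float rather than a section number; suggest settling on one quote style for two-part section numbers here so that a later unquoted addition stands out in review.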
Expand Up @@ -23,6 +23,7 @@ identifiers:
references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
cis@rhel8: 6.2.3
cis@sle15: 6.2.4
cis@ubuntu2004: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
Expand Up @@ -21,10 +21,12 @@ severity: unknown

identifiers:
cce@rhel7: CCE-80199-3
cce@rhel8: CCE-85914-0

references:
cis-csc: 11,3,9
cis@rhel7: 6.2.10
cis@rhel8: 6.2.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
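Review bot: the hunk header shows this rule still carries `severity: unknown`, yet the change gives it a RHEL 8 CCE and ties it to CIS 6.2.3. Suggest assigning a real severity in the same change, or recording why it stays unknown, so the rule does not enter the RHEL 8 CIS mapping unrated.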
Expand Up @@ -25,6 +25,7 @@ references:
anssi: BP28(R35)
cis-csc: 11,18,3,9
cis@rhel7: 5.5.5
cis@rhel8: 5.5.5
cis@ubuntu2004: 5.4.4
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
disa: CCI-000366
Expand Up @@ -25,6 +25,7 @@ severity: medium

identifiers:
cce@rhel7: CCE-83430-9
cce@rhel8: CCE-85915-7

references:
cis-csc: 12,13,14,15,16,18,3,5
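Review bot: the new `cce@rhel8: CCE-85915-7` line under identifiers comes with nothing in the hunk showing where the value was allocated from. Please confirm it was taken from whatever list the project uses to track unassigned CCEs and that it is removed from that list in this PR, so the same identifier cannot later be assigned to a second rule.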
Expand Up @@ -23,6 +23,7 @@ severity: medium

identifiers:
cce@rhel7: CCE-83429-1
cce@rhel8: CCE-85913-2

references:
cis-csc: 12,13,14,15,16,18,3,5
Expand Up @@ -21,6 +21,7 @@ severity: medium

identifiers:
cce@rhel7: CCE-83431-7
cce@rhel8: CCE-85912-4

references:
cis-csc: 12,13,14,15,16,18,3,5