diff --git a/section_1/cis_6.xxx/cis_1.3.1.yml b/section_1/cis_6.xxx/cis_1.3.1.yml deleted file mode 100644 index 33f8d11..0000000 --- a/section_1/cis_6.xxx/cis_1.3.1.yml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if .Vars.rhel9cis_rule_1_3_1 }} -package: - aide: - title: 1.3.1 | Ensure AIDE is installed - installed: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 1.3.1 - CISv8: - - 3.14 - CISv8_IG1: false - CISv8_IG2: false - CISv8_IG3: true -{{ end }} diff --git a/section_1/cis_6.xxx/cis_1.3.2.yml b/section_1/cis_6.xxx/cis_1.3.2.yml deleted file mode 100644 index f3b9c65..0000000 --- a/section_1/cis_6.xxx/cis_1.3.2.yml +++ /dev/null @@ -1,60 +0,0 @@ -{{ if .Vars.rhel9cis_config_aide }} - {{ if .Vars.rhel9cis_rule_1_3_2 }} - {{ if eq .Vars.rhel9_aide_scan "cron" }} -command: - aide_cron: - title: 1.3.2 | Ensure filesystem integrity is regularly checked - exit-status: - or: - - 0 - - 2 - exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*" - stdout: - - '!/^#/' - {{ end }} - meta: - server: 1 - workstation: 1 - CIS_ID: - - 1.3.2 - CISv8: - - 3.14 - CISv8_IG1: false - CISv8_IG2: false - CISv8_IG3: true -# Can be enabled if using timer and service files -service: - {{ if eq .Vars.rhel9_aide_scan "timer" }} - aidecheck: - title: 1.3.2 | Ensure filesystem integrity is regularly checked - enabled: true - running: true - skip: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 1.3.2 - CISv8: - - 3.14 - CISv8_IG1: false - CISv8_IG2: false - CISv8_IG3: true - aidecheck.timer: - title: 1.3.2 | Ensure filesystem integrity is regularly checked - enabled: true - running: true - skip: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 1.3.2 - CISv8: - - 3.14 - CISv8_IG1: false - CISv8_IG2: false - CISv8_IG3: true - {{ end }} - {{ end }} -{{ end }} diff --git a/section_1/cis_6.xxx/cis_1.3.3.yml b/section_1/cis_6.xxx/cis_1.3.3.yml deleted file mode 100644 index ef1c4bf..0000000 --- a/section_1/cis_6.xxx/cis_1.3.3.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{ if .Vars.rhel9cis_rule_1_3_3 }} -command: - audit_bins_crypto_aide: - title: 1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools - exec: grep /sbin/au /etc/aide.conf - exit-status: - or: - - 0 - - 2 - stdout: - - '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512' - - '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512' - - '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512' - - '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512' - - '/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512' - - '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 1.3.3 - CISv8: - - 3.14 - CISv8_IG1: false - CISv8_IG2: false - CISv8_IG3: true -{{ end }} - diff --git a/section_2/cis_2.1/cis_2.1.1.yml b/section_2/cis_2.1/cis_2.1.1.yml index bad84a8..2c8a6f3 100644 --- a/section_2/cis_2.1/cis_2.1.1.yml +++ b/section_2/cis_2.1/cis_2.1.1.yml @@ -1,16 +1,50 @@ -{{ if .Vars.rhel9cis_rule_2_1_1 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_1 }} + {{ if not .Vars.rhel9cis_autofs_services }} + {{ if not .Vars.rhel9cis_autofs_mask }} package: - chrony: - title: 2.1.1 | Ensure time synchronization is in use - installed: true + autofs_pkg: + title: 2.1.1 | Ensure autofs services are not in use | pkg removed + name: autofs + installed: false meta: server: 1 - workstation: 1 + workstation: 2 CIS_ID: - 2.1.1 CISv8: - - 8.4 + - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - SI-3 + - MP-7 + {{ end }} + {{ if .Vars.rhel9cis_autofs_mask }} +file: + autofs_masked: + title: 2.1.1 | Ensure autofs services are not in use | masked + path: /etc/systemd/system/autofs.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-3 + - MP-7 + {{ end }} + {{ end }} + {{ end }} {{ end }} 
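Review bot: The `autofs_masked` check under `rhel9cis_autofs_mask` only verifies that `/etc/systemd/system/autofs.service` is a symlink to `/dev/null`; masking a unit does not stop an instance that is already running, so a host whose autofs was masked without being stopped still passes this rule. Pairing the file check with a `service` resource, e.g. `service:` / `  autofs:` / `    running: false`, would close that gap (the deleted `cis_1.3.2.yml` used the `service` resource the same way). The same mask-only pattern is repeated in every new mask branch of this commit: `cis_2.1.2.yml` through `cis_2.1.19.yml` including both 2.1.18 files, so one fix should be applied across all of them.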
diff --git a/section_2/cis_2.1/cis_2.1.10.yml b/section_2/cis_2.1/cis_2.1.10.yml new file mode 100644 index 0000000..228c836 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.10.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_10 }} + {{ if not .Vars.rhel9cis_nis_server }} + {{ if not .Vars.rhel9cis_nis_mask }} +package: + ypserv_pkg: + title: 2.1.10 | Ensure nis server services are not in use | pkg removed + name: ypserv + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_nis_mask }} +file: + ypbind_service_masked: + title: 2.1.10 | Ensure nis server services are not in use | masked + path: /etc/systemd/system/ypbind-server.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.11.yml b/section_2/cis_2.1/cis_2.1.11.yml new file mode 100644 index 0000000..31df1eb --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.11.yml 
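Review bot: The masked-unit check in `cis_2.1.10.yml` looks at `/etc/systemd/system/ypbind-server.service`, which does not match the package this rule removes (`ypserv`): ypbind is the NIS client, and the unit shipped by ypserv is presumably `ypserv.service`, so confirm the unit name from the package file list. If the path is wrong, `exists: true` can never be satisfied and the mask branch fails unconditionally. Suggested change: `ypserv_service_masked:` / `path: /etc/systemd/system/ypserv.service`.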
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_11 }} + {{ if not .Vars.rhel9cis_print_server }} + {{ if not .Vars.rhel9cis_print_mask }} +package: + cups_pkg: + title: 2.1.11 | Ensure print server services are not in use | pkg removed + name: cups + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_print_mask }} +file: + cups_service_masked: + title: 2.1.11 | Ensure print server services are not in use | masked + path: /etc/systemd/system/cups.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + cups_socket_masked: + title: 2.1.11 | Ensure print server services are not in use | masked + path: /etc/systemd/system/cups.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.12.yml b/section_2/cis_2.1/cis_2.1.12.yml new file mode 100644 index 0000000..62c0e3f --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.12.yml 
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_12 }} + {{ if not .Vars.rhel9cis_rpc_server }} + {{ if not .Vars.rhel9cis_rpc_mask }} +package: + rpcbind_pkg: + title: 2.1.12 | Ensure rpcbind services are not in use | pkg removed + name: rpcbind + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_rpc_mask }} +file: + rpcbind_service_masked: + title: 2.1.12 | Ensure rpc services are not in use | masked + path: /etc/systemd/system/rpcbind.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + rpcbind_socket_masked: + title: 2.1.12 | Ensure rpc services are not in use | masked + path: /etc/systemd/system/rpcbind.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.13.yml b/section_2/cis_2.1/cis_2.1.13.yml new file mode 100644 index 0000000..f5e6b2f --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.13.yml 
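Review bot: The two masked-check titles in `cis_2.1.12.yml` read `2.1.12 | Ensure rpc services are not in use | masked` while the package check above uses `Ensure rpcbind services are not in use`, so the same rule is reported under two different names depending on which branch rendered. Align them, e.g. `title: 2.1.12 | Ensure rpcbind services are not in use | masked`. The same drift appears in `cis_2.1.6.yml` (`samba file server` in the package title, `samba server` in the masked title).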
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_13 }} + {{ if not .Vars.rhel9cis_rsync_server }} + {{ if not .Vars.rhel9cis_rsync_mask }} +package: + rsync_pkg: + title: 2.1.13 | Ensure rsync services are not in use | pkg removed + name: rsync-daemon + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_rsync_mask }} +file: + rsync_service_masked: + title: 2.1.13 | Ensure rsync services are not in use | masked + path: /etc/systemd/system/rsyncd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + rsync_socket_masked: + title: 2.1.13 | Ensure rsync services are not in use | masked + path: /etc/systemd/system/rsyncd.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.14.yml b/section_2/cis_2.1/cis_2.1.14.yml new file mode 100644 index 0000000..daa2482 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.14.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_14 }} + {{ if not .Vars.rhel9cis_snmp_server }} + {{ if not .Vars.rhel9cis_snmp_mask }} +package: + snmp_pkg: + title: 2.1.14 | Ensure snmp services are not in use | pkg removed + name: net-snmp + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.14 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_snmp_mask }} +file: + snmp_service_masked: + title: 2.1.14 | Ensure snmp services are not in use | masked + path: /etc/systemd/system/snmpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.14 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.15.yml b/section_2/cis_2.1/cis_2.1.15.yml new file mode 100644 index 0000000..96c3fd9 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.15.yml 
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_15 }} + {{ if not .Vars.rhel9cis_telnet_server }} + {{ if not .Vars.rhel9cis_telnet_mask }} +package: + telnet_pkg: + title: 2.1.15 | Ensure telnet server services are not in use | pkg removed + name: telnet-server + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ if .Vars.rhel9cis_telnet_mask }} +file: + telnet_service_masked: + title: 2.1.15 | Ensure telnet server services are not in use | masked + path: /etc/systemd/system/telnetd-hpa.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + telnet_socket_masked: + title: 2.1.15 | Ensure telnet server services are not in use | masked + path: /etc/systemd/system/telnet.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.16.yml b/section_2/cis_2.1/cis_2.1.16.yml new file mode 100644 index 0000000..d62ea27 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.16.yml 
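Review bot: `telnet_service_masked` in `cis_2.1.15.yml` checks `/etc/systemd/system/telnetd-hpa.service`, a name that looks copied from the tftp file (`tftpd-hpa`) rather than anything the `telnet-server` package provides; on RHEL that package ships `telnet.socket` and a templated `telnet@.service`, so this symlink would not exist even on a correctly masked host and the check fails unconditionally. The `telnet_socket_masked` entry below already covers the socket, which is the unit that actually accepts connections. Confirm against the package file list and then drop the `telnet_service_masked` block, or point it at a unit the package really installs.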
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_16 }} + {{ if not .Vars.rhel9cis_tftp_server }} + {{ if not .Vars.rhel9cis_tftp_mask }} +package: + tftp_pkg: + title: 2.1.16 | Ensure tftp server services are not in use | pkg removed + name: tftpd-hpa + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_tftp_mask }} +file: + tftp_service_masked: + title: 2.1.16 | Ensure tftp server services are not in use | masked + path: /etc/systemd/system/tftpd-hpa.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + tftp_socket_masked: + title: 2.1.16 | Ensure tftp server services are not in use | masked + path: /etc/systemd/system/tftp.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.17.yml b/section_2/cis_2.1/cis_2.1.17.yml new file mode 100644 index 0000000..10951d6 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.17.yml 
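Review bot: `cis_2.1.16.yml` removes package `tftpd-hpa` and masks `tftpd-hpa.service`; those are the Debian/Ubuntu names, and a RHEL 9 host will never have that package, so `installed: false` passes trivially whether or not a TFTP server is present, and the service symlink check cannot match a RHEL unit. The RHEL package is presumably `tftp-server` with units `tftp.service` and `tftp.socket` (`tftp_socket_masked` already uses the latter). Confirm against the package file list and change `name: tftp-server` and `path: /etc/systemd/system/tftp.service`.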
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_17 }} + {{ if not .Vars.rhel9cis_squid_server }} + {{ if not .Vars.rhel9cis_squid_mask }} +package: + squid_pkg: + title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed + name: squid + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.17 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_squid_mask }} +file: + squid_service_masked: + title: 2.1.17 | Ensure web proxy server services are not in use | masked + path: /etc/systemd/system/squid.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.17 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.18_httpd.yml b/section_2/cis_2.1/cis_2.1.18_httpd.yml new file mode 100644 index 0000000..1896ae2 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.18_httpd.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_18 }} + {{ if not .Vars.rhel9cis_httpd_server }} + {{ if not .Vars.rhel9cis_httpd_mask }} +package: + httpd_pkg: + title: 2.1.18 | Ensure web server services are not in use | pkg removed + name: httpd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_httpd_mask }} +file: + httpd_service_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/httpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + httpd_socket_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/httpd.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.18_nginx.yml b/section_2/cis_2.1/cis_2.1.18_nginx.yml new file mode 100644 index 0000000..c73f78a --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.18_nginx.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_18 }} + {{ if not .Vars.rhel9cis_nginx_server }} + {{ if not .Vars.rhel9cis_nginx_mask }} +package: + nginx_pkg: + title: 2.1.18 | Ensure web server services are not in use | pkg removed + name: nginx + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_nginx_mask }} +file: + nginx_service_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/nginx.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.19.yml b/section_2/cis_2.1/cis_2.1.19.yml new file mode 100644 index 0000000..686d589 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.19.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_19 }} + {{ if not .Vars.rhel9cis_xinetd_server }} + {{ if not .Vars.rhel9cis_xinetd_mask }} +package: + xinetd_pkg: + title: 2.1.19 | Ensure xinetd services are not in use | pkg removed + name: xinetd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.19 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_xinetd_mask }} +file: + xinetd_service_masked: + title: 2.1.19 | Ensure xinetd services are not in use | masked + path: /etc/systemd/system/xinetd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.19 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.2.yml b/section_2/cis_2.1/cis_2.1.2.yml index d375ef2..d1253c9 100644 --- a/section_2/cis_2.1/cis_2.1.2.yml +++ b/section_2/cis_2.1/cis_2.1.2.yml 
@@ -1,37 +1,66 @@ -{{ if .Vars.rhel9cis_rule_2_1_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_2 }} + {{ if not .Vars.rhel9cis_avahi_server }} + {{ if not .Vars.rhel9cis_avahi_mask }} +package: + avahi_pkg: + title: 2.1.2 | Ensure avahi daemon services are not in use | pkg removed + name: avahi + installed: false + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-4 + {{ end }} + {{ if .Vars.rhel9cis_avahi_mask }} file: - chrony_servers_pools: - title: 2.1.2 | Ensure chrony is configured | server - path: /etc/chrony.conf + avahi_socket_masked: + title: 2.1.2 | Ensure avahi daemon services are not in use | masked + path: /etc/systemd/system/avahi-daemon.socket exists: true - contents: - - '/^(server|pool)\s.*/' - skip: false + filetype: symlink + linked-to: /dev/null meta: server: 1 - workstation: 1 + workstation: 2 CIS_ID: - 2.1.2 CISv8: - - 8.4 + - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - chrony_sysconfig: - title: 2.1.2 | Ensure chrony is configured | sysconfig - path: /etc/sysconfig/chronyd + NIST800-53R5: + - SI-4 + avahi_service_masked: + title: 2.1.2 | Ensure avahi daemon services are not in use | masked + path: /etc/systemd/system/avahi-daemon.service exists: true - contents: - - '/^OPTIONS="-u chrony"/' - skip: false + filetype: symlink + linked-to: /dev/null meta: server: 1 - workstation: 1 + workstation: 2 CIS_ID: - 2.1.2 CISv8: - - 8.4 + - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - SI-4 + {{ end }} + {{ end }} + {{ end }} {{ end }} diff --git a/section_2/cis_2.1/cis_2.1.20.yml b/section_2/cis_2.1/cis_2.1.20.yml new file mode 100644 index 0000000..a5fdaaa --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.20.yml 
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_20 }} + {{ if not .Vars.rhel9cis_xwindow_server }} +package: + xwindow_pkg: + title: 2.1.20 | Ensure X window server services are not in use | pkg removed + name: xorg-x11-server-common + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.20 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.21.yml b/section_2/cis_2.1/cis_2.1.21.yml new file mode 100644 index 0000000..e9c823d --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.21.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_is_mail_server }} + {{ if .Vars.rhel9cis_rule_2_1_21 }} +command: + mta_listening_port25: + title: 2.1.21 Ensure mail transfer agent is configured for local-only mode + exit-status: 1 + exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"' + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.21 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 +file: + /etc/postfix/main.conf: + title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode + exists: true + contents: + - '/^inet_interfaces\s*=\s*loopback-only/' + - '!/^inet_interfaces\s*=\s*all/' + - '!/^(?i)inet_interfaces\s*=\s*ipv4/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.21 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.22.yml b/section_2/cis_2.1/cis_2.1.22.yml new file mode 100644 index 0000000..a700b7f --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.22.yml 
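Review bot: The file check in `cis_2.1.21.yml` is keyed on `/etc/postfix/main.conf`, but Postfix reads its main configuration from `/etc/postfix/main.cf`; with `exists: true` on a path Postfix never creates, the check fails on every host regardless of `inet_interfaces`, and the wrong path was carried over unchanged from the deleted `cis_2.2.15.yml`. Change the key to `/etc/postfix/main.cf:` (or use a descriptive key plus `path: /etc/postfix/main.cf` as the other files in this commit do). The command title `2.1.21 Ensure mail transfer agent is configured for local-only mode` also lacks the ` | ` separator used everywhere else. It is worth confirming that `rhel9cis_is_mail_server` means "an MTA is installed" rather than "this host is a designated mail server", since the latter reading would skip the local-only check on exactly the hosts that run an MTA.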
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_22 }} +command: + manual_listening_ports: + title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required + exit-status: + or: + - 0 + - 1 + exec: echo "Manual!! - Please check only approved services are listening" + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.22 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.3.yml b/section_2/cis_2.1/cis_2.1.3.yml new file mode 100644 index 0000000..4a338c5 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.3.yml @@ -0,0 +1,66 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_3 }} + {{ if not .Vars.rhel9cis_dhcp_server }} + {{ if not .Vars.rhel9cis_dhcp_mask }} +package: + dhcp_pkg: + title: 2.1.3 | Ensure dhcp server services are not in use | pkg removed + name: dhcp-server + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_dhcp_mask }} +file: + dhcp_service_masked: + title: 2.1.3 | Ensure dhcp server services are not in use | masked + path: /etc/systemd/system/dhcpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + dhcp6_service_masked: + title: 2.1.3 | Ensure dhcp server services are not in use | masked + path: /etc/systemd/system/dhcpd6.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
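Review bot: `manual_listening_ports` in `cis_2.1.22.yml` runs `echo "Manual!! - Please check only approved services are listening"` and then asserts `stdout: ['!/./']`, i.e. that nothing was printed, so this check fails on every run. If that is the intent (surface the manual step as a failure in the report), say so in a comment above the resource, e.g. `# Deliberately fails: 2.1.22 is a manual review and the failure surfaces it in the report`; if not, drop the `stdout` assertion so the echo passes.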
diff --git a/section_2/cis_2.1/cis_2.1.4.yml b/section_2/cis_2.1/cis_2.1.4.yml new file mode 100644 index 0000000..d283ebe --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.4.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_4 }} + {{ if not .Vars.rhel9cis_dns_server }} + {{ if not .Vars.rhel9cis_dns_mask }} +package: + dns_pkg: + title: 2.1.4 | Ensure dns server services are not in use | pkg removed + name: named + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_dns_mask }} +file: + dns_service_masked: + title: 2.1.4 | Ensure dns server services are not in use | masked + path: /etc/systemd/system/named.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.5.yml b/section_2/cis_2.1/cis_2.1.5.yml new file mode 100644 index 0000000..9500c3f --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.5.yml 
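Review bot: `dns_pkg` in `cis_2.1.4.yml` removes a package called `named`; on RHEL 9 the BIND server package is presumably `bind` (`named` is the daemon and unit name, not the package), so `installed: false` here is vacuously true on every host and the rule never detects an installed DNS server. Confirm with the package list and change to `name: bind`; the `named.service` path in the mask branch looks right.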
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_5 }} + {{ if not .Vars.rhel9cis_dnsmasq_server }} + {{ if not .Vars.rhel9cis_dnsmasq_mask }} +package: + dnsmasq_pkg: + title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed + name: dnsmasq + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_dnsmasq_mask }} +file: + dnsmasq_service_masked: + title: 2.1.5 | Ensure dnsmasq server services are not in use | masked + path: /etc/systemd/system/dnsmasq.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.6.yml b/section_2/cis_2.1/cis_2.1.6.yml new file mode 100644 index 0000000..9593261 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.6.yml 
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_6 }} + {{ if not .Vars.rhel9cis_samba_server }} + {{ if not .Vars.rhel9cis_samba_mask }} +package: + samba_pkg: + title: 2.1.6 | Ensure samba file server services are not in use | pkg removed + name: samba + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_samba_mask }} +file: + samba_service_masked: + title: 2.1.6 | Ensure samba server services are not in use | masked + path: /etc/systemd/system/smb.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.7.yml b/section_2/cis_2.1/cis_2.1.7.yml new file mode 100644 index 0000000..8d6309e --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.7.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_7 }} + {{ if not .Vars.rhel9cis_ftp_server }} + {{ if not .Vars.rhel9cis_ftp_mask }} +package: + ftp_pkg: + title: 2.1.7 | Ensure ftp server services are not in use | pkg removed + name: vsftp + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_ftp_mask }} +file: + ftp_service_masked: + title: 2.1.7 | Ensure ftp server services are not in use | masked + path: /etc/systemd/system/vsftpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.7a.yml b/section_2/cis_2.1/cis_2.1.7a.yml new file mode 100644 index 0000000..fb375e6 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.7a.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_7 }} + {{ if not .Vars.rhel9cis_ldap_server }} + {{ if not .Vars.rhel9cis_ldap_mask }} +package: + ldap_pkg: + title: 2.1.7 | Ensure ldap server services are not in use | pkg removed + name: slapd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_ldap_mask }} +file: + ldap_service_masked: + title: 2.1.7 | Ensure ldap server services are not in use | masked + path: /etc/systemd/system/slapd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
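Review bot: `ftp_pkg` in `cis_2.1.7.yml` removes `vsftp`, but the mask branch below targets `vsftpd.service` and the RHEL package is `vsftpd`; with the wrong name `installed: false` is always true and an installed vsftpd server goes unreported. Change to `name: vsftpd`.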
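Review bot: `cis_2.1.7a.yml` gates the ldap checks on `rhel9cis_rule_2_1_7` and tags them `CIS_ID: 2.1.7`, the same toggle and ID that `cis_2.1.7.yml` uses for the ftp server, so the ldap check cannot be enabled or disabled on its own and its results are reported under the ftp rule's ID. If the targeted benchmark has no separate ldap item, give the file its own variable (for example `rhel9cis_rule_2_1_7a`, a constructed name, declared wherever the other `rhel9cis_rule_*` defaults live) and a distinct title so the two rules do not merge in the report.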
diff --git a/section_2/cis_2.1/cis_2.1.8.yml b/section_2/cis_2.1/cis_2.1.8.yml new file mode 100644 index 0000000..4f6febe --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.8.yml 
@@ -0,0 +1,100 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_8 }} + {{ if not .Vars.rhel9cis_message_server }} + {{ if not .Vars.rhel9cis_message_mask }} +package: + dovecot_pkg: + title: 2.1.8 | Ensure message access server services are not in use | pkg removed + name: dovecot + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + cyrus_impad_pkg: + title: 2.1.8 | Ensure message access server services are not in use | pkg removed + name: cyrus-impad + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_message_mask }} +file: + dovecot_service_masked: + title: 2.1.8 | Ensure message access server services are not in use | masked + path: /etc/systemd/system/dovecot.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + cyrus_imapd_masked: + title: 2.1.8 | Ensure message access server services are not in use | masked + path: /etc/systemd/system/cyrus-imapd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + dovecot_socket_masked: + title: 2.1.8 | Ensure message access server services are not in use | masked + path: /etc/systemd/system/dovecot.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
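Review bot: `cyrus_impad_pkg` in `cis_2.1.8.yml` removes package `cyrus-impad`, a transposition of `cyrus-imapd`; the mask branch below correctly uses `cyrus-imapd.service`. No package by the misspelt name exists, so `installed: false` is vacuously true and an installed Cyrus IMAP server passes the rule. Change to `cyrus_imapd_pkg:` / `name: cyrus-imapd`.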
diff --git a/section_2/cis_2.1/cis_2.1.9.yml b/section_2/cis_2.1/cis_2.1.9.yml new file mode 100644 index 0000000..0b96490 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.9.yml @@ -0,0 +1,50 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_1_9 }} + {{ if not .Vars.rhel9cis_nfs_server }} + {{ if not .Vars.rhel9cis_nfs_mask }} +package: + nfs_pkg: + title: 2.1.9 | Ensure network file system services are not in use | pkg removed + name: nfs-utils + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_nfs_mask }} +file: + nfs_service_masked: + title: 2.1.9 | Ensure network file system services are not in use | masked + path: /etc/systemd/system/nfs-server.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.1.yml b/section_2/cis_2.2/cis_2.2.1.yml index 941d6e4..decea3a 100644 --- a/section_2/cis_2.2/cis_2.2.1.yml +++ b/section_2/cis_2.2/cis_2.2.1.yml @@ -1,12 +1,16 @@ -{{ if not .Vars.rhel9cis_gui }} - {{ if .Vars.rhel9cis_rule_2_2_1 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if not .Vars.rhel9cis_ftp_client }} + {{ if .Vars.rhel9cis_rule_2_2_1 }} package: - xorg-x11-server-common: - title: 2.2.1 | Ensure X11 Server components are not installed + ftp: + title: 2.2.1 | Ensure ftp client is not installed installed: false + name: ftp meta: server: 1 - workstation: NA + workstation: 1 CIS_ID: - 2.2.1 CISv8: @@ -14,5 +18,8 @@ package: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} 
diff --git a/section_2/cis_2.2/cis_2.2.10.yml b/section_2/cis_2.2/cis_2.2.10.yml deleted file mode 100644 index 5335474..0000000 --- a/section_2/cis_2.2/cis_2.2.10.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_samba_server}} - {{ if .Vars.rhel9cis_rule_2_2_10 }} -package: - samba: - title: 2.2.10 | Ensure Samba is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.10 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.11.yml b/section_2/cis_2.2/cis_2.2.11.yml deleted file mode 100644 index a2a3ffe..0000000 --- a/section_2/cis_2.2/cis_2.2.11.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_squid_server }} - {{ if .Vars.rhel9cis_rule_2_2_11 }} -package: - squid: - title: 2.2.11 | Ensure HTTP proxy Server is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.11 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.12.yml b/section_2/cis_2.2/cis_2.2.12.yml deleted file mode 100644 index 15f5ab1..0000000 --- a/section_2/cis_2.2/cis_2.2.12.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_snmp_server}} - {{ if .Vars.rhel9cis_rule_2_2_12 }} -package: - snmpd: - title: 2.2.12 | Ensure net-smp Server is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.12 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.13.yml b/section_2/cis_2.2/cis_2.2.13.yml deleted file mode 100644 index 2043fea..0000000 --- a/section_2/cis_2.2/cis_2.2.13.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_telnet_server }} - {{ if .Vars.rhel9cis_rule_2_2_13 }} -package: - telnet-server: - title: 2.2.13 | Ensure telnet-server is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.13 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.14.yml b/section_2/cis_2.2/cis_2.2.14.yml deleted file mode 100644 index bcccdf8..0000000 --- a/section_2/cis_2.2/cis_2.2.14.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_dnsmasq_server }} - {{ if .Vars.rhel9cis_rule_2_2_14 }} -package: - dnsmasq: - title: 2.2.14 | Ensure dnsmasq is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.14 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.15.yml b/section_2/cis_2.2/cis_2.2.15.yml deleted file mode 100644 index 894d459..0000000 --- a/section_2/cis_2.2/cis_2.2.15.yml +++ /dev/null @@ -1,39 +0,0 @@ -{{ if .Vars.rhel9cis_is_mail_server }} - {{ if .Vars.rhel9cis_rule_2_2_15 }} -command: - mta_installed: - title: 2.2.15 Ensure mail transfer agent is configured for local-only mode - exit-status: 1 - exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"' - stdout: ['!/./'] - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.15 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -file: - postfix_local: - title: 2.2.15 | Ensure mail transfer agent is configured for local-only mode - path: /etc/postfix/main.conf - exists: true - contents: - - '/^inet_interfaces = loopback-only/' - - '!/^inet_interfaces = all/' - - '!/^inet_interfaces = [iI][pP][vV]4/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.15 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} 
diff --git a/section_2/cis_2.2/cis_2.2.16.yml b/section_2/cis_2.2/cis_2.2.16.yml deleted file mode 100644 index 5b51c0d..0000000 --- a/section_2/cis_2.2/cis_2.2.16.yml +++ /dev/null @@ -1,39 +0,0 @@ -{{ if .Vars.rhel9cis_rule_2_2_16 }} - {{ if not .Vars.rhel9cis_use_nfs_server }} - {{ if not .Vars.rhel9cis_use_nfs_service }} -package: - nfs-utils: - title: 2.2.16 | Ensure nfs-utils is not installed or the nfs-server service is masked - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.16 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if .Vars.rhel9cis_use_nfs_service }} -command: - nfs_masked: - title: 2.2.16 | Ensure nfs-utils is not installed or the nfs-server service is masked - exec: systemctl is-enabled nfs-server - exit-status: 0 - stdout: - - '/^masked/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.16 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.17.yml b/section_2/cis_2.2/cis_2.2.17.yml deleted file mode 100644 index 8f19a95..0000000 --- a/section_2/cis_2.2/cis_2.2.17.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{ if .Vars.rhel9cis_rule_2_2_17 }} - {{ if not .Vars.rhel9cis_use_rpc_server }} - {{ if not .Vars.rhel9cis_use_rpc_service }} -package: - rpcbind: - title: 2.2.17 | Ensure rpcbind is not installed or the rpcbind services are masked - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.17 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if .Vars.rhel9cis_use_rpc_service }} -command: - rpc_masked: - title: 2.2.17 | Ensure rpcbind is not installed or the rpcbind services are masked | rpc_masked - exec: systemctl is-enabled rpcbind - exit-status: 0 - stdout: - - '/^masked/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.17 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - rpc_socket_masked: - title: 2.2.17 | Ensure rpcbind is not installed or the rpcbind services are masked | rpc_socket_masked - exec: systemctl is-enabled rpcbind.socket - exit-status: 0 - stdout: - - '/^masked/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.17 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.18.yml b/section_2/cis_2.2/cis_2.2.18.yml deleted file mode 100644 index 23dad00..0000000 --- a/section_2/cis_2.2/cis_2.2.18.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ if .Vars.rhel9cis_rule_2_2_18 }} - {{ if not .Vars.rhel9cis_use_rsync_server }} - {{ if not .Vars.rhel9cis_use_rsync_service }} -package: - rsync: - title: 2.2.19 Ensure rsync is not installed or the rsyncd service is masked - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.19 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if .Vars.rhel9cis_use_rsync_service }} -command: - rsyncd masked: - title: 2.2.19 Ensure rsync is not installed or the rsyncd service is masked - exit-status: 1 - exec: systemctl is-enabled rsyncd - stdout: - - '/^masked/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.19 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.2.yml b/section_2/cis_2.2/cis_2.2.2.yml index b440945..68c07c4 100644 --- a/section_2/cis_2.2/cis_2.2.2.yml +++ b/section_2/cis_2.2/cis_2.2.2.yml @@ -1,24 +1,14 @@ -{{ if not .Vars.rhel9cis_avahi_server }} - {{ if .Vars.rhel9cis_rule_2_2_2 }} +--- +{{ if .Vars.rhel9cis_level_2 }} + {{ if not .Vars.rhel9cis_openldap_clients_required }} + {{ if .Vars.rhel9cis_rule_2_2_2 }} package: - avahi: - title: 2.2.2 | Ensure Avahi Server is not installed | avahi pkg + openldap-clients: + title: 2.2.2 | Ensure LDAP client is not installed installed: false + name: openldap-clients meta: - server: 1 - workstation: 2 - CIS_ID: - - 2.2.2 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - avahi-autoipd: - title: 2.2.2 | Ensure Avahi Server is not installed | autoipd pkg - installed: false - meta: - server: 1 + server: 2 workstation: 2 CIS_ID: - 2.2.2 @@ -27,5 +17,8 @@ package: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} diff --git a/section_2/cis_2.2/cis_2.2.3.yml b/section_2/cis_2.2/cis_2.2.3.yml index aba094c..be60136 100644 --- a/section_2/cis_2.2/cis_2.2.3.yml 
+++ b/section_2/cis_2.2/cis_2.2.3.yml @@ -1,12 +1,16 @@ -{{ if not .Vars.rhel9cis_cups_server }} - {{ if .Vars.rhel9cis_rule_2_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if not .Vars.rhel9cis_ypbind_required }} + {{ if .Vars.rhel9cis_rule_2_2_3 }} package: - cups: - title: 2.2.3 | Ensure CUPS is not installed + nis_client: + title: 2.2.3 | Ensure nis client is not installed installed: false + name: ypbind meta: server: 1 - workstation: NA + workstation: 1 CIS_ID: - 2.2.3 CISv8: @@ -14,5 +18,8 @@ package: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} diff --git a/section_2/cis_2.2/cis_2.2.4.yml b/section_2/cis_2.2/cis_2.2.4.yml index 1f40823..3a4d774 100644 --- a/section_2/cis_2.2/cis_2.2.4.yml +++ b/section_2/cis_2.2/cis_2.2.4.yml @@ -1,12 +1,16 @@ -{{ if not .Vars.rhel9cis_dhcp_server }} - {{ if .Vars.rhel9cis_rule_2_2_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if not .Vars.rhel9cis_telnet_required }} + {{ if .Vars.rhel9cis_rule_2_2_4 }} package: - dhcp-server: - title: 2.2.4 | Ensure DHCP Server is not installed + telnet_client: + title: 2.2.4 | Ensure telnet client is not installed installed: false + name: telnet meta: server: 1 - workstation: 1 + workstation: NA CIS_ID: - 2.2.4 CISv8: @@ -14,5 +18,8 @@ package: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} diff --git a/section_2/cis_2.2/cis_2.2.5.yml b/section_2/cis_2.2/cis_2.2.5.yml index 4d9681c..8f9044b 100644 --- a/section_2/cis_2.2/cis_2.2.5.yml +++ b/section_2/cis_2.2/cis_2.2.5.yml 
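Review bot: `workstation: NA` on the new telnet_client entry in cis_2.2.4.yml differs from the telnet entry this change deletes from cis_2.3.1_4.yml, which carried `workstation: 1`; tftp_client in cis_2.2.5.yml repeats NA while ftp in cis_2.2.1.yml moved the other way, from NA to 1. If the meta block decides which profile a host is assessed against, the telnet-client check would silently be skipped on workstations. My recollection is that the benchmark lists the telnet client item for both server and workstation at Level 1 — confirm against the benchmark text before settling on `workstation: 1` or NA.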
@@ -1,12 +1,16 @@ -{{ if not .Vars.rhel9cis_dns_server }} - {{ if .Vars.rhel9cis_rule_2_2_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if not .Vars.rhel9cis_tftp_client }} + {{ if .Vars.rhel9cis_rule_2_2_5 }} package: - bind: - title: 2.2.5 | Ensure DNS Server is not installed + tftp_client: + title: 2.2.5 | Ensure tftp client is not installed installed: false + name: tftp meta: server: 1 - workstation: 1 + workstation: NA CIS_ID: - 2.2.5 CISv8: @@ -14,5 +18,8 @@ package: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} diff --git a/section_2/cis_2.2/cis_2.2.6.yml b/section_2/cis_2.2/cis_2.2.6.yml deleted file mode 100644 index fe5fd6d..0000000 --- a/section_2/cis_2.2/cis_2.2.6.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_vsftpd_server}} - {{ if .Vars.rhel9cis_rule_2_2_6 }} -package: - vsftp: - title: 2.2.6 | Ensure VSFTP Server is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.6 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.7.yml b/section_2/cis_2.2/cis_2.2.7.yml deleted file mode 100644 index 9119fa3..0000000 --- a/section_2/cis_2.2/cis_2.2.7.yml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if not .Vars.rhel9cis_tftp_server }} - {{ if .Vars.rhel9cis_rule_2_2_7 }} -package: - tftp-server: - title: 2.2.7 | Ensure TFTP Server is not installed - installed: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.7 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.8.yml b/section_2/cis_2.2/cis_2.2.8.yml deleted file mode 100644 index a94a58e..0000000 --- a/section_2/cis_2.2/cis_2.2.8.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if not .Vars.rhel9cis_httpd_server}} - {{ if .Vars.rhel9cis_rule_2_2_8 }} -service: - httpd: - title: 2.2.8 | Ensure a web server is not installed | httpd - running: false - enabled: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.8 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - nginx: - title: 2.2.8 | Ensure a web server is not installed | nginx - running: false - enabled: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.8 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.9.yml b/section_2/cis_2.2/cis_2.2.9.yml deleted file mode 100644 index 3bee6df..0000000 --- a/section_2/cis_2.2/cis_2.2.9.yml +++ /dev/null @@ -1,35 +0,0 @@ -{{ if .Vars.rhel9cis_rule_2_2_9 }} - {{ if not .Vars.rhel9cis_dovecot_server }} -service: - dovecot: - title: 2.2.9 | Ensure IMAP and POP3 Server is not installed | dovecot - running: false - enabled: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.9 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ if not .Vars.rhel9cis_imap_server }} - cyrus-imapd: - title: 2.2.9 | Ensure IMAP and POP3 Server is not installed | imapd - running: false - enabled: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.2.9 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.1.yml b/section_2/cis_2.3/cis_2.3.1.yml new file mode 100644 index 0000000..efdf0d3 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.1.yml 
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_3_1 }} +package: + chrony_installed: + title: 2.3.1 | Ensure time synchronization is in use + installed: true + name: chrony + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.1_4.yml b/section_2/cis_2.3/cis_2.3.1_4.yml deleted file mode 100644 index 465039d..0000000 --- a/section_2/cis_2.3/cis_2.3.1_4.yml +++ /dev/null @@ -1,73 +0,0 @@ -package: - {{ if not .Vars.rhel9cis_telnet_required }} - {{ if .Vars.rhel9cis_rule_2_3_1 }} - telnet: - title: 2.3.1 | Ensure telnet client is not installed - installed: false - name: telnet - meta: - server: 1 - workstation: 1 - CIS_ID: - - 2.3.1 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if not .Vars.rhel9cis_openldap_clients_required }} - {{ if .Vars.rhel9cis_rule_2_3_2 }} - openldap-clients: - title: 2.3.2 | Ensure LDAP client is not installed - installed: false - name: openldap-clients - meta: - server: 1 - workstation: NA - CIS_ID: - - 2.3.2 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if not .Vars.rhel9cis_tftp_client }} - {{ if .Vars.rhel9cis_rule_2_3_3 }} - tftp: - title: 2.3.3 | Ensure TFTP client is not installed - installed: false - name: tftp - meta: - server: 1 - workstation: NA - CIS_ID: - - 2.3.3 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} - {{ if not .Vars.rhel9cis_ftp_client }} - {{ if .Vars.rhel9cis_rule_2_3_4 }} - ftp: - title: 2.3.4 | Ensure FTP client is not installed - installed: false - name: ftp - meta: - server: 1 - workstation: NA - CIS_ID: - - 2.3.4 - CISv8: - - 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} 
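Review bot: `CIS_ID:` / `- 2.1.1` on chrony_installed in cis_2.3.1.yml disagrees with the title and the rule variable, which are both 2.3.1; it reads like a copy-and-paste remnant. Any report keyed on CIS_ID would file this result under a different control. Change the list entry to `- 2.3.1`.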
diff --git a/section_2/cis_2.3/cis_2.3.2.yml b/section_2/cis_2.3/cis_2.3.2.yml new file mode 100644 index 0000000..fe444d5 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_3_2 }} +file: + chrony_servers_pools: + title: 2.3.2 | Ensure chrony is configured | server + path: /etc/chrony.conf + exists: true + contents: + - '/^(server|pool)\s.*/' + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.3.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.yml b/section_2/cis_2.3/cis_2.3.3.yml new file mode 100644 index 0000000..cd393ae --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_3_3 }} +file: + chrony_sysconfig: + title: 2.3.3 | Ensure chrony is not run as the root user | sysconfig + path: /etc/sysconfig/chronyd + exists: true + contents: + - '/^OPTIONS=".*-u chrony.*"/' + - '!/^OPTIONS="".*-u root.*"/' + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.3.3 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.1.yml b/section_2/cis_2.4/cis_2.4.1.1.yml new file mode 100644 index 0000000..dfea2f7 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.1.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_4_1_1 }} +service: + crond: + title: 2.4.1.1 | Ensure cron daemon is enabled and active + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} 
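Review bot: The negative pattern `'!/^OPTIONS="".*-u root.*"/'` in cis_2.3.3.yml has a doubled quote after `OPTIONS=`, so it only matches a line that literally begins `OPTIONS=""`; a line such as `OPTIONS="-u root"` never matches and the "not run as root" guard is inert. The intended expression is `'!/^OPTIONS=".*-u root.*"/'`. This file also carries no NIST800-53R5 list while its siblings cis_2.3.1.yml and cis_2.3.2.yml do — confirm whether that omission is intentional.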
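Review bot: `CISv8: 4.1` on crond in cis_2.4.1.1.yml is a plain scalar, whereas the other new files in this change write the control as a list (`CISv8:` / `- 4.8`); the new cron/at files cis_2.4.1.2.yml, cis_2.4.1.8.yml and cis_2.4.2.1.yml use the scalar form as well. A consumer that iterates the value gets a single number here and a list elsewhere, and a plain 4.1 is read as a float rather than a string by most YAML loaders. Writing `CISv8:` followed by `- "4.1"` keeps shape and type uniform — hedged, since the consumer of the meta block is not visible here.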
diff --git a/section_2/cis_2.4/cis_2.4.1.2.yml b/section_2/cis_2.4/cis_2.4.1.2.yml new file mode 100644 index 0000000..9c7b2e1 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_4_1_2 }} +file: + crontab_perms: + title: 2.4.1.2 | Ensure permissions on /etc/crontab are configured + path: /etc/crontab + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.3_7.yml b/section_2/cis_2.4/cis_2.4.1.3_7.yml similarity index 59% rename from section_5/cis_5.1/cis_5.1.3_7.yml rename to section_2/cis_2.4/cis_2.4.1.3_7.yml index a649f23..e3e032b 100644 --- a/section_5/cis_5.1/cis_5.1.3_7.yml +++ b/section_2/cis_2.4/cis_2.4.1.3_7.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_1_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_4_1_3 }} file: cron_hourly_perms: - title: 5.1.3 | Ensure permissions on /etc/cron.hourly are configured + title: 2.4.1.3 | Ensure permissions on /etc/cron.hourly are configured path: /etc/cron.hourly exists: true owner: root @@ -11,15 +14,18 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.1.3 + - 2.4.1.3 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 {{ end }} -{{ if .Vars.rhel9cis_rule_5_1_4 }} +{{ if .Vars.rhel9cis_rule_2_4_1_4 }} cron_daily_perms: - title: 5.1.4 | Ensure permissions on /etc/cron.daily are configured + title: 2.4.1.4 | Ensure permissions on /etc/cron.daily are configured path: /etc/cron.daily exists: true owner: root 
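Review bot: In cis_2.4.1.3_7.yml the `file:` key is emitted inside `{{ if .Vars.rhel9cis_rule_2_4_1_3 }}`, while the cron_daily_perms through crond_perms entries that follow are gated by their own rule variables; with rule 2.4.1.3 off and any of 2.4.1.4–2.4.1.7 on, the rendered document starts with an indented `cron_daily_perms:` mapping and no `file:` parent, which goss will not recognise as a file check. This predates the rename, but the new level gate is the natural place to fix it: emit `file:` directly under `{{ if .Vars.rhel9cis_level_1 }}` and open the rule conditional below it, i.e. `{{ if .Vars.rhel9cis_level_1 }}` / `file:` / `  {{ if .Vars.rhel9cis_rule_2_4_1_3 }}`. The file's remaining hunks are on the next line of this listing; the per-rule `{{ if }}` lines there are flush-left although they now sit inside the level gate, which is worth aligning at the same time.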
@@ -29,15 +35,18 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.1.4 + - 2.4.1.4 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 {{ end }} -{{ if .Vars.rhel9cis_rule_5_1_5 }} +{{ if .Vars.rhel9cis_rule_2_4_1_5 }} cron_weekly_perms: - title: 5.1.5 | Ensure permissions on /etc/cron.weekly are configured + title: 2.4.1.5 | Ensure permissions on /etc/cron.weekly are configured path: /etc/cron.weekly exists: true owner: root @@ -47,15 +56,18 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.1.5 + - 2.4.1.5 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 {{ end }} -{{ if .Vars.rhel9cis_rule_5_1_6 }} +{{ if .Vars.rhel9cis_rule_2_4_1_6 }} cron_month_perms: - title: 5.1.6 | Ensure permissions on /etc/cron.monthly are configured + title: 2.4.1.6 | Ensure permissions on /etc/cron.monthly are configured path: /etc/cron.monthly exists: true owner: root @@ -65,15 +77,18 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.1.6 + - 2.4.1.6 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 {{ end }} -{{ if .Vars.rhel9cis_rule_5_1_7 }} +{{ if .Vars.rhel9cis_rule_2_4_1_7 }} crond_perms: - title: 5.1.7 | Ensure permissions on /etc/cron.d are configured + title: 2.4.1.7 | Ensure permissions on /etc/cron.d are configured path: /etc/cron.d exists: true owner: root @@ -83,9 +98,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.1.7 + - 2.4.1.7 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.8.yml b/section_2/cis_2.4/cis_2.4.1.8.yml new file mode 100644 index 0000000..f4dd3b8 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.8.yml 
@@ -0,0 +1,42 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_4_1_8 }} +file: + cron_deny_users: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + path: /etc/cron.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + cron_allow_users: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + path: /etc/cron.allow + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.2.1.yml b/section_2/cis_2.4/cis_2.4.2.1.yml new file mode 100644 index 0000000..3eac553 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.2.1.yml @@ -0,0 +1,42 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_2_4_2_1 }} +file: + at_deny_users: + title: 2.4.2.1 | Ensure at is restricted to authorized users + path: /etc/at.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + at_allow_users: + title: 2.4.2.1| Ensure at is restricted to authorized users + path: /etc/at.allow + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml index 8e596ac..6b635ae 100644 --- a/section_3/cis_3.1/cis_3.1.1.yml +++ b/section_3/cis_3.1/cis_3.1.1.yml 
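Review bot: `mode: "0600"` on cron_allow_users in cis_2.4.1.8.yml (and at_allow_users in cis_2.4.2.1.yml) is, as far as I know, an exact comparison in goss, so a file at 0640 or 0400 fails even though it is at least as restrictive. My recollection is that the benchmark words this item as 0640 or more restrictive; if that is right, the check rejects compliant hosts. Confirm the required mode against the benchmark text and, if a ceiling rather than a single value is intended, consider a `command:` check that evaluates the permission bits instead of one literal mode.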
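Review bot: The title on at_allow_users in cis_2.4.2.1.yml reads `2.4.2.1| Ensure …` with no space before the pipe, unlike the sibling at_deny_users entry and every other title in this change. Tooling that splits titles on ` | ` will treat this one differently. Change it to `title: 2.4.2.1 | Ensure at is restricted to authorized users`.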
@@ -1,4 +1,7 @@ -{{ if .Vars.rhel9cis_rule_3_1_1 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_1_1 }} command: {{ if not .Vars.rhel9cis_ipv6_required }} default_grub_ipv6: @@ -17,6 +20,8 @@ command: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 sysctl_ipv6_disable: title: 3.1.1 | Ensure IPv6 status is identified exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/* @@ -36,6 +41,8 @@ command: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 {{ end }} {{ if .Vars.rhel9cis_ipv6_required }} default_grub_ipv6: @@ -54,6 +61,8 @@ command: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 sysctl_ipv6_disable: title: 3.1.1 | Ensure IPv6 status is identified exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/* @@ -73,5 +82,8 @@ command: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} {{ end }} diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml index 2128063..b611f87 100644 --- a/section_3/cis_3.1/cis_3.1.2.yml +++ b/section_3/cis_3.1/cis_3.1.2.yml @@ -1,4 +1,7 @@ -{{ if .Vars.rhel9cis_rule_3_1_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_1_2 }} command: wireless_disabled: title: 3.1.2 | Ensure wireless interfaces are disabled @@ -15,4 +18,7 @@ command: CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} {{ end }} diff --git a/section_3/cis_3.1/cis_3.1.3.yml b/section_3/cis_3.1/cis_3.1.3.yml index 5272b6c..910c1e3 100644 --- a/section_3/cis_3.1/cis_3.1.3.yml +++ b/section_3/cis_3.1/cis_3.1.3.yml 
@@ -1,34 +1,48 @@ -{{ if .Vars.rhel9cis_level_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} {{ if .Vars.rhel9cis_rule_3_1_3 }} -command: - modprobe_tipc: - title: 3.1.3 | Ensure TIPC is disabled - exit-status: 0 - exec: 'modprobe -n -v tipc' - stdout: ['install /bin/true'] + {{ if not .Vars.rhel9cis_bluetooth_server }} + {{ if not .Vars.rhel9cis_bluetooth_mask }} +package: + bluetooth_pkg: + title: 3.1.3 | Ensure bluetooth services are not in use | pkg removed + name: bluez + installed: false meta: - server: 2 + server: 1 workstation: 2 CIS_ID: - 3.1.3 - CISv8: 4.8 + CISv8: + - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - blacklist_tipc: - title: 3.1.3 | Ensure TIPC is disabled - exit-status: 0 - exec: grep tipc /etc/modprobe.d/blacklist.conf - stdout: - - '/^blacklist tipc/' + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.rhel9cis_bluetooth_mask }} +file: + bluetooth_service_masked: + title: 3.1.3 | Ensure bluetooth server services are not in use | masked + path: /etc/systemd/system/bluetooth.service + exists: true + filetype: symlink + linked-to: /dev/null meta: - server: 2 + server: 1 workstation: 2 CIS_ID: - 3.1.3 - CISv8: 4.8 + CISv8: + - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} {{ end }} {{ end }} diff --git a/section_3/cis_3.2/cis_3.2.1.yml b/section_3/cis_3.2/cis_3.2.1.yml index 51c07dd..0ae799f 100644 --- a/section_3/cis_3.2/cis_3.2.1.yml +++ b/section_3/cis_3.2/cis_3.2.1.yml 
@@ -1,64 +1,45 @@ -{{ if not .Vars.rhel9cis_is_router }} +--- + +{{ if .Vars.rhel9cis_level_2 }} {{ if .Vars.rhel9cis_rule_3_2_1 }} -kernel-param: - net.ipv4.ip_forward: - title: 3.2.1 | Ensure IP forwarding is disabled | ipv4 live - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.2.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ if .Vars.rhel9cis_ipv6_required }} - net.ipv6.conf.all.forwarding: - title: 3.2.1 | Ensure IP forwarding is disabled | ipv6 live - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.2.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true command: - ip4_forward_conf: - title: 3.2.1 | Ensure IP forwarding is disabled | ipv4 conf - exec: grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* + modprobe_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | DCCP config exit-status: 0 + exec: 'modprobe -n -v dccp' stdout: - - '/.*:net.ipv4.ip_forward( |)=( |)0/' - - '!/.*:net.ipv4.ip_forward( |)=( |)1/' + - '/install /bin/(true|false)/' meta: - server: 1 - workstation: 1 + server: 2 + workstation: 2 CIS_ID: - 3.2.1 - CISv8: 4.1 - CISv8_IG1: true + CISv8: + - 4.8 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - ip6_forward_conf: - title: 3.2.1 | Ensure IP forwarding is disabled | ipv6 conf - exec: grep net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | running dccp + exit-status: 1 + exec: lsmod | grep -i dccp stdout: - - '/.*:net.ipv6.conf.all.forwarding( |)=( |)0/' - - '!/.*:net.ipv6.conf.all.forwarding( |)=( |)1/' + - '!/^.*/' meta: - server: 1 - workstation: 1 + server: 2 + workstation: 2 CIS_ID: - 3.2.1 - CISv8: 4.1 - CISv8_IG1: true + CISv8: + - 4.8 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - {{ end }} + NIST800-53R5: + - CM-7 + - SI-4 {{ end }} {{ end }} 
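Review bot: `exit-status: 0` on modprobe_dccp in cis_3.2.1.yml disagrees with the otherwise identical probes in cis_3.2.2.yml (tipc) and cis_3.2.3.yml (rds), which accept `or:` 0 and 1, while cis_3.2.4.yml (sctp) is strict again; `modprobe -n -v` exits non-zero when the module is not present in the module tree at all, so the four files will disagree on a host where the module was never built. Decide once which outcome counts as compliant for an absent module and use the same exit-status block in all four files; note that with the current `'/install /bin/(true|false)/'` stdout match an absent module fails regardless of exit status, since modprobe reports the missing module on stderr, I believe. Separately, cis_3.3.1.yml in this change (its hunk runs past the end of this view) also gates on `rhel9cis_rule_3_2_1` and labels its IP-forwarding checks with CIS_ID 3.2.1, so that one variable now toggles two unrelated controls; the file name suggests rule 3.3.1 was intended there.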
diff --git a/section_3/cis_3.2/cis_3.2.2.yml b/section_3/cis_3.2/cis_3.2.2.yml index 7f4c7f2..2f7e886 100644 --- a/section_3/cis_3.2/cis_3.2.2.yml +++ b/section_3/cis_3.2/cis_3.2.2.yml 
@@ -1,60 +1,48 @@ -{{ if .Vars.rhel9cis_rule_3_2_2 }} -kernel-param: - net.ipv4.conf.all.send_redirects: - title: 3.2.2 | Ensure packet redirect sending is disabled | live - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.2.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv4.conf.default.send_redirects: - title: 3.2.2 | Ensure packet redirect sending is disabled | live - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.2.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_2_2 }} command: - ip4_all_send_redirects: - title: 3.2.2 | Ensure packet redirect sending is disabled | all_send_redirects conf - exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 + modprobe_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | tipc config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v tipc' stdout: - - '/.*:net.ipv4.conf.all.send_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.all.send_redirects( |)=( |)1/' + - '/install /bin/(true|false)/' meta: - server: 1 - workstation: 1 + server: 2 + workstation: 2 CIS_ID: - 3.2.2 - CISv8: 4.1 - CISv8_IG1: true + CISv8: + - 4.8 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - ip4_default_send_redirects: - title: 3.2.2 | Ensure packet redirect sending is disabled | default_send_redirects conf - exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | running tipc + exit-status: 1 + exec: lsmod | grep -i tipc stdout: - - '/.*:net.ipv4.conf.default.send_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.default.send_redirects( |)=( |)1/' + - '!/^.*/' meta: - server: 1 - workstation: 1 + server: 2 + workstation: 2 CIS_ID: - 3.2.2 - CISv8: 4.1 - CISv8_IG1: true + CISv8: + - 4.8 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + 
NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} {{ end }} diff --git a/section_3/cis_3.2/cis_3.2.3.yml b/section_3/cis_3.2/cis_3.2.3.yml new file mode 100644 index 0000000..96349ef --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.3.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_2_3 }} +command: + modprobe_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | rds config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v rds' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | running rds + exit-status: 1 + exec: lsmod | grep -i rds + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.4.yml b/section_3/cis_3.2/cis_3.2.4.yml new file mode 100644 index 0000000..dae3c7a --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.4.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_2_4 }} +command: + modprobe_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | sctp config + exit-status: 0 + exec: 'modprobe -n -v sctp' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | running sctp + exit-status: 1 + exec: lsmod | grep -i sctp + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} 
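Review bot: The resource names `modprobe_TIPC` / `lsmod_TIPC` in cis_3.2.2.yml and `modprobe_RDS` / `lsmod_RDS` in cis_3.2.3.yml are upper-case, while cis_3.2.1.yml and cis_3.2.4.yml use `modprobe_dccp` / `modprobe_sctp`; goss prints these names in its output, so the mixed convention shows up in reports. Lower-case them (`modprobe_tipc`, `lsmod_tipc`, `modprobe_rds`, `lsmod_rds`) to match the other two files. The tipc hunk begins on the previous line of this listing.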
diff --git a/section_3/cis_3.3/cis_3.3.1.yml b/section_3/cis_3.3/cis_3.3.1.yml index cae1945..97291aa 100644 --- a/section_3/cis_3.3/cis_3.3.1.yml +++ b/section_3/cis_3.3/cis_3.3.1.yml 
@@ -1,116 +1,91 @@ -{{ if .Vars.rhel9cis_rule_3_3_1 }} +--- +{{ if .Vars.rhel9cis_level_1 }} + {{ if not .Vars.rhel9cis_is_router }} + {{ if .Vars.rhel9cis_rule_3_2_1 }} kernel-param: - net.ipv4.conf.all.accept_source_route: - title: 3.3.1 | Ensure source routed packets are not accepted + net.ipv4.ip_forward: + title: 3.2.1 | Ensure IP forwarding is disabled | ipv4 live value: '0' meta: server: 1 workstation: 1 CIS_ID: - - 3.3.1 + - 3.2.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true - net.ipv4.conf.default.accept_source_route: - title: 3.3.1 | Ensure source routed packets are not accepted + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ if .Vars.rhel9cis_ipv6_required }} + net.ipv6.conf.all.forwarding: + title: 3.2.1 | Ensure IP forwarding is disabled | ipv6 live value: '0' meta: server: 1 workstation: 1 CIS_ID: - - 3.3.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv6.conf.all.accept_source_route: - title: 3.3.1 | Ensure source routed packets are not accepted - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv6.conf.default.accept_source_route: - title: 3.3.1 | Ensure source routed packets are not accepted - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.1 + - 3.2.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_all_source_routed: - title: 3.3.1 | Ensure source routed packets are not accepted | live ipv4 all - exec: grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* + ip4_forward_conf: + title: 3.2.1 | Ensure IP forwarding is disabled | ipv4 conf + exec: grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - 
'/.*:net.ipv4.conf.all.accept_source_route( |)=( |)0/' - - '!/.*:net.ipv4.conf.all.accept_source_route( |)=( |)1/' + - '/.*:net.ipv4.ip_forward( |)=( |)0/' + - '!/.*:net.ipv4.ip_forward( |)=( |)1/' meta: server: 1 workstation: 1 CIS_ID: - - 3.3.1 + - 3.2.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true - ipv4_default_source_routed: - title: 3.3.1 | Ensure source routed packets are not accepted | live ipv4 default - exec: grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ip6_forward_conf: + title: 3.2.1 | Ensure IP forwarding is disabled | ipv6 conf + exec: grep net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.conf.default.accept_source_route( |)=( |)0/' - - '!/.*:net.ipv4.conf.default.accept_source_route( |)=( |)1/' + - '/.*:net.ipv6.conf.all.forwarding( |)=( |)0/' + - '!/.*:net.ipv6.conf.all.forwarding( |)=( |)1/' meta: server: 1 workstation: 1 CIS_ID: - - 3.3.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - ipv6_all_source_routed: - title: 3.3.1 | Ensure source routed packets are not accepted | live ipv6 all - exec: grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv6.conf.all.accept_source_route( |)=( |)0/' - - '!/.*:net.ipv6.conf.all.accept_source_route( |)=( |)1/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.1 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - ipv6_default_source_routed: - title: 3.3.1 | Ensure source routed packets are not accepted | live ipv6 default - exec: grep net.ipv6.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv6.conf.default.accept_source_route( |)=( |)0/' - - 
'!/.*:net.ipv6.conf.default.accept_source_route( |)=( |)1/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.1 + - 3.2.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.10.yml b/section_3/cis_3.3/cis_3.3.10.yml new file mode 100644 index 0000000..be75ac2 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.10.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_10 }} +kernel-param: + net.ipv4.tcp_syncookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_tcp_syn_cookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled | live ipv4 + exec: grep net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv4.tcp_syncookies( |)=( |)1/' + - '!/.*:net.ipv4.tcp_syncookies( |)=( |)0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.11.yml b/section_3/cis_3.3/cis_3.3.11.yml new file mode 100644 index 0000000..e1af73f --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.11.yml 
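Review bot: The `{{ if .Vars.rhel9cis_ipv6_required }}` opened before `net.ipv6.conf.all.forwarding` is only closed by the final run of `{{ end }}`, so `command:` and `ip4_forward_conf` are rendered only when IPv6 is required and the IPv4 configuration check silently disappears on IPv6-less hosts. Close it directly after that kernel-param entry's `- IA-5` with `  {{ end }}`, and reopen `  {{ if .Vars.rhel9cis_ipv6_required }}` immediately before `  ip6_forward_conf:` with its own `  {{ end }}` after that entry. The file now carries rule 3.2.1 and is gated by `rhel9cis_rule_3_2_1` while still living at section_3/cis_3.3/cis_3.3.1.yml, so it should move to the cis_3.2 directory as cis_3.2.1.yml to avoid being read as a 3.3.1 check. Separately, every `exec: grep ... /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf ...` line here and in the cis_3.3.2 through cis_3.3.11 hunks asserts `exit-status: 0`, but GNU grep exits 2 when any listed path does not exist (an unmatched glob reaches grep literally), and /usr/local/lib/sysctl.d or /run/sysctl.d are commonly absent, so a correctly configured host can fail; accept `exit-status: or: [0, 2]` together with `grep -s`, or drop the directories that are not guaranteed to exist.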
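Review bot: `CISv8: 4.1` in this new file is a bare float scalar, whereas the metadata added in the cis_3.2.3.yml and cis_3.2.4.yml hunks of this same commit writes `CISv8:` as a list (`- 4.8`), so anything iterating `meta.CISv8` gets a number here and a list there; cis_3.3.11.yml and the edited cis_3.3.x files have the same shape. Pick the list form and quote the entries, `CISv8:` followed by `- '4.1'`, so control ids such as 4.10 are not retyped to 4.1 by the YAML loader.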
@@ -0,0 +1,90 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_ipv6_required }} + {{ if .Vars.rhel9cis_rule_3_3_11 }} +kernel-param: + net.ipv6.conf.all.accept_ra: + title: 3.3.11 | Ensure IPv6 router advertisements are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_ra: + title: 3.3.11 | Ensure IPv6 router advertisements are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv6_all_accept_ra: + title: 3.3.11 | Ensure IPv6 router advertisements are not accepted | live ipv6 all + exec: grep net.ipv6.conf.all.accept_ra /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.all.accept_ra( |)=( |)0/' + - '!/.*:net.ipv6.conf.all.accept_ra( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_default_accept_ra: + title: 3.3.11 | Ensure IPv6 router advertisements are not accepted | live ipv6 default + exec: grep net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.default.accept_ra( |)=( |)0/' + - '!/.*:net.ipv6.conf.default.accept_ra( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} 
+{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.2.yml b/section_3/cis_3.3/cis_3.3.2.yml index 2a2030b..297ae9d 100644 --- a/section_3/cis_3.3/cis_3.3.2.yml +++ b/section_3/cis_3.3/cis_3.3.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_3_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_2 }} kernel-param: - net.ipv4.conf.all.accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted + net.ipv4.conf.all.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | live value: '0' meta: server: 1 @@ -12,32 +15,14 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true - net.ipv4.conf.default.accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv6.conf.all.accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv6.conf.default.accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | live value: '0' meta: server: 1 
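Review bot: `rhel9cis_rule_3_3_2` keeps its name but now gates the `send_redirects` checks instead of the `accept_redirects` checks it gated before, and the same swap happens in the cis_3.3.3 through cis_3.3.9 hunks; an existing inventory that sets one of these rule variables to false to skip a specific control now silently skips a different one. This is a breaking change for consumers of the vars and should be called out in the commit message or changelog with an old-to-new rule id mapping.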
@@ -48,14 +33,20 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_all_accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted | live ipv4 all - exec: grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* + ip4_all_send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | all_send_redirects conf + exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.conf.all.accept_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.all.accept_redirects( |)=( |)1/' + - '/.*:net.ipv4.conf.all.send_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.all.send_redirects( |)=( |)1/' meta: server: 1 workstation: 1 
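Review bot: `exec: grep send_redirects ...` in `ip4_all_send_redirects` (and the identical line in `ip4_default_send_redirects` in the next hunk) drops the key prefix, so both checks run the same command and `exit-status: 0` is satisfied as soon as either key is configured; the positive stdout pattern still pins the specific key, but the command no longer mirrors its title and differs from every other file in this commit, which greps the full sysctl key. Use `exec: grep net.ipv4.conf.all.send_redirects ...` and `exec: grep net.ipv4.conf.default.send_redirects ...` respectively.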
@@ -65,45 +56,19 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true - ipv4_default_accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted | live ipv4 default - exec: grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ip4_default_send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | default_send_redirects conf + exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.conf.default.accept_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.default.accept_redirects( |)=( |)1/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - ipv6_all_accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted | live ipv6 all - exec: grep net.ipv6.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv6.conf.all.accept_redirects( |)=( |)0/' - - '!/.*:net.ipv6.conf.all.accept_redirects( |)=( |)1/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - ipv6_default_accept_redirects: - title: 3.3.2 | Ensure ICMP redirects are not accepted | live ipv6 default - exec: grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv6.conf.default.accept_redirects( |)=( |)0/' - - '!/.*:net.ipv6.conf.default.accept_redirects( |)=( |)1/' + - '/.*:net.ipv4.conf.default.send_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.default.send_redirects( |)=( |)1/' meta: server: 1 workstation: 1 @@ -113,4 +78,11 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} 
diff --git a/section_3/cis_3.3/cis_3.3.3.yml b/section_3/cis_3.3/cis_3.3.3.yml index 8156cc8..b7d9750 100644 --- a/section_3/cis_3.3/cis_3.3.3.yml +++ b/section_3/cis_3.3/cis_3.3.3.yml @@ -1,20 +1,11 @@ -{{ if .Vars.rhel9cis_rule_3_3_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_3 }} kernel-param: - net.ipv4.conf.all.secure_redirects: - title: 3.3.3 | Ensure secure ICMP redirects are not accepted - value: '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.3 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - net.ipv4.conf.default.secure_redirects: - title: 3.3.3 | Ensure secure ICMP redirects are not accepted - value: '0' + net.ipv4.icmp_ignore_bogus_error_responses: + title: 3.3.3 | Ensure bogus ICMP responses are ignored + value: '1' meta: server: 1 workstation: 1 
@@ -24,30 +15,20 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_all_secure_redirects: - title: 3.3.3 | Ensure secure ICMP redirects are not accepted | live ipv4 all - exec: grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* + ipv4_ignore_bogus: + title: 3.3.3 | Ensure bogus ICMP responses are ignored | live ipv4 all + exec: grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.conf.all.secure_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.all.secure_redirects( |)=( |)1/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.3 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - ipv4_default_secure_redirects: - title: 3.3.3 | Ensure secure ICMP redirects are not accepted | live ipv4 default - exec: grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv4.conf.default.secure_redirects( |)=( |)0/' - - '!/.*:net.ipv4.conf.default.secure_redirects( |)=( |)1/' + - '/.*:net.ipv4.icmp_ignore_bogus_error_responses( |)=( |)1/' + - '!/.*:net.ipv4.icmp_ignore_bogus_error_responses( |)=( |)0/' meta: server: 1 workstation: 1 @@ -57,4 +38,11 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.4.yml b/section_3/cis_3.3/cis_3.3.4.yml index 9ca7db1..eb78e88 100644 --- a/section_3/cis_3.3/cis_3.3.4.yml +++ b/section_3/cis_3.3/cis_3.3.4.yml 
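Review bot: `title: 3.3.3 | Ensure bogus ICMP responses are ignored | live ipv4 all` is misleading on two counts: `net.ipv4.icmp_ignore_bogus_error_responses` is a global sysctl with no all/default variant, and this `command` greps the sysctl configuration files rather than the live value, which is what the `kernel-param` entry above already covers. The cis_3.3.1 hunk already uses the `| ipv4 conf` suffix for this kind of check, so `title: 3.3.3 | Ensure bogus ICMP responses are ignored | ipv4 conf` would match it; the `ipv4_echo_ignore_broadcasts` title in the cis_3.3.4.yml hunk has the same problem.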
@@ -1,60 +1,48 @@ -{{ if .Vars.rhel9cis_rule_3_3_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_4 }} kernel-param: - net.ipv4.conf.all.log_martians: - title: 3.3.4 | Ensure suspicious packets are logged + net.ipv4.icmp_echo_ignore_broadcasts: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored value: '1' meta: server: 1 workstation: 1 CIS_ID: - 3.3.4 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - net.ipv4.conf.default.log_martians: - title: 3.3.4 | Ensure suspicious packets are logged - value: '1' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.4 - CISv8: 8.5 - CISv8_IG1: false + CISv8: 4.1 + CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_all_log_martians: - title: 3.3.4 | Ensure suspicious packets are logged | live ipv4 all - exec: grep net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d/* + ipv4_echo_ignore_broadcasts: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored | live ipv4 all + exec: grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.conf.all.log_martians( |)=( |)1/' - - '!/.*:net.ipv4.conf.all.log_martians( |)=( |)0/' + - '/.*:net.ipv4.icmp_echo_ignore_broadcasts( |)=( |)1/' + - '!/.*:net.ipv4.icmp_echo_ignore_broadcasts( |)=( |)0/' meta: server: 1 workstation: 1 CIS_ID: - 3.3.4 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - ipv4_default_log_martians: - title: 3.3.4 | Ensure suspicious packets are logged | live ipv4 default - exec: grep net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv4.conf.default.log_martians( |)=( |)1/' - - '!/.*:net.ipv4.conf.default.log_martians( |)=( |)0/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 3.3.4 - 
CISv8: 8.5 - CISv8_IG1: false + CISv8: 4.1 + CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.5.yml b/section_3/cis_3.3/cis_3.3.5.yml index e732b25..316151d 100644 --- a/section_3/cis_3.3/cis_3.3.5.yml +++ b/section_3/cis_3.3/cis_3.3.5.yml @@ -1,8 +1,11 @@ -{{ if .Vars.rhel9cis_rule_3_3_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_5 }} kernel-param: - net.ipv4.icmp_echo_ignore_broadcasts: - title: 3.3.5 | Ensure broadcast ICMP requests are ignored - value: '1' + net.ipv4.conf.all.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted + value: '0' meta: server: 1 workstation: 1 
@@ -12,14 +15,74 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.all.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_echo_ignore_broadcasts: - title: 3.3.5 | EEnsure broadcast ICMP requests are ignored | live ipv4 all - exec: grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* + ipv4_all_accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | live ipv4 all + exec: grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.icmp_echo_ignore_broadcasts( |)=( |)1/' - - '!/.*:net.ipv4.icmp_echo_ignore_broadcasts( |)=( |)0/' + - '/.*:net.ipv4.conf.all.accept_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.all.accept_redirects( |)=( |)1/' meta: server: 1 workstation: 1 
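Review bot: The new `net.ipv6.conf.all.accept_redirects` and `net.ipv6.conf.default.accept_redirects` kernel-param entries are not wrapped in `{{ if .Vars.rhel9cis_ipv6_required }}`, unlike the IPv6 checks in the cis_3.3.1 and cis_3.3.11 hunks; on a host where IPv6 is disabled at boot the `net.ipv6` sysctl tree may be absent and these checks then fail instead of being skipped. The same applies to the `ipv6_*_accept_redirects` commands in the next hunk and to the IPv6 entries added in the cis_3.3.8 hunk. Wrap each IPv6 pair in `{{ if .Vars.rhel9cis_ipv6_required }}` ... `{{ end }}` so the template gating is consistent across the section.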
@@ -29,4 +92,77 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_default_accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | live ipv4 default + exec: grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv4.conf.default.accept_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.default.accept_redirects( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_all_accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | live ipv6 all + exec: grep net.ipv6.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.all.accept_redirects( |)=( |)0/' + - '!/.*:net.ipv6.conf.all.accept_redirects( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_default_accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | live ipv6 default + exec: grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.default.accept_redirects( |)=( |)0/' + - '!/.*:net.ipv6.conf.default.accept_redirects( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + 
- IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.6.yml b/section_3/cis_3.3/cis_3.3.6.yml index 9c085ff..5bb63b7 100644 --- a/section_3/cis_3.3/cis_3.3.6.yml +++ b/section_3/cis_3.3/cis_3.3.6.yml @@ -1,8 +1,11 @@ -{{ if .Vars.rhel9cis_rule_3_3_6 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_6 }} kernel-param: - net.ipv4.icmp_ignore_bogus_error_responses: - title: 3.3.6 | Ensure bogus ICMP responses are ignored - value: '1' + net.ipv4.conf.all.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted + value: '0' meta: server: 1 workstation: 1 @@ -12,14 +15,38 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: - ipv4_ignore_bogus: - title: 3.3.6 | Ensure bogus ICMP responses are ignored | live ipv4 all - exec: grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/* + ipv4_all_secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | live ipv4 all + exec: grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv4.icmp_ignore_bogus_error_responses( |)=( |)1/' - - '!/.*:net.ipv4.icmp_ignore_bogus_error_responses( |)=( |)0/' + - '/.*:net.ipv4.conf.all.secure_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.all.secure_redirects( |)=( |)1/' meta: server: 1 workstation: 1 
@@ -29,4 +56,33 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_default_secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | live ipv4 default + exec: grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv4.conf.default.secure_redirects( |)=( |)0/' + - '!/.*:net.ipv4.conf.default.secure_redirects( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.7.yml b/section_3/cis_3.3/cis_3.3.7.yml index a413863..9721bff 100644 --- a/section_3/cis_3.3/cis_3.3.7.yml +++ b/section_3/cis_3.3/cis_3.3.7.yml @@ -1,4 +1,7 @@ -{{ if .Vars.rhel9cis_rule_3_3_7 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_7 }} kernel-param: net.ipv4.conf.all.rp_filter: title: 3.3.7 | Ensure Reverse Path Filtering is enabled @@ -12,6 +15,12 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 net.ipv4.conf.default.rp_filter: title: 3.3.7 | Ensure Reverse Path Filtering is enabled value: '1' 
@@ -24,10 +33,16 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ipv4_all_rp_filter: title: 3.3.7 | Ensure Reverse Path Filtering is enabled | live ipv4 all - exec: grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* + exec: grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - '/.*:net.ipv4.conf.all.rp_filter( |)=( |)1/' @@ -41,9 +56,15 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 ipv4_default_rp_filter: title: 3.3.7 | Ensure Reverse Path Filtering is enabled | live ipv4 default - exec: grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* + exec: grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - '/.*:net.ipv4.conf.default.rp_filter( |)=( |)1/' @@ -57,4 +78,11 @@ command: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.8.yml b/section_3/cis_3.3/cis_3.3.8.yml index c380e9c..e3618e5 100644 --- a/section_3/cis_3.3/cis_3.3.8.yml +++ b/section_3/cis_3.3/cis_3.3.8.yml @@ -1,8 +1,11 @@ -{{ if .Vars.rhel9cis_rule_3_3_8 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_3_3_8 }} kernel-param: - net.ipv4.tcp_syncookies: - title: 3.3.8 | Ensure TCP SYN Cookies is enabled - value: '1' + net.ipv4.conf.all.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted + value: '0' meta: server: 1 workstation: 1 
@@ -12,14 +15,15 @@ kernel-param: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true -command: - ipv4_tcp_syn_cookies: - title: 3.3.8 | Ensure TCP SYN Cookies is enabled | live ipv4 - exec: grep net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* - exit-status: 0 - stdout: - - '/.*:net.ipv4.tcp_syncookies( |)=( |)1/' - - '!/.*:net.ipv4.tcp_syncookies( |)=( |)0/' + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted + value: '0' meta: server: 1 workstation: 1 
@@ -28,5 +32,137 @@ command: CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true - CISv8_IG3: tru + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.all.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_source_routed: + title: 3.3.8 | Ensure source routed packets are not accepted | live ipv4 all + exec: grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv4.conf.all.accept_source_route( |)=( |)0/' + - '!/.*:net.ipv4.conf.all.accept_source_route( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_default_source_routed: + title: 3.3.8 | Ensure source routed packets are not accepted | live ipv4 default + exec: grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv4.conf.default.accept_source_route( |)=( |)0/' + - '!/.*:net.ipv4.conf.default.accept_source_route( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + 
NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_all_source_routed: + title: 3.3.8 | Ensure source routed packets are not accepted | live ipv6 all + exec: grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.all.accept_source_route( |)=( |)0/' + - '!/.*:net.ipv6.conf.all.accept_source_route( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_default_source_routed: + title: 3.3.8 | Ensure source routed packets are not accepted | live ipv6 default + exec: grep net.ipv6.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf + exit-status: 0 + stdout: + - '/.*:net.ipv6.conf.default.accept_source_route( |)=( |)0/' + - '!/.*:net.ipv6.conf.default.accept_source_route( |)=( |)1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_3/cis_3.3/cis_3.3.9.yml b/section_3/cis_3.3/cis_3.3.9.yml index a03423a..aea2121 100644 --- a/section_3/cis_3.3/cis_3.3.9.yml +++ b/section_3/cis_3.3/cis_3.3.9.yml 
@@ -1,62 +1,72 @@ -{{ if .Vars.rhel9cis_ipv6_required }} +--- + +{{ if .Vars.rhel9cis_level_1 }} {{ if .Vars.rhel9cis_rule_3_3_9 }} kernel-param: - net.ipv6.conf.all.accept_ra: - title: 3.3.9 | Ensure IPv6 router advertisements are not accepted - value: '0' + net.ipv4.conf.all.log_martians: + title: 3.3.9 | Ensure suspicious packets are logged + value: '1' meta: server: 1 workstation: 1 CIS_ID: - 3.3.9 - CISv8: 4.1 - CISv8_IG1: true + CISv8: 8.5 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - net.ipv6.conf.default.accept_ra: - title: 3.3.9 | Ensure IPv6 router advertisements are not accepted - value: '0' + NIST800-53R5: + - AU-3 + net.ipv4.conf.default.log_martians: + title: 3.3.9 | Ensure suspicious packets are logged + value: '1' meta: server: 1 workstation: 1 CIS_ID: - 3.3.9 - CISv8: 4.1 - CISv8_IG1: true + CISv8: 8.5 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 command: - ipv6_all_accept_ra: - title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | live ipv6 all - exec: grep net.ipv6.conf.all.accept_ra /etc/sysctl.conf /etc/sysctl.d/* + ipv4_all_log_martians: + title: 3.3.9 | Ensure suspicious packets are logged | live ipv4 all + exec: grep net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv6.conf.all.accept_ra( |)=( |)0/' - - '!/.*:net.ipv6.conf.all.accept_ra( |)=( |)1/' + - '/.*:net.ipv4.conf.all.log_martians( |)=( |)1/' + - '!/.*:net.ipv4.conf.all.log_martians( |)=( |)0/' meta: server: 1 workstation: 1 CIS_ID: - 3.3.9 - CISv8: 4.1 - CISv8_IG1: true + CISv8: 8.5 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true - ipv6_default_accept_ra: - title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | live ipv6 default - exec: grep net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d/* + NIST800-53R5: + - AU-3 + ipv4_default_log_martians: + 
title: 3.3.9 | Ensure suspicious packets are logged | live ipv4 default + exec: grep net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf exit-status: 0 stdout: - - '/.*:net.ipv6.conf.default.accept_ra( |)=( |)0/' - - '!/.*:net.ipv6.conf.default.accept_ra( |)=( |)1/' + - '/.*:net.ipv4.conf.default.log_martians( |)=( |)1/' + - '!/.*:net.ipv4.conf.default.log_martians( |)=( |)0/' meta: server: 1 workstation: 1 CIS_ID: - 3.3.9 - CISv8: 4.1 - CISv8_IG1: true + CISv8: 8.5 + CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 {{ end }} {{ end }} diff --git a/section_4/cis_4.1.1/cis_4.1.1.4.yml b/section_4/cis_4.1.1/cis_4.1.1.4.yml deleted file mode 100644 index 3f71c0a..0000000 --- a/section_4/cis_4.1.1/cis_4.1.1.4.yml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_1_4 }} -service: - auditd: - title: 4.1.1.4 | Ensure auditd service is enabled - enabled: true - running: true - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.1.4 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.2/cis_4.1.2.3.yml b/section_4/cis_4.1.2/cis_4.1.2.3.yml deleted file mode 100644 index a427c05..0000000 --- a/section_4/cis_4.1.2/cis_4.1.2.3.yml +++ /dev/null @@ -1,22 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_2_3 }} -command: - logs_full_auditd_conf: - title: 4.1.2.3 | Ensure system is disabled when audit logs are full - exec: grep -E "space|mail" /etc/audit/auditd.conf - exit-status: 0 - stdout: - - space_left_action = email - - action_mail_acct = root - - '/^admin_space_left_action = (halt|single)/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.2.3 - CISv8: - - 8.2 - - 8.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.13.yml b/section_4/cis_4.1.3/cis_4.1.3.13.yml deleted file mode 100644 index 1864a99..0000000 
--- a/section_4/cis_4.1.3/cis_4.1.3.13.yml +++ /dev/null @@ -1,35 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_13 }} -command: - auditd_delete_cnf: - title: 4.1.3.13 | Ensure file deletion events by users are collected | conf check - exec: grep delete /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295) -F key=delete/' - - '/-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295) -F key=delete/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.13 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - auditd_delete_live: - title: 4.1.3.13 | Ensure file deletion events by users are collected | running - exec: auditctl -l | grep delete - exit-status: 0 - stdout: - - '-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete' - - '-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.13 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.15.yml b/section_4/cis_4.1.3/cis_4.1.3.15.yml deleted file mode 100644 index 13e26b5..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.15.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_15 }} -command: - auditd_chcon_cnf: - title: 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | config - exec: grep chcon /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|4294967295) -k perm_chng/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.15 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - auditd_chcon_live: - title: 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | running - exec: auditctl -l | grep chcon - exit-status: 0 - stdout: - - '-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.15 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.16.yml b/section_4/cis_4.1.3/cis_4.1.3.16.yml deleted file mode 100644 index f8fac23..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.16.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_16 }} -command: - auditd_setfacl_cnf: - title: 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | config - exec: grep setfacl /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295) -k perm_chng/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.16 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - auditd_setfacl_live: - title: 4.1.3.16 |Ensure successful and unsuccessful attempts to use the setfacl command are recorded | running - exec: auditctl -l | grep setfacl - exit-status: 0 - stdout: - - '-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.16 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.18.yml b/section_4/cis_4.1.3/cis_4.1.3.18.yml deleted file mode 100644 index ae59903..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.18.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_18 }} -command: - auditd_usermod_cnf: - title: 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | config - exec: grep usermod /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295) -k usermod/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.18 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - auditd_usermod_live: - title: 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | running - exec: auditctl -l | grep usermod - exit-status: 0 - stdout: - - '-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -F key=usermod' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.18 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.19.yml b/section_4/cis_4.1.3/cis_4.1.3.19.yml deleted file mode 100644 index 155191e..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.19.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_19 }} -command: - auditd_module_cnf: - title: 4.1.3.19 | Ensure kernel module loading unloading and modification is collected | conf check - exec: grep modules /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295) -k kernel_modules/' - - '/-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module.query_module -F auid>=1000 -F auid!=(unset|4294967295) -k kernel_modules/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.19 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - auditd_admin_module_live: - title: 4.1.3.19 | Ensure kernel module loading unloading and modification is collected | running - exec: auditctl -l | grep modules - exit-status: 0 - stdout: - - '-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules' - - '-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.19 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.2.yml b/section_4/cis_4.1.3/cis_4.1.3.2.yml deleted file mode 100644 index 52053be..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.2.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_2 }} -command: - auditd_other_user_cnf: - title: 4.1.3.2 | Ensure actions as another user are always logged | conf_check - exec: grep user_emu /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation' - - '-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.2 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - auditd_other_user_live: - title: 4.1.3.2 | Ensure actions as another user are always logged | running - exec: auditctl -l | grep user_emu - exit-status: 0 - stdout: - - '-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation' - - '-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.2 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.7.yml b/section_4/cis_4.1.3/cis_4.1.3.7.yml deleted file mode 100644 index 09c191d..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.7.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_7 }} -command: - auditd_access_cnf: - title: 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | conf check - exec: grep access /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295) -k access/' - - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295) -k access/' - - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295) -k access/' - - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295) -k access/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.7 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - auditd_access_live: - title: 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | running - exec: auditctl -l | grep access - exit-status: 0 - stdout: - - '-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access' - - '-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access' - - '-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access' - - '-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.7 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.9.yml b/section_4/cis_4.1.3/cis_4.1.3.9.yml deleted file mode 100644 index be3c7d7..0000000 --- a/section_4/cis_4.1.3/cis_4.1.3.9.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_9 }} -command: - auditd_perms_cnf: - title: 4.1.3.9 | Ensure discretionary access control permission modification events are collected | conf check - exec: grep perm_mod /etc/audit/rules.d/*.rules - exit-status: 0 - stdout: - - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - - '/-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - - '/-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295) -F key=perm_mod/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.9 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - auditd_perms_live: - title: 4.1.3.9 | Ensure discretionary access control permission modification events are collected | running - exec: auditctl -l | grep perm_mod - exit-status: 0 - stdout: - - '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod' - - '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod' - - '-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod' - - '-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod' - - '-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod' - - '-a always,exit -F arch=b32 
-S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.3.9 - CISv8: 8.5 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.6.yml b/section_4/cis_4.1.4/cis_4.1.4.6.yml deleted file mode 100644 index ac6bea7..0000000 --- a/section_4/cis_4.1.4/cis_4.1.4.6.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_6 }} -command: - audit_conf_owner: - title: 4.1.4.6 | Ensure audit configuration files are owned by root - exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done - exit-status: 0 - stdout: - - '/.*_root$/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 4.1.4.6 - CISv8: - - 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_3/cis_3.4.1/cis_3.4.1.1.yml b/section_4/cis_4.1/cis_4.1.1.yml similarity index 51% rename from section_3/cis_3.4.1/cis_3.4.1.1.yml rename to section_4/cis_4.1/cis_4.1.1.yml index 29635d1..b4bb90a 100644 --- a/section_3/cis_3.4.1/cis_3.4.1.1.yml +++ b/section_4/cis_4.1/cis_4.1.1.yml @@ -1,15 +1,21 @@ -{{ if .Vars.rhel9cis_rule_3_4_1_1}} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_1_1 }} package: nftables: - title: 3.4.1.1 | Ensure nftables package is installed + title: 4.1.1 | Ensure nftables is installed installed: true meta: server: 1 workstation: 1 CIS_ID: - - 3.4.1.1 + - 4.1.1 CISv8: 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 + {{ end }} {{ end }} diff --git a/section_3/cis_3.4.1/cis_3.4.1.2.yml b/section_4/cis_4.1/cis_4.1.2.yml similarity index 60% rename from section_3/cis_3.4.1/cis_3.4.1.2.yml rename to section_4/cis_4.1/cis_4.1.2.yml index 970ce67..037a5d2 100644 --- a/section_3/cis_3.4.1/cis_3.4.1.2.yml +++ b/section_4/cis_4.1/cis_4.1.2.yml 
@@ -1,8 +1,11 @@ -{{ if .Vars.rhel9cis_rule_3_4_1_2 }} - {{ if eq .Vars.rhel9cis_firewall "nftables" }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_1_2 }} + {{ if eq .Vars.rhel9cis_firewall "nftables" }} file: firewalld_masked: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | firewalld masked + title: 4.1.2 | Ensure a single firewall configuration utility is in use | firewalld masked path: /etc/systemd/system/firewalld.service filetype: symlink linked-to: /dev/null @@ -11,49 +14,55 @@ file: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA service: firewalld: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | firewalld service stopped + title: 4.1.2 | Ensure a single firewall configuration utility is in use | firewalld service stopped enabled: false running: false meta: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA nftables: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | nftables running + title: 4.1.2 | Ensure a single firewall configuration utility is in use | nftables running enabled: true running: true meta: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA {{ end }} {{ if eq .Vars.rhel9cis_firewall "firewalld" }} file: nftables_masked: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | nftables masked + title: 4.1.2 | Ensure a single firewall configuration utility is in use | nftables masked path: /etc/systemd/system/nftables.service filetype: symlink linked-to: /dev/null 
@@ -62,43 +71,50 @@ file: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA service: firewalld: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | firewalld running and enabled + title: 4.1.2 | Ensure a single firewall configuration utility is in use | firewalld running and enabled enabled: true running: true meta: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA nftables: - title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | nftables stopped + title: 4.1.2 | Ensure a single firewall configuration utility is in use | nftables stopped enabled: false running: false meta: server: 1 workstation: 1 CIS_ID: - - 3.4.1.2 + - 4.1.2 CISv8: - 4.4 - 4.8 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} {{ end }} {{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.1.yml b/section_4/cis_4.2.1/cis_4.2.1.1.yml deleted file mode 100644 index a076df2..0000000 --- a/section_4/cis_4.2.1/cis_4.2.1.1.yml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_1 }} -package: - rsyslog: - title: 4.2.1.1 | Ensure rsyslog is installed - installed: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.2.1.1 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.2.yml b/section_4/cis_4.2.1/cis_4.2.1.2.yml deleted file mode 100644 index 03bd4a1..0000000 --- a/section_4/cis_4.2.1/cis_4.2.1.2.yml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_2 }} -service: - rsyslog: - title: 4.2.1.2 | Ensure rsyslog Service is enabled and running - running: true - enabled: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.2.1.2 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} 
diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.1.yml b/section_4/cis_4.2.2/cis_4.2.2.1.1.yml deleted file mode 100644 index 05ca9a0..0000000 --- a/section_4/cis_4.2.2/cis_4.2.2.1.1.yml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_1_1 }} -package: - systemd-journal-remote: - title: 4.2.2.1.1 | Ensure systemd-journal-remote is installed - installed: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.2.2.1.1 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.5.yml b/section_4/cis_4.2.2/cis_4.2.2.1.5.yml deleted file mode 100644 index 42c4b0e..0000000 --- a/section_4/cis_4.2.2/cis_4.2.2.1.5.yml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_2 }} -service: - systemd-journald: - title: 4.2.2.2 | Ensure journald service is enabled - running: true - enabled: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.2.2.2 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.5.yml b/section_4/cis_4.2.2/cis_4.2.2.5.yml deleted file mode 100644 index 2199b31..0000000 --- a/section_4/cis_4.2.2/cis_4.2.2.5.yml +++ /dev/null @@ -1,20 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_5 }} -command: - forward_journald_conf: - title: 4.2.2.5 | Ensure journald is not configured to send logs to rsyslog - exec: grep -i forward /etc/systemd/journald.conf - exit-status: 0 - stdout: - - '!/^\s*ForwardToSyslog/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.2.2.5 - CISv8: - - 8.2 - - 8.9 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_3/cis_3.4.2/cis_3.4.2.1.yml b/section_4/cis_4.2/cis_3.4.2.1.yml similarity index 100% rename from section_3/cis_3.4.2/cis_3.4.2.1.yml rename to section_4/cis_4.2/cis_3.4.2.1.yml 
diff --git a/section_3/cis_3.4.2/cis_3.4.2.2.yml b/section_4/cis_4.2/cis_3.4.2.2.yml similarity index 100% rename from section_3/cis_3.4.2/cis_3.4.2.2.yml rename to section_4/cis_4.2/cis_3.4.2.2.yml diff --git a/section_3/cis_3.4.2/cis_3.4.2.5.yml b/section_4/cis_4.2/cis_4.2.1.yml similarity index 56% rename from section_3/cis_3.4.2/cis_3.4.2.5.yml rename to section_4/cis_4.2/cis_4.2.1.yml index 001dc9c..0c91efa 100644 --- a/section_3/cis_3.4.2/cis_3.4.2.5.yml +++ b/section_4/cis_4.2/cis_4.2.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_4_2_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_2_1 }} command: firewall_drop_unncessary_ports_manual: - title: 3.4.2.5 | Ensure firewalld drops unnecessary services and ports | Manual Check Required + title: 4.2.1 | Ensure firewalld drops unnecessary services and ports | Manual Check Required exec: echo "Manual test" exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 3.4.2.5 + - 4.2.1 CISv8: - 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 + {{ end }} {{ end }} diff --git a/section_3/cis_3.4.2/cis_3.4.2.3.yml b/section_4/cis_4.3/cis_4.3.1.yml similarity index 57% rename from section_3/cis_3.4.2/cis_3.4.2.3.yml rename to section_4/cis_4.3/cis_4.3.1.yml index f5f3d16..36194c0 100644 --- a/section_3/cis_3.4.2/cis_3.4.2.3.yml +++ b/section_4/cis_4.3/cis_4.3.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_4_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_3_1 }} command: nftables_base_chain_manual: - title: 3.4.2.3 | Ensure nftables base chains exist | Manual Check Required + title: 4.3.1 | Ensure nftables base chains exist | Manual Check Required exec: echo "Manual test" exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 3.4.2.3 + - 4.3.1 CISv8: - 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 + {{ end }} {{ end }} 
diff --git a/section_3/cis_3.4.2/cis_3.4.2.6.yml b/section_4/cis_4.3/cis_4.3.2.yml similarity index 55% rename from section_3/cis_3.4.2/cis_3.4.2.6.yml rename to section_4/cis_4.3/cis_4.3.2.yml index 1b9aee8..463f6c7 100644 --- a/section_3/cis_3.4.2/cis_3.4.2.6.yml +++ b/section_4/cis_4.3/cis_4.3.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_4_2_6 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_3_2 }} command: firewall_established_conns_manual: - title: 3.4.2.6 | Ensure nftables established connections are configured | Manual Check Required + title: 4.3.2 | Ensure nftables established connections are configured | Manual Check Required exec: echo "Manual test" exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 3.4.2.6 + - 4.3.2 CISv8: - 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 + {{ end }} {{ end }} diff --git a/section_3/cis_3.4.2/cis_3.4.2.7.yml b/section_4/cis_4.3/cis_4.3.3.yml similarity index 66% rename from section_3/cis_3.4.2/cis_3.4.2.7.yml rename to section_4/cis_4.3/cis_4.3.3.yml index af5f69a..6de0120 100644 --- a/section_3/cis_3.4.2/cis_3.4.2.7.yml +++ b/section_4/cis_4.3/cis_4.3.3.yml @@ -1,8 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_4_2_7 }} - {{ if eq .Vars.rhel9cis_firewall "nftables" }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_3_3 }} command: nftables_default_deny_input: - title: 3.4.2.7 | Ensure nftables default deny firewall policy | nftables + title: 4.3.3 | Ensure nftables default deny firewall policy | nftables exec: systemctl --quiet is-enabled nftables.service && nft list ruleset | grep -E 'hook (input|forward)' | grep -v 'policy drop' exit-status: 0 stdout: @@ -11,11 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 3.4.2.7 + - 4.3.3 CISv8: - 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 {{ end }} {{ end }} 
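Review bot: Dropping the `{{ if eq .Vars.rhel9cis_firewall "nftables" }}` guard from cis_4.3.3 makes nftables_default_deny_input run on firewalld hosts too, where `systemctl --quiet is-enabled nftables.service` fails, the `&&` chain stops there, and the command exits non-zero against `exit-status: 0`. The renamed cis_4.1.2 file keeps its firewall guard, which looks like the intended pattern; restore `{{ if eq .Vars.rhel9cis_firewall "nftables" }}` inside the new rule guard together with its `{{ end }}`. The `stdout` expectations for this command are outside the hunk.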
diff --git a/section_3/cis_3.4.2/cis_3.4.2.4.yml b/section_4/cis_4.3/cis_4.3.4.yml similarity index 54% rename from section_3/cis_3.4.2/cis_3.4.2.4.yml rename to section_4/cis_4.3/cis_4.3.4.yml index bbf2ef9..4d0f5d4 100644 --- a/section_3/cis_3.4.2/cis_3.4.2.4.yml +++ b/section_4/cis_4.3/cis_4.3.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_3_4_2_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_4_3_4 }} command: firewall_loopback_manual: - title: 3.4.2.4 | Ensure host based firewall loopback traffic is configured | Manual Check Required + title: 4.3.4 | Ensure host based firewall loopback traffic is configured | Manual Check Required exec: echo "Manual test" exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 3.4.2.4 + - 4.3.4 CISv8: - 4.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CA-9 + {{ end }} {{ end }} diff --git a/section_4/cis_4.3/cis_4.3.yml b/section_4/cis_4.3/cis_4.3.yml deleted file mode 100644 index efcc928..0000000 --- a/section_4/cis_4.3/cis_4.3.yml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Vars.rhel9cis_rule_4_3 }} -package: - rsyslog-logrotate: - title: 4.3 | Ensure logrotate is installed - installed: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 4.3 - CISv8: 8.3 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.1.yml b/section_5/cis_5.1/cis_5.1.1.yml index fa91e2c..b1e5805 100644 --- a/section_5/cis_5.1/cis_5.1.1.yml +++ b/section_5/cis_5.1/cis_5.1.1.yml 
@@ -1,16 +1,26 @@ -{{ if .Vars.rhel9cis_rule_5_1_1 }} -service: - crond: - title: 5.1.1 | Ensure cron daemon is enabled - running: true - enabled: true +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_1 }} +file: + sshd_config_perms: + title: 5.1.1 | Ensure permissions on /etc/ssh/sshd_config are configured + path: /etc/ssh/sshd_config + exists: true + mode: "0600" + owner: root + group: root meta: server: 1 workstation: 1 CIS_ID: - 5.1.1 - CISv8: 4.1 + CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.10.yml b/section_5/cis_5.1/cis_5.1.10.yml new file mode 100644 index 0000000..b56c522 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.10.yml @@ -0,0 +1,47 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_1_10 }} +file: + sshd_disable_forward: + title: 5.1.10 | Ensure sshd DisableForwarding is enabled | config + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^disableforwarding yes/' + - '!/^disableforwarding no/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.10 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 +command: + ssh_disable_forward_live: + title: 5.1.10 | Ensure sshd DisableForwarding is enabled | live + exec: sshd -T | grep disableforwarding + exit-status: + or: + - 0 + - 1 + stdout: + - '/^disableforwarding yes/' + - '!/^disableforwarding no/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.10 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.11.yml b/section_5/cis_5.1/cis_5.1.11.yml new file mode 100644 index 0000000..4b44325 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.11.yml 
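Review bot: The `contents` patterns `'/^disableforwarding yes/'` and `'!/^disableforwarding no/'` in the new cis_5.1.10 file are case-sensitive regexes applied to /etc/ssh/sshd_config, but the keyword is conventionally written `DisableForwarding`, so a correctly configured file fails the config check while the `sshd -T` check (which prints lowercase) passes. Use a case-insensitive anchor, `'/(?i)^disableforwarding yes/'` and `'!/(?i)^disableforwarding no/'`, or rely on the `sshd -T` command alone. By default RHEL 9's sshd_config also includes `/etc/ssh/sshd_config.d/*.conf`, so a setting placed in a drop-in is never seen by a check on the main file, which is another reason the live command is the more reliable of the two. The same case-sensitive patterns appear in the cis_5.1.11 hunk.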
@@ -0,0 +1,55 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_1_11 }} +file: + sshd_gssapi: + title: 5.1.11 | Ensure sshd GSSAPIAuthentication is disabled | config + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^gssapiauthentication no/' + - '!/^gssapiauthentication yes/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.11 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ssh_gssapi_live: + title: 5.1.10 | Ensure sshd GSSAPIAuthentication is disabled | live + exec: sshd -T | grep gssapiauthentication + exit-status: + or: + - 0 + - 1 + stdout: + - '/^disableforwarding yes/' + - '!/^disableforwarding no/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.10 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.8.yml b/section_5/cis_5.1/cis_5.1.12.yml similarity index 61% rename from section_5/cis_5.2/cis_5.2.8.yml rename to section_5/cis_5.1/cis_5.1.12.yml index a359967..22bba29 100644 --- a/section_5/cis_5.2/cis_5.2.8.yml +++ b/section_5/cis_5.1/cis_5.1.12.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_8 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_12 }} file: ssh_hostbased_auth: - title: 5.2.8 | Ensure SSH HostbasedAuthentication is disabled | config + title: 5.1.12 | Ensure SSH HostbasedAuthentication is disabled | config path: /etc/ssh/sshd_config exists: true contents: 
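Review bot: ssh_gssapi_live greps `gssapiauthentication` from `sshd -T` but its `stdout` asserts `'/^disableforwarding yes/'` and `'!/^disableforwarding no/'`, left over from cis_5.1.10, so this live check can never pass. Replace them with `- '/^gssapiauthentication no/'` and `- '!/^gssapiauthentication yes/'`. The same command also carries `title: 5.1.10 | ...` and `CIS_ID: - 5.1.10`; both should read 5.1.11 so results are reported against the right control.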
@@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.8 + - 5.1.12 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_hostbased_auth_live: - title: 5.2.8 | Ensure SSH HostbasedAuthentication is disabled | live + title: 5.1.12 | Ensure SSH HostbasedAuthentication is disabled | live exec: sshd -T | grep hostbasedauthentication exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.8 + - 5.1.12 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.11.yml b/section_5/cis_5.1/cis_5.1.13.yml similarity index 59% rename from section_5/cis_5.2/cis_5.2.11.yml rename to section_5/cis_5.1/cis_5.1.13.yml index 4c692b0..573faa9 100644 --- a/section_5/cis_5.2/cis_5.2.11.yml +++ b/section_5/cis_5.1/cis_5.1.13.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_11 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_13 }} file: ssh_rhosts: - title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | config + title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | config path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.11 + - 5.1.13 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_rhosts_live: - title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | live + title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | live exec: sshd -T | grep ignorerhosts exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.11 + - 5.1.13 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} 
diff --git a/section_5/cis_5.2/cis_5.2.19.yml b/section_5/cis_5.1/cis_5.1.14.yml similarity index 70% rename from section_5/cis_5.2/cis_5.2.19.yml rename to section_5/cis_5.1/cis_5.1.14.yml index f9d5c18..cfdd7ed 100644 --- a/section_5/cis_5.2/cis_5.2.19.yml +++ b/section_5/cis_5.1/cis_5.1.14.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_19 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_14 }} file: sshd_logingrace: - title: 5.2.19 | Ensure SSH LoginGraceTime is set to one minute or less + title: 5.1.14 | Ensure sshd LoginGraceTime is configured path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,16 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.19 + - 5.1.14 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-6 command: ssh_logingrace_live: - title: 5.2.19 | Ensure SSH LoginGraceTime is set to one minute or less | live + title: 5.1.14 | Ensure sshd LoginGraceTime is configured | live exec: sshd -T | grep logingracetime exit-status: or: @@ -31,9 +36,12 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.19 + - 5.1.14 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-6 + {{ end }} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.15.yml b/section_5/cis_5.1/cis_5.1.15.yml new file mode 100644 index 0000000..2bacc1b --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.15.yml 
@@ -0,0 +1,51 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_15 }} +file: + sshd_loglevel: + title: 5.1.15 | Ensure SSH LogLevel is appropriate | config + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^LogLevel\s(VERBOSE|INFO)/' + - '!/^LogLevel DEBUG/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.15 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + - SI-5 +command: + ssh_loglevel_live: + title: 5.1.15 | Ensure SSH LogLevel is appropriate | live + exec: sshd -T | grep loglevel + exit-status: + or: + - 0 + - 1 + stdout: + - '/^loglevel\s(VERBOSE|INFO)/' + - '!/^loglevel DEBUG/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.15 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.16.yml b/section_5/cis_5.1/cis_5.1.16.yml similarity index 67% rename from section_5/cis_5.2/cis_5.2.16.yml rename to section_5/cis_5.1/cis_5.1.16.yml index 1744637..61b20d7 100644 --- a/section_5/cis_5.2/cis_5.2.16.yml +++ b/section_5/cis_5.1/cis_5.1.16.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_16 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_16 }} path: sshd_authtries: - title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less + title: 5.1.16 | Ensure sshd MaxAuthTries is configured path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,16 @@ path: server: 1 workstation: 1 CIS_ID: - - 5.2.16 + - 5.1.16 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 command: sshd_authtries_live: - title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less | live + title: 5.1.16 | Ensure sshd MaxAuthTries is configured | live exec: sshd -T | grep maxauthtries exit-status: or: 
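Review bot: The renamed cis_5.1.16.yml keeps `path:` as the top-level resource key (an unchanged context line in this hunk, also visible in the next hunk's header), whereas every other SSH config check in the diff uses `file:`; I do not believe `path` is a goss resource type, so the `sshd_authtries` block is either ignored or rejected at load time and the MaxAuthTries config check never runs. Change the key to `file:` so it is evaluated like its siblings. The rule's template block continues into the next hunk.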
@@ -31,9 +36,12 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.16 + - 5.1.16 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {[ end ]} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.17.yml b/section_5/cis_5.1/cis_5.1.17.yml similarity index 58% rename from section_5/cis_5.2/cis_5.2.17.yml rename to section_5/cis_5.1/cis_5.1.17.yml index 3d6b8f9..0644534 100644 --- a/section_5/cis_5.2/cis_5.2.17.yml +++ b/section_5/cis_5.1/cis_5.1.17.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_17 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_17 }} file: sshd_maxstartups: - title: 5.2.17 | Ensure SSH MaxStartups is configured + title: 5.1.17 | Ensure SSH MaxStartups is configured path: /etc/ssh/sshd_config exists: true contents: @@ -10,14 +13,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.17 + - 5.1.17 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_maxstartups_live: - title: 5.2.17 | Ensure SSH MaxStartups is configured | live + title: 5.1.17 | Ensure SSH MaxStartups is configured | live exec: sshd -T | grep maxstartups exit-status: or: @@ -29,9 +38,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.17 + - 5.1.17 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.18.yml b/section_5/cis_5.1/cis_5.1.18.yml similarity index 63% rename from section_5/cis_5.2/cis_5.2.18.yml rename to section_5/cis_5.1/cis_5.1.18.yml index de65d6c..88138b8 100644 --- a/section_5/cis_5.2/cis_5.2.18.yml +++ b/section_5/cis_5.1/cis_5.1.18.yml 
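Review bot: The closing delimiter added at the end of cis_5.1.16.yml is `{[ end ]}` rather than `{{ end }}`, so the inner `{{ if .Vars.rhel9cis_rule_5_1_16 }}` opened in the previous hunk is never closed: the remaining `{{ end }}` closes that `if`, the level gate stays open and the template fails to render, while `{[ end ]}` would be emitted as literal text that is not valid YAML either. Replace it with `{{ end }}`. The same typo appears at the end of the cis_5.1.2.yml hunk further down.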
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_18 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_18 }} file: sshd_maxsessions: - title: 5.2.18 | Ensure SSH MaxSessions is limited + title: 5.1.18 | Ensure SSH MaxSessions is limited path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.18 + - 5.1.18 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_maxsessions_live: - title: 5.2.18 | Ensure SSH MaxSessions is limited | live + title: 5.1.18 | Ensure SSH MaxSessions is limited | live exec: sshd -T | grep maxsessions exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.18 + - 5.1.18 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.9.yml b/section_5/cis_5.1/cis_5.1.19.yml similarity index 61% rename from section_5/cis_5.2/cis_5.2.9.yml rename to section_5/cis_5.1/cis_5.1.19.yml index 3ab8d02..f15e7ba 100644 --- a/section_5/cis_5.2/cis_5.2.9.yml +++ b/section_5/cis_5.1/cis_5.1.19.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_9 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_19 }} file: sshs_permitempty_passwd: - title: 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | config + title: 5.1.19 | Ensure SSH PermitEmptyPasswords is disabled | config path: /etc/ssh/sshd_config exists: true contents: 
@@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.9 + - 5.1.9 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_empty_passwd_live: - title: 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | live + title: 5.1.19 | Ensure SSH PermitEmptyPasswords is disabled | live exec: sshd -T | grep permitemptypasswords exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.9 + - 5.1.19 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.2.yml b/section_5/cis_5.1/cis_5.1.2.yml index f8888a3..8ba3221 100644 --- a/section_5/cis_5.1/cis_5.1.2.yml +++ b/section_5/cis_5.1/cis_5.1.2.yml @@ -1,12 +1,13 @@ -{{ if .Vars.rhel9cis_rule_5_1_2 }} -file: - crontab_perms: - title: 5.1.2 | Ensure permissions on /etc/crontab are configured - path: /etc/crontab - exists: true - owner: root - group: root - mode: "0600" +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_2 }} +command: + /etc/ssh/ssh_host_prv_key_user: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured_user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] meta: server: 1 workstation: 1 
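Review bot: In the `sshs_permitempty_passwd` file check the `CIS_ID` was changed to `- 5.1.9`, while the title and the `ssh_empty_passwd_live` command in the following hunk say 5.1.19. 5.1.9 is a different rule in this diff (the ClientAlive settings), so any report keyed on `CIS_ID` would misattribute a PermitEmptyPasswords failure. Change it to `- 5.1.19`.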
@@ -16,4 +17,42 @@ file: CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_prv_key_group: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured_group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_prv_key_perms: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured_user + exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {[ end ]} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.20.yml b/section_5/cis_5.1/cis_5.1.20.yml new file mode 100644 index 0000000..d552233 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.20.yml @@ -0,0 +1,47 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_20 }} +file: + sshd_permit_root: + title: 5.1.20 | Ensure SSH root login is disabled | config + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^PermitRootLogin no/' + - '!/^PermitRootLogin yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.20 + CISv8: 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 +command: + ssh_permit_root_live: + title: 5.1.20 | Ensure SSH root login is disabled | live + exec: sshd -T | grep permitrootlogin + exit-status: + or: + - 0 + - 1 + stdout: + - '/^permitrootlogin no/' + - '!/^permitrootlogin yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.20 + CISv8: 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} 
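Review bot: The `find` commands added to cis_5.1.2.yml pass the glob unquoted (`-name *_key`), so if the directory goss runs from contains a file ending in `_key` the shell expands it before `find` sees it and the predicate silently changes; write `-name '*_key'`. The group check `! -group root` also looks too strict for RHEL 9, where, as far as I know, the private host keys are shipped `root:ssh_keys 0640` and the benchmark accepts that group, so a default install would fail here; `! \( -group root -o -group ssh_keys \)` expresses that intent. The `sudo` prefix is redundant when goss runs as root and will break under a non-interactive unprivileged runner.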
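Review bot: The template close added at the end of cis_5.1.2.yml is `{[ end ]}` instead of `{{ end }}`, so `{{ if .Vars.rhel9cis_rule_5_1_2 }}` from the previous hunk is never closed and the file fails to render. Replace it with `{{ end }}`. Separately, the third command is titled `... configured_user` although it is the permission check; `... configured_perms` keeps the three results distinguishable in reports.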
diff --git a/section_5/cis_5.2/cis_5.2.10.yml b/section_5/cis_5.1/cis_5.1.21.yml similarity index 62% rename from section_5/cis_5.2/cis_5.2.10.yml rename to section_5/cis_5.1/cis_5.1.21.yml index 87d12ec..ba0989a 100644 --- a/section_5/cis_5.2/cis_5.2.10.yml +++ b/section_5/cis_5.1/cis_5.1.21.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_10 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_21 }} file: sshd_userenv: - title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | config + title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | config path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.10 + - 5.1.21 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_userenv_live: - title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | live + title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | live exec: sshd -T | grep permituserenvironment exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.10 + - 5.1.21 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.22.yml b/section_5/cis_5.1/cis_5.1.22.yml new file mode 100644 index 0000000..00edc77 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.22.yml 
@@ -0,0 +1,55 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_22 }} +file: + sshd_usepam: + title: 5.1.22 | Ensure sshd UsePAM is enabled | config + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^UsePAM yes/' + - '!/^UsePAM no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.22 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ssh_usepam_live: + title: 5.1.22 | Ensure sshd UsePAM is enabled | live + exec: sshd -T | grep usepam + exit-status: + or: + - 0 + - 1 + stdout: + - '/^usepam yes/' + - '!/^usepam no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.22 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.3.yml b/section_5/cis_5.1/cis_5.1.3.yml new file mode 100644 index 0000000..9c66d4c --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.3.yml 
@@ -0,0 +1,58 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_3 }} +command: + /etc/ssh/ssh_host_pub_key_user: + title: 5.1.3 | Ensure permissions on SSH pub host key files are configured_user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_pub_key_group: + title: 5.1.3 | Ensure permissions on SSH public host key files are configured_group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_pub_key_perms: + title: 5.1.3 | Ensure permissions on SSH public host key files are configured_user + exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /133 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.4.yml b/section_5/cis_5.1/cis_5.1.4.yml new file mode 100644 index 0000000..2cf55b8 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.4.yml 
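Review bot: In `/etc/ssh/ssh_host_pub_key_perms` the variable is assigned as `keysperm` but echoed as `$keyperms`, so the command always prints nothing and `stdout: ['!/./']` passes regardless of the public keys' mode — the check is a no-op. Use one name on both sides, e.g. `exec: "keyperms=$(find /etc/ssh/ -name '*_key.pub' -type f -perm /133); echo $keyperms"`. The unquoted `*_key.pub` in all three commands should be quoted so the shell cannot expand it against the working directory, and the title of this third check says `configured_user` where `configured_perms` is meant.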
@@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_4 }} +command: + no_weak_ssh_ciphers: + title: 5.1.4 | Ensure sshd Ciphers are configured | weak cipher check + exec: sshd -T | grep -Pi --'^ciphers\h+\"?([^#\n\r]+,)?((3des|blowfish|cast128|aes(128|192|256))-cbc|arcfour(128|256)?|rijndael-cbc@lysator\.liu\.se|chacha20-poly1305@openssh\.com)\b' + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-8 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.5.yml b/section_5/cis_5.1/cis_5.1.5.yml new file mode 100644 index 0000000..10ef056 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.5.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_5 }} +command: + no_weak_ssh_kex: + title: 5.1.5 | Ensure sshd KexAlgorithms is configured| weak kex check + exec: sshd -T | grep -Pi -- 'kexalgorithms\h+([^#\n\r]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b' + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-8 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.6.yml b/section_5/cis_5.1/cis_5.1.6.yml new file mode 100644 index 0000000..d37fac2 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.6.yml 
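Review bot: In `no_weak_ssh_ciphers` there is no space between `--` and the quoted pattern, so the shell hands grep a single argument beginning `--^ciphers`, which grep rejects as an unknown long option (exit 2, nothing read) and the check fails on every host; the 5.1.5 hunk has the correct `-- '…'` form. Even with that fixed, `exit-status: 0` is inverted for a "no weak cipher" test: a compliant host produces no match and grep exits 1, while a non-compliant host exits 0 with output that then fails `stdout: ['!/./']`. Change the exec to `sshd -T | grep -Pi -- '^ciphers\h+…'` and set `exit-status: 1` (or the `or: [0, 1]` form used by the older checks, letting the stdout assertion decide).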
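Review bot: `no_weak_ssh_kex` expects `exit-status: 0` together with `stdout: ['!/./']`, but `sshd -T | grep …` returns grep's status: 1 when no weak KEX algorithm is present (the compliant case) and 0 only when one is, so the check cannot pass on any host. Set `exit-status: 1` so an empty output and a non-zero grep status describe the compliant state, or use the `or: [0, 1]` form and let the stdout assertion carry the decision.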
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_6 }} +command: + no_weak_ssh_macs: + title: 5.1.6 | Ensure sshd MACs are configured | weak mac check + exec: sshd -T | grep -Pi -- 'macs\h+([^#\n\r]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b' + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.7.yml b/section_5/cis_5.1/cis_5.1.7.yml new file mode 100644 index 0000000..7b5e5fd --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.7.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_7 }} + {{ if .Vars.rhel9cis_sshd_limited }} +command: + sshd_access_limited: + title: 5.1.7 | Ensure SSH access is limited | config + exec: grep -E "^(Allow|Deny)(User|Group)" {{ .Vars.rhel9_cis_sshd_config_file }} + exit-status: + or: + - 0 + - 1 + stdout: + {{ range .Vars.rhel9cis_sshd_access }} + - {{ . }} + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.15.yml b/section_5/cis_5.1/cis_5.1.8.yml similarity index 58% rename from section_5/cis_5.2/cis_5.2.15.yml rename to section_5/cis_5.1/cis_5.1.8.yml index dcce060..53625b0 100644 --- a/section_5/cis_5.2/cis_5.2.15.yml +++ b/section_5/cis_5.1/cis_5.1.8.yml 
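Review bot: `no_weak_ssh_macs` has the same inverted exit status as the ciphers and KEX checks: `sshd -T | grep …` exits 1 when none of the listed weak MACs is configured, so `exit-status: 0` fails precisely on compliant hosts, and on non-compliant ones the non-empty output fails `stdout: ['!/./']`. Change it to `exit-status: 1` (or `or: [0, 1]`). The NIST mapping here (`CM-1 … IA-5`) also differs from the `SC-8` used by the ciphers and KEX checks although all three map to the same CISv8 3.3 control; worth aligning.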
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_15 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_8 }} file: sshd_banner: - title: 5.2.15 | Ensure SSH warning banner configured | sshd_default + title: 5.1.8 | Ensure SSH warning banner configured | sshd_default path: /etc/ssh/sshd_config exists: true contents: @@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.15 + - 5.1.8 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: ssh_configd_banner: - title: 5.3.15 | Ensure SSH warning banner configured | conf.d banner settings + title: 5.3.8 | Ensure SSH warning banner configured | conf.d banner settings exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.15 + - 5.1.8 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.1/cis_5.1.8_9.yml b/section_5/cis_5.1/cis_5.1.8_9.yml deleted file mode 100644 index 03362b0..0000000 --- a/section_5/cis_5.1/cis_5.1.8_9.yml +++ /dev/null 
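Review bot: The `ssh_configd_banner` command title was changed to `5.3.8 | …`, but this rule is 5.1.8 (as the file check above and the `CIS_ID` say), so the wrong section shows up in goss output. The unchanged `exec` line on the new side is also broken: there is no space between `'^\s*Banner\s+"?none\b'` and `/etc/ssh/sshd_config.d/*.conf`, so they form one word; the glob matches no file, the whole string becomes the pattern and grep has no file operand, so the drop-in directory is never inspected. Use `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf` and `title: 5.1.8 | Ensure SSH warning banner configured | conf.d banner settings`.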
@@ -1,63 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_1_8 }} -file: - cron_deny_users: - title: 5.1.8 | Ensure cron is restricted to authorized users - path: /etc/cron.deny - exists: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.1.8 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - cron_allow_users: - title: 5.1.8 | Ensure cron is restricted to authorized users - path: /etc/cron.allow - exists: true - owner: root - group: root - mode: "0600" - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.1.8 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} -{{ if .Vars.rhel9cis_rule_5_1_9 }} - at_deny_users: - title: 5.1.9 | Ensure at is restricted to authorized users - path: /etc/at.deny - exists: false - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.1.8 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - at_allow_users: - title: 5.1.9 | Ensure at is restricted to authorized users - path: /etc/at.allow - exists: true - owner: root - group: root - mode: "0600" - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.1.8 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.20.yml b/section_5/cis_5.1/cis_5.1.9.yml similarity index 60% rename from section_5/cis_5.2/cis_5.2.20.yml rename to section_5/cis_5.1/cis_5.1.9.yml index f0b88ef..92eb32a 100644 --- a/section_5/cis_5.2/cis_5.2.20.yml +++ b/section_5/cis_5.1/cis_5.1.9.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_2_20 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_1_9 }} file: sshd_clientalive: - title: 5.2.20 | Ensure SSH Idle Timeout Interval is configured + title: 5.1.9 | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured path: /etc/ssh/sshd_config exists: true contents: 
@@ -11,14 +14,20 @@ file: server: 1 workstation: 1 CIS_ID: - - 5.2.20 + - 5.1.9 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 command: sshd_clientalive_live: - title: 5.2.20 | Ensure SSH Idle Timeout Interval is configured | live + title: 5.1.9 | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | live exec: sshd -T | grep clientalive exit-status: or: @@ -31,9 +40,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.2.20 + - 5.1.9 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.1.yml b/section_5/cis_5.2/cis_5.2.1.yml index 734c95f..3d22e97 100644 --- a/section_5/cis_5.2/cis_5.2.1.yml +++ b/section_5/cis_5.2/cis_5.2.1.yml @@ -1,19 +1,21 @@ -{{ if .Vars.rhel9cis_rule_5_2_1 }} -file: - sshd_config_perms: - title: 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured - path: /etc/ssh/sshd_config - exists: true - mode: "0600" - owner: root - group: root +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_1}} +package: + sudo: + title: 5.2.1 | Ensure sudo is installed + installed: true meta: server: 1 workstation: 1 CIS_ID: - 5.2.1 - CISv8: 3.3 + CISv8: 5.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.12.yml b/section_5/cis_5.2/cis_5.2.12.yml deleted file mode 100644 index 9e978c2..0000000 --- a/section_5/cis_5.2/cis_5.2.12.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{ if .Vars.rhel9cis_level_2 }} - {{ if .Vars.rhel9cis_rule_5_2_12 }} -file: - sshd_x11: - title: 5.2.12 | Ensure SSH X11 forwarding is disabled | config - path: /etc/ssh/sshd_config - exists: true - contents: - - '/^X11Forwarding no/' - - '!/^X11Forwarding yes/' - meta: - server: 2 - workstation: 1 - CIS_ID: - - 5.2.12 - CISv8: 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -command: - ssh_x11_live: - title: 5.2.12 | Ensure SSH X11 forwarding is disabled | live - exec: sshd -T | grep x11forwarding - exit-status: - or: - - 0 - - 1 - stdout: - - '/^x11forwarding no/' - - '!/^x11forwarding yes/' - meta: - server: 2 - workstation: 1 - CIS_ID: - - 5.2.12 - CISv8: 4.8 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.13.yml b/section_5/cis_5.2/cis_5.2.13.yml deleted file mode 100644 index a7e4e4b..0000000 --- a/section_5/cis_5.2/cis_5.2.13.yml +++ /dev/null @@ -1,41 +0,0 @@ -{{ if .Vars.rhel9cis_level_2 }} - {{ if .Vars.rhel9cis_rule_5_2_13 }} -file: - sshd_tcpforwarding: - title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled - path: /etc/ssh/sshd_config - exists: true - contents: - - '/^AllowTcpForwarding no/' - - '!/^AllowTcpForwarding yes/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 5.2.13 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -command: - sshd_tcpforwarding_live: - title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled | live - exec: sshd -T | grep allowtcpforward - exit-status: - or: - - 0 - - 1 - stdout: - - '/^allowtcpforwarding no/' - - '!/^allowtcpforwarding yes/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 5.2.13 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.14.yml b/section_5/cis_5.2/cis_5.2.14.yml deleted file mode 100644 index 65efee8..0000000 --- a/section_5/cis_5.2/cis_5.2.14.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_2_14 }} -file: - sshd_crypto: - title: 5.2.14 | Ensure system-wide crypto policy is not over-ridden - path: /etc/ssh/sshd_config - exists: true - contents: - - '!/^CRYPTO_POLICY/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.14 - CISv8: 3.10 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.2.yml b/section_5/cis_5.2/cis_5.2.2.yml index 5a755b5..50825f8 100644 --- a/section_5/cis_5.2/cis_5.2.2.yml +++ b/section_5/cis_5.2/cis_5.2.2.yml 
@@ -1,45 +1,25 @@ -{{ if .Vars.rhel9cis_rule_5_2_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_2 }} command: - /etc/ssh/ssh_host_prv_key_user: - title: 5.2.2 | Ensure permissions on SSH private host key files are configured_user - exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys" + pty_sudoers_d: + title: 5.2.2 | Ensure sudo commands use pty + exec: export PTY=`grep -q -Ei '^\s*Defaults\s+(\[^#]+,\s*)?use_pty' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi exit-status: 0 - stdout: ['!/./'] + stdout: + - 'OK' meta: server: 1 workstation: 1 CIS_ID: - 5.2.2 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - /etc/ssh/ssh_host_prv_key_group: - title: 5.2.2 | Ensure permissions on SSH private host key files are configured_group - exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys" - exit-status: 0 - stdout: ['!/./'] - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.2 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - /etc/ssh/ssh_host_prv_key_perms: - title: 5.2.2 | Ensure permissions on SSH private host key files are configured_user - exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms" - exit-status: 0 - stdout: ['!/./'] - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.2 - CISv8: 3.3 + CISv8: + - 5.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.3.yml b/section_5/cis_5.2/cis_5.2.3.yml index ee60079..911cfb2 100644 --- a/section_5/cis_5.2/cis_5.2.3.yml +++ b/section_5/cis_5.2/cis_5.2.3.yml 
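Review bot: The regex in `pty_sudoers_d` escapes the bracket, `(\[^#]+,\s*)?`, which turns the intended negated character class into a literal `[`, so a line such as `Defaults env_reset, use_pty` does not match and the check reports a false failure; the 5.2.3 hunk uses the correct `([^#]+,\s*)?`. Change the group to `([^#]+,\s*)?`. The `export PTY=\`…\` && if [[ … ]]` construction is also a bashism that relies on goss's shell being bash (true on RHEL, where /bin/sh is bash); `grep -q -Ei '…' /etc/sudoers /etc/sudoers.d/* && echo OK` expresses the same test portably.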
@@ -1,45 +1,26 @@ -{{ if .Vars.rhel9cis_rule_5_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_3 }} command: - /etc/ssh/ssh_host_pub_key_user: - title: 5.2.3 | Ensure permissions on SSH pub host key files are configured_user - exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys" + log_sudoers_d: + title: 5.2.3 | Ensure sudo log file exists | sudoers.d + exec: export LOG=`grep -q -Esi '^\s*Defaults\s+([^#]+,\s*)?logfile=' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $LOG == 0 ]];then echo OK ;fi exit-status: 0 - stdout: ['!/./'] + stdout: + - 'OK' meta: server: 1 workstation: 1 CIS_ID: - 5.2.3 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - /etc/ssh/ssh_host_pub_key_group: - title: 5.2.3 | Ensure permissions on SSH public host key files are configured_group - exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys" - exit-status: 0 - stdout: ['!/./'] - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.3 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - /etc/ssh/ssh_host_pub_key_perms: - title: 5.2.3 | Ensure permissions on SSH public host key files are configured_user - exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /133 ); echo $keyperms" - exit-status: 0 - stdout: ['!/./'] - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.3 - CISv8: 3.3 + CISv8: + - 8.5 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.4.yml b/section_5/cis_5.2/cis_5.2.4.yml index b36320d..846b555 100644 --- a/section_5/cis_5.2/cis_5.2.4.yml +++ b/section_5/cis_5.2/cis_5.2.4.yml 
@@ -1,25 +1,28 @@ -{{ if .Vars.rhel9cis_rule_5_2_4 }} - {{ if .Vars.rhel9cis_sshd_limited }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_2_4 }} command: - sshd_access_limited: - title: 5.2.4 | Ensure SSH access is limited | config - exec: grep -E "^(Allow|Deny)(User|Group)" {{ .Vars.rhel9_cis_sshd_config_file }} + nopasswd_sudoers_d: + title: 5.2.4 | Ensure users must provide password for escalation + exec: grep -R NOPASSWD /etc/sudoers /etc/sudoers.d/* | grep -v '.*\:#' exit-status: or: - 0 - 1 stdout: - {{ range .Vars.rhel9cis_sshd_access }} - - {{ . }} - {{ end }} + - '!/.*/' meta: - server: 1 - workstation: 1 + server: 2 + workstation: 2 CIS_ID: - 5.2.4 - CISv8: 3.3 + CISv8: + - 5.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-6 {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.5.yml b/section_5/cis_5.2/cis_5.2.5.yml index 555fc0f..ead2f28 100644 --- a/section_5/cis_5.2/cis_5.2.5.yml +++ b/section_5/cis_5.2/cis_5.2.5.yml 
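Review bot: `nopasswd_sudoers_d` filters comments with `grep -v '.*\:#'`, which only drops lines whose very first character is `#` (the `file:#…` form of grep's output); a commented entry with leading whitespace, e.g. `    # alice ALL=(ALL) NOPASSWD: ALL`, survives the filter and fails the check. `grep -Ev ':\s*#'` handles the indented case as well. Matching the bare word `NOPASSWD` is otherwise fine, since sudoers tags are, as far as I know, case-sensitive uppercase.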
@@ -1,39 +1,28 @@ -{{ if .Vars.rhel9cis_rule_5_2_5 }} -file: - sshd_loglevel: - title: 5.2.5 | Ensure SSH LogLevel is appropriate | config - path: /etc/ssh/sshd_config - exists: true - contents: - - '/^LogLevel\s(VERBOSE|INFO)/' - - '!/^LogLevel DEBUG/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.5 - CISv8: 8.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_5 }} command: - ssh_loglevel_live: - title: 5.2.5 | Ensure SSH LogLevel is appropriate | live - exec: sshd -T | grep loglevel + authenticate_sudoers: + title: 5.2.5 | Ensure re-authentication for privilege escalation is not disabled globally + exec: 'grep -r "^[^#].*\!authenticate" /etc/sudoers*' exit-status: or: - 0 - 1 stdout: - - '/^loglevel\s(VERBOSE|INFO)/' - - '!/^loglevel DEBUG/' + - '!/.*/' meta: server: 1 workstation: 1 CIS_ID: - 5.2.5 - CISv8: 8.2 + CISv8: + - 5.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.6.yml b/section_5/cis_5.2/cis_5.2.6.yml index 16f9919..8c64083 100644 --- a/section_5/cis_5.2/cis_5.2.6.yml +++ b/section_5/cis_5.2/cis_5.2.6.yml 
@@ -1,39 +1,25 @@ -{{ if .Vars.rhel9cis_rule_5_2_6 }} -file: - sshd_usepam: - title: 5.2.6 | Ensure SSH PAM is enabled | config - path: /etc/ssh/sshd_config - exists: true - contents: - - '/^UsePAM yes/' - - '!/^UsePAM no/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.2.6 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_6 }} command: - ssh_usepam_live: - title: 5.2.6 | Ensure SSH PAM is enabled | live - exec: sshd -T | grep usepam - exit-status: - or: - - 0 - - 1 + sudo_timeout: + title: 5.2.6 | Ensure sudo authentication timeout is configured correctly + exec: grep -rP "timestamp_timeout=\K[0-9]*" /etc/sudoers* + exit-status: 0 stdout: - - '/^usepam yes/' - - '!/^usepam no/' + - '!/timestamp_timeout=(-1|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})/' + - '/timestamp_timeout=([5-9]|1[0-5])/' meta: server: 1 workstation: 1 CIS_ID: - 5.2.6 - CISv8: 4.1 + CISv8: + - 5.4 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_5/cis_5.2/cis_5.2.7.yml b/section_5/cis_5.2/cis_5.2.7.yml index 649ea11..9c84800 100644 --- a/section_5/cis_5.2/cis_5.2.7.yml +++ b/section_5/cis_5.2/cis_5.2.7.yml 
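Review bot: `sudo_timeout` combines `exit-status: 0` with a positive stdout pattern, so the check fails when `timestamp_timeout` is not set anywhere, although an unset value means sudo's built-in default of 5 minutes, which is inside the limit the control enforces; and the positive pattern `([5-9]|1[0-5])` rejects explicit values 0–4 even though they are stricter. If an unset directive is meant to count as compliant, keep only the negative pattern and allow exit 1 as the sibling checks do; if the directive must be present, at least widen the positive pattern to `- '/timestamp_timeout=([0-9]|1[0-5])\b/'`. Either way a comment above `exit-status:` stating which reading is intended would stop the next reader from flipping it. `NIST800-53R5: NA` is a scalar here while 5.2.4 and 5.2.5 use a list for the same key.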
@@ -1,39 +1,45 @@ -{{ if .Vars.rhel9cis_rule_5_2_7 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_2_7 }} file: - sshd_permit_root: - title: 5.2.7 | Ensure SSH root login is disabled | config - path: /etc/ssh/sshd_config + restrict_su: + title: 5.2.7 | Ensure access to the su command is restricted + path: /etc/pam.d/su exists: true contents: - - '/^PermitRootLogin no/' - - '!/^PermitRootLogin yes/' + - '/^auth.*required.*pam_wheel.so\suse_uid\sgroup={{ .Vars.rhel9cis_sugroup }}/' meta: server: 1 workstation: 1 CIS_ID: - 5.2.7 - CISv8: 5.4 + CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 command: - ssh_permit_root_live: - title: 5.2.7 | Ensure SSH root login is disabled | live - exec: sshd -T | grep permitrootlogin - exit-status: - or: - - 0 - - 1 + sugroup_etc_group: + title: 5.2.7 | Ensure access to the su command is restricted + exec: grep {{ .Vars.rhel9cis_sugroup }} /etc/group + exit-status: 0 stdout: - - '/^permitrootlogin no/' - - '!/^permitrootlogin yes/' + - '/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:$/' + - '!/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:.*/' meta: server: 1 workstation: 1 CIS_ID: - 5.2.7 - CISv8: 5.4 + CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.1.yml b/section_5/cis_5.3.1/cis_5.3.1.1.yml new file mode 100644 index 0000000..a6712df --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_1_1 }} +package: + pam_version: + title: 5.3.1.1 | Ensure latest version of pam is installed + installed: true + name: pam + versions: + semver-constraint: ">1.5.1-18" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.1 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} + 
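Review bot: The two stdout assertions in `sugroup_etc_group` contradict each other: `!/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:.*/` also matches the member-less line `sugroup:x:1000:` that the positive pattern requires, because `.*` matches the empty string, so the check can never pass. Use `.+` in the negative pattern, or drop it, since the `$` anchor in the positive pattern already excludes any members. The bare `grep {{ .Vars.rhel9cis_sugroup }} /etc/group` also matches any group whose name or member list merely contains that string; `exec: grep -E '^{{ .Vars.rhel9cis_sugroup }}:' /etc/group` pins it to the group entry. In `restrict_su` the single `\s` between `use_uid` and `group=` fails on more than one space or on reversed option order; `\s+` is the safer choice.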
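Review bot: `semver-constraint: ">1.5.1-18"` treats the RPM release as a semver pre-release, and the result depends on which string goss reports for the package: if it reports only the version (`1.5.1`), a bare `1.5.1` sorts above every `1.5.1-N` pre-release and the constraint passes for any release, so the release floor is not enforced — please confirm against the goss version in use. The same applies to 5.3.1.2 and 5.3.1.3. Since the control is titled "latest version", the pinned threshold is a point-in-time value; a comment such as `# minimum taken from the benchmark revision this role targets; bump when it is updated` above `versions:` would make that explicit.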
diff --git a/section_5/cis_5.3.1/cis_5.3.1.2.yml b/section_5/cis_5.3.1/cis_5.3.1.2.yml new file mode 100644 index 0000000..9435a9a --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.2.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_1_2 }} +package: + authselect_version: + title: 5.3.1.2 | Ensure latest version of authselect is installed + installed: true + name: authselect + versions: + semver-constraint: ">1.2.6-1" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.2 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.3.yml b/section_5/cis_5.3.1/cis_5.3.1.3.yml new file mode 100644 index 0000000..18d1816 --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.3.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_1_3 }} +package: + libpam-pwquality: + title: 5.3.1.3 | Ensure latest version of libpwquality is installed + installed: true + versions: + semver-constraint: ">1.4.4-7" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.3 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.1.yml b/section_5/cis_5.3.2/cis_5.3.2.1.yml new file mode 100644 index 0000000..151aa2f --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.1.yml 
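Review bot: In cis_5.3.1.3.yml the resource key `libpam-pwquality` doubles as the package name because, unlike 5.3.1.1 and 5.3.1.2, there is no `name:` override; `libpam-pwquality` is the Debian package name, while the RHEL 9 package the title refers to is `libpwquality`, so `installed: true` would fail on a compliant host. Add `name: libpwquality` under the resource, matching the two sibling files.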
@@ -0,0 +1,57 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_2_1 }} +file: + passwd_auth_authselect_modules: + title: 5.3.2.1 | Ensure active authselect profile includes pam modules + path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth + exists: true + contents: + - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}' + - 'auth sufficient pam_unix.so {if not "without-nullok":nullok}' + - 'auth required pam_faillock.so authfail {include if "with-faillock"}' + - 'account required pam_faillock.so {include if "with-faillock"}' + - 'account required pam_unix.so' + - 'password requisite pam_pwquality.so local_users_only' + - 'password required pam_pwhistory.so use_authtok' + - 'password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok' + - 'session required pam_unix.so' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: 16.2 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + system_auth_authselect_modules: + title: 5.3.2.1 | Ensure active authselect profile includes pam modules + path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth + exists: true + contents: + - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}' + - 'auth sufficient pam_unix.so {if not "without-nullok":nullok}' + - 'auth required pam_faillock.so authfail {include if "with-faillock"}' + - 'account required pam_faillock.so {include if "with-faillock"}' + - 'account required pam_unix.so' + - 'password requisite pam_pwquality.so local_users_only' + - 'password required pam_pwhistory.so use_authtok' + - 'password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok' + - 'session required pam_unix.so' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: 16.2 + CISv8_IG1: false + 
CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.2.yml b/section_5/cis_5.3.2/cis_5.3.2.2.yml new file mode 100644 index 0000000..b153381 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.2.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_2_2 }} +file: + passwd_auth_faillock: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/password-auth + exists: true + contents: + - '/auth\s+required\s+pam_faillock.so preauth silent/' + - '/auth\s+required\s+pam_faillock.so authfail/' + - '/account\s+required\s+pam_faillock.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + system_auth_faillock: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/system-auth + exists: true + contents: + - '/auth\s+required\s+pam_faillock.so preauth silent/' + - '/auth\s+required\s+pam_faillock.so authfail/' + - '/account\s+required\s+pam_faillock.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.3.yml b/section_5/cis_5.3.2/cis_5.3.2.3.yml new file mode 100644 index 0000000..ee64f7d --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.3.yml 
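Review bot: Both resources in cis_5.3.2.1.yml point at `.../password-auth`; the second, `system_auth_authselect_modules`, should read `path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect.custom_profile_name }}/system-auth`, otherwise system-auth is never checked. Both paths also use `.Var.` where every other template in this commit uses `.Vars.`, which I would expect to fail at render time. The `contents` entries are literal strings rather than `/regex/` patterns, so they require exactly one space between fields; authselect profile templates are column-aligned with runs of spaces, so these look likely to miss on a real profile — worth confirming against a rendered one.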
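Review bot: cis_5.3.2.2.yml reads `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`, which exist whether or not a custom authselect profile is created, yet it is gated on `rhel9cis_authselect_custom_profile_create` (5.3.2.3 to 5.3.2.5 carry the same gate); if the gate is meant only for the custom-profile file checks in 5.3.2.1, dropping it here keeps the control covered when a stock profile is in use. A comment above the `{{ if }}` stating why the gate applies would settle it either way. `CISv8: 4.1` is a bare scalar here while 5.2.4–5.2.6 in this same commit changed the key to a list; one form across the new files makes the metadata easier to consume.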
@@ -0,0 +1,41 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_2_3 }} +file: + passwd_auth_pwquality: + title: 5.3.2.3 | Ensure pam_pwquality module is enabled + path: /etc/pam.d/password-auth + exists: true + contents: + - '/password\s+requisite\s+pam_pwquality.so local_users_only/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + system_auth_pwquality: + title: 5.3.2.3 | Ensure pam_pwquality module is enabled + path: /etc/pam.d/system-auth + exists: true + contents: + - '/password\s+requisite\s+pam_pwquality.so local_users_only/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.4.yml b/section_5/cis_5.3.2/cis_5.3.2.4.yml new file mode 100644 index 0000000..5fc32a4 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.4.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_2_4 }} +file: + passwd_auth_pwhistory: + title: 5.3.2.4 | Ensure pam_pwhistory module is enabled + path: /etc/pam.d/password-auth + exists: true + contents: + - '/password\s+required\s+pam_pwhistory.so use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.4 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + system_auth_pwhistory: + title: 5.3.2.4 | Ensure pam_pwhistory module is enabled + path: /etc/pam.d/system-auth + exists: true + contents: + - '/password\s+required\s+pam_pwhistory.so use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.4 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} + {{ end }} +{{ end }} 
diff --git a/section_5/cis_5.3.2/cis_5.3.2.5.yml b/section_5/cis_5.3.2/cis_5.3.2.5.yml new file mode 100644 index 0000000..cb5c233 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.5.yml @@ -0,0 +1,47 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_2_5 }} +file: + passwd_auth_pam_unix: + title: 5.3.2.5 | Ensure pam_unix module is enabled + path: /etc/pam.d/password-auth + exists: true + contents: + - '/auth\s+sufficient\s+pam_unix.so/' + - '/account\s+required\s+pam_unix.so/' + - '/password\s+sufficient\s+pam_unix.so sha512 shadow use_authtok/' + - '/session\s+required\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.5 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + system_auth_pam_unix: + title: 5.3.2.5 | Ensure pam_unix module is enabled + path: /etc/pam.d/system-auth + exists: true + contents: + - '/auth\s+sufficient\s+pam_unix.so/' + - '/account\s+required\s+pam_unix.so/' + - '/password\s+sufficient\s+pam_unix.so sha512 shadow use_authtok/' + - '/session\s+required\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.5 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml new file mode 100644 index 0000000..24590bd --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml 
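Review bot: The `system_auth_pam_unix` metadata (`CISv8: NA`, `CISv8_IG1: NA`, …) disagrees with its sibling `passwd_auth_pam_unix` in the same file, which carries `5.2` and `true`; both resources implement the same control, so the second block reads as an unfinished copy. The password line also hard-requires `sha512 shadow use_authtok`, while 5.3.3.4.3 in this same commit accepts `(yescrypt|sha512)`; if yescrypt is an accepted hash the pattern here should be `- '/password\s+sufficient\s+pam_unix\.so (yescrypt|sha512) shadow use_authtok/'`. Note that the 5.3.2.1 template line places `nullok` between `shadow` and `use_authtok`, so this contiguous pattern only matches a profile built without nullok, which 5.3.3.4.1 requires anyway — a one-line comment saying so would avoid that looking accidental.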
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_1_1 }} +file: + faillock_attempts_deny: + title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^deny\s*=\s*[1-5]$/' + - '!/^deny\s*=\s*([5-9]|[0-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.1 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_attempts_deny_removed: + title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured + exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?deny\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.1 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml new file mode 100644 index 0000000..7e59c85 --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml 
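Review bot: `deny = 5` satisfies `/^deny\s*=\s*[1-5]$/` but also matches the negative pattern `!/^deny\s*=\s*([5-9]|[0-9]{2,})/`, so the upper bound the positive pattern allows is rejected by the negative one and a host set to 5 fails; change it to `- '!/^deny\s*=\s*([6-9]|[0-9]{2,})/'` or drop it, since the `$`-anchored positive pattern already bounds the value. The template is gated twice on `rhel9cis_level_1`; 5.3.3.1.2 has the same duplicate and 5.3.3.1.3 nests `level_1` around `level_2`, which looks like the same copy-paste and makes a level-2 check depend on the level-1 flag.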
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_1_2 }} +file: + faillock_unlock_time: + title: 5.3.3.1.2 | Ensure password unlock time is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^unlock_time\s*=\s*([1-9]|[1-9][0-9]|[1-8][0-9]{1,2}|900)$/' + - '!/^unlock_time\s*=\s*(90[1-9]|9[1-9][0-9]|[1-9][0-9][0-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_unlock_time_removed: + title: 5.3.3.1.2 | Ensure password unlock time is configured + exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?unlock_time\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml new file mode 100644 index 0000000..bb0e079 --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml 
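Review bot: The accepted range for `unlock_time` is 1–900 and anything above 900 is rejected, which is inverted relative to the remediation value this control is normally given (900 seconds or more, or 0 for manual unlock — please check against the benchmark text you are targeting); if that is the intent, the positive pattern should read `- '/^unlock_time\s*=\s*(0|9[0-9]{2}|[1-9][0-9]{3,})$/'` with the negative pattern covering 1–899. If a shorter lock-out is deliberately accepted, a comment above `contents:` explaining the choice would stop the next reader from "fixing" it. The `exit-status: 1` form used in `faillock_unlock_time_removed` differs from the `or: 0/1` plus `!/.*/` form in 5.3.3.1.1 for the same kind of grep; either works, but one style across the series reads better.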
@@ -0,0 +1,44 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_3_3_1_3 }} +file: + faillock_even_root: + title: 5.3.3.1.3 | Ensure password unlock time is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^(even_deny_root|root_unlock_time\s*=\s*([6-9][0-9]|[1-3][0-9]{2,2}))/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.3.3.1.3 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_even_root_removed: + title: 5.3.3.1.3 | Ensure password unlock time is configured + exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?(even_deny_root|root_unlock_time)' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.3 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml new file mode 100644 index 0000000..f9c9d0c --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml 
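Review bot: The title on both resources, `Ensure password unlock time is configured`, is copied from 5.3.3.1.2; this file checks `even_deny_root` / `root_unlock_time`, so the title should say that. The `root_unlock_time` alternative `([6-9][0-9]|[1-3][0-9]{2,2})` accepts 60–399 and rejects 400 and above, although a longer root lock-out is stricter, not weaker; `([6-9][0-9]|[1-9][0-9]{2,})` keeps only the lower bound. The `file` resource is tagged `server: 2` / `workstation: 2` while the `command` resource in the same file says `1`, and the template nests `level_2` inside `level_1`, so the check is skipped whenever level 1 is off.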
@@ -0,0 +1,44 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_1 }} +command: + password_character_changed: + title: 5.3.3.2.1 | Ensure password number of changed characters is configured + exec: grep -Psi -- '^\h*difok\h*=\h*([2-9]|[1-9][0-9]+)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:difok\s*=\s*[2-9]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.1 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + passwd_change_not_pamd: + title: 5.3.3.2.1 | Ensure password number of changed characters is configured + exec: grep -Psi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?difok\s*=\s*([0-1])\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exists: true + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.1 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml new file mode 100644 index 0000000..b61b06e --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml 
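Review bot: `passwd_change_not_pamd` declares `exists: true`, which is a `file` resource key, where its siblings use `exit-status:`; it looks like a copy-paste slip that leaves the grep's exit code unchecked and, depending on how strictly goss parses resources, may be rejected as an unknown field. Replace it with the same `exit-status:` / `or:` `0`,`1` block that `password_character_changed` uses. Note also that the unquoted glob `/etc/security/pwquality.conf.d/*.conf` is passed literally when the directory holds no `.conf` file, in which case grep reports a missing file and exits 2, which the allowed `0`/`1` statuses do not cover; that caveat applies to every `pwquality.conf.d/*.conf` check from 5.3.3.2.1 through 5.3.3.2.7.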
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_2 }} +command: + password_minlen: + title: 5.3.3.2.2 | Ensure minimum password length is configured + exec: grep -Psi -- '^\h*minlen\h*=\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:minlen\s*=\s*(1[4-9]|[2-4][0-9])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.2 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + password_minlen_not_pamd: + title: 5.3.3.2.2 | Ensure minimum password length is configured + exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?minlen\h*=\h*([0-9]|1[0-3])\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.2 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml new file mode 100644 index 0000000..5d740b5 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml 
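Review bot: The stdout pattern `/.*\:minlen\s*=\s*(1[4-9]|[2-4][0-9])/` accepts only 14–49 while the grep pattern on the `exec` line accepts 14 and above, so a host with `minlen = 64` passes grep and is then rejected by the stdout check; `- '/.*\:minlen\s*=\s*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\b/'` aligns the two. `password_minlen_not_pamd` additionally allows exit status 2, unlike every other `*_not_pamd` check in this series; with `!/.*/` as the only stdout assertion, a grep error (unreadable or missing file) would then pass as compliant.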
@@ -0,0 +1,51 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_3 }} +command: + password_complex: + title: 5.3.3.2.3 | Ensure password complexity is configured + exec: grep -Psi -- '^\h*(minclass|[dulo]credit)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:minclass\s*=\s*([4-9]|[1-9][0-9])/' + - '!/.*\:minclass\s*=\s*[0-3])/' + or: + - '/.*\:(d|l|o|u)credit\s*=\s*-\d/' + - '!/.*\:(d|l|o|u)credit\s*=\s*\d/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + password_complex_not_pamd: + title: 5.3.3.2.3 | Ensure password complexity is configured + exec: grep -Psi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?(minclass=\d*|[dulo]credit=-?\d*)\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml new file mode 100644 index 0000000..dde2843 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml 
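Review bot: `'!/.*\:minclass\s*=\s*[0-3])/'` has an unmatched `)`, so the pattern does not compile; it should be `- '!/.*\:minclass\s*=\s*[0-3]\b/'`. The `or:` block is a sibling key of `stdout:` inside the `password_complex` resource rather than an element of the stdout list, so as written the two minclass patterns are mandatory and the credit patterns are not evaluated as an alternative — a host that meets the control through negative `credit` values alone fails. As far as I know goss expects matcher keywords inside the list (`stdout:` / `- or:` / nested patterns); please confirm against the goss version in use and restructure accordingly.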
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_4 }} +command: + password_consecutive_characters: + title: 5.3.3.2.4 | Ensure password same consecutive characters is configured + exec: grep -Psi -- '^\s*maxrepeat\s*=\s*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:maxrepeat\s*=\s*[1-3]/' + - '!/.*\:maxrepeat\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.4 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + consecutive_characters_not_pamd: + title: 5.3.3.2.4 | Ensure password same consecutive characters is configured + exec: grep -Psi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?maxrepeat\s*=\s*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.4 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml new file mode 100644 index 0000000..70e3da8 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_5 }} +command: + password_maxseq: + title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured + exec: grep -Psi -- '^\s*maxsequence\s*=\s*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:maxsequence\s*=\s*[1-3]/' + - '!/.*\:maxsequence\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.5 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + maxseq_not_pamd: + title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured + exec: grep -Psi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?maxsequence\s*=\s*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.5 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml new file mode 100644 index 0000000..bbef6a8 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_6 }} +command: + password_dictchk: + title: 5.3.3.2.6 | Ensure password dictionary check is enabled + exec: grep -Psi -- '^\s*dictcheck\s*=' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:dictchk\s*=\s*1/' + - '!/.*\:dictchk\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.6 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + dictchk_not_pamd: + title: 5.3.3.2.6 | Ensure password dictionary check is enabled + exec: grep -Psi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?dictcheck\s*=\s*0\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.6 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml new file mode 100644 index 0000000..3adc4b3 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_2_7 }} +command: + password_quality_enforce_root: + title: 5.3.3.2.7 | Ensure password quality checking is enforced + exec: grep -Psi -- '^\s*enforce_for_root\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:enforce_for_root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.7 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml new file mode 100644 index 0000000..233df15 --- /dev/null 
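Review bot: In cis_5.3.3.2.6.yml the `exec` line greps for `dictcheck` but the stdout assertions look for `dictchk`, so the positive pattern `/.*\:dictchk\s*=\s*1/` can never match grep's output and the check fails on every host; both should read `dictcheck`: `- '/.*\:dictcheck\s*=\s*1\b/'` and `- '!/.*\:dictcheck\s*=\s*0\b/'`. The grep pattern stops at `=` without a value, so an explicit `dictcheck = 0` is printed and only the stdout negation catches it, which works but deserves a one-line comment so the asymmetry with the sibling checks is not "corrected" later.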
+++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_3_1 }} +file: + pwhistory_remember: + title: 5.3.3.3.1 | Ensure password history remember is configured + path: /etc/security/pwhistory.conf + exists: true + contents: + - '/^remember\s*=\s*(2[4-9]|[3-9][0-9])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 +command: + pwhistory_remember_pam_configs: + title: 5.3.3.3.1 | Ensure password history remember is configured | pam_configs + exec: grep -Pi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=(2[0-3]|1[0-9]|[0-9])\b' /etc/pam.d/system-auth /etc/pam.d/password-auth + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml new file mode 100644 index 0000000..f66aa2f --- /dev/null +++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_3_2 }} +file: + pwhistory_enforce_for_root: + title: 5.3.3.3.2 | Ensure password history is enforced for the root user + path: /etc/security/pwhistory.conf + exists: true + contents: + - '/^enforce_for_root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml new file mode 100644 index 0000000..dd6338b --- /dev/null +++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml 
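Review bot: `/^remember\s*=\s*(2[4-9]|[3-9][0-9])/` in `pwhistory_remember` rejects `remember = 100` or larger although a longer history is stricter; `- '/^remember\s*=\s*(2[4-9]|[3-9][0-9]|[1-9][0-9]{2,})\b/'` keeps only the lower bound. The `\b` also stops `remember = 240` from being accepted by a partial match of `24`, which the current unanchored pattern allows in the other direction for values such as `remember = 2` followed by other characters.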
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_3_3 }} +file: + pwhistory_use_authtok_password-auth: + title: 5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok | password-auth + path: /etc/pam.d/password-auth + exists: true + contents: + - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 +pwhistory_use_authtok_system-auth: + title: 5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok | system-auth + path: /etc/pam.d/system-auth + exists: true + contents: + - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml new file mode 100644 index 0000000..d88d513 --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_4_1 }} +file: + pam_unix_nullok_password-auth: + title: 5.3.3.4.1 | Ensure pam_unix does not include nullok | password-auth + file: /etc/pam.d/password-auth + exists: true + contents: + - '!/.*pam_unix.so.*nullok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + pam_unix_nullok_system-auth: + title: 5.3.3.4.1 | Ensure pam_unix does not include nullok | system-auth + file: /etc/pam.d/system-auth + exists: true + contents: + - '!/.*pam_unix.so.*nullok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} 
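Review bot: In cis_5.3.3.3.3.yml, `pwhistory_use_authtok_system-auth:` starts at column 0, so it is a top-level key rather than a second entry under `file:`; goss will not treat it as a file resource (and may reject the document), leaving system-auth unchecked. Indent it two spaces to sit beside `pwhistory_use_authtok_password-auth`. The pattern's `\s*` between fields also matches with no separator at all; `\s+` is what the sibling files use.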
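Review bot: Both resources in cis_5.3.3.4.1.yml use `file: /etc/pam.d/password-auth` where every other `file` resource in this commit uses `path:`; as written the resource carries no path and `exists: true` cannot be evaluated against the intended file. Change the two lines to `path: /etc/pam.d/password-auth` and `path: /etc/pam.d/system-auth`; cis_5.3.3.4.2.yml has the same two lines. The negative pattern `!/.*pam_unix.so.*nullok/` also fires on a commented-out line containing both tokens; `'!/^\s*[^#].*pam_unix\.so.*nullok/'` avoids that false positive.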
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml new file mode 100644 index 0000000..29cdd8d --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_4_2 }} +file: + pam_unix_remember_password-auth: + title: 5.3.3.4.2 | Ensure pam_unix does not include remember | password-auth + file: /etc/pam.d/password-auth + exists: true + contents: + - '!/.*pam_unix.so.*remember/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + pam_unix_remember_system-auth: + title: 5.3.3.4.2 | Ensure pam_unix does not include remember | system-auth + file: /etc/pam.d/system-auth + exists: true + contents: + - '!/.*pam_unix.so.*remember/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml new file mode 100644 index 0000000..97ed4d4 --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml 
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_4_3 }} +file: + pam_unix_strong_password_password-auth: + title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm | password-auth + path: /etc.pam.d/password-auth + exists: true + contents: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*(yescrypt|sha512)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.3 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + pam_unix_strong_password_system-auth: + title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm | system-auth + path: /etc.pam.d/system-auth + exists: true + contents: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*(yescrypt|sha512)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.3 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml new file mode 100644 index 0000000..f7f60f1 --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml 
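Review bot: Both `path:` values read `/etc.pam.d/...` instead of `/etc/pam.d/...`, so `exists: true` fails on every host. The contents pattern `/.*:password\s+...` additionally demands a colon before `password`, which is grep's `file:match` prefix and never occurs inside the file itself, so even with the path corrected no line can match; `- '/^\s*password\s+([^#\n\r]+)\s+pam_unix\.so.*(yescrypt|sha512)/'` is what a `file` resource should assert. cis_5.3.3.4.4.yml has the same `.*:` prefix problem with a correct path.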
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_3_3_4_4 }} +file: + pam_unix_use_authtok_password-auth: + title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok | password-auth + path: /etc/pam.d/password-auth + exists: true + contents: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.4 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + pam_unix_use_authtok_system-auth: + title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok | system-auth + path: /etc/pam.d/system-auth + exists: true + contents: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.4 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.1.yml b/section_5/cis_5.3/cis_5.3.1.yml deleted file mode 100644 index 4e4b7fa..0000000 --- a/section_5/cis_5.3/cis_5.3.1.yml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_1}} -package: - sudo: - title: 5.3.1 | Ensure sudo is installed - installed: true - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.1 - CISv8: 5.4 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.2.yml b/section_5/cis_5.3/cis_5.3.2.yml deleted file mode 100644 index 0907a43..0000000 --- a/section_5/cis_5.3/cis_5.3.2.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_2 }} -command: - pty_sudoers_d: - title: 5.3.2 | Ensure sudo commands use pty - exec: export PTY=`grep -q -Ei '^\s*Defaults\s+(\[^#]+,\s*)?use_pty' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi - exit-status: 0 - stdout: - - 'OK' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.2 - CISv8: - - 5.4 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} 
diff --git a/section_5/cis_5.3/cis_5.3.3.yml b/section_5/cis_5.3/cis_5.3.3.yml deleted file mode 100644 index 402bf67..0000000 --- a/section_5/cis_5.3/cis_5.3.3.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_3 }} -command: - log_sudoers_d: - title: 5.3.3 | Ensure sudo log file exists | sudoers.d - exec: export LOG=`grep -q -Esi '^\s*Defaults\s+([^#]+,\s*)?logfile=' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $LOG == 0 ]];then echo OK ;fi - exit-status: 0 - stdout: - - 'OK' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.3 - CISv8: - - 8.5 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.4.yml b/section_5/cis_5.3/cis_5.3.4.yml deleted file mode 100644 index ce2e161..0000000 --- a/section_5/cis_5.3/cis_5.3.4.yml +++ /dev/null @@ -1,24 +0,0 @@ -{{ if .Vars.rhel9cis_level_2 }} - {{ if .Vars.rhel9cis_rule_5_3_4 }} -command: - nopasswd_sudoers_d: - title: 5.3.4 | Ensure users must provide password for escalation - exec: grep -R NOPASSWD /etc/sudoers /etc/sudoers.d/* | grep -v '.*\:#' - exit-status: - or: - - 0 - - 1 - stdout: - - '!/.*/' - meta: - server: 2 - workstation: 2 - CIS_ID: - - 5.3.4 - CISv8: - - 5.4 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.5.yml b/section_5/cis_5.3/cis_5.3.5.yml deleted file mode 100644 index 1ef862f..0000000 --- a/section_5/cis_5.3/cis_5.3.5.yml +++ /dev/null @@ -1,22 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_5 }} -command: - authenticate_sudoers: - title: 5.3.5 | Ensure re-authentication for privilege escalation is not disabled globally - exec: 'grep -r "^[^#].*\!authenticate" /etc/sudoers*' - exit-status: - or: - - 0 - - 1 - stdout: - - '!/.*/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.5 - CISv8: - - 5.4 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} 
diff --git a/section_5/cis_5.3/cis_5.3.6.yml b/section_5/cis_5.3/cis_5.3.6.yml deleted file mode 100644 index 3d9f3ff..0000000 --- a/section_5/cis_5.3/cis_5.3.6.yml +++ /dev/null @@ -1,20 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_6 }} -command: - sudo_timeout: - title: 5.3.6 | Ensure sudo authentication timeout is configured correctly - exec: grep -rP "timestamp_timeout=\K[0-9]*" /etc/sudoers* - exit-status: 0 - stdout: - - '!/timestamp_timeout=(-1|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})/' - - '/timestamp_timeout=([5-9]|1[0-5])/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.6 - CISv8: - - 5.4 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.7.yml b/section_5/cis_5.3/cis_5.3.7.yml deleted file mode 100644 index 0e8fbc0..0000000 --- a/section_5/cis_5.3/cis_5.3.7.yml +++ /dev/null @@ -1,35 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_3_7 }} -file: - restrict_su: - title: 5.3.7 | Ensure access to the su command is restricted - path: /etc/pam.d/su - exists: true - contents: - - '/^auth.*required.*pam_wheel.so\suse_uid\sgroup={{ .Vars.rhel9cis_sugroup }}/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.7 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -command: - sugroup_etc_group: - title: 5.3.7 | Ensure access to the su command is restricted - exec: grep {{ .Vars.rhel9cis_sugroup }} /etc/group - exit-status: 0 - stdout: - - '/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:$/' - - '!/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:.*/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.3.7 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.6/cis_5.6.1.1.yml b/section_5/cis_5.4.1/cis_5.4.1.1.yml similarity index 64% rename from section_5/cis_5.6/cis_5.6.1.1.yml rename to section_5/cis_5.4.1/cis_5.4.1.1.yml index 074dbee..572ad54 100644 --- a/section_5/cis_5.6/cis_5.6.1.1.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.1.yml 
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_6_1_1 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_1 }} command: login_defs_max_days: - title: 5.6.1.1 | Ensure password expiration is 365 days or less + title: 5.4.1.1 | Ensure password expiration is configured exec: grep PASS_MAX_DAYS /etc/login.defs exit-status: 0 stdout: @@ -12,13 +15,19 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.1 + - 5.4.1.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 check_user_expiry: - title: 5.6.1.1 | Ensure password expiration is 365 days or less | check_users + title: 5.4.1.1 | Ensure password expiration is configured | check_users exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,5" exit-status: 0 stdout: @@ -27,9 +36,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.1 + - 5.4.1.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.6/cis_5.6.1.2.yml b/section_5/cis_5.4.1/cis_5.4.1.2.yml similarity index 59% rename from section_5/cis_5.6/cis_5.6.1.2.yml rename to section_5/cis_5.4.1/cis_5.4.1.2.yml index 1a26609..488a653 100644 --- a/section_5/cis_5.6/cis_5.6.1.2.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.2.yml 
@@ -1,23 +1,28 @@ -{{ if .Vars.rhel9cis_rule_5_6_1_2 }} -command: +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_2 }} +file: login_defs_min_days: - title: 5.6.1.2 | Ensure minimum days between password changes is configured - exec: grep PASS_MIN_DAYS /etc/login.defs - exit-status: 0 - stdout: + title: 5.4.1.2 | Ensure minimum password days is configured + path: /etc/login.defs + exists: true + contents: - '/^PASS_MIN_DAYS\s{{ .Vars.rhel9cis_pass.min_days }}/' - '!/^PASS_MIN_DAYS\s0/' meta: server: 1 workstation: 1 CIS_ID: - - 5.6.1.2 + - 5.4.1.2 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA +command: check_users_MIN_DAYS: - title: 5.6.1.2 | Ensure minimum days between password changes is configured | check users + title: 5.4.1.2 | Ensure minimum password days is configured | check users exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,4" exit-status: 0 stdout: @@ -26,9 +31,11 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.2 + - 5.4.1.2 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_5/cis_5.6/cis_5.6.1.3.yml b/section_5/cis_5.4.1/cis_5.4.1.3.yml similarity index 62% rename from section_5/cis_5.6/cis_5.6.1.3.yml rename to section_5/cis_5.4.1/cis_5.4.1.3.yml index c13819a..bebb7c8 100644 --- a/section_5/cis_5.6/cis_5.6.1.3.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.3.yml 
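Review bot: The first contents pattern in login_defs_min_days, `'/^PASS_MIN_DAYS\s{{ .Vars.rhel9cis_pass.min_days }}/'`, allows exactly one whitespace character and has no end anchor, so it fails on `PASS_MIN_DAYS   1` (several spaces, common in login.defs) and passes on `PASS_MIN_DAYS 10` when min_days is 1; the line is unchanged context, but the commit keeps it as the live assertion of the converted file resource. The sibling 5.4.1.3 already uses `\s+…$` for the same kind of line; use the same form here: `'/^PASS_MIN_DAYS\s+{{ .Vars.rhel9cis_pass.min_days }}$/'`. The negative `'!/^PASS_MIN_DAYS\s0/'` has the same single-`\s` limitation and would become `'!/^PASS_MIN_DAYS\s+0$/'`.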
@@ -1,10 +1,13 @@ -{{ if .Vars.rhel9cis_rule_5_6_1_3 }} -command: +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_3 }} +file: login_defs_warn_age: - title: 5.6.1.3 | Ensure password expiration warning days is 7 or more - exec: grep PASS_WARN_AGE /etc/login.defs - exit-status: 0 - stdout: + title: 5.4.1.3 | Ensure password expiration warning days is configured + path: /etc/login.defs + exists: true + contents: - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass.warn_age }}$/' - '/^PASS_WARN_AGE\s+(7|[1-9][0-9]{1,3})$/' - '!/^PASS_WARN_AGE\s+[1-6]$/' @@ -12,13 +15,15 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.3 + - 5.4.1.3 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA +command: check_users_MAX_DAYS: - title: 5.6.1.3 | Ensure password expiration warning days is 7 or more | check_users + title: 5.4.1.3 | Ensure password expiration warning days is configured | check_users exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,6" exit-status: 0 stdout: @@ -28,9 +33,11 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.3 + - 5.4.1.3 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_5/cis_5.4.1/cis_5.4.1.4.yml b/section_5/cis_5.4.1/cis_5.4.1.4.yml new file mode 100644 index 0000000..2d5fdcc --- /dev/null +++ b/section_5/cis_5.4.1/cis_5.4.1.4.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_4 }} +file: + login_defs_hashing: + title: 5.4.1.4 | Ensure password expiration warning days is configured + path: /etc/login.defs + exists: true + contents: + - '/^ENCRYPT_METHOD (SHA512|YESCRYPT)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} 
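Review bot: The title of login_defs_hashing in cis_5.4.1.4.yml, `5.4.1.4 | Ensure password expiration warning days is configured`, is copied from 5.4.1.3 and does not describe this resource, which checks `ENCRYPT_METHOD`; retitle it to the hashing-algorithm control it implements (for example `5.4.1.4 | Ensure strong password hashing algorithm is configured`) so goss output and the meta block agree. The pattern `'/^ENCRYPT_METHOD (SHA512|YESCRYPT)/'` is also case-sensitive and accepts only upper-case `YESCRYPT`, whereas the check it replaces (login_defs_hash_algo in the deleted 5.5.4) accepted `yescrypt`, and it requires a single space where login.defs entries may be tab-separated; `'/^ENCRYPT_METHOD\s+(?i:SHA512|YESCRYPT)\b/'` covers both.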
diff --git a/section_5/cis_5.6/cis_5.6.1.4.yml b/section_5/cis_5.4.1/cis_5.4.1.5.yml similarity index 54% rename from section_5/cis_5.6/cis_5.6.1.4.yml rename to section_5/cis_5.4.1/cis_5.4.1.5.yml index ee045a8..dd491da 100644 --- a/section_5/cis_5.6/cis_5.6.1.4.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.5.yml @@ -1,34 +1,40 @@ -{{ if .Vars.rhel9cis_rule_5_6_1_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_5 }} command: inactive_passwd: - title: 5.6.1.4 | Ensure inactive password lock is 30 days or less + title: 5.4.1.5 | Ensure inactive password lock is configured exec: useradd -D | grep INACTIVE exit-status: 0 stdout: - - '/^INACTIVE=([1-9]|[0-2][0-9]|30)/' + - '/^INACTIVE=([1-9]|[0-3][0-9]|4[0-5])/' meta: server: 1 workstation: 1 CIS_ID: - - 5.6.1.4 + - 5.4.1.5 CISv8: 5.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA inactive_users: - title: 5.6.1.4 | Ensure inactive password lock is 30 days or less + title: 5.4.1.5 | Ensure inactive password lock is configured exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f7" exit-status: 0 stdout: - - '!/^(0|3[1-9]|[4-9][0-9]{2,})/' - - '/([1-9]|[1-2][0-9]|30)/' + - '!/^(0|4[6-9]|[5-9][0-9]{2,})/' + - '/([1-9]|[0-3][0-9]|4[0-5])/' meta: server: 1 workstation: 1 CIS_ID: - - 5.6.1.4 + - 5.4.1.5 CISv8: 5.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_5/cis_5.6/cis_5.6.1.5.yml b/section_5/cis_5.4.1/cis_5.4.1.6.yml similarity index 67% rename from section_5/cis_5.6/cis_5.6.1.5.yml rename to section_5/cis_5.4.1/cis_5.4.1.6.yml index 7225997..4c6576a 100644 --- a/section_5/cis_5.6/cis_5.6.1.5.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.6.yml 
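Review bot: The updated INACTIVE patterns in 5.4.1.5 have no end anchor, so `'/^INACTIVE=([1-9]|[0-3][0-9]|4[0-5])/'` also accepts `INACTIVE=100` or `INACTIVE=450` (matched through the prefix `1` or `45`), and the inactive_users positive pattern `'/([1-9]|[0-3][0-9]|4[0-5])/'` matches any line containing a digit at all. Anchor both: `'/^INACTIVE=([1-9]|[1-3][0-9]|4[0-5])$/'` for useradd, and for the per-user field `'/^([1-9]|[1-3][0-9]|4[0-5])$/'` together with `'!/^(0|4[6-9]|[5-9][0-9]|[1-9][0-9]{2,})$/'`, since the current negative `[5-9][0-9]{2,}` needs three digits and lets 50–99 through. An empty seventh field (inactivity unset) is not rejected by any pattern either; `'!/^$/'` would catch it if goss's stdout matcher is given blank lines, which is worth confirming.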
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_5_6_1_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_1_6 }} command: passwd_chg_past: - title: 5.6.1.5 | Ensure all users last password change date is in the past + title: 5.4.1.6 | Ensure all users last password change date is in the past exec: 'for usr in `cut -d: -f1 /etc/shadow`; do [[ $(chage --list $usr | grep "^Last password change" | cut -d: -f2) > $(date) ]] && echo "Failed" ; done' exit-status: 1 stdout: @@ -10,9 +13,11 @@ command: server: 1 workstation: 1 CIS_ID: - - 5.6.1.5 + - 5.4.1.6 CISv8: 5.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_5/cis_5.6/cis_5.6.3.yml b/section_5/cis_5.4.1/cis_5.6.3.yml similarity index 100% rename from section_5/cis_5.6/cis_5.6.3.yml rename to section_5/cis_5.4.1/cis_5.6.3.yml diff --git a/section_5/cis_5.6/cis_5.6.4.yml b/section_5/cis_5.4.1/cis_5.6.4.yml similarity index 100% rename from section_5/cis_5.6/cis_5.6.4.yml rename to section_5/cis_5.4.1/cis_5.6.4.yml diff --git a/section_5/cis_5.6/cis_5.6.5.yml b/section_5/cis_5.4.1/cis_5.6.5.yml similarity index 100% rename from section_5/cis_5.6/cis_5.6.5.yml rename to section_5/cis_5.4.1/cis_5.6.5.yml diff --git a/section_5/cis_5.6/cis_5.6.6.yml b/section_5/cis_5.4.1/cis_5.6.6.yml similarity index 100% rename from section_5/cis_5.6/cis_5.6.6.yml rename to section_5/cis_5.4.1/cis_5.6.6.yml diff --git a/section_6/cis_6.2/cis_6.2.9.yml b/section_5/cis_5.4.2/cis_5.4.2.1.yml similarity index 51% rename from section_6/cis_6.2/cis_6.2.9.yml rename to section_5/cis_5.4.2/cis_5.4.2.1.yml index f9499c0..4ce2199 100644 --- a/section_6/cis_6.2/cis_6.2.9.yml +++ b/section_5/cis_5.4.2/cis_5.4.2.1.yml 
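Review bot: passwd_chg_past compares the `chage --list` date with `$(date)` using `[[ … > … ]]`, which is a lexicographic string comparison of two human-readable dates rather than a chronological one, so a last-change date in the future is not reliably detected; the exec line is unchanged context, but the rename keeps it as the live check for 5.4.1.6. Comparing epoch seconds makes it correct, for example `[[ $(date -d "$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)" +%s 2>/dev/null) -gt $(date +%s) ]] && echo "Failed"`, where the non-date values `never` and `password must be changed` make `date -d` fail and the empty operand evaluates as 0, so they do not print `Failed`. The `exit-status: 1` contract, which relies on the final `&&` failing for every user, is unchanged by this.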
@@ -1,18 +1,29 @@ -{{ if .Vars.rhel9cis_rule_6_2_9 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_1 }} command: uid_0_check: - title: 6.2.9 | Ensure root is the only UID 0 account + title: 5.4.2.1 | Ensure root is the only UID 0 account exec: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" exit-status: 0 stdout: - 'root' + - '!/[^root]/' meta: server: 1 workstation: 1 CIS_ID: - - 6.2.9 + - 5.4.2.1 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.2.yml b/section_5/cis_5.4.2/cis_5.4.2.2.yml new file mode 100644 index 0000000..1237d8f --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.2.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_2 }} +command: + gid_0_check: + title: 5.4.2.2 | Ensure root is the only GID 0 account + exec: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4=='0') {print $1\":\"$4}' /etc/passwd" + exit-status: 0 + stdout: + - 'root' + - '!/[^root]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.3.yml b/section_5/cis_5.4.2/cis_5.4.2.3.yml new file mode 100644 index 0000000..ce214cb --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.3.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_3 }} +command: + group_root_only_0: + title: 5.4.2.3 | Ensure group root is the only GID 0 group + exec: "awk -F: '$3=='0'{print $1\":\"$3}' /etc/group" + exit-status: 0 + stdout: ['root:0'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} 
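Review bot: `'!/[^root]/'`, added to uid_0_check's stdout, is a negated character class rather than a negated word: it rejects any line containing a character other than `r`, `o` or `t`, so a UID-0 account named e.g. `toor` still passes, and the same line added to gid_0_check in the next hunk fails on a compliant host because that command prints `root:0`, whose `:` and `0` fall inside the class. RE2 has no lookahead, so express "nothing but root" in the command instead: `exec: "awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -vx root"` with `exit-status: 1` and `stdout: ['!/./']`, the shape secure_system_accts in 5.4.2.7 already uses, and `| grep -vx root:0` with the same assertions for gid_0_check. If the presence of root itself should still be asserted, keep that as a separate resource holding the current `'root'` line.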
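Review bot: group_root_only_0 in cis_5.4.2.3.yml asserts only that `root:0` appears in the awk output, so a second group with GID 0 is printed alongside it and the check still passes, which is exactly the condition the title is meant to catch. Append `| grep -vx root:0` to the exec and assert `exit-status: 1` with `stdout: ['!/./']`, as 5.4.2.7 does, or keep this resource for the presence of `root:0` and add a second one for the absence of any other GID-0 group.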
diff --git a/section_5/cis_5.4.2/cis_5.4.2.4.yml b/section_5/cis_5.4.2/cis_5.4.2.4.yml new file mode 100644 index 0000000..51c0704 --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.4.yml @@ -0,0 +1,22 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_4 }} +command: + root_passwd_set: + title: 5.4.2.4 | Ensure root account access is controlled + exec: "passwd -S root | awk '$2 ~ /^P/ {print \"OK Password\"}'" + exit-status: 0 + stdout: ['OK Password'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.8.yml b/section_5/cis_5.4.2/cis_5.4.2.5.yml similarity index 58% rename from section_6/cis_6.2/cis_6.2.8.yml rename to section_5/cis_5.4.2/cis_5.4.2.5.yml index 6690706..8d16c51 100644 --- a/section_6/cis_6.2/cis_6.2.8.yml +++ b/section_5/cis_5.4.2/cis_5.4.2.5.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_8 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_5 }} command: root_path_check: - title: 6.2.8 | Ensure root PATH Integrity + title: 5.4.2.5 | Ensure root PATH Integrity exec: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" exit-status: 0 stdout: @@ -10,9 +13,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.8 + - 5.4.2.5 CISv8: NA CISv8_IG1: NA CISv8_IG2: NA CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.6.yml b/section_5/cis_5.4.2/cis_5.4.2.6.yml new file mode 100644 index 0000000..70ac681 --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.6.yml 
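Review bot: root_passwd_set passes only when the `passwd -S root` status field begins with `P`, so a locked root account (status `LK`) is reported as a failure; if the control's intent is "password set or account locked", as the title "root account access is controlled" suggests, that is a compliant state and should not fail. If locked root should pass, widen the awk test to `$2 ~ /^(P|L)/` and print a neutral string such as `OK` so the stdout match still holds; if only a set password is acceptable, say so in the title so the narrower check is deliberate.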
@@ -0,0 +1,26 @@ +--- + + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_6 }} +command: + root_umask_bash_profile: + title: 5.4.2.6 | Ensure root user umask is configured + exec: grep -i umask /root/.bash_profile /root/bashrc + stdout: + - '/umask 00(2|7)7/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} + diff --git a/section_5/cis_5.4.2/cis_5.4.2.7.yml b/section_5/cis_5.4.2/cis_5.4.2.7.yml new file mode 100644 index 0000000..fa08a4a --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.7.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_2_7 }} +command: + secure_system_accts: + title: 5.4.2.7 | Ensure system accounts do not have a valid login shell + exec: "awk -F: '$3<1000' /etc/passwd | grep -Ev 'root|sync|halt|shutdown|nfsnobody|/sbin/nologin|/bin/false'" + exit-status: 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-2(5) + - AC-3 + - AC-11 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.1.yml b/section_5/cis_5.4.3/cis_5.4.3.1.yml new file mode 100644 index 0000000..364644c --- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.1.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_4_3_1 }} +file: + nologin_not_in_shells: + title: 5.4.3.1 | Ensure nologin is not listed in /etc/shells + exists: true + path: /etc/shells + contents: + - '!/.*nologin/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.4.3.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.2.yml b/section_5/cis_5.4.3/cis_5.4.3.2.yml new file mode 100644 index 0000000..1406ba3 
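Review bot: The exec in root_umask_bash_profile greps `/root/bashrc`, which looks like a typo for `/root/.bashrc`; as written the second file will not exist and root's bashrc umask is never inspected. The resource also has no `exit-status`, unlike every other command resource in this change, so a grep that matches nothing is judged only by the stdout pattern; add `exit-status: 0`. Finally, `'/umask 00(2|7)7/'` matches only the four-digit form, so the common `umask 027` / `umask 077` spellings fail the check; `'/umask\s+0?0[27]7\b/'` accepts both forms.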
--- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.2.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_3_2 }} +command: + check_timeout: + title: 5.4.3.2 | Ensure default user shell timeout is configured + exec: 'grep TMOUT /etc/profile.d/*.sh /etc/profile /etc/profile.d/*.sh| cut -d ":" -f2' + exit-status: 0 + stdout: + - '/^(readonly |)TMOUT/' + - '/TMOUT=([1-8][0-9]{0,2}|900)$/' + - '/export TMOUT/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.3.2 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.3.yml b/section_5/cis_5.4.3/cis_5.4.3.3.yml new file mode 100644 index 0000000..b949cbb --- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.3.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_5_4_3_3 }} +command: + umask_profile_scripts: + title: 5.4.3.3 | Ensure default user umask is configured + exec: 'grep -i "^\s*umask" /etc/profile /etc/profile.d/*.sh /etc/login.defs | cut -d ":" -f 2' + exit-status: 0 + stdout: + - '/(?i)umask\s+0[2-7][7]/' + - '!/(?i)umask\s+[7][0-1][0-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4/cis_5.4.1.yml b/section_5/cis_5.4/cis_5.4.1.yml deleted file mode 100644 index 30e9d65..0000000 --- a/section_5/cis_5.4/cis_5.4.1.yml +++ /dev/null 
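Review bot: The exec in check_timeout lists `/etc/profile.d/*.sh` twice, so every match is reported twice; drop one occurrence, and if `/etc/bashrc` is in scope for this control on RHEL (the usual audit location alongside /etc/profile) add it to the grep list. There is also no negative pattern, so a `TMOUT=0` or `TMOUT=3600` in another profile script passes as long as one compliant assignment exists somewhere; `'!/TMOUT=(0|90[1-9]|9[1-9][0-9]|[1-9][0-9]{3,})\b/'` rejects the out-of-range values.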
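Review bot: The negative pattern in umask_profile_scripts, `'!/(?i)umask\s+[7][0-1][0-6]/'`, rejects only the masks 700–716, so a lax `umask 022` in /etc/profile or `UMASK 022` in login.defs is not flagged; the positive `'/(?i)umask\s+0[2-7][7]/'` likewise misses the four-digit `umask 0027` form. Expressing the 027-or-stricter rule directly (group digit 2–7, other digit 7) gives `'/(?i)umask\s+0?[0-7][2-7]7\b/'` and `'!/(?i)umask\s+0?[0-7]([0-1][0-7]|[0-7][0-6])\b/'`, which accept 027, 0027, 077 and 0077 and reject 022, 0022 and 002.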
@@ -1,20 +0,0 @@ -{{ if .Vars.rhel9cis_authselect_custom_profile_create }} - {{ if .Vars.rhel9cis_rule_5_4_1}} -command: - custom_profile: - title: 5.4.1 | Ensure custom authselect profile is used - exec: head -1 /etc/authselect/authselect.conf | grep 'custom/' - exit-status: 0 - stdout: - - '/^custom\/{{ .Vars.rhel9cis_authselect.default_file_to_copy }}/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.4.1 - CISv8: 16.2 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.4/cis_5.4.2.yml b/section_5/cis_5.4/cis_5.4.2.yml deleted file mode 100644 index 55f942d..0000000 --- a/section_5/cis_5.4/cis_5.4.2.yml +++ /dev/null @@ -1,39 +0,0 @@ -{{ if .Vars.rhel9cis_authselect_custom_profile_select }} - {{ if .Vars.rhel9cis_rule_5_4_2 }} -file: - password_auth_faillock: - title: 5.4.2 | Ensure authselect includes with-faillock - path: /etc/authselect/password-auth - exists: true - contents: - - '/auth\s+required\s+pam_failock.so/' - - '/auth\s+required\s+pam_failock.so preauth silent/' - - '/auth\s+required\s+pam_failock.so authfail/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.4.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - system_auth_faillock: - title: 5.4.2 | Ensure authselect includes with-faillock - path: /etc/authselect/system-auth - exists: true - contents: - - '/auth\s+required\s+pam_failock.so/' - - '/auth\s+required\s+pam_failock.so preauth silent/' - - '/auth\s+required\s+pam_failock.so authfail/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.4.2 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.1.yml b/section_5/cis_5.5/cis_5.5.1.yml deleted file mode 100644 index cb1b143..0000000 --- a/section_5/cis_5.5/cis_5.5.1.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_5_1 }} -command: - min_pwquality: - title: 5.5.1 | Ensure password creation requirements are configured | pwquality - exec: cat /etc/security/pwquality.conf - exit-status: 0 - stdout: - - '/^minlen( |)=( |){{ .Vars.rhel9cis_pam_password.minlen }}/' - - '!/^minlen( |)=( |)(^[0-9]|1[0-3])/' - - '/^minclass( |)=( |){{ .Vars.rhel9cis_pam_password.minclass }}/' - - '!/^minclass( |)=( |)[0-3]/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.1 - CISv8: 5.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - passwd_create: - title: 5.5.1 | Ensure password creation requirements are configured | enforce - exec: 'grep -E "password.*enforce" /etc/pam.d/password-auth /etc/pam.d/system-auth | cut -d ":" -f2' - exit-status: 0 - stdout: - - '/^password\s+requisite\s+pam_pwquality.so\stry_first_pass\slocal_users_only\senforce_for_root\sretry={{ .Vars.rhel9cis_pam_passwd_retry }}/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.1 - CISv8: 5.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.2.yml b/section_5/cis_5.5/cis_5.5.2.yml deleted file mode 100644 index 564d413..0000000 --- a/section_5/cis_5.5/cis_5.5.2.yml +++ /dev/null @@ -1,20 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_5_2 }} -file: - faillock_lockout: - title: 5.5.2 | Ensure lockout for failed password attempts is configured - path: /etc/security/faillock.conf - exists: true - contents: - - '/^deny( |)=( |)[0-5]/' - - '/^unlock_time( |)=( |)(0|9[0-9]{2,})$/' - - '!/^unlock_time( |)=( |)([1-9]|[1-8][0-9]{1,2})$/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.2 - CISv8: 6.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.3.yml b/section_5/cis_5.5/cis_5.5.3.yml deleted file mode 100644 index f4c648d..0000000 --- a/section_5/cis_5.5/cis_5.5.3.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_5_3 }} - {{ if .Vars.rhel9cis_pwhistory_so }} -command: - pwreuse_pamd_system_auth: - title: 5.5.3 | Ensure password reuse is limited - exec: grep -Ei "^password.*remember" /etc/pam.d/system-auth - exit-status: 0 - stdout: - - '/^password\s+(sufficient|requisite)\s+(pam_pwhistory.so|pam_unix.so)\stry_first_pass\s.*\sremember={{ .Vars.rhel9cis_passwd_remember }}/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.3 - CISv8: 5.2 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.4.yml b/section_5/cis_5.5/cis_5.5.4.yml deleted file mode 100644 index d4208fe..0000000 --- a/section_5/cis_5.5/cis_5.5.4.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_5_4 }} -command: - pamd_system_auth_sha: - title: 5.5.4 | Ensure password hashing algorithm is SHA-512 or yescrypt | system-auth - exec: grep -Ei "sha512|yescrypt" /etc/pam.d/system-auth - exit-status: 0 - stdout: - - '/^password\s+(requisite|required|sufficient)\s+pam_unix.so\s.*(sha512|yescrypt)/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.4 - CISv8: 3.11 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -file: - password_auth_hash_algo: - title: 5.5.4 | Ensure password hashing algorithm is SHA-512 or yescrypt | passwd-auth - path: /etc/pam.d/password-auth - exists: true - contents: - - '/^password\s+(requisite|required|sufficient)\s+pam_unix.so\s.*(sha512|yescrypt)/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.4 - CISv8: 3.11 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - libuser_hash_algo: - title: 5.5.4 | Ensure password hashing algorithm is SHA-512 | passwd-auth - path: /etc/libuser.conf - exists: true - contents: - - '/^crypt_style( |)=( |)(sha512|yescrypt)/' - - '!/^crypt_style( |)=( |)md5/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.4 - CISv8: 3.11 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true - login_defs_hash_algo: - title: 5.5.4 | Ensure password hashing algorithm is SHA-512 | login.defs - path: /etc/login.defs - exists: true - contents: - - '/^ENCRYPT_METHOD (SHA512|yescrypt)/' - - '!/^ENCRYPT_METHOD MD5/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.4 - CISv8: 3.11 - CISv8_IG1: false - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_5/cis_5.6/cis_5.6.2.yml b/section_5/cis_5.6/cis_5.6.2.yml deleted file mode 100644 index 6c8cdf6..0000000 --- a/section_5/cis_5.6/cis_5.6.2.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Vars.rhel9cis_rule_5_6_2 }} -command: - secure_system_accts: - title: 5.6.2 | Ensure system accounts are secured - exec: "/awk -F: '$3<1000' /etc/passwd | egrep -v 'root|sync|halt|shutdown|/sbin/nologin|/bin/false'/" - exit-status: 1 - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.5.2 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - secure_system_LK: - title: 5.6.2 | Ensure system accounts are secured - exec: "/awk -F: '$3<1000' /etc/passwd | egrep -wv 'root' | cut -d: -f1 | xargs -I '{}' passwd -S '{}' | egrep -cvw 'LK|L'/" - exit-status: 1 - stdout: - - '0' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 5.6.2 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.1.yml b/section_6/cis_6.1/cis_6.1.1.yml index 610f856..8021e98 100644 --- a/section_6/cis_6.1/cis_6.1.1.yml +++ b/section_6/cis_6.1/cis_6.1.1.yml @@ -1,19 +1,23 @@ -{{ if .Vars.rhel9cis_rule_6_1_1 }} -file: - etc_passwd_perms: - title: 6.1.1 | Ensure permissions on /etc/passwd are configured - path: /etc/passwd - exists: true - mode: "0644" - owner: root - group: root +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_1_1 }} +package: + aide_installed: + title: 6.1.1 | Ensure AIDE is installed + installed: true + name: aide meta: server: 1 workstation: 1 CIS_ID: - 6.1.1 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false CISv8_IG3: true + NIST800-53R5: + - AU-2 + {{ end }} {{ end }} diff --git a/section_6/cis_6.1/cis_6.1.10.yml b/section_6/cis_6.1/cis_6.1.10.yml deleted file mode 100644 index 40ea09d..0000000 --- a/section_6/cis_6.1/cis_6.1.10.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_10 }} -command: - unowned_dirs: - title: 6.1.10 | Ensure no unowned files or directories exist - exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/.*/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.1.10 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.11.yml b/section_6/cis_6.1/cis_6.1.11.yml deleted file mode 100644 index eb62316..0000000 --- a/section_6/cis_6.1/cis_6.1.11.yml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_11 }} -command: - no_ungrouped: - title: 6.1.11 | Ensure no ungrouped files or directories exist - exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.1.11 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.13.yml b/section_6/cis_6.1/cis_6.1.13.yml deleted file mode 100644 index 72397e5..0000000 --- a/section_6/cis_6.1/cis_6.1.13.yml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_13 }} -command: - audit_suid_exec: - title: 6.1.13 | Audit SUID executables - exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.1.13 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.14.yml b/section_6/cis_6.1/cis_6.1.14.yml deleted file mode 100644 index d7621e7..0000000 
--- a/section_6/cis_6.1/cis_6.1.14.yml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_14 }} -command: - audit_sgid: - title: 6.1.14 | Audit SGID executables - exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000" - timeout: {{ .Vars.timeout_ms }} - exit-status: 0 - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.1.14 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.15.yml b/section_6/cis_6.1/cis_6.1.15.yml deleted file mode 100644 index 8d2fd9e..0000000 --- a/section_6/cis_6.1/cis_6.1.15.yml +++ /dev/null @@ -1,23 +0,0 @@ -{{ if .Vars.rhel9cis_level_2 }} - {{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_15 }} -command: - rpm_filecheck: - title: 6.1.15 | Audit system file permissions - exec: rpm -Va --nomtime --nosize --nomd5 --nolinkto > /tmp/cis_rpmcheck; grep -vcw c /tmp/cis_rpmcheck - exit-status: 0 - stdout: - - '0' - timeout: {{ .Vars.timeout_ms }} - meta: - server: 2 - workstation: 2 - CIS_ID: - - 6.1.15 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} - {{ end }} -{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.2.yml b/section_6/cis_6.1/cis_6.1.2.yml index 390b4df..95542a6 100644 --- a/section_6/cis_6.1/cis_6.1.2.yml +++ b/section_6/cis_6.1/cis_6.1.2.yml 
@@ -1,19 +1,70 @@ -{{ if .Vars.rhel9cis_rule_6_1_2 }} -file: - passwd-_perms: - title: 6.1.2 | Ensure permissions on /etc/passwd- are configured - path: /etc/passwd- - exists: true - mode: "0644" - owner: root - group: root +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_config_aide }} + {{ if .Vars.rhel9cis_rule_6_1_2 }} + {{ if eq .Vars.rhel9_aide_scan "cron" }} +command: + aide_cron: + title: 6.1.2 | Ensure filesystem integrity is regularly checked + exit-status: + or: + - 0 + - 2 + exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*" + stdout: + - '!/^#/' + {{ end }} meta: server: 1 workstation: 1 CIS_ID: - 6.1.2 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false CISv8_IG3: true + NIST800-53R5: + - AU-2 +# Can be enabled if using timer and service files +service: + {{ if eq .Vars.rhel9_aide_scan "timer" }} + aidecheck: + title: 6.1.2 | Ensure filesystem integrity is regularly checked + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + aidecheck.timer: + title: 6.1.2 | Ensure filesystem integrity is regularly checked + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + {{ end }} + {{ end }} + {{ end }} {{ end }} diff --git a/section_6/cis_6.1/cis_6.1.3.yml b/section_6/cis_6.1/cis_6.1.3.yml index 9229cac..6b79e07 100644 --- a/section_6/cis_6.1/cis_6.1.3.yml +++ b/section_6/cis_6.1/cis_6.1.3.yml 
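Review bot: In the new cis_6.1.2.yml the `{{ end }}` closing the `eq .Vars.rhel9_aide_scan "cron"` branch sits before `meta:`, so in `timer` mode the render starts with an orphaned, indented `meta:` block ahead of the top-level `service:` key, which is not valid YAML; the `{{ end }}` belongs after the `NIST800-53R5` list so that the whole `command:` resource disappears together. The `stdout: - '!/^#/'` guard also never fires: grep over several files prefixes every line with the file name, so a commented-out cron entry passes; `- '!/:\s*#/'` would reject it. Both issues come over from the deleted cis_1.3.2.yml, but this file is now the live copy.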
@@ -1,19 +1,32 @@ -{{ if .Vars.rhel9cis_rule_6_1_3 }} -file: - etcgroup_perms: - title: 6.1.3 | Ensure permissions on /etc/group are configured - path: /etc/group - exists: true - mode: "0644" - owner: root - group: root +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_1_3 }} +command: + audit_bins_crypto_aide: + title: 6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools + exec: grep /sbin/au /etc/aide.conf + exit-status: + or: + - 0 + - 2 + stdout: + - '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512' meta: server: 1 workstation: 1 CIS_ID: - 6.1.3 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false CISv8_IG3: true + {{ end }} {{ end }} + diff --git a/section_6/cis_6.1/cis_6.1.9.yml b/section_6/cis_6.1/cis_6.1.9.yml deleted file mode 100644 index b72dfa1..0000000 --- a/section_6/cis_6.1/cis_6.1.9.yml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_1_9 }} -command: - world_writable: - title: 6.1.9 | Ensure no world writable files exist - exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.1.9 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.6.yml b/section_6/cis_6.2.2.x/cis_4.2.2.6.yml similarity index 100% rename from section_4/cis_4.2.2/cis_4.2.2.6.yml rename to section_6/cis_6.2.2.x/cis_4.2.2.6.yml 
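Review bot: The six `stdout:` entries in cis_6.1.3.yml are plain strings, which goss matches by substring, so a commented-out `# /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512` line in /etc/aide.conf satisfies the check; filtering comments in the command, `exec: grep -E '^[^#]*/sbin/au' /etc/aide.conf`, keeps the patterns as they are. Unlike cis_6.1.2.yml this file is not wrapped in `{{ if .Vars.rhel9cis_config_aide }}`, so a host that opted out of AIDE gets a guaranteed failure here; gating it the same way keeps the two AIDE rules consistent.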
diff --git a/section_4/cis_4.2.2/cis_4.2.2.7.yml b/section_6/cis_6.2.2.x/cis_4.2.2.7.yml similarity index 100% rename from section_4/cis_4.2.2/cis_4.2.2.7.yml rename to section_6/cis_6.2.2.x/cis_4.2.2.7.yml diff --git a/section_6/cis_6.2.2.x/cis_6.2.2.1.1.yml b/section_6/cis_6.2.2.x/cis_6.2.2.1.1.yml new file mode 100644 index 0000000..eb464b9 --- /dev/null +++ b/section_6/cis_6.2.2.x/cis_6.2.2.1.1.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_1_1 }} +package: + systemd-journal-remote: + title: 6.2.2.1.1 | Ensure systemd-journal-remote is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.2.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.2.yml b/section_6/cis_6.2.2.x/cis_6.2.2.1.2.yml similarity index 61% rename from section_4/cis_4.2.2/cis_4.2.2.1.2.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.1.2.yml index 491f77e..50092bb 100644 --- a/section_4/cis_4.2.2/cis_4.2.2.1.2.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.1.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_1_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_1_2 }} file: journald_remote_config: - title: 4.2.2.1.2 | Ensure systemd-journal-remote is configured + title: 6.2.2.1.2 | Ensure systemd-journal-upload authentication is configured path: /etc/systemd/journal-upload.conf exists: true contents: @@ -13,9 +16,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 4.2.2.1.2 + - 6.2.2.1.2 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.3.yml b/section_6/cis_6.2.2.x/cis_6.2.2.1.3.yml similarity index 50% rename from section_4/cis_4.2.2/cis_4.2.2.1.3.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.1.3.yml index 3d01bef..8f4c0e4 100644 
--- a/section_4/cis_4.2.2/cis_4.2.2.1.3.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.1.3.yml @@ -1,16 +1,23 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_1_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_1_3 }} service: systemd-journal-upload.service: - title: 4.2.2.1.3 | Ensure systemd-journal-remote is enabled + title: 6.2.2.1.3 | Ensure systemd-journal-upload is enabled and active running: true enabled: true meta: server: 1 workstation: 1 CIS_ID: - - 4.2.2.1.3 + - 6.2.2.1.3 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.4.yml b/section_6/cis_6.2.2.x/cis_6.2.2.1.4.yml similarity index 58% rename from section_4/cis_4.2.2/cis_4.2.2.1.4.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.1.4.yml index cf929de..80de900 100644 --- a/section_4/cis_4.2.2/cis_4.2.2.1.4.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.1.4.yml @@ -1,23 +1,30 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_1_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_1_4 }} service: systemd-journal-remote.socket: - title: 4.2.2.1.4 | Ensure journald is not configured to recieve logs from a remote client + title: 6.2.2.1.4 | Ensure systemd-journal-remote service is not in use running: false enabled: false meta: server: 1 workstation: 1 CIS_ID: - - 4.2.2.1.4 + - 6.2.2.1.4 CISv8: - 4.8 - 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 command: journald_socket_masked: - title: 4.2.2.1.4 | Ensure journald is not configured to recieve logs from a remote client + title: 6.2.2.1.4 | Ensure systemd-journal-remote service is not in use exec: systemctl is-enabled systemd-journal-remote.socket exit-status: 1 stdout: 
@@ -26,11 +33,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.2.1.4 + - 6.2.2.1.4 CISv8: - 4.8 - 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.3.yml b/section_6/cis_6.2.2.x/cis_6.2.2.2.yml similarity index 58% rename from section_4/cis_4.2.1/cis_4.2.1.3.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.2.yml index 75778be..3281bf9 100644 --- a/section_4/cis_4.2.1/cis_4.2.1.3.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_2 }} file: journald_syslog: - title: 4.2.1.3 | Ensure journald is configured to send logs to rsyslog + title: 6.2.2.2 | Ensure journald is configured to send logs to rsyslog path: /etc/systemd/journald.conf exists: true contents: @@ -11,11 +14,17 @@ file: server: 1 workstation: 1 CIS_ID: - - 4.2.1.3 + - 6.2.2.2 CISv8: - 8.2 - 8.9 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-6 + - AU-7 + - AU-12 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.3.yml b/section_6/cis_6.2.2.x/cis_6.2.2.3.yml similarity index 64% rename from section_4/cis_4.2.2/cis_4.2.2.3.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.3.yml index d794b66..805e203 100644 --- a/section_4/cis_4.2.2/cis_4.2.2.3.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.3.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_3 }} command: compress_journald_conf: - title: 4.2.2.3 | Ensure journald is configured to compress large log files + title: 6.2.2.3 | Ensure journald is configured to compress large log files exec: grep -i compress /etc/systemd/journald.conf exit-status: 0 stdout: 
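Review bot: cis_6.2.2.2.yml requires journald to forward to rsyslog while the new cis_6.2.3.3.yml (later in this diff) requires that it does not, and both sit under the same `rhel9cis_level_1` gate with only their own rule flags in between, so if both flags are true the two checks cannot both pass. The 6.2.2.1.x journal-upload checks and the 6.2.3.x rsyslog checks have the same shape, since a host normally runs one of the two log stacks. A selector in the template, for example `{{ if eq .Vars.rhel9cis_syslog "rsyslog" }}` around the rsyslog set and the negation around the journald set (placeholder name; use whatever the role already defines), would make the files mutually exclusive.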
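Review bot: cis_6.2.2.3.yml still reads only the main file (`exec: grep -i compress /etc/systemd/journald.conf`), so a `Compress=` setting placed in a /etc/systemd/journald.conf.d/ drop-in, which overrides the main file, is invisible to the check; the same applies to cis_6.2.2.4.yml's `grep -i storage` and to cis_6.2.2.2.yml's `file:` check on the same path, while the new cis_6.2.3.3.yml already names the drop-in directory. `exec: grep -rsi compress /etc/systemd/journald.conf /etc/systemd/journald.conf.d/` covers both locations; `-r` is needed because grep given a bare directory argument reports an error and exits 2, and since the drop-in directory may not exist, `2` should be added to the accepted exit statuses as other checks in this set already do. The stdout patterns of these hunks are outside the visible lines.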
@@ -11,11 +14,14 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.2.3 + - 6.2.2.3 CISv8: - 8.2 - 8.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-4 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.2/cis_4.2.2.4.yml b/section_6/cis_6.2.2.x/cis_6.2.2.4.yml similarity index 58% rename from section_4/cis_4.2.2/cis_4.2.2.4.yml rename to section_6/cis_6.2.2.x/cis_6.2.2.4.yml index e6ffc7a..734bfe6 100644 --- a/section_4/cis_4.2.2/cis_4.2.2.4.yml +++ b/section_6/cis_6.2.2.x/cis_6.2.2.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_2_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_2_4 }} command: storage_journald_conf: - title: 4.2.2.4 | Ensure journald is configured to write logfiles to persistent disk + title: 6.2.2.4 | Ensure journald Storage is configured exec: grep -i storage /etc/systemd/journald.conf exit-status: 0 stdout: @@ -10,9 +13,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.2.4 + - 6.2.2.4 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} {{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.1.yml b/section_6/cis_6.2.3/cis_6.2.3.1.yml new file mode 100644 index 0000000..fb33e17 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.1.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_1 }} +package: + rsyslog: + title: 6.2.3.1 | Ensure rsyslog is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.3.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.2.yml b/section_6/cis_6.2.3/cis_6.2.3.2.yml new file mode 100644 index 0000000..4774d1a --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.2.yml 
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_2 }} +service: + rsyslog: + title: 6.2.3.2 | Ensure rsyslog service is enabled and active + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.3.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.3.yml b/section_6/cis_6.2.3/cis_6.2.3.3.yml new file mode 100644 index 0000000..149b83d --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.3.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_3 }} +command: + forward_journald_conf: + title: 6.2.3.3 | Ensure journald is not configured to send logs to rsyslog + exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/ + exit-status: 0 + stdout: + - '!/^\.*:ForwardToSyslog/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.3.3 + CISv8: + - 8.2 + - 8.9 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-2 + - AU-4 + - AU-12 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.4.yml b/section_6/cis_6.2.3/cis_6.2.3.4.yml similarity index 64% rename from section_4/cis_4.2.1/cis_4.2.1.4.yml rename to section_6/cis_6.2.3/cis_6.2.3.4.yml index d8c0b77..bfd150f 100644 --- a/section_4/cis_4.2.1/cis_4.2.1.4.yml +++ b/section_6/cis_6.2.3/cis_6.2.3.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_4 }} command: perms_rsyslog_d: - title: 4.2.1.4 | Ensure rsyslog default file permissions configured + title: 6.2.3.4 | Ensure rsyslog default file permissions configured exec: 'grep -s ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:' exit-status: 0 stdout: 
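Review bot: The new cis_6.2.3.3.yml cannot pass as written: `exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/` hands grep a directory without `-r`, which GNU grep reports as an error and exits 2 even when the other file matches, while the check insists on `exit-status: 0`. Its negated pattern `'!/^\.*:ForwardToSyslog/'` is also inert: `\.*` means literal dots, and grep's multi-file output begins with `/etc/...`, so no line can ever start with `:`. Changing the command to `grep -rsi forward ...` with `or: [0, 2]` as cis_6.1.2.yml does, and the pattern to `'!/:ForwardToSyslog\s*=\s*yes/'`, makes the check fail only when forwarding is actually enabled in an uncommented line.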
@@ -11,11 +14,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.1.4 + - 6.2.3.4 CISv8: - 3.3 - 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AC-6 + - MP-2 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.5.yml b/section_6/cis_6.2.3/cis_6.2.3.5.yml similarity index 78% rename from section_4/cis_4.2.1/cis_4.2.1.5.yml rename to section_6/cis_6.2.3/cis_6.2.3.5.yml index 60d7529..8d07fbb 100644 --- a/section_4/cis_4.2.1/cis_4.2.1.5.yml +++ b/section_6/cis_6.2.3/cis_6.2.3.5.yml @@ -1,14 +1,16 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_5 }} file: /etc/rsyslog.conf: - title: 4.2.1.5 | Ensure logging is configured + title: 6.2.3.5 | Ensure logging is configured exists: true contents: - '/^\*.emerg\s+:omusrmsg:\*/' - '/auth,authpriv.\*\s+/var/log/secure/' - '/^mail.\*\s+-/var/log/mail/' - '/^mail.info\s+-/var/log/mail.info/' - - '/^mail.warning\s+-/var/log/mail.warning/' - '/^mail.err\s+/var/log/mail.err/' - '/^cron.\*\s+/var/log/cron/' - '/^*.=warning;\*.=err\s+-/var/log/warn/' @@ -22,9 +24,14 @@ file: server: 1 workstation: 1 CIS_ID: - - 4.2.1.5 + - 6.2.3.5 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} {{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.6.yml b/section_6/cis_6.2.3/cis_6.2.3.6.yml similarity index 67% rename from section_4/cis_4.2.1/cis_4.2.1.6.yml rename to section_6/cis_6.2.3/cis_6.2.3.6.yml index 53659db..f1eace4 100644 --- a/section_4/cis_4.2.1/cis_4.2.1.6.yml +++ b/section_6/cis_6.2.3/cis_6.2.3.6.yml 
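Review bot: The `contents:` list in cis_6.2.3.5.yml drops the `'/^mail.warning\s+-/var/log/mail.warning/'` entry while `mail.info` and `mail.err` stay required, which weakens the rule, and nothing in the hunk says why. If the benchmark revision this commit follows no longer lists that destination, a one-line comment above the list, `# mail.warning is no longer required by the benchmark`, would stop the next reader from re-adding it; otherwise it reads as an accidental deletion during the move.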
@@ -1,8 +1,11 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_6 }} - {{ if not .Vars.rhel9cis_remote_log_server }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_6 }} + {{ if not .Vars.rhel9cis_remote_log_server }} command: remote_syslog: - title: 4.2.1.6 | Ensure rsyslog is configured to send logs to a remote host + title: 6.2.3.6 | Ensure rsyslog is configured to send logs to a remote host exec: 'grep -E "action.*omfwd.*target" /etc/rsyslog.conf /etc/rsyslog.d/*.conf' exit-status: or: @@ -15,10 +18,13 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.1.6 + - 6.2.3.6 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-6 + {{ end }} {{ end }} {{ end }} diff --git a/section_4/cis_4.2.1/cis_4.2.1.7.yml b/section_6/cis_6.2.3/cis_6.2.3.7.yml similarity index 65% rename from section_4/cis_4.2.1/cis_4.2.1.7.yml rename to section_6/cis_6.2.3/cis_6.2.3.7.yml index 87fd8fe..18d6221 100644 --- a/section_4/cis_4.2.1/cis_4.2.1.7.yml +++ b/section_6/cis_6.2.3/cis_6.2.3.7.yml @@ -1,9 +1,12 @@ -{{ if .Vars.rhel9cis_rule_4_2_1_7 }} - {{ if not .Vars.rhel9cis_remote_log_server }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_7 }} + {{ if not .Vars.rhel9cis_remote_log_server }} command: local_syslog_module: - title: 4.2.1.7 | Ensure rsyslog is not configured to recieve logs from a remote client | module + title: 6.2.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | module exec: grep "imtcp" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -Ev ":#|port=" exit-status: or: 
@@ -16,15 +19,20 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.1.7 + - 6.2.3.7 CISv8: - 4.8 - 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 local_syslog_input: - title: 4.2.1.7 | Ensure rsyslog is not configured to recieve logs from a remote client | server/port + title: 6.2.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | server/port exec: grep -E "imtcp\" port|InputTCPServerRun" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -v ":#" exit-status: or: @@ -37,12 +45,18 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.1.7 + - 6.2.3.7 CISv8: - 4.8 - 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 + {{ end }} {{ end }} {{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.8.yml b/section_6/cis_6.2.3/cis_6.2.3.8.yml new file mode 100644 index 0000000..9006d90 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.8.yml @@ -0,0 +1,31 @@ + +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_3_8 }} +command: + rsyslog_logrotate: + title: 6.2.3.8 | Ensure rsyslog logrotate is configured + exec: grep -A9 "rsyslog/*.log" /etc/logrotate.conf /etc/logrotate.d/* + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/.*: rotate/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.3.8 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2.3/cis_4.2.3.yml b/section_6/cis_6.2.4/cis_6.2.4.1.yml similarity index 64% rename from section_4/cis_4.2.3/cis_4.2.3.yml rename to section_6/cis_6.2.4/cis_6.2.4.1.yml index 53eb138..559d1e8 100644 --- a/section_4/cis_4.2.3/cis_4.2.3.yml +++ b/section_6/cis_6.2.4/cis_6.2.4.1.yml 
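Review bot: The stdout pattern `'/.*: rotate/'` in the new cis_6.2.3.8.yml only matches when `rotate` is on the line grep itself matched: with several file arguments grep prints matched lines as `file:text` but `-A9` context lines as `file-text`, so a normal multi-line logrotate stanza whose `rotate N` directive sits below the path line yields `/etc/logrotate.d/...-    rotate 4` and the check fails. `'/[-:]\s*rotate\s+[0-9]+/'` accepts either form. Whether the shipped rsyslog stanza under /etc/logrotate.d is written with `rsyslog/*.log` at all is worth confirming on a stock host; the file also begins with a blank line before `---`, unlike the other new files in this diff.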
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_2_4_1 }} command: logfile_configured: - title: 4.2.3 | Ensure permissions on all logfiles are configured + title: 6.2.4.1 | Ensure permissions on all logfiles are configured exec: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" + | grep -Ev "[b,u,w]tmp.*|lastllog" exit-status: or: @@ -12,9 +15,11 @@ command: server: 1 workstation: 1 CIS_ID: - - 4.2.3 + - 6.2.4.1 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-8 {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.10.yml b/section_6/cis_6.2/cis_6.2.10.yml deleted file mode 100644 index 992550d..0000000 --- a/section_6/cis_6.2/cis_6.2.10.yml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_2_10 }} -command: - home_dirs_exist: - title: 6.2.10 | Ensure all users' home directories exist - exec: pwck -r | grep -v journal | grep "does not exist" - timeout: {{ .Vars.timeout_ms }} - exit-status: 1 - stdout: - - '!/does not exist/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.10 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.11.yml b/section_6/cis_6.2/cis_6.2.11.yml deleted file mode 100644 index 29c6a8f..0000000 --- a/section_6/cis_6.2/cis_6.2.11.yml +++ /dev/null 
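Review bot: cis_6.2.4.1.yml now opens two template blocks, `{{ if .Vars.rhel9cis_level_1 }}` and `{{ if .Vars.rhel9cis_rule_6_2_4_1 }}`, but the second hunk still ends with the single original `{{ end }}`; every other renamed file in this diff adds a `{{ end }}` line and this one was missed, so the template fails to parse (unclosed `if`) and takes the whole goss run down with it. Add `  {{ end }}` before the final `{{ end }}`.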
@@ -1,21 +0,0 @@ -{{ if .Vars.run_heavy_tests }} - {{ if .Vars.rhel9cis_rule_6_2_11 }} -command: - home_dirs_owned: - title: 6.2.11 | Ensure users own their home directories - exec: "getent passwd {1000..60000} | awk -F: '{ print $1 \" \" $6 }' | while read user dir; do if [ $user != 'ftpd' ]; then owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"home dir for $user owned by $owner\"; fi; fi; done" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.11 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true - {{ end }} -{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.12.yml b/section_6/cis_6.2/cis_6.2.12.yml deleted file mode 100644 index eb0444f..0000000 --- a/section_6/cis_6.2/cis_6.2.12.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_6_2_12 }} -command: - home_dirs_restrict: - title: 6.2.12 | Ensure local interactive user home directories are mode 750 or more restrictive - exec: "for i in `getent passwd {1000..60000} | awk '{split($0,a,\":\");print a[6]}'`; do stat -c \"%a %n\" $i ; done" - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '/^7(0|5)0\s/' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.12 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.13.yml b/section_6/cis_6.2/cis_6.2.13.yml deleted file mode 100644 index 433ff69..0000000 --- a/section_6/cis_6.2/cis_6.2.13.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_6_2_13 }} -command: - dot_netrc_perms: - title: 6.2.13 | Ensure no local interactive user has .netrc files - exec: 'find /home/ -name .netrc' - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.13 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} 
diff --git a/section_6/cis_6.2/cis_6.2.14.yml b/section_6/cis_6.2/cis_6.2.14.yml deleted file mode 100644 index a6b3788..0000000 --- a/section_6/cis_6.2/cis_6.2.14.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_6_2_14 }} -command: - dot_forward_files: - title: 6.2.14 | Ensure no local interactive user has .forward files - exec: 'find /home/ -name .forward' - timeout: {{ .Vars.timeout_ms }} - exit-status: 0 - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.14 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.15.yml b/section_6/cis_6.2/cis_6.2.15.yml deleted file mode 100644 index 3452a9e..0000000 --- a/section_6/cis_6.2/cis_6.2.15.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_6_2_15 }} -command: - dot_netrc_files: - title: 6.2.15 | Ensure no local interactive user has .rhosts files - exec: 'find /home/ -name .rhosts' - exit-status: 0 - timeout: {{ .Vars.timeout_ms }} - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.15 - CISv8: 4.1 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.16.yml b/section_6/cis_6.2/cis_6.2.16.yml deleted file mode 100644 index af7c4b7..0000000 --- a/section_6/cis_6.2/cis_6.2.16.yml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if .Vars.rhel9cis_rule_6_2_16 }} -command: - dot_file_perms: - title: 6.2.16 | Ensure local interactive user dot files are not group or world writable - exec: 'find /home/ -name "\.*" -perm /g+w,o+w' - timeout: {{ .Vars.timeout_ms }} - exit-status: 0 - stdout: - - '!/./' - meta: - server: 1 - workstation: 1 - CIS_ID: - - 6.2.16 - CISv8: 3.3 - CISv8_IG1: true - CISv8_IG2: true - CISv8_IG3: true -{{ end }} 
diff --git a/section_4/cis_4.1.1/cis_4.1.1.1.yml b/section_6/cis_6.3.1.x/cis_6.3.1.1.yml similarity index 51% rename from section_4/cis_4.1.1/cis_4.1.1.1.yml rename to section_6/cis_6.3.1.x/cis_6.3.1.1.yml index 5408382..c80018b 100644 --- a/section_4/cis_4.1.1/cis_4.1.1.1.yml +++ b/section_6/cis_6.3.1.x/cis_6.3.1.1.yml @@ -1,31 +1,45 @@ -{{ if .Vars.rhel9cis_rule_4_1_1_1 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_1_1 }} package: audit: - title: 4.1.1.1 | Ensure auditd is installed | auditd + title: 6.3.1.1 | Ensure auditd is installed | auditd installed: true meta: server: 2 workstation: 2 CIS_ID: - - 4.1.1.1 + - 6.3.1.1 CISv8: - 8.2 - 8.5 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 audit-libs: - title: 4.1.1.1 | Ensure auditd is installed | audit-libs + title: 6.3.1.1 | Ensure auditd is installed | audit-libs installed: true meta: server: 2 workstation: 2 CIS_ID: - - 4.1.1.1 + - 6.3.1.1 CISv8: - 8.2 - 8.5 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.1/cis_4.1.1.2.yml b/section_6/cis_6.3.1.x/cis_6.3.1.2.yml similarity index 67% rename from section_4/cis_4.1.1/cis_4.1.1.2.yml rename to section_6/cis_6.3.1.x/cis_6.3.1.2.yml index 3d55105..9287696 100644 --- a/section_4/cis_4.1.1/cis_4.1.1.2.yml +++ b/section_6/cis_6.3.1.x/cis_6.3.1.2.yml 
@@ -1,22 +1,25 @@ -{{ if .Vars.rhel9cis_rule_4_1_1_2 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_1_2 }} command: audit_default_grub: - title: 4.1.1.2 | Ensure auditing for processes that start prior to auditd is enabled | config + title: 6.3.1.2 | Ensure auditing for processes that start prior to auditd is enabled | config exec: grep audit= /etc/default/grub exit-status: 0 stdout: - '/^GRUB_CMDLINE_LINUX=.*\saudit=1.*/' meta: server: 2 - workstation: 2 CIS_ID: - - 4.1.1.2 + - 6.3.1.2 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA grubby_audit_1: - title: 4.1.1.2 | Ensure auditing for processes that start prior to auditd is enabled | live + title: 6.3.1.2 | Ensure auditing for processes that start prior to auditd is enabled | live exec: grubby --info=ALL | grep -Po 'audit=1' exit-status: 0 stdout: @@ -25,9 +28,11 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.1.2 + - 6.3.1.2 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: NA + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.1/cis_4.1.1.3.yml b/section_6/cis_6.3.1.x/cis_6.3.1.3.yml similarity index 62% rename from section_4/cis_4.1.1/cis_4.1.1.3.yml rename to section_6/cis_6.3.1.x/cis_6.3.1.3.yml index d1438bb..b329dbc 100644 --- a/section_4/cis_4.1.1/cis_4.1.1.3.yml +++ b/section_6/cis_6.3.1.x/cis_6.3.1.3.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_1_3 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_1_3 }} command: audit_backlog_default_grub: - title: 4.1.1.3 | Ensure audit_backlog_limit is sufficient | default + title: 6.3.1.3 | Ensure audit_backlog_limit is sufficient | default exec: grep audit_backlog /etc/default/grub exit-status: 0 stdout: @@ -10,9 +13,14 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.1.3 + - 6.3.1.3 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} {{ end }} 
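Review bot: The first hunk of cis_6.3.1.2.yml deletes `workstation: 2` from the `audit_default_grub` meta block while the sibling `grubby_audit_1` block keeps it, so the two checks for the same rule now carry different profile metadata; in a rename-and-relabel commit this looks accidental and should be restored unless intended. The same hunks set `NIST800-53R5: NA` as a bare scalar, while every other file in this diff gives that key a list; a consumer that iterates the mapping gets a string here, so `NIST800-53R5: []` with a comment such as `# no NIST 800-53 mapping for this rule` is the safer encoding.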
diff --git a/section_6/cis_6.3.1.x/cis_6.3.1.4.yml b/section_6/cis_6.3.1.x/cis_6.3.1.4.yml new file mode 100644 index 0000000..5f88318 --- /dev/null +++ b/section_6/cis_6.3.1.x/cis_6.3.1.4.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_1_4 }} +service: + auditd: + title: 6.3.1.4 | Ensure auditd service is enabled and active + enabled: true + running: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.1.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.2/cis_4.1.2.1.yml b/section_6/cis_6.3.2.x/cis_6.3.2.1.yml similarity index 60% rename from section_4/cis_4.1.2/cis_4.1.2.1.yml rename to section_6/cis_6.3.2.x/cis_6.3.2.1.yml index 246f5f6..387371f 100644 --- a/section_4/cis_4.1.2/cis_4.1.2.1.yml +++ b/section_6/cis_6.3.2.x/cis_6.3.2.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_2_1 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_2_1 }} command: max_log_auditd_conf: - title: 4.1.2.1 | Ensure audit log storage size is configured + title: 6.3.2.1 | Ensure audit log storage size is configured exec: grep max_log_file /etc/audit/auditd.conf exit-status: 0 stdout: @@ -10,9 +13,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.2.1 + - 6.3.2.1 CISv8: 8.3 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.2/cis_4.1.2.2.yml b/section_6/cis_6.3.2.x/cis_6.3.2.2.yml similarity index 62% rename from section_4/cis_4.1.2/cis_4.1.2.2.yml rename to section_6/cis_6.3.2.x/cis_6.3.2.2.yml index 437fd2c..c541de8 100644 --- a/section_4/cis_4.1.2/cis_4.1.2.2.yml +++ b/section_6/cis_6.3.2.x/cis_6.3.2.2.yml 
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_2_2 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_2_2 }} command: max_log_action_auditd_conf: - title: 4.1.2.2 | Ensure audit logs are not automatically deleted + title: 6.3.2.2 | Ensure audit logs are not automatically deleted exec: grep max_log_file_action /etc/audit/auditd.conf exit-status: 0 stdout: @@ -10,9 +13,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.2.2 + - 6.3.2.2 CISv8: 8.3 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} {{ end }} diff --git a/section_6/cis_6.3.2.x/cis_6.3.2.3.yml b/section_6/cis_6.3.2.x/cis_6.3.2.3.yml new file mode 100644 index 0000000..ad38493 --- /dev/null +++ b/section_6/cis_6.3.2.x/cis_6.3.2.3.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_2_3 }} +command: + logs_full_auditd_conf: + title: 6.3.2.3 | Ensure system is disabled when audit logs are full + exec: grep disk_full_action /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/disk_full_action\s*=\s*(halt|single)/' + - '/disk_error_action\s*=\s*(syslog|halt|single)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.2.3 + CISv8: + - 8.2 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.2.x/cis_6.3.2.4.yml b/section_6/cis_6.3.2.x/cis_6.3.2.4.yml new file mode 100644 index 0000000..f7121c3 --- /dev/null +++ b/section_6/cis_6.3.2.x/cis_6.3.2.4.yml 
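Review bot: The new cis_6.3.2.3.yml can never pass: `exec: grep disk_full_action /etc/audit/auditd.conf` prints only the `disk_full_action` line, yet `stdout:` also requires a line matching `/disk_error_action\s*=\s*(syslog|halt|single)/`, which grep never emits. `exec: grep -E 'disk_(full|error)_action' /etc/audit/auditd.conf` produces both lines, mirroring how cis_6.3.2.4.yml's `grep space_left_action` catches `admin_space_left_action` by substring. The regexes are unanchored, so a commented-out line would still satisfy them; `'/^disk_full_action\s*=\s*(halt|single)/'` and the same `^` on the error pattern are tighter.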
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_2_4 }} +command: + logs_low_space_auditd_conf: + title: 6.3.2.4 | Ensure system is disabled when audit logs are full + exec: grep space_left_action /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/space_left_action\s*=\s*(email|exec|single|halt)/' + - '/admin_space_left_action\s*=\s*(halt|single)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.2.4 + CISv8: + - 8.2 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-8 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.1.yml b/section_6/cis_6.3.3.x/cis_6.3.3.1.yml similarity index 70% rename from section_4/cis_4.1.3/cis_4.1.3.1.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.1.yml index 05a3fed..55faf77 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.1.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_1 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_1 }} command: auditd_admin_scope_cnf: - title: 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | conf_check + title: 6.3.3.1 | Ensure changes to system administration scope (sudoers) is collected | conf_check exec: grep scope /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -11,13 +14,15 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.1 + - 6.3.3.1 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 auditd_admin_scope_live: - title: 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | running + title: 6.3.3.1 | Ensure changes to system administration scope (sudoers) is collected | running exec: auditctl -l | grep scope exit-status: 0 stdout: 
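Review bot: The title in the new cis_6.3.2.4.yml, `6.3.2.4 | Ensure system is disabled when audit logs are full`, is copied from 6.3.2.3; this check inspects `space_left_action` and `admin_space_left_action`, i.e. what happens when audit log space runs low, so a title along the lines of `6.3.2.4 | Ensure system warns when audit logs are low on space` would describe what a failure report actually means. The regexes are unanchored, so `'/^space_left_action\s*=\s*(email|exec|single|halt)/'` and `'/^admin_space_left_action\s*=\s*(halt|single)/'` would reject a commented-out line.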
@@ -27,9 +32,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.1 + - 6.3.3.1 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.10.yml b/section_6/cis_6.3.3.x/cis_6.3.3.10.yml similarity index 68% rename from section_4/cis_4.1.3/cis_4.1.3.10.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.10.yml index d33f053..af21f04 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.10.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.10.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_10 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_10 }} command: auditd_mounts_cnf: - title: 4.1.3.10 | Ensure successful file system mounts are collected | conf check + title: 6.3.3.10 | Ensure successful file system mounts are collected | conf check exec: grep mounts /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -11,25 +14,30 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.10 + - 6.3.3.10 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-6 auditd_mounts_live: - title: 4.1.3.10 | Ensure successful file system mounts are collected | running + title: 6.3.3.10 | Ensure successful file system mounts are collected | running exec: auditctl -l | grep mounts exit-status: 0 stdout: - - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts' - - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts' + - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=mounts' + - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=mounts' meta: server: 2 workstation: 2 CIS_ID: - - 4.1.3.10 + - 6.3.3.10 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-6 + {{ end }} {{ end }} 
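Review bot: The two rewritten live-check patterns in cis_6.3.3.10.yml, e.g. `'-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=mounts'`, contain a regex alternation but are not wrapped in `/…/`, so by the convention the rest of this changeset uses (and, as far as I know, goss's stdout matching) they are compared as literal substrings and will never match auditctl output. The group itself is also wrong: `auid!=(unset|-1|auid!=4294967295)` matches the text `auid!=auid!=4294967295`, not `auid!=4294967295`, so hosts whose auditctl prints the numeric form fail; the intended expression is `auid!=(unset|-1|4294967295)`, and the same group is pasted into 6.3.3.2, 6.3.3.7, 6.3.3.9, 6.3.3.13, 6.3.3.15, 6.3.3.16, 6.3.3.17, 6.3.3.18 and 6.3.3.19. The missing `/…/` also applies to the chacl live pattern in 6.3.3.17.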
diff --git a/section_4/cis_4.1.3/cis_4.1.3.11.yml b/section_6/cis_6.3.3.x/cis_6.3.3.11.yml similarity index 71% rename from section_4/cis_4.1.3/cis_4.1.3.11.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.11.yml index ba372d6..75f338c 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.11.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.11.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_11 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_11 }} command: auditd_sessions_cnf: - title: 4.1.3.11 | Ensure session initiation information is collected | conf check + title: 6.3.3.11 | Ensure session initiation information is collected | conf check exec: grep session /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -12,13 +15,15 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.11 + - 6.3.3.11 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 auditd_session_live: - title: 4.1.3.11 | Ensure session initiation information is collected | running + title: 6.3.3.11 | Ensure session initiation information is collected | running exec: auditctl -l | grep session exit-status: 0 stdout: @@ -29,9 +34,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.11 + - 6.3.3.11 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.12.yml b/section_6/cis_6.3.3.x/cis_6.3.3.12.yml similarity index 69% rename from section_4/cis_4.1.3/cis_4.1.3.12.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.12.yml index 5445aa6..33f95e6 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.12.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.12.yml 
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_12 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_12 }} command: auditd_logins_cnf: - title: 4.1.3.12 | Ensure login and logout events are collected | conf check + title: 6.3.3.12 | Ensure login and logout events are collected | conf check exec: grep logins /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -11,13 +14,15 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.12 + - 6.3.3.12 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 auditd_logins_live: - title: 4.1.3.12 | Ensure login and logout events are collected | running + title: 6.3.3.12 | Ensure login and logout events are collected | running exec: auditctl -l | grep logins exit-status: 0 stdout: @@ -27,9 +32,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.12 + - 6.3.3.12 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {[ end ]} {{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.13.yml b/section_6/cis_6.3.3.x/cis_6.3.3.13.yml new file mode 100644 index 0000000..62aaefe --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.13.yml 
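Review bot: The closing tag added at the end of cis_6.3.3.12.yml is `{[ end ]}` rather than `{{ end }}`, which leaves the new `{{ if .Vars.rhel9cis_rule_6_3_3_12 }}` unterminated. The template engine should reject the file, so this check most likely disappears from the run instead of failing visibly. Replace it with `{{ end }}` as in the sibling files.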
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_13 }} +command: + auditd_delete_cnf: + title: 6.3.3.13 | Ensure file deletion events by users are collected | conf check + exec: grep delete /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/' + - '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.13 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC-7 + auditd_delete_live: + title: 6.3.3.13 | Ensure file deletion events by users are collected | running + exec: auditctl -l | grep delete + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/' + - '/-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.13 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC_7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.14.yml b/section_6/cis_6.3.3.x/cis_6.3.3.14.yml similarity index 67% rename from section_4/cis_4.1.3/cis_4.1.3.14.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.14.yml index b61aa2a..9d63a02 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.14.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.14.yml 
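Review bot: The conf check in cis_6.3.3.13.yml lists the `arch=b32` pattern twice and never checks `arch=b64`, so a rules file missing the 64-bit delete rule still passes; the second line should read `- '/[^#]-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/'`, matching what the live check expects. The second meta block also has `- SC_7` where the first has `- SC-7`; the underscore form breaks anything that groups results by NIST control.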
@@ -1,8 +1,11 @@ -{{ if not .Vars.rhel9cis_selinux_disable }} - {{ if .Vars.rhel9cis_rule_4_1_3_14 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if not .Vars.rhel9cis_selinux_disable }} + {{ if .Vars.rhel9cis_rule_6_3_3_14 }} command: auditd_MAC_cnf: - title: 4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected + title: 6.3.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected exec: grep MAC-policy /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -12,13 +15,16 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.14 + - 6.3.3.14 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 auditd_MAC_live: - title: 4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected + title: 6.3.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected exec: auditctl -l | grep MAC-policy exit-status: 0 stdout: @@ -28,10 +34,14 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.14 + - 6.3.3.14 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} {{ end }} {{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.15.yml b/section_6/cis_6.3.3.x/cis_6.3.3.15.yml new file mode 100644 index 0000000..02e3be3 --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.15.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_15 }} +command: + auditd_chcon_cnf: + title: 6.3.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | config + exec: grep chcon /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.15 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + auditd_chcon_live: + title: 6.3.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | running + exec: auditctl -l | grep chcon + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.15 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.16.yml b/section_6/cis_6.3.3.x/cis_6.3.3.16.yml new file mode 100644 index 0000000..f3c5416 --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.16.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_16 }} +command: + auditd_setfacl_cnf: + title: 6.3.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | config + exec: grep setfacl /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.16 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + auditd_setfacl_live: + title: 6.3.3.16 |Ensure successful and unsuccessful attempts to use the setfacl command are recorded | running + exec: auditctl -l | grep setfacl + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295)-F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.16 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.17.yml b/section_6/cis_6.3.3.x/cis_6.3.3.17.yml similarity index 53% rename from section_4/cis_4.1.3/cis_4.1.3.17.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.17.yml index c561d75..ac3318e 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.17.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.17.yml 
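Review bot: The live-check pattern in cis_6.3.3.16.yml drops the space before the key filter, `...auid!=(unset|-1|auid!=4294967295)-F key=perm_chng/`, so it cannot match auditctl output, which separates filters with a space; it should end `auid!=(unset|-1|auid!=4294967295) -F key=perm_chng/` as in the 6.3.3.15 and 6.3.3.17 live checks. The live title is also missing the space after the separator: `title: 6.3.3.16 |Ensure ...` should be `title: 6.3.3.16 | Ensure ...`.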
@@ -1,33 +1,45 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_17 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_17 }} command: auditd_chacl_cnf: - title: 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | config + title: 6.3.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | config exec: grep chacl /etc/audit/rules.d/*.rules exit-status: 0 stdout: - - '/-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295) -k priv_cmd/' + - '/[^#]-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_chng/' meta: server: 2 workstation: 2 CIS_ID: - - 4.1.3.17 + - 6.3.3.17 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 auditd_chacl_live: - title: 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | running + title: 6.3.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | running exec: auditctl -l | grep chacl exit-status: 0 stdout: - - '-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd' + - '-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_chng' meta: server: 2 workstation: 2 CIS_ID: - - 4.1.3.17 + - 6.3.3.17 CISv8: 8.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} {{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.18.yml b/section_6/cis_6.3.3.x/cis_6.3.3.18.yml new file mode 100644 index 0000000..c477574 --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.18.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_18 }} +command: + auditd_usermod_cnf: + title: 6.3.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | config + exec: grep usermod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.18 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + auditd_usermod_live: + title: 6.3.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | running + exec: auditctl -l | grep usermod + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.18 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.19.yml b/section_6/cis_6.3.3.x/cis_6.3.3.19.yml new file mode 100644 index 0000000..5332543 --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.19.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_19 }} +command: + auditd_module_cnf: + title: 6.3.3.19 | Ensure kernel module loading unloading and modification is collected | conf check + exec: grep modules /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k kernel_modules/' + - '/[^#]-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k kernel_modules/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.19 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_admin_module_live: + title: 6.3.3.19 | Ensure kernel module loading unloading and modification is collected | running + exec: auditctl -l | grep modules + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=kernel_modules/' + - '/-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=kernel_modules/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.19 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.2.yml b/section_6/cis_6.3.3.x/cis_6.3.3.2.yml new file mode 100644 index 0000000..a8bdf2b --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.2.yml 
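Review bot: The live resource in cis_6.3.3.19.yml is named `auditd_admin_module_live` while its partner is `auditd_module_cnf`; every other file in this changeset pairs `<name>_cnf` with `<name>_live`, so the stray `admin` looks like a remnant of 6.3.3.1's `auditd_admin_scope_*` names and makes the pair harder to find in reports. Rename it to `auditd_module_live`.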
@@ -0,0 +1,43 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_2 }} +command: + auditd_other_user_cnf: + title: 6.3.3.2 | Ensure actions as another user are always logged | conf_check + exec: grep user_emu /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F arch=b64 -C euid!=uid -F auid!=(unset|-1|auid!=4294967295) -S execve -k user_emulation/' + - '/[^#]-a always,exit -F arch=b32 -C euid!=uid -F auid!=(unset|-1|auid!=4294967295) -S execve -k user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_other_user_live: + title: 6.3.3.2 | Ensure actions as another user are always logged | running + exec: auditctl -l | grep user_emu + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=(unset|-1|auid!=4294967295) -F key=user_emulation/' + - '/-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=(unset|-1|auid!=4294967295) -F key=user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.20.yml b/section_6/cis_6.3.3.x/cis_6.3.3.20.yml similarity index 55% rename from section_4/cis_4.1.3/cis_4.1.3.20.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.20.yml index 2305771..b08e5b6 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.20.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.20.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_20 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_20 }} command: auditd_immutable: - title: 4.1.3.20 | Ensure the audit configuration is immutable + title: 6.3.3.20 | Ensure the audit configuration is immutable exec: 'grep "-e 2" /etc/audit/rules.d/*.rules | tail -1' exit-status: 0 stdout: 
@@ -10,9 +13,14 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.20 + - 6.3.3.20 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.21.yml b/section_6/cis_6.3.3.x/cis_6.3.3.21.yml similarity index 61% rename from section_4/cis_4.1.3/cis_4.1.3.21.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.21.yml index 41b74ba..5ef7bc6 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.21.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.21.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_21 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_21 }} command: auditd_conf_vs_live: - title: 4.1.3.21 | Ensure the running and on disk configuration is the same + title: 6.3.3.21 | Ensure the running and on disk configuration is the same exec: /usr/sbin/augenrules --check exit-status: 0 stdout: @@ -10,9 +13,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.21 + - 6.3.3.21 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.3.yml b/section_6/cis_6.3.3.x/cis_6.3.3.3.yml similarity index 72% rename from section_4/cis_4.1.3/cis_4.1.3.3.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.3.yml index 6016023..164f9a6 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.3.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.3.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_3 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_3 }} command: auditd_sudolog_cnf: - title: 4.1.3.3 | Ensure events that modify the sudo log file are collected | conf_check + title: 6.3.3.3 | Ensure events that modify the sudo log file are collected | conf_check exec: grep sudo_log /etc/audit/rules.d/*.rules exit-status: 0 stdout: 
@@ -10,13 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.3 + - 6.3.3.3 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true auditd_sudolog_live: - title: 4.1.3.3 | Ensure events that modify the sudo log file are collected | running + title: 6.3.3.3 | Ensure events that modify the sudo log file are collected | running exec: auditctl -l | grep sudo_log exit-status: 0 stdout: @@ -25,9 +28,10 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.3 + - 6.3.3.3 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.4.yml b/section_6/cis_6.3.3.x/cis_6.3.3.4.yml similarity index 75% rename from section_4/cis_4.1.3/cis_4.1.3.4.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.4.yml index d35a089..4fa87bb 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.4.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_4 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_4 }} command: auditd_time_cnf: - title: 4.1.3.4 | Ensure events that modify date and time information are collected | conf check + title: 6.3.3.4 | Ensure events that modify date and time information are collected | conf check exec: grep time-change /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -12,13 +15,16 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.4 + - 6.3.3.4 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 auditd_time_live: - title: 4.1.3.4 | Ensure events that modify date and time information are collected | running + title: 6.3.3.4 | Ensure events that modify date and time information are collected | running exec: auditctl -l | grep time-change exit-status: 0 stdout: @@ -29,9 +35,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.4 + - 6.3.3.4 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} {{ end }} 
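Review bot: cis_6.3.3.3.yml is the only renamed audit-rule check in this changeset whose meta blocks gain no `NIST800-53R5` mapping; both sections still end at `CISv8_IG3: true`. If that is deliberate it deserves a one-line comment, otherwise add the `NIST800-53R5:` list (presumably `- AU-3`, as the neighbouring 6.3.3.1 and 6.3.3.2 checks use) so the mapping report stays complete.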
diff --git a/section_4/cis_4.1.3/cis_4.1.3.5.yml b/section_6/cis_6.3.3.x/cis_6.3.3.5.yml similarity index 79% rename from section_4/cis_4.1.3/cis_4.1.3.5.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.5.yml index 6111fac..5e67f8b 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.5.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.5.yml @@ -1,11 +1,14 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_5 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_5 }} command: auditd_locale_cnf: - title: 4.1.3.5 | Ensure events that modify the system's network environment are collected | conf check + title: 6.3.3.5 | Ensure events that modify the system's network environment are collected | conf check exec: grep system-locale /etc/audit/rules.d/*.rules exit-status: 0 stdout: - - '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale' + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale' - '-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale' - '-w /etc/issue -p wa -k system-locale' - '-w /etc/issue.net -p wa -k system-locale' @@ -16,13 +19,16 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.5 + - 6.3.3.5 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 auditd_locale_live: - title: 4.1.3.5 | Ensure events that modify the system's network environment are collected | running + title: 6.3.3.5 | Ensure events that modify the system's network environment are collected | running exec: auditctl -l | grep system-locale exit-status: 0 stdout: @@ -37,9 +43,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.5 + - 6.3.3.5 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} {{ end }} 
diff --git a/section_4/cis_4.1.3/cis_4.1.3.6.yml b/section_6/cis_6.3.3.x/cis_6.3.3.6.yml similarity index 64% rename from section_4/cis_4.1.3/cis_4.1.3.6.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.6.yml index 6d70648..48284b4 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.6.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.6.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_6 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_6 }} command: auditd_priv_cmds_cnf: - title: 4.1.3.6 | Ensure use of privileged commands is collected | Manual Check Required + title: 6.3.3.6 | Ensure use of privileged commands is collected | Manual Check Required exec: echo "Manual - Please investigate privilege commands are collected as per documentation" exit-status: 0 stdout: @@ -10,9 +13,12 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.3.6 + - 6.3.3.6 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.7.yml b/section_6/cis_6.3.3.x/cis_6.3.3.7.yml new file mode 100644 index 0000000..a0b3182 --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.7.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_7 }} +command: + auditd_access_cnf: + title: 6.3.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | conf check + exec: grep access /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k access/' + - '/[^#]-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k access/' + - '/[^#]-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k access/' + - '/[^#]-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.7 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_access_live: + title: 6.3.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | running + exec: auditctl -l | grep access + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=access/' + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=access/' + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=access/' + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.7 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: 
true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.3/cis_4.1.3.8.yml b/section_6/cis_6.3.3.x/cis_6.3.3.8.yml similarity index 63% rename from section_4/cis_4.1.3/cis_4.1.3.8.yml rename to section_6/cis_6.3.3.x/cis_6.3.3.8.yml index 3276f0b..55ad05b 100644 --- a/section_4/cis_4.1.3/cis_4.1.3.8.yml +++ b/section_6/cis_6.3.3.x/cis_6.3.3.8.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_3_8 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_8 }} command: auditd_identity_cnf: - title: 4.1.3.8 | Ensure events that modify user/group information are collected | conf check + title: 6.3.3.8 | Ensure events that modify user/group information are collected | conf check exec: grep identity /etc/audit/rules.d/*.rules exit-status: 0 stdout: @@ -10,17 +13,22 @@ command: - '-w /etc/gshadow -p wa -k identity' - '-w /etc/shadow -p wa -k identity' - '-w /etc/security/opasswd -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' meta: server: 2 workstation: 2 CIS_ID: - - 4.1.3.8 + - 6.3.3.8 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 auditd_identity_live: - title: 4.1.3.8 | Ensure events that modify user/group information are collected | running + title: 6.3.3.8 | Ensure events that modify user/group information are collected | running exec: auditctl -l | grep identity exit-status: 0 stdout: @@ -29,13 +37,19 @@ command: - '-w /etc/gshadow -p wa -k identity' - '-w /etc/shadow -p wa -k identity' - '-w /etc/security/opasswd -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' meta: server: 2 workstation: 2 CIS_ID: - - 4.1.3.8 + - 6.3.3.8 CISv8: 8.5 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} 
diff --git a/section_6/cis_6.3.3.x/cis_6.3.3.9.yml b/section_6/cis_6.3.3.x/cis_6.3.3.9.yml new file mode 100644 index 0000000..3bfbddf --- /dev/null +++ b/section_6/cis_6.3.3.x/cis_6.3.3.9.yml 
@@ -0,0 +1,53 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_3_9 }} +command: + auditd_perms_cnf: + title: 6.3.3.9 | Ensure discretionary access control permission modification events are collected | conf check + exec: grep perm_mod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/[^#]-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/[^#]-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/[^#]-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/[^#]-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/[^#]-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/[^#]-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.9 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_perms_live: + title: 6.3.3.9 | Ensure discretionary access control permission modification events are collected | running + exec: auditctl -l | grep perm_mod + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod/' + - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod/' + - '/-a 
always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3.9 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.4.yml b/section_6/cis_6.3.4/cis_6.3.4.1.yml similarity index 59% rename from section_4/cis_4.1.4/cis_4.1.4.4.yml rename to section_6/cis_6.3.4/cis_6.3.4.1.yml index 5f5693b..a148c0e 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.4.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_4 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_1 }} command: - audit_logfile_dir_perms: - title: 4.1.4.4 | Ensure the audit log directory is 0750 or more restrictive + audit_logfile_perms: + title: 6.3.4.1 | Ensure the audit log file directory mode is configured exec: for dir in `dirname \`grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'\``; do stat -Lc " %n_%a" $dir; done exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.4 + - 6.3.4.1 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.10.yml b/section_6/cis_6.3.4/cis_6.3.4.10.yml similarity index 63% rename from section_4/cis_4.1.4/cis_4.1.4.10.yml rename to section_6/cis_6.3.4/cis_6.3.4.10.yml index 4baeadb..7e292b8 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.10.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.10.yml 
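Review bot: The live check in cis_6.3.3.9.yml mixes two forms of the unset-auid filter: the chmod and chown lines expect the literal `auid!=-1` while the xattr lines use the `(unset|-1|auid!=4294967295)` group, so on an audit version whose `auditctl -l` prints `auid!=unset` the first four patterns fail while the last two pass. Use one form on all six lines; the group form, corrected to `(unset|-1|4294967295)`, covers every output style.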
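Review bot: Renaming the resource in cis_6.3.4.1.yml from `audit_logfile_dir_perms` to `audit_logfile_perms` collides with the `audit_logfile_perms` command in cis_6.3.4.2.yml. If these files are merged into a single `command:` map, one of the two checks is silently overridden, so the directory check should keep a distinct key such as `audit_logfile_dir_perms:`.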
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_10 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_10 }} command: audit_tools_group: - title: 4.1.4.10 | Ensure audit tools are owned by root + title: 6.3.4.10 | Ensure audit tools group owner is configured exec: stat -c "%n_%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.10 + - 6.3.4.10 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.1.yml b/section_6/cis_6.3.4/cis_6.3.4.2.yml similarity index 64% rename from section_4/cis_4.1.4/cis_4.1.4.1.yml rename to section_6/cis_6.3.4/cis_6.3.4.2.yml index ff2f43f..0bc5886 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.1.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_1 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} +{{ if .Vars.rhel9cis_rule_6_3_4_2 }} command: audit_logfile_perms: - title: 4.1.4.1 | Ensure audit log files are mode 0640 or less permissive + title: 6.3.4.2 | Ensure audit log files mode is configured exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%a" $file; done exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.1 + - 6.3.4.2 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.2.yml b/section_6/cis_6.3.4/cis_6.3.4.3.yml similarity index 64% rename from section_4/cis_4.1.4/cis_4.1.4.2.yml rename to section_6/cis_6.3.4/cis_6.3.4.3.yml index 76650ca..b5b0e7d 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.2.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.3.yml 
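Review bot: In `cis_6.3.4.2.yml` the rule guard `{{ if .Vars.rhel9cis_rule_6_3_4_2 }}` is written at column 0 while every sibling indents it two spaces under the level guard (` {{ if .Vars.rhel9cis_rule_6_3_4_1 }}`), and the matching ` {{ end }}` is indented, so the opening and closing actions no longer line up. Template execution is unaffected, but the nesting is harder to read; indent the `if` two spaces like the others.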
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_2 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_3 }} command: audit_logfile_owner: - title: 4.1.4.2 | Ensure only authorized users own audit log files + title: 6.3.4.3 | Ensure only authorized users own audit log files exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%U" $file; done exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.2 + - 6.3.4.3 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.3.yml b/section_6/cis_6.3.4/cis_6.3.4.4.yml similarity index 67% rename from section_4/cis_4.1.4/cis_4.1.4.3.yml rename to section_6/cis_6.3.4/cis_6.3.4.4.yml index 069ed1a..85069a4 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.3.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_3 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_4 }} command: audit_logfile_group_setting: - title: 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files + title: 6.3.4.4 | Ensure audit log files group owner is configured exec: grep log_group /etc/audit/audit* | awk '{ print $NF}' exit-status: 0 stdout: @@ -10,14 +13,16 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.3 + - 6.3.4.4 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA audit_logfile_group: - title: 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files + title: 6.3.4.4 | Ensure audit log files group owner is configured exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n_%G" $file; done exit-status: 0 stdout: 
@@ -26,10 +31,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.3 + - 6.3.4.4 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.5.yml b/section_6/cis_6.3.4/cis_6.3.4.5.yml similarity index 63% rename from section_4/cis_4.1.4/cis_4.1.4.5.yml rename to section_6/cis_6.3.4/cis_6.3.4.5.yml index de46422..956ba7c 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.5.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.5.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_5 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_5 }} command: audit_conf_perms: - title: 4.1.4.5 | Ensure audit configuration files are 640 or more restrictive + title: 6.3.4.5 | Ensure audit configuration files mode is configured exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%a" $file; done exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.5 + - 6.3.4.5 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} {{ end }} diff --git a/section_6/cis_6.3.4/cis_6.3.4.6.yml b/section_6/cis_6.3.4/cis_6.3.4.6.yml new file mode 100644 index 0000000..2a1a413 --- /dev/null +++ b/section_6/cis_6.3.4/cis_6.3.4.6.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_6 }} +command: + audit_conf_owner: + title: 6.3.4.6 | Ensure audit configuration files owner is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.4.6 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} +{{ end }} 
diff --git a/section_4/cis_4.1.4/cis_4.1.4.7.yml b/section_6/cis_6.3.4/cis_6.3.4.7.yml similarity index 62% rename from section_4/cis_4.1.4/cis_4.1.4.7.yml rename to section_6/cis_6.3.4/cis_6.3.4.7.yml index 5cd0f4a..531c8a8 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.7.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.7.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_7 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_7 }} command: audit_conf_group: - title: 4.1.4.7 | Ensure audit configuration files belong to group root + title: 6.3.4.7 | Ensure audit configuration files group owner is configured exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.7 + - 6.3.4.7 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} {{ end }} diff --git a/section_4/cis_4.1.4/cis_4.1.4.8.yml b/section_6/cis_6.3.4/cis_6.3.4.8.yml similarity index 65% rename from section_4/cis_4.1.4/cis_4.1.4.8.yml rename to section_6/cis_6.3.4/cis_6.3.4.8.yml index 0f0814b..aa37ab2 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.8.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.8.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_8 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_8 }} command: audit_tools_perms: - title: 4.1.4.8 | Ensure audit tools are 755 or more restrictive + title: 6.3.4.8 | Ensure audit tools mode is configured exec: stat -c "%n_%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.8 + - 6.3.4.8 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} {{ end }} 
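Review bot: `audit_conf_group` is now titled "group owner is configured" but its exec line still uses `stat -Lc " %n_%U"`, which prints the file owner, not the group; this context line was carried over untouched by the rename and retitle. The owner check in `cis_6.3.4.6.yml` uses the exact same format string, so 6.3.4.7 duplicates 6.3.4.6 and passes even when a config file is group-owned by something other than root (its stdout pattern lies outside the visible lines, but nothing in this hunk distinguishes the two). Change the format to `stat -Lc " %n_%G" $file`, matching `%G` as used in `cis_6.3.4.10.yml`.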
diff --git a/section_4/cis_4.1.4/cis_4.1.4.9.yml b/section_6/cis_6.3.4/cis_6.3.4.9.yml similarity index 64% rename from section_4/cis_4.1.4/cis_4.1.4.9.yml rename to section_6/cis_6.3.4/cis_6.3.4.9.yml index 15a986d..ab3aab1 100644 --- a/section_4/cis_4.1.4/cis_4.1.4.9.yml +++ b/section_6/cis_6.3.4/cis_6.3.4.9.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_4_1_4_9 }} +--- + +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_6_3_4_9 }} command: audit_tools_owner: - title: 4.1.4.9 | Ensure audit tools are owned by root + title: 6.3.4.9 | Ensure audit tools owner is configured exec: stat -c "%n_%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules exit-status: 0 stdout: @@ -10,10 +13,13 @@ command: server: 2 workstation: 2 CIS_ID: - - 4.1.4.9 + - 6.3.4.9 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - NA + {{ end }} {{ end }} diff --git a/section_7/cis_7.1/cis_7.1.1.yml b/section_7/cis_7.1/cis_7.1.1.yml new file mode 100644 index 0000000..fa3c29b --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.1.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_1 }} +file: + etc_passwd_perms: + title: 7.1.1 | Ensure permissions on /etc/passwd are configured + path: /etc/passwd + exists: true + mode: "0744" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.10.yml b/section_7/cis_7.1/cis_7.1.10.yml new file mode 100644 index 0000000..a4c0bce --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.10.yml 
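Review bot: `mode: "0744"` on `/etc/passwd` in `etc_passwd_perms` grants owner execute, which is looser than the `"0644"` the sibling check for `/etc/group` (`cis_7.1.3.yml`) asserts, and on a stock install the file is 0644; if goss's `mode` is an exact match, as I read it, this check fails on a correctly configured host and only passes on one that is less restrictive than the benchmark asks. The same value is used in `cis_7.1.2.yml` for `/etc/passwd-` and is newly introduced in `cis_7.1.4.yml`, where `/etc/group-` is changed from `"0644"` to `"0744"`. Use `mode: "0644"` in all three.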
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_10 }} +file: + etc_security_opasswd_perms: + title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured + path: /etc/security/opasswd + exists: true + mode: "0600" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.10 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + etc_security_opasswd__old_perms: + title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured | old passwd + path: /etc/security/opasswd.old + exists: true + mode: "0600" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.10 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.12.yml b/section_7/cis_7.1/cis_7.1.11.yml similarity index 53% rename from section_6/cis_6.1/cis_6.1.12.yml rename to section_7/cis_7.1/cis_7.1.11.yml index d0e2971..9cfbe9b 100644 --- a/section_6/cis_6.1/cis_6.1.12.yml +++ b/section_7/cis_7.1/cis_7.1.11.yml @@ -1,9 +1,12 @@ -{{ if .Vars.run_heavy_tests }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_7_1_11 }} command: - {{ if .Vars.rhel9cis_rule_6_1_12 }} sticky_bit: - title: 6.1.12 | Ensure sticky bit is set on all world-writable directories - exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" + title: 7.1.11 | Ensure world writable files and directories are secured + exec: "df --local -P | awk '{if (NR!=1) print $7}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" exit-status: or: - 0 
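Review bot: `etc_security_opasswd__old_perms` asserts `exists: true` on `/etc/security/opasswd.old`, but that file only appears once pam_pwhistory has rotated the history, so a host that has never rotated it fails a permission check for a file it does not have; as far as I recall the benchmark only constrains mode and ownership if the file exists, and the same caveat applies to `/etc/security/opasswd` itself on a host where pwhistory has never run. If goss offers no way to make the mode check conditional on existence, gate the `.old` entry on a variable or drop it. The key also has a doubled underscore (`opasswd__old`), unlike every other key in the series.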
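Review bot: The exec change from `print $6` to `print $7` in `sticky_bit` breaks the mount-point list: `df --local -P` prints six columns (the POSIX format ends with "Mounted on"), so `$7` is empty for every line and `find` is handed empty paths; with `2>/dev/null` the resulting errors are hidden and the check passes vacuously. The same `$7` is used in the new `cis_7.1.12.yml` and `cis_7.1.13.yml`. Restore `print $6` in all three, or avoid column arithmetic altogether with `df --local -P | awk 'NR!=1 {print $NF}'`. The `stdout` and `meta` of `sticky_bit` continue in the next hunk.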
@@ -15,10 +18,14 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.1.12 + - 7.1.11 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} {{ end }} diff --git a/section_7/cis_7.1/cis_7.1.12.yml b/section_7/cis_7.1/cis_7.1.12.yml new file mode 100644 index 0000000..3b87eab --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.12.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_7_1_12 }} +command: + unowned_ungrouped_dirs: + title: 7.1.12 | Ensure no files or directories without an owner and a group exist + exec: "df --local -P | awk {'if (NR!=1) print $7'} | xargs -I '{}' find '{}' -xdev \( -nouser -o -nogroup \)" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.12 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.13.yml b/section_7/cis_7.1/cis_7.1.13.yml new file mode 100644 index 0000000..d0041fc --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.13.yml @@ -0,0 +1,33 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_7_1_13 }} +command: + audit_sgid_suid: + title: 7.1.13 | Ensure SUID and SGID files are reviewed + exec: "df --local -P | awk '{if (NR!=1) print $7}' | xargs -I '{}' find '{}' -xdev -type f -perm \( -2000 -o -4000 \)" + timeout: {{ .Vars.timeout_ms }} + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.13 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.2.yml b/section_7/cis_7.1/cis_7.1.2.yml new file mode 100644 index 0000000..7ecec02 --- /dev/null 
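Review bot: In `unowned_ungrouped_dirs` the exec value is a double-quoted YAML scalar containing `\(` and `\)`, which are not valid YAML escape sequences, so strict parsers reject the document; `audit_sgid_suid` in `cis_7.1.13.yml` has the same construction. The renamed `cis_7.1.11.yml` shows the working form, `\\(` … `\\)` inside double quotes, or the value can be single-quoted so backslashes are literal. Separately, `audit_sgid_suid` expects empty output (`'!/./'`) for a rule titled "reviewed"; every RHEL install ships setuid binaries such as `passwd` and `su`, so the check fails on every host unless an allow-list is applied to the output. The awk program in 7.1.12 is quoted as `{'if (NR!=1) print $7'}`, which the shell happens to reassemble correctly but reads as a typo; write it `'{if (NR!=1) print $7}'` like its siblings.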
+++ b/section_7/cis_7.1/cis_7.1.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_2 }} +file: + passwd-_perms: + title: 7.1.2 | Ensure permissions on /etc/passwd- are configured + path: /etc/passwd- + exists: true + mode: "0744" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.3.yml b/section_7/cis_7.1/cis_7.1.3.yml new file mode 100644 index 0000000..1e71890 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.3.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_6_1_3 }} +file: + etcgroup_perms: + title: 6.1.3 | Ensure permissions on /etc/group are configured + path: /etc/group + exists: true + mode: "0644" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.4.yml b/section_7/cis_7.1/cis_7.1.4.yml similarity index 52% rename from section_6/cis_6.1/cis_6.1.4.yml rename to section_7/cis_7.1/cis_7.1.4.yml index 2ffca86..69b37a9 100644 --- a/section_6/cis_6.1/cis_6.1.4.yml +++ b/section_7/cis_7.1/cis_7.1.4.yml @@ -1,19 +1,26 @@ -{{ if .Vars.rhel9cis_rule_6_1_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_4 }} file: etcgroup-_perms: - title: 6.1.4 | Ensure permissions on /etc/group- are configured + title: 7.1.4 | Ensure permissions on /etc/group- are configured path: /etc/group- exists: true - mode: "0644" + mode: "0744" owner: root group: root meta: server: 1 workstation: 1 CIS_ID: - - 6.1.4 + - 7.1.4 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} 
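Review bot: `cis_7.1.3.yml` still gates on `{{ if .Vars.rhel9cis_rule_6_1_3 }}` and carries `title: 6.1.3 | ...` and `CIS_ID: - 6.1.3`, the old numbering, while its siblings were moved to `rhel9cis_rule_7_1_N`. If the vars file no longer defines `rhel9cis_rule_6_1_3`, the template condition evaluates false and the /etc/group permission check silently drops out of the suite. Change the three lines to `rhel9cis_rule_7_1_3`, `7.1.3 | Ensure permissions on /etc/group are configured` and `- 7.1.3`.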
diff --git a/section_6/cis_6.1/cis_6.1.5.yml b/section_7/cis_7.1/cis_7.1.5.yml similarity index 56% rename from section_6/cis_6.1/cis_6.1.5.yml rename to section_7/cis_7.1/cis_7.1.5.yml index 4255634..99daef3 100644 --- a/section_6/cis_6.1/cis_6.1.5.yml +++ b/section_7/cis_7.1/cis_7.1.5.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_1_5 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_5 }} file: etc_shadow_perms: - title: 6.1.5 | Ensure permissions on /etc/shadow are configured + title: 7.1.5 | Ensure permissions on /etc/shadow are configured path: /etc/shadow exists: true mode: "0000" @@ -11,9 +14,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 6.1.5 + - 7.1.5 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_6/cis_6.1/cis_6.1.6.yml b/section_7/cis_7.1/cis_7.1.6.yml similarity index 56% rename from section_6/cis_6.1/cis_6.1.6.yml rename to section_7/cis_7.1/cis_7.1.6.yml index 2866e51..7022ece 100644 --- a/section_6/cis_6.1/cis_6.1.6.yml +++ b/section_7/cis_7.1/cis_7.1.6.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_1_6 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_7 }} file: etc_shadow-_perms: - title: 6.1.6 | Ensure permissions on /etc/shadow- are configured + title: 7.1.7 | Ensure permissions on /etc/shadow- are configured path: /etc/shadow- exists: true mode: "0000" @@ -11,9 +14,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 6.1.6 + - 7.1.6 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {[ end ]} {{ end }} diff --git a/section_6/cis_6.1/cis_6.1.7.yml b/section_7/cis_7.1/cis_7.1.7.yml similarity index 56% rename from section_6/cis_6.1/cis_6.1.7.yml rename to section_7/cis_7.1/cis_7.1.7.yml index 1d0dd47..129e89c 100644 --- a/section_6/cis_6.1/cis_6.1.7.yml +++ b/section_7/cis_7.1/cis_7.1.7.yml 
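Review bot: `cis_7.1.6.yml` closes its rule guard with `{[ end ]}` instead of `{{ end }}`; square brackets are not a Go template delimiter, so the text is emitted literally and the inner `if` is left unterminated, which fails template execution for the whole file (or, if the engine is lenient, injects an invalid YAML line). The same typo is in `cis_7.2.6.yml`. The same file also gates on `rhel9cis_rule_7_1_7` and titles itself `7.1.7 | ...` while its `CIS_ID` is 7.1.6 and its path is `/etc/shadow-`, so disabling rule 7.1.7 would silently drop this check too; use `{{ if .Vars.rhel9cis_rule_7_1_6 }}` and `7.1.6 |` in the title.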
@@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_1_7 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_7 }} file: etc_gshadow_perms: - title: 6.1.7 | Ensure permissions on /etc/gshadow are configured + title: 7.1.7 | Ensure permissions on /etc/gshadow are configured path: /etc/gshadow exists: true mode: "0000" @@ -11,9 +14,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 6.1.7 + - 7.1.7 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_6/cis_6.1/cis_6.1.8.yml b/section_7/cis_7.1/cis_7.1.8.yml similarity index 56% rename from section_6/cis_6.1/cis_6.1.8.yml rename to section_7/cis_7.1/cis_7.1.8.yml index 9f0d1db..ccbfaf7 100644 --- a/section_6/cis_6.1/cis_6.1.8.yml +++ b/section_7/cis_7.1/cis_7.1.8.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_1_8 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_8 }} file: etc_gshadow-_perms: - title: 6.1.8 | Ensure permissions on /etc/gshadow- are configured + title: 7.1.8 | Ensure permissions on /etc/gshadow- are configured path: /etc/gshadow- exists: true mode: "0000" @@ -11,9 +14,13 @@ file: server: 1 workstation: 1 CIS_ID: - - 6.1.8 + - 7.1.8 CISv8: 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} {{ end }} diff --git a/section_7/cis_7.1/cis_7.1.9.yml b/section_7/cis_7.1/cis_7.1.9.yml new file mode 100644 index 0000000..56ba603 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.9.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_1_9 }} +file: + etc_shells_perms: + title: 7.1.9 | Ensure permissions on /etc/shells are configured + path: /etc/shells + exists: true + mode: "0644" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.9 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} 
diff --git a/section_6/cis_6.2/cis_6.2.1.yml b/section_7/cis_7.2/cis_7.2.1.yml similarity index 62% rename from section_6/cis_6.2/cis_6.2.1.yml rename to section_7/cis_7.2/cis_7.2.1.yml index f0e002d..9b5ecc4 100644 --- a/section_6/cis_6.2/cis_6.2.1.yml +++ b/section_7/cis_7.2/cis_7.2.1.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_1 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_1 }} command: accts_use_shadowed: - title: 6.2.1 | Ensure accounts in /etc/passwd use shadowed passwords + title: 7.2.1 | Ensure accounts in /etc/passwd use shadowed passwords exec: "awk -F: '($2 != \"x\" ) { print $1 \" is not set to shadowed passwords \"}' /etc/passwd" exit-status: 0 stdout: @@ -10,9 +13,12 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.1 + - 7.2.1 CISv8: NA CISv8_IG1: NA CISv8_IG2: NA CISv8_IG3: NA + NIST800-53R5: + - IA-5 + {{ end }} {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.2.yml b/section_7/cis_7.2/cis_7.2.2.yml similarity index 60% rename from section_6/cis_6.2/cis_6.2.2.yml rename to section_7/cis_7.2/cis_7.2.2.yml index 32704c6..e71ad9d 100644 --- a/section_6/cis_6.2/cis_6.2.2.yml +++ b/section_7/cis_7.2/cis_7.2.2.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_2 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_2 }} command: nopasswd_shadow: - title: 6.2.2 | Ensure /etc/shadow password fields are not empty + title: 7.2.2 | Ensure /etc/shadow password fields are not empty exec: cat /etc/shadow | cut -d ':' -f2 exit-status: 0 stdout: @@ -11,9 +14,12 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.2 + - 7.2.2 CISv8: 5.2 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.3.yml b/section_7/cis_7.2/cis_7.2.3.yml similarity index 58% rename from section_6/cis_6.2/cis_6.2.3.yml rename to section_7/cis_7.2/cis_7.2.3.yml index 9054147..e983cc6 100644 --- a/section_6/cis_6.2/cis_6.2.3.yml 
+++ b/section_7/cis_7.2/cis_7.2.3.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_3 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_3 }} command: passwd_group_exist: - title: 6.2.3 | Ensure all groups in /etc/passwd exist in /etc/group + title: 7.2.3 | Ensure all groups in /etc/passwd exist in /etc/group exec: "comm -23 <(awk -F: '{print $4}' /etc/passwd | sort -u) <(awk -F: '{print $3}' /etc/group | sort -u)" exit-status: 0 stdout: @@ -10,9 +13,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.3 + - 7.2.3 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.4.yml b/section_7/cis_7.2/cis_7.2.4.yml similarity index 53% rename from section_6/cis_6.2/cis_6.2.4.yml rename to section_7/cis_7.2/cis_7.2.4.yml index 45aaa22..9861852 100644 --- a/section_6/cis_6.2/cis_6.2.4.yml +++ b/section_7/cis_7.2/cis_7.2.4.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_4 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_4 }} command: no_dup_uid: - title: 6.2.4 | Ensure no duplicate UIDs exist + title: 7.2.4 | Ensure no duplicate UIDs exist exec: "cat /etc/passwd | cut -d: -f3 | uniq -d" exit-status: 0 stdout: @@ -10,9 +13,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.4 + - 7.2.4 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.5.yml b/section_7/cis_7.2/cis_7.2.5.yml similarity index 73% rename from section_6/cis_6.2/cis_6.2.5.yml rename to section_7/cis_7.2/cis_7.2.5.yml index 256de14..bb61080 100644 --- a/section_6/cis_6.2/cis_6.2.5.yml +++ b/section_7/cis_7.2/cis_7.2.5.yml 
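Review bot: `no_dup_uid` pipes unsorted UIDs into `uniq -d`, which only reports adjacent duplicates, so two accounts sharing a UID that are not consecutive in /etc/passwd go unreported and the check passes. The same construction is used for GIDs, user names and group names in `cis_7.2.5.yml`, `cis_7.2.6.yml` and `cis_7.2.7.yml`. Sort first and drop the `cat`: `exec: "cut -d: -f3 /etc/passwd | sort | uniq -d"`.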
@@ -1,7 +1,7 @@ -{{ if .Vars.rhel9cis_rule_6_2_5 }} +{{ if .Vars.rhel9cis_rule_7_2_5 }} command: no_dup_gid: - title: 6.2.5 | Ensure no duplicate GIDs exist + title: 7.2.5 | Ensure no duplicate GIDs exist exec: "cat /etc/group | cut -d: -f3 | uniq -d" exit-status: 0 stdout: @@ -10,7 +10,7 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.5 + - 7.2.5 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true diff --git a/section_6/cis_6.2/cis_6.2.6.yml b/section_7/cis_7.2/cis_7.2.6.yml similarity index 53% rename from section_6/cis_6.2/cis_6.2.6.yml rename to section_7/cis_7.2/cis_7.2.6.yml index 71b64f2..9185219 100644 --- a/section_6/cis_6.2/cis_6.2.6.yml +++ b/section_7/cis_7.2/cis_7.2.6.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_6 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_6 }} command: no_dup_username: - title: 6.2.6 | Ensure no duplicate user names exist + title: 7.2.6 | Ensure no duplicate user names exist exec: "cat /etc/passwd | cut -d: -f1 | uniq -d" exit-status: 0 stdout: @@ -10,9 +13,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.6 + - 7.2.6 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {[ end ]} {{ end }} diff --git a/section_6/cis_6.2/cis_6.2.7.yml b/section_7/cis_7.2/cis_7.2.7.yml similarity index 53% rename from section_6/cis_6.2/cis_6.2.7.yml rename to section_7/cis_7.2/cis_7.2.7.yml index 9a831dc..b635aef 100644 --- a/section_6/cis_6.2/cis_6.2.7.yml +++ b/section_7/cis_7.2/cis_7.2.7.yml @@ -1,7 +1,10 @@ -{{ if .Vars.rhel9cis_rule_6_2_7 }} +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_7_2_7 }} command: no_dup_groupname: - title: 6.2.7 | Ensure no duplicate group names exist + title: 7.2.7 | Ensure no duplicate group names exist exec: "cat /etc/group | cut -d: -f1 | uniq -d" exit-status: 0 stdout: 
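Review bot: `cis_7.2.5.yml` is the only file in this series whose rename did not add the `---` document start, the `{{ if .Vars.rhel9cis_level_1 }}` wrapper or the `NIST800-53R5` mapping that 7.2.1–7.2.4, 7.2.6 and 7.2.7 all received, so it runs regardless of the selected level; presumably an oversight. Wrap it like the others and add the NIST entry.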
@@ -10,9 +13,16 @@ command: server: 1 workstation: 1 CIS_ID: - - 6.2.7 + - 7.2.7 CISv8: 4.1 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} {{ end }} diff --git a/section_7/cis_7.2/cis_7.2.8.yml b/section_7/cis_7.2/cis_7.2.8.yml new file mode 100644 index 0000000..bc4edd7 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.8.yml @@ -0,0 +1,60 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_7_2_8 }} +command: + home_dirs_exist: + title: 7.2.8 | Ensure all users' home directories exist | exist + exec: pwck -r | grep -v journal | grep "does not exist" + timeout: {{ .Vars.timeout_ms }} + exit-status: 1 + stdout: + - '!/does not exist/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + home_dirs_owned: + title: 7.2.8 | Ensure all users' home directories exist | owned + exec: "getent passwd {1000..60000} | awk -F: '{ print $1 \" \" $6 }' | while read user dir; do if [ $user != 'ftpd' ]; then owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"home dir for $user owned by $owner\"; fi; fi; done" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + home_dirs_restrict: + title: 7.2.8 | Ensure all users' home directories exist | permissions + exec: "for i in `getent passwd {1000..60000} | awk '{split($0,a,\":\");print a[6]}'`; do stat -c \"%a %n\" $i ; done" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '/^7(0|5)0\s/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} 
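Review bot: `home_dirs_restrict` asserts the positive pattern `'/^7(0|5)0\s/'` against the combined `stat` output; as I read goss's stdout matching, a pattern only needs to match somewhere in the output, so one compliant home directory satisfies it while a 755 directory on the same host goes unnoticed. Invert it into negated matches of the non-compliant forms, e.g. `'!/^[0-7]?[0-7][0-7][1-7]\s/'` (any other-bits set) and `'!/^[0-7]?[0-7][2367][0-7]\s/'` (group write). `{1000..60000}` brace expansion in `home_dirs_owned` and `home_dirs_restrict` is a bash feature, which is fine where /bin/sh is bash but worth a comment if the checks are run elsewhere. `NIST800-53R5: NA` is a scalar here while the rest of the series uses a list.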
diff --git a/section_7/cis_7.2/cis_7.2.9.yml b/section_7/cis_7.2/cis_7.2.9.yml new file mode 100644 index 0000000..67d4f0a --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.9.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_7_2_9 }} +command: + dot_netrc_perms: + title: 7.2.9 | Ensure local interactive user dot files access is configured + exec: 'find /home/ -name \(.netrc -o .rhost -o .netrc \)' + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.9 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/vars/CIS.yml b/vars/CIS.yml index e255792..d0ac0ed 100644 --- a/vars/CIS.yml +++ b/vars/CIS.yml 
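Review bot: The exec in `dot_netrc_perms`, `find /home/ -name \(.netrc -o .rhost -o .netrc \)`, is not a valid find expression: `-name` takes `\(` as its pattern and the following `.netrc` is then parsed as a path after the expression, which GNU find rejects ("paths must precede expression") with a non-zero status, so the check fails on every host instead of reporting anything. `.netrc` is also listed twice and `.rhost` is presumably meant to be `.rhosts`. Rewrite it as `exec: 'find /home/ \( -name .netrc -o -name .rhosts \)'` (single quotes keep the backslashes literal), adding whichever other dot files the rule is meant to cover.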
@@ -137,52 +137,67 @@ rhel9cis_rule_1_8_8: true rhel9cis_rule_1_8_9: true rhel9cis_rule_1_8_10: true -# section 2 -# Services -# 2.1 Time Synchronization +# Section 2 rules are controling Services (Special Purpose Services, and service clients) +## Configure Server Services rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true -# 2.2 Special Purpose Services +rhel9cis_rule_2_1_3: true +rhel9cis_rule_2_1_4: true +rhel9cis_rule_2_1_5: true +rhel9cis_rule_2_1_6: true +rhel9cis_rule_2_1_7: true +rhel9cis_rule_2_1_8: true +rhel9cis_rule_2_1_9: true +rhel9cis_rule_2_1_10: true +rhel9cis_rule_2_1_11: true +rhel9cis_rule_2_1_12: true +rhel9cis_rule_2_1_13: true +rhel9cis_rule_2_1_14: true +rhel9cis_rule_2_1_15: true +rhel9cis_rule_2_1_16: true +rhel9cis_rule_2_1_17: true +rhel9cis_rule_2_1_18: true +rhel9cis_rule_2_1_19: true +rhel9cis_rule_2_1_20: true +rhel9cis_rule_2_1_21: true +rhel9cis_rule_2_1_22: true + +## Configure Client Services rhel9cis_rule_2_2_1: true rhel9cis_rule_2_2_2: true rhel9cis_rule_2_2_3: true rhel9cis_rule_2_2_4: true rhel9cis_rule_2_2_5: true -rhel9cis_rule_2_2_6: true -rhel9cis_rule_2_2_7: true -rhel9cis_rule_2_2_8: true -rhel9cis_rule_2_2_9: true -rhel9cis_rule_2_2_10: true -rhel9cis_rule_2_2_11: true -rhel9cis_rule_2_2_12: true -rhel9cis_rule_2_2_13: true -rhel9cis_rule_2_2_14: true -rhel9cis_rule_2_2_15: true -rhel9cis_rule_2_2_16: true -rhel9cis_rule_2_2_17: true -rhel9cis_rule_2_2_18: true -rhel9cis_rule_2_2_19: true -rhel9cis_rule_2_2_20: true -# 2.3 service clients + +## Configure Time Synchronization rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true -rhel9cis_rule_2_3_4: true -rhel9cis_rule_2_3_5: true -rhel9cis_rule_2_3_6: true -rhel9cis_rule_2_4: true # todo +## Job Schedulers +### cron +rhel9cis_rule_2_4_1_1: true +rhel9cis_rule_2_4_1_2: true +rhel9cis_rule_2_4_1_3: true +rhel9cis_rule_2_4_1_4: true +rhel9cis_rule_2_4_1_5: true +rhel9cis_rule_2_4_1_6: true +rhel9cis_rule_2_4_1_7: true +rhel9cis_rule_2_4_1_8: 
true +### at +rhel9cis_rule_2_4_2_1: true -# Section 3 rules -# 3.1 Disable unused network protocols and devices +# Section 3 Network +## Network Devices rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true -rhel9cis_rule_3_1_4: true -# 3.2 Network Parameters (Host Only) +## Network Kernel Modules rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true -# 3.3 Network Parameters (Host and Router) +rhel9cis_rule_3_2_3: true +rhel9cis_rule_3_2_4: true +# Network Kernel Parameters rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_2: true rhel9cis_rule_3_3_3: true 
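Review bot: The new section comment reads `controling`; it should be `# Section 2 rules are controlling Services (Special Purpose Services, and service clients)`. Heading levels are also mixed in this hunk: `## Configure Server Services`, `## Configure Client Services` and `## Network Kernel Modules` use `##` while the sibling sub-section `# Network Kernel Parameters` uses a single `#`, so the visual hierarchy is inconsistent; use `##` for every sub-section.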
@@ -192,99 +207,24 @@ rhel9cis_rule_3_3_6: true rhel9cis_rule_3_3_7: true rhel9cis_rule_3_3_8: true rhel9cis_rule_3_3_9: true -# 3.4.1 Configure a firewall utility -rhel9cis_rule_3_4_1_1: true -rhel9cis_rule_3_4_1_2: true +rhel9cis_rule_3_3_10: true +rhel9cis_rule_3_3_11: true -# 3.4.1 Configure firewall rules -rhel9cis_rule_3_4_2_1: true -rhel9cis_rule_3_4_2_2: true -rhel9cis_rule_3_4_2_3: true -rhel9cis_rule_3_4_2_4: true -rhel9cis_rule_3_4_2_5: true -rhel9cis_rule_3_4_2_6: true -rhel9cis_rule_3_4_2_7: true +# Section 4 Firewalls +## Firewall utility +rhel9cis_rule_4_1_1: true +rhel9cis_rule_4_1_2: true +## Configure firewalld +rhel9cis_rule_4_2_1: true +rhel9cis_rule_4_2_2: true +# Configure nftables +rhel9cis_rule_4_3_1: true +rhel9cis_rule_4_3_2: true +rhel9cis_rule_4_3_3: true +rhel9cis_rule_4_3_4: true - -# Section 4 rules -# 4.1 Configure System Accounting (auditd) -# 4.1.1 Ensure auditing is enabled -rhel9cis_rule_4_1_1_1: true -rhel9cis_rule_4_1_1_2: true -rhel9cis_rule_4_1_1_3: true -rhel9cis_rule_4_1_1_4: true - -# 4.1.2 Configure Data retention -rhel9cis_rule_4_1_2_1: true -rhel9cis_rule_4_1_2_2: true -rhel9cis_rule_4_1_2_3: true - -# 4.1.3 Configure auditd rules -rhel9cis_rule_4_1_3_1: true -rhel9cis_rule_4_1_3_2: true -rhel9cis_rule_4_1_3_3: true -rhel9cis_rule_4_1_3_4: true -rhel9cis_rule_4_1_3_5: true -rhel9cis_rule_4_1_3_6: true -rhel9cis_rule_4_1_3_7: true -rhel9cis_rule_4_1_3_8: true -rhel9cis_rule_4_1_3_9: true -rhel9cis_rule_4_1_3_10: true -rhel9cis_rule_4_1_3_11: true -rhel9cis_rule_4_1_3_12: true -rhel9cis_rule_4_1_3_13: true -rhel9cis_rule_4_1_3_14: true -rhel9cis_rule_4_1_3_15: true -rhel9cis_rule_4_1_3_16: true -rhel9cis_rule_4_1_3_17: true -rhel9cis_rule_4_1_3_18: true -rhel9cis_rule_4_1_3_19: true -rhel9cis_rule_4_1_3_20: true -rhel9cis_rule_4_1_3_21: true - -# 4.1.4 Configure auditd file access -rhel9cis_rule_4_1_4_1: true -rhel9cis_rule_4_1_4_2: true -rhel9cis_rule_4_1_4_3: true -rhel9cis_rule_4_1_4_4: true -rhel9cis_rule_4_1_4_5: 
true -rhel9cis_rule_4_1_4_6: true -rhel9cis_rule_4_1_4_7: true -rhel9cis_rule_4_1_4_8: true -rhel9cis_rule_4_1_4_9: true -rhel9cis_rule_4_1_4_10: true - - -# 4.2.1 Configure rsyslog -rhel9cis_rule_4_2_1_1: true -rhel9cis_rule_4_2_1_2: true -rhel9cis_rule_4_2_1_3: true -rhel9cis_rule_4_2_1_4: true -rhel9cis_rule_4_2_1_5: true -rhel9cis_rule_4_2_1_6: true -rhel9cis_rule_4_2_1_7: true - -# 4.2.2 Configure journald -rhel9cis_rule_4_2_2_1_1: true -rhel9cis_rule_4_2_2_1_2: true -rhel9cis_rule_4_2_2_1_3: true -rhel9cis_rule_4_2_2_1_4: true -rhel9cis_rule_4_2_2_2: true - -rhel9cis_rule_4_2_2_3: true -rhel9cis_rule_4_2_2_4: true -rhel9cis_rule_4_2_2_5: true -rhel9cis_rule_4_2_2_6: true -rhel9cis_rule_4_2_2_7: true -rhel9cis_rule_4_2_3: true - -# 4.3 Logrotate -rhel9cis_rule_4_3: true - - -# Section 5 -# Authentication and Authorization -# 5.1 Configure time-based job schedulers +## Section 5 +## 5.1. Configure SSH Server rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true @@ -294,8 +234,19 @@ rhel9cis_rule_5_1_6: true rhel9cis_rule_5_1_7: true rhel9cis_rule_5_1_8: true rhel9cis_rule_5_1_9: true - -# 5.2 Configure SSH Server +rhel9cis_rule_5_1_10: true +rhel9cis_rule_5_1_11: true +rhel9cis_rule_5_1_12: true +rhel9cis_rule_5_1_13: true +rhel9cis_rule_5_1_14: true +rhel9cis_rule_5_1_15: true +rhel9cis_rule_5_1_16: true +rhel9cis_rule_5_1_17: true +rhel9cis_rule_5_1_18: true +rhel9cis_rule_5_1_19: true +rhel9cis_rule_5_1_20: true +rhel9cis_rule_5_1_21: true +## 5.2 Configure Privilege Escalation rhel9cis_rule_5_2_1: true rhel9cis_rule_5_2_2: true rhel9cis_rule_5_2_3: true 
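Review bot: The rule variables the renamed checks now gate on (`rhel9cis_rule_6_3_4_1` through `_10`, `rhel9cis_rule_6_3_3_9`, and `rhel9cis_rule_7_1_1` through `rhel9cis_rule_7_2_9`) are not defined anywhere in the visible hunks, while this hunk removes their predecessors `rhel9cis_rule_4_1_4_1`–`_10`; the file's later hunk is cut off, so they may well be added there, but if any is missing the Go template condition is simply false and that check is skipped silently rather than erroring. A quick cross-check of every `{{ if .Vars.rhel9cis_rule_* }}` guard under `section_*/` against the keys in this file would catch that before release. Heading style is also inconsistent: `## Section 5` uses two hashes where `# Section 3` and `# Section 4` use one, and `# Configure nftables` uses one where `## Configure firewalld` uses two.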
@@ -303,89 +254,158 @@ rhel9cis_rule_5_2_4: true
 rhel9cis_rule_5_2_5: true
 rhel9cis_rule_5_2_6: true
 rhel9cis_rule_5_2_7: true
-rhel9cis_rule_5_2_8: true
-rhel9cis_rule_5_2_9: true
-rhel9cis_rule_5_2_10: true
-rhel9cis_rule_5_2_11: true
-rhel9cis_rule_5_2_12: true
-rhel9cis_rule_5_2_13: true
-rhel9cis_rule_5_2_14: true
-rhel9cis_rule_5_2_15: true
-rhel9cis_rule_5_2_16: true
-rhel9cis_rule_5_2_17: true
-rhel9cis_rule_5_2_18: true
-rhel9cis_rule_5_2_19: true
-rhel9cis_rule_5_2_20: true
-# 5.3 Configure privilege escalation
-rhel9cis_rule_5_3_1: true
-rhel9cis_rule_5_3_2: true
-rhel9cis_rule_5_3_3: true
-rhel9cis_rule_5_3_4: true
-rhel9cis_rule_5_3_5: true
-rhel9cis_rule_5_3_6: true
-rhel9cis_rule_5_3_7: true
+# 5.3.1.x Configure PAM software packages
+rhel9cis_rule_5_3_1_1: true
+rhel9cis_rule_5_3_1_2: true
+rhel9cis_rule_5_3_1_3: true
+# 5.3.2 Configure authselect
+rhel9cis_rule_5_3_2_1: true
+rhel9cis_rule_5_3_2_2: true
+rhel9cis_rule_5_3_2_3: true
+rhel9cis_rule_5_3_2_4: true
+# 5.3.3.1 Configure pam_faillock module
+rhel9cis_rule_5_3_3_1_1: true
+rhel9cis_rule_5_3_3_1_2: true
+rhel9cis_rule_5_3_3_1_3: true
+# 5.3.3.2 Configure pam_pwquality module
+rhel9cis_rule_5_3_3_2_1: true
+rhel9cis_rule_5_3_3_2_2: true
+rhel9cis_rule_5_3_3_2_3: true
+rhel9cis_rule_5_3_3_2_4: true
+rhel9cis_rule_5_3_3_2_5: true
+rhel9cis_rule_5_3_3_2_6: true
+rhel9cis_rule_5_3_3_2_7: true
+rhel9cis_rule_5_3_3_2_8: true
+# 5.3.3.3 Configure pam_pwhistory module
+# This are added as part of 5.3.2.4 using jinja2 template
+rhel9cis_rule_5_3_3_3_1: true
+rhel9cis_rule_5_3_3_3_2: true
+rhel9cis_rule_5_3_3_3_3: true
+# 5.3.3.4 Configure pam_unix module
+rhel9cis_rule_5_3_3_4_1: true
+rhel9cis_rule_5_3_3_4_2: true
+rhel9cis_rule_5_3_3_4_3: true
+rhel9cis_rule_5_3_3_4_4: true
+# 5.4 User Accounts and Environment
+# 5.4.1 Configure shadow password suite parameters
+rhel9cis_rule_5_4_1_1: true
+rhel9cis_rule_5_4_1_2: true
+rhel9cis_rule_5_4_1_3: true
+rhel9cis_rule_5_4_1_4: true
+rhel9cis_rule_5_4_1_5: true
+rhel9cis_rule_5_4_1_6: true
+# 5.4.2 Configure root and system accounts and environment
+rhel9cis_rule_5_4_2_1: true
+rhel9cis_rule_5_4_2_2: true
+rhel9cis_rule_5_4_2_3: true
+rhel9cis_rule_5_4_2_4: true
+rhel9cis_rule_5_4_2_5: true
+rhel9cis_rule_5_4_2_6: true
+rhel9cis_rule_5_4_2_7: true
+rhel9cis_rule_5_4_2_8: true
+# 5.4.2 Configure user default environment
+rhel9cis_rule_5_4_3_1: true
+rhel9cis_rule_5_4_3_2: true
+rhel9cis_rule_5_4_3_3: true
-# 5.4 Configure authselect
-
-rhel9cis_rule_5_4_1: true
-rhel9cis_rule_5_4_2: true
-
-# 5.5 Configure PAM
-rhel9cis_rule_5_5_1: true
-# This also used the is_pre82_release variable based on OS release
-rhel9cis_rule_5_5_2: true
-rhel9cis_rule_5_5_3: true
-rhel9cis_rule_5_5_4: true
-
-# 5.6 User Accounts and Environment
-# 5.6.1 Set Shadow Password Suite Parameters
-rhel9cis_rule_5_6_1_1: true
-rhel9cis_rule_5_6_1_2: true
-rhel9cis_rule_5_6_1_3: true
-rhel9cis_rule_5_6_1_4: true
-rhel9cis_rule_5_6_1_5: true
-rhel9cis_rule_5_6_2: true
-rhel9cis_rule_5_6_3: true
-rhel9cis_rule_5_6_4: true
-rhel9cis_rule_5_6_5: true
-rhel9cis_rule_5_6_6: true
-
-# Section 6
-# 6 System Maintenance
-# 6.1 System File Permissions
+# Section 6 Logging and Auditing
+## 6.1 Configure Integrity Checking
 rhel9cis_rule_6_1_1: true
 rhel9cis_rule_6_1_2: true
 rhel9cis_rule_6_1_3: true
-rhel9cis_rule_6_1_4: true
-rhel9cis_rule_6_1_5: true
-rhel9cis_rule_6_1_6: true
-rhel9cis_rule_6_1_7: true
-rhel9cis_rule_6_1_8: true
-rhel9cis_rule_6_1_9: true
-rhel9cis_rule_6_1_10: true
-rhel9cis_rule_6_1_11: true
-rhel9cis_rule_6_1_12: true
-rhel9cis_rule_6_1_13: true
-rhel9cis_rule_6_1_14: true
-rhel9cis_rule_6_1_15: true
+## 6.2.1 Configure systemd-journald service
+rhel9cis_rule_6_2_1_1: true
+rhel9cis_rule_6_2_1_2: true
+rhel9cis_rule_6_2_1_3: true
+rhel9cis_rule_6_2_1_4: true
+## 6.2.2.x Configure journald
+rhel9cis_rule_6_2_2_1_1: true
+rhel9cis_rule_6_2_2_1_2: true
+rhel9cis_rule_6_2_2_1_3: true
+rhel9cis_rule_6_2_2_1_4: true
+rhel9cis_rule_6_2_2_2: true
+rhel9cis_rule_6_2_2_3: true
+rhel9cis_rule_6_2_2_4: true
+## 6.2.3 Configure rsyslog
+rhel9cis_rule_6_2_3_1: true
+rhel9cis_rule_6_2_3_2: true
+rhel9cis_rule_6_2_3_3: true
+rhel9cis_rule_6_2_3_4: true
+rhel9cis_rule_6_2_3_5: true
+rhel9cis_rule_6_2_3_6: true
+rhel9cis_rule_6_2_3_7: true
+## 6.2.4 Configure Logfiles
+rhel9cis_rule_6_2_4_1: true
+## 6.3 Configure Auditing
+## 6.3.1 Configure auditd Service
+rhel9cis_rule_6_3_1_1: true
+rhel9cis_rule_6_3_1_2: true
+rhel9cis_rule_6_3_1_3: true
+rhel9cis_rule_6_3_1_4: true
+## 6.3.2 Configure Data Retention
+rhel9cis_rule_6_3_2_1: true
+rhel9cis_rule_6_3_2_2: true
+rhel9cis_rule_6_3_2_3: true
+rhel9cis_rule_6_3_2_4: true
+## 6.3.3 Configure auditd Rules
+rhel9cis_rule_6_3_3_1: true
+rhel9cis_rule_6_3_3_2: true
+rhel9cis_rule_6_3_3_3: true
+rhel9cis_rule_6_3_3_4: true
+rhel9cis_rule_6_3_3_5: true
+rhel9cis_rule_6_3_3_6: true
+rhel9cis_rule_6_3_3_7: true
+rhel9cis_rule_6_3_3_8: true
+rhel9cis_rule_6_3_3_9: true
+rhel9cis_rule_6_3_3_10: true
+rhel9cis_rule_6_3_3_11: true
+rhel9cis_rule_6_3_3_12: true
+rhel9cis_rule_6_3_3_13: true
+rhel9cis_rule_6_3_3_14: true
+rhel9cis_rule_6_3_3_15: true
+rhel9cis_rule_6_3_3_16: true
+rhel9cis_rule_6_3_3_17: true
+rhel9cis_rule_6_3_3_18: true
+rhel9cis_rule_6_3_3_19: true
+rhel9cis_rule_6_3_3_20: true
+rhel9cis_rule_6_3_3_21: true
+## 6.3.4 Configure auditd File Access
+rhel9cis_rule_6_3_4_1: true
+rhel9cis_rule_6_3_4_2: true
+rhel9cis_rule_6_3_4_3: true
+rhel9cis_rule_6_3_4_4: true
+rhel9cis_rule_6_3_4_5: true
+rhel9cis_rule_6_3_4_6: true
+rhel9cis_rule_6_3_4_7: true
+rhel9cis_rule_6_3_4_8: true
+rhel9cis_rule_6_3_4_9: true
+rhel9cis_rule_6_3_4_10: true
-# 6.2 User and Group Settings
-rhel9cis_rule_6_2_1: true
-rhel9cis_rule_6_2_2: true
-rhel9cis_rule_6_2_3: true
-rhel9cis_rule_6_2_4: true
-rhel9cis_rule_6_2_5: true
-rhel9cis_rule_6_2_6: true
-rhel9cis_rule_6_2_7: true
-rhel9cis_rule_6_2_8: true
-rhel9cis_rule_6_2_9: true
-rhel9cis_rule_6_2_10: true
-rhel9cis_rule_6_2_11: true
-rhel9cis_rule_6_2_12: true
-rhel9cis_rule_6_2_13: true
-rhel9cis_rule_6_2_14: true
-rhel9cis_rule_6_2_15: true
-rhel9cis_rule_6_2_16: true
+# Section 7 System Maintenance
+## 7.1 System File Permissions
+rhel9cis_rule_7_1_1: true
+rhel9cis_rule_7_1_2: true
+rhel9cis_rule_7_1_3: true
+rhel9cis_rule_7_1_4: true
+rhel9cis_rule_7_1_5: true
+rhel9cis_rule_7_1_6: true
+rhel9cis_rule_7_1_7: true
+rhel9cis_rule_7_1_8: true
+rhel9cis_rule_7_1_9: true
+rhel9cis_rule_7_1_10: true
+rhel9cis_rule_7_1_11: true
+rhel9cis_rule_7_1_12: true
+rhel9cis_rule_7_1_13: true
+## 7.2 Local User and Group Settings
+rhel9cis_rule_7_2_1: true
+rhel9cis_rule_7_2_2: true
+rhel9cis_rule_7_2_3: true
+rhel9cis_rule_7_2_4: true
+rhel9cis_rule_7_2_5: true
+rhel9cis_rule_7_2_6: true
+rhel9cis_rule_7_2_7: true
+rhel9cis_rule_7_2_8: true
+rhel9cis_rule_7_2_9: true
 ############
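Review bot: The added heading `# 5.4.2 Configure user default environment` sits above `rhel9cis_rule_5_4_3_1`–`rhel9cis_rule_5_4_3_3` and repeats the `# 5.4.2` heading directly before it; it should read `# 5.4.3 Configure user default environment` so the comment matches the variables it labels. The comment `# This are added as part of 5.3.2.4 using jinja2 template` should read `# These are added as part of 5.3.2.4 using a jinja2 template`, and it would help to state whether setting a `rhel9cis_rule_5_3_3_3_*` variable to `false` has any effect on its own, since the text implies those settings are applied through 5.3.2.4. Heading depth also alternates between `#` and `##` at the same level within this hunk (`# 5.4 User Accounts and Environment` vs `## 6.1 Configure Integrity Checking`); one convention per level would make the file easier to scan.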
@@ -410,40 +430,69 @@ rhel922cis_screensaver_idle_delay: 900 # Set max value for idle-delay in second
 rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
 # Section 2
-## 2.2 Special Purposes
-# Set to 'true' if X Windows is needed in your environment
-rhel9cis_xwindows_required: false
-### Service configuration booleans set true to keep service
+# Service configuration
+# Options are
+# Service
+# - false - removes package
+# - true - leaves package installed
+# Mask
+# - false - leaves service in current status
+# - true - sets service name to masked
+rhel9cis_autofs_services: false
+rhel9cis_autofs_mask: true
 rhel9cis_avahi_server: false
-rhel9cis_cups_server: false
+rhel9cis_avahi_mask: false
 rhel9cis_dhcp_server: false
+rhel9cis_dhcp_mask: false
 rhel9cis_dns_server: false
+rhel9cis_dns_mask: false
 rhel9cis_dnsmasq_server: false
-rhel9cis_vsftpd_server: false
-rhel9cis_tftp_server: false
-rhel9cis_httpd_server: false
-rhel9cis_nginx_server: false
-rhel9cis_dovecot_server: false
-rhel9cis_imap_server: false
+rhel9cis_dnsmasq_mask: false
 rhel9cis_samba_server: false
-rhel9cis_squid_server: false
-rhel9cis_snmp_server: false
+rhel9cis_samba_mask: false
+rhel9cis_ftp_server: false
+rhel9cis_ftp_mask: false
+rhel9cis_message_server: false # This is for messaging dovecot and cyrus-imap
+rhel9cis_message_mask: false
+rhel9cis_nfs_server: true
+rhel9cis_nfs_mask: true
+rhel9cis_nis_server: true # set to mask if nis client required
+rhel9cis_nis_mask: false
+rhel9cis_print_server: false # replaces cups
+rhel9cis_print_mask: false
+rhel9cis_rpc_server: true
+rhel9cis_rpc_mask: true
+rhel9cis_rsync_server: false
+rhel9cis_rsync_mask: false
+rhel9cis_net_snmp_server: false
+rhel9cis_net_snmp_mask: false
 rhel9cis_telnet_server: false
+rhel9cis_telnet_mask: false
+rhel9cis_tftp_server: false
+rhel9cis_tftp_mask: false
+rhel9cis_squid_server: false
+rhel9cis_squid_mask: false
+rhel9cis_httpd_server: false
+rhel9cis_httpd_mask: false
+rhel9cis_nginx_server: false
+rhel9cis_nginx_mask: false
+rhel9cis_xinetd_server: false
+rhel9cis_xinetd_mask: false
+rhel9cis_xwindow_server: false # will remove mask not an option
 rhel9cis_is_mail_server: false
-# Note the options
-# Packages are used for client services and Server- only remove if you dont use the client service
-#
-rhel9cis_use_nfs_server: false
-rhel9cis_use_nfs_service: false
-rhel9cis_use_rpc_server: false
-rhel9cis_use_rpc_service: false
-rhel9cis_use_rsync_server: false
-rhel9cis_use_rsync_service: false
+## Section 2.3 Service clients
+
+rhel9cis_ftp_client: false
+rhel9cis_openldap_clients_required: false
+rhel9cis_ypbind_required: false # Same package as NIS server
+rhel9cis_telnet_required: false
+rhel9cis_tftp_client: false
 #### 2.3 Service clients
-rhel9cis_telnet_required: false
+rhel9cis_telnet_client: false
 rhel9cis_openldap_clients_required: false
+rhel9cis_nis_client: false
 rhel9cis_tftp_client: false
 rhel9cis_ftp_client: false
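Review bot: After this hunk the file defines `rhel9cis_ftp_client`, `rhel9cis_openldap_clients_required` and `rhel9cis_tftp_client` twice — once in the added `## Section 2.3 Service clients` block and again in the retained `#### 2.3 Service clients` block — and carries both `rhel9cis_telnet_required` and `rhel9cis_telnet_client` for what looks like the same toggle. Most YAML loaders keep the last duplicate silently (yamllint `key-duplicates` flags this), so an operator who edits the first block will see no effect, and checks that read one telnet variable name will ignore a change made to the other. Drop the old `#### 2.3 Service clients` block and move its `rhel9cis_telnet_client` and `rhel9cis_nis_client` into the new one so each key appears exactly once, then keep a single telnet variable name (or document which one the checks read). Separately, `rhel9cis_nis_server: true` with `rhel9cis_nis_mask: false` is, by the option table above it, the only service here whose default neither removes the package nor masks the service; if that is intentional the inline comment `# set to mask if nis client required` should say so explicitly, e.g. `# default leaves the NIS server installed and unmasked; set rhel9cis_nis_mask: true if the client package is required`.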