Merge pull request #11452 from jan-cerny/rhel7_cis_section_6

Align RHEL 7 CIS control file with CIS v4.0.0 - Section 6
ComplianceAsCode · Jan 25, 2024 · 1cab60c · 1cab60c
2 parents beaee38 + a2c8a2c
commit 1cab60c
Show file tree

Hide file tree

Showing 47 changed files with 130 additions and 166 deletions.
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -2824,22 +2824,6 @@ controls:
     - aide_periodic_cron_checking
 
   - id: 6.1.1
-    title: Ensure world writable files and directories are secured (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
-    - dir_perms_world_writable_sticky_bits
-
-  - id: 10.1.1 # TODO: Fix
-    title: Audit system file permissions (Manual)
-    levels:
-    - l2_server
-    - l2_workstation
-    status: manual
-
-  - id: 6.1.2
     title: Ensure permissions on /etc/passwd are configured (Automated)
     levels:
     - l1_server
@@ -2850,7 +2834,7 @@ controls:
     - file_owner_etc_passwd
     - file_permissions_etc_passwd
 
-  - id: 6.1.3
+  - id: 6.1.2
     title: Ensure permissions on /etc/passwd- are configured (Automated)
     levels:
     - l1_server
@@ -2861,38 +2845,49 @@ controls:
     - file_owner_backup_etc_passwd
     - file_permissions_backup_etc_passwd
 
+  - id: 6.1.3
+    title: Ensure permissions on /etc/group are configured (Automated)
+    levels:
+    - l1_server
+    - l1_workstation
+    status: automated
+    rules:
+    - file_groupowner_etc_group
+    - file_owner_etc_group
+    - file_permissions_etc_group
+
   - id: 6.1.4
-    title: Ensure permissions on /etc/shadow are configured (Automated)
+    title: Ensure permissions on /etc/group- are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - file_groupowner_etc_shadow
-    - file_owner_etc_shadow
-    - file_permissions_etc_shadow
+    - file_groupowner_backup_etc_group
+    - file_owner_backup_etc_group
+    - file_permissions_backup_etc_group
 
   - id: 6.1.5
-    title: Ensure permissions on /etc/shadow- are configured (Automated)
+    title: Ensure permissions on /etc/shadow are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - file_groupowner_backup_etc_shadow
-    - file_owner_backup_etc_shadow
-    - file_permissions_backup_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_owner_etc_shadow
+    - file_permissions_etc_shadow
 
   - id: 6.1.6
-    title: Ensure permissions on /etc/gshadow- are configured (Automated)
+    title: Ensure permissions on /etc/shadow- are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - file_groupowner_backup_etc_gshadow
-    - file_owner_backup_etc_gshadow
-    - file_permissions_backup_etc_gshadow
+    - file_groupowner_backup_etc_shadow
+    - file_owner_backup_etc_shadow
+    - file_permissions_backup_etc_shadow
 
   - id: 6.1.7
     title: Ensure permissions on /etc/gshadow are configured (Automated)
@@ -2906,66 +2901,70 @@ controls:
     - file_permissions_etc_gshadow
 
   - id: 6.1.8
-    title: Ensure permissions on /etc/group are configured (Automated)
+    title: Ensure permissions on /etc/gshadow- are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - file_groupowner_etc_group
-    - file_owner_etc_group
-    - file_permissions_etc_group
+    - file_groupowner_backup_etc_gshadow
+    - file_owner_backup_etc_gshadow
+    - file_permissions_backup_etc_gshadow
 
   - id: 6.1.9
-    title: Ensure permissions on /etc/group- are configured (Automated)
+    title: Ensure permissions on /etc/shells are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - file_groupowner_backup_etc_group
-    - file_owner_backup_etc_group
-    - file_permissions_backup_etc_group
+    - file_owner_etc_shells
+    - file_groupowner_etc_shells
+    - file_permissions_etc_shells
 
   - id: 6.1.10
-    title: Ensure no world writable files exist (Automated)
+    title: Ensure permissions on /etc/security/opasswd are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
-    status: automated
+    status: partial
     rules:
-    - file_permissions_unauthorized_world_writable
+    # We need another rule that checks /etc/security/opasswd.old
+    - file_etc_security_opasswd
 
   - id: 6.1.11
-    title: Ensure no unowned files or directories exist (Automated)
+    title: Ensure world writable files and directories are secured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - no_files_unowned_by_user
+    - file_permissions_unauthorized_world_writable
+    - dir_perms_world_writable_sticky_bits
 
   - id: 6.1.12
-    title: Ensure no ungrouped files or directories exist (Automated)
+    title: Ensure no unowned or ungrouped files or directories exist (Automated)
     levels:
     - l1_server
     - l1_workstation
-    status: automated
+    status: partial
     rules:
+    # TODO: add rules for unowned/ungrouped directories
+    - no_files_unowned_by_user
     - file_permissions_ungroupowned
 
   - id: 6.1.13
-    title: Audit SUID executables (Manual)
+    title: Ensure SUID and SGID files are reviewed (Manual)
     levels:
     - l1_server
     - l1_workstation
     status: manual
 
   - id: 6.1.14
-    title: Audit SGID executables (Manual)
+    title: Audit system file permissions (Manual)
     levels:
-    - l1_server
-    - l1_workstation
+    - l2_server
+    - l2_workstation
     status: manual
 
   - id: 6.2.1
@@ -2996,49 +2995,51 @@ controls:
     - gid_passwd_group_same
 
   - id: 6.2.4
-    title: Ensure shadow group is empty (Automated)
+    title: Ensure no duplicate UIDs exist (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-      - ensure_shadow_group_empty
+    - account_unique_id
 
   - id: 6.2.5
-    title: Ensure no duplicate user names exist (Automated)
+    title: Ensure no duplicate GIDs exist (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - account_unique_name
+      - group_unique_id
 
   - id: 6.2.6
-    title: Ensure no duplicate group names exist (Automated)
+    title: Ensure no duplicate user names exist (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-      - group_unique_name
+    - account_unique_name
 
   - id: 6.2.7
-    title: Ensure no duplicate UIDs exist (Automated)
+    title: Ensure no duplicate group names exist (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
-    - account_unique_id
+      - group_unique_name
 
   - id: 6.2.8
-    title: Ensure no duplicate GIDs exist (Automated)
+    title: Ensure root path integrity (Automated)
     levels:
     - l1_server
     - l1_workstation
-    status: automated
+    status: partial
     rules:
-      - group_unique_id
+    # TODO: add non root owned directories
+    - accounts_root_path_dirs_no_write
+    - root_path_no_dot
 
   - id: 6.2.9
     title: Ensure root is the only UID 0 account (Automated)
@@ -3050,77 +3051,33 @@ controls:
     - accounts_no_uid_except_zero
 
   - id: 6.2.10
-    title: Ensure root PATH Integrity (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
-    - accounts_root_path_dirs_no_write
-    - root_path_no_dot
-
-  - id: 6.2.11
-    title: Ensure all users' home directories exist (Automated)
+    title: Ensure local interactive user home directories are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
     status: automated
     rules:
     - accounts_user_interactive_home_directory_exists
-
-  - id: 6.2.12
-    title: Ensure users own their home directories (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
     - file_ownership_home_directories
-
-  - id: 6.2.13
-    title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
     - file_permissions_home_directories
 
-  - id: 6.2.14
-    title: Ensure users' dot files are not group or world writable (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
-      - accounts_user_dot_no_world_writable_programs
-
-  - id: 6.2.15
-    title: Ensure no users have .forward files (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    rules:
-      - no_forward_files
-
-  - id: 6.2.16
-    title: Ensure no users have .netrc files (Automated)
-    levels:
-    - l1_server
-    - l1_workstation
-    status: automated
-    notes: <-
-      The rule is checking only for existence of files, not for their permissions.
-    rules:
-    - no_netrc_files
-
-  - id: 6.2.17
-    title: Ensure no users have .rhosts files (Automated)
+  - id: 6.2.11
+    title: Ensure local interactive user dot files access is configured (Automated)
     levels:
     - l1_server
     - l1_workstation
-    status: automated
-    notes: The rule also removes /etc/hosts.equiv
+    notes: |-
+      According to the RHEL 7 CIS Benchmark guidance, the incompliant .forward
+      and .rhost files should be investigated and remediated manually.
+      However, in other profiles we remediate the rule using the automated
+      remediation.
+    status: partial
+    # TODO: add rule checking that .bash_history is mode 0600 or more restrictive
     rules:
+    - accounts_user_dot_group_ownership
+    - accounts_user_dot_user_ownership
+    - file_permission_user_init_files
+    - var_user_initialization_files_regex=all_dotfiles
+    - no_forward_files
     - no_rsh_trust_files
+    - accounts_users_netrc_file_permissions
diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
@@ -29,7 +29,7 @@ references:
     cis-csc: 11,12,14,15,3,8,9
     cis@alinux2: 6.2.14
     cis@alinux3: 6.2.10
-    cis@rhel7: 6.2.17
+    cis@rhel7: 6.2.11
     cis@rhel8: 6.2.11
     cis@rhel9: 6.2.15
     cis@sle12: 6.2.12

diff --git a/...ide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/...ide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 
 references:
     cis@alinux2: 6.2.18
-    cis@rhel7: 6.2.5
+    cis@rhel7: 6.2.6
     cis@rhel8: 6.2.6
     cis@rhel9: 6.2.6
     cis@sle12: 6.2.16

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
     cis@alinux2: 6.2.16
     cis@alinux3: 6.2.12
-    cis@rhel7: 6.2.7
+    cis@rhel7: 6.2.4
     cis@rhel8: 6.2.4
     cis@rhel9: 6.2.4
     cis@sle12: 6.2.14

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
     cis@alinux2: 6.2.17
     cis@alinux3: 6.2.13
-    cis@rhel7: 6.2.8
+    cis@rhel7: 6.2.5
     cis@rhel8: 6.2.5
     cis@rhel9: 6.2.5
     cis@sle12: 6.2.15

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -19,7 +19,7 @@ identifiers:
 references:
     cis@alinux2: 6.2.19
     cis@alinux3: 6.2.15
-    cis@rhel7: 6.2.6
+    cis@rhel7: 6.2.7
     cis@rhel8: 6.2.7
     cis@rhel9: 6.2.7
     cis@sle12: 6.2.17

diff --git a/...os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/...os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 references:
     cis@alinux2: 6.2.11
     cis@alinux3: 6.2.7
-    cis@rhel7: 6.2.15
+    cis@rhel7: 6.2.11
     cis@rhel8: 6.2.11
     cis@rhel9: 6.2.14
     cis@sle12: 6.2.9