diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml index 3c6bb2b7f30..46cd46f5ff0 100644 --- a/controls/cis_rhel7.yml +++ b/controls/cis_rhel7.yml @@ -2824,22 +2824,6 @@ controls: - aide_periodic_cron_checking - id: 6.1.1 - title: Ensure world writable files and directories are secured (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - dir_perms_world_writable_sticky_bits - - - id: 10.1.1 # TODO: Fix - title: Audit system file permissions (Manual) - levels: - - l2_server - - l2_workstation - status: manual - - - id: 6.1.2 title: Ensure permissions on /etc/passwd are configured (Automated) levels: - l1_server @@ -2850,7 +2834,7 @@ controls: - file_owner_etc_passwd - file_permissions_etc_passwd - - id: 6.1.3 + - id: 6.1.2 title: Ensure permissions on /etc/passwd- are configured (Automated) levels: - l1_server 
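Review bot: After these two hunks the controls file carries `id: 6.1.2` twice: the /etc/passwd control keeps it as a context line in the first hunk (that hunk adds no lines, +2824,6), and the second hunk renumbers the /etc/passwd- control from 6.1.3 to 6.1.2. The rule files later in this diff map file_owner_etc_passwd and file_groupowner_etc_passwd to `cis@rhel7: 6.1.1`, so the /etc/passwd entry should be renumbered to match: change its ` - id: 6.1.2` to ` - id: 6.1.1`. A duplicated control id is easy to miss unless the controls loader rejects it; worth checking whether it validates id uniqueness.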
@@ -2861,38 +2845,49 @@ controls: - file_owner_backup_etc_passwd - file_permissions_backup_etc_passwd + - id: 6.1.3 + title: Ensure permissions on /etc/group are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + - id: 6.1.4 - title: Ensure permissions on /etc/shadow are configured (Automated) + title: Ensure permissions on /etc/group- are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_etc_shadow - - file_owner_etc_shadow - - file_permissions_etc_shadow + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group - id: 6.1.5 - title: Ensure permissions on /etc/shadow- are configured (Automated) + title: Ensure permissions on /etc/shadow are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_backup_etc_shadow - - file_owner_backup_etc_shadow - - file_permissions_backup_etc_shadow + - file_groupowner_etc_shadow + - file_owner_etc_shadow + - file_permissions_etc_shadow - id: 6.1.6 - title: Ensure permissions on /etc/gshadow- are configured (Automated) + title: Ensure permissions on /etc/shadow- are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_backup_etc_gshadow - - file_owner_backup_etc_gshadow - - file_permissions_backup_etc_gshadow + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow - id: 6.1.7 title: Ensure permissions on /etc/gshadow are configured (Automated) 
@@ -2906,66 +2901,70 @@ controls: - file_permissions_etc_gshadow - id: 6.1.8 - title: Ensure permissions on /etc/group are configured (Automated) + title: Ensure permissions on /etc/gshadow- are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_etc_group - - file_owner_etc_group - - file_permissions_etc_group + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow - id: 6.1.9 - title: Ensure permissions on /etc/group- are configured (Automated) + title: Ensure permissions on /etc/shells are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - file_groupowner_backup_etc_group - - file_owner_backup_etc_group - - file_permissions_backup_etc_group + - file_owner_etc_shells + - file_groupowner_etc_shells + - file_permissions_etc_shells - id: 6.1.10 - title: Ensure no world writable files exist (Automated) + title: Ensure permissions on /etc/security/opasswd are configured (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial rules: - - file_permissions_unauthorized_world_writable + # We need another rule that checks /etc/security/opasswd.old + - file_etc_security_opasswd - id: 6.1.11 - title: Ensure no unowned files or directories exist (Automated) + title: Ensure world writable files and directories are secured (Automated) levels: - l1_server - l1_workstation status: automated rules: - - no_files_unowned_by_user + - file_permissions_unauthorized_world_writable + - dir_perms_world_writable_sticky_bits - id: 6.1.12 - title: Ensure no ungrouped files or directories exist (Automated) + title: Ensure no unowned or ungrouped files or directories exist (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial rules: + # TODO: add rules for unowned/ungrouped directories + - no_files_unowned_by_user - file_permissions_ungroupowned - id: 6.1.13 - title: Audit SUID 
executables (Manual) + title: Ensure SUID and SGID files are reviewed (Manual) levels: - l1_server - l1_workstation status: manual - id: 6.1.14 - title: Audit SGID executables (Manual) + title: Audit system file permissions (Manual) levels: - - l1_server - - l1_workstation + - l2_server + - l2_workstation status: manual - id: 6.2.1 @@ -2996,49 +2995,51 @@ controls: - gid_passwd_group_same - id: 6.2.4 - title: Ensure shadow group is empty (Automated) + title: Ensure no duplicate UIDs exist (Automated) levels: - l1_server - l1_workstation status: automated rules: - - ensure_shadow_group_empty + - account_unique_id - id: 6.2.5 - title: Ensure no duplicate user names exist (Automated) + title: Ensure no duplicate GIDs exist (Automated) levels: - l1_server - l1_workstation status: automated rules: - - account_unique_name + - group_unique_id - id: 6.2.6 - title: Ensure no duplicate group names exist (Automated) + title: Ensure no duplicate user names exist (Automated) levels: - l1_server - l1_workstation status: automated rules: - - group_unique_name + - account_unique_name - id: 6.2.7 - title: Ensure no duplicate UIDs exist (Automated) + title: Ensure no duplicate group names exist (Automated) levels: - l1_server - l1_workstation status: automated rules: - - account_unique_id + - group_unique_name - id: 6.2.8 - title: Ensure no duplicate GIDs exist (Automated) + title: Ensure root path integrity (Automated) levels: - l1_server - l1_workstation - status: automated + status: partial rules: - - group_unique_id + # TODO: add non root owned directories + - accounts_root_path_dirs_no_write + - root_path_no_dot - id: 6.2.9 title: Ensure root is the only UID 0 account (Automated) 
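Review bot: The reason for `status: partial` on 6.1.10 is recorded only as a YAML comment inside the `rules:` list (`# We need another rule that checks /etc/security/opasswd.old`), and 6.1.12 in the same hunk and 6.2.8 in the next hunk do the same with `# TODO:` comments. Comments are discarded when the controls file is parsed, so the gap never reaches generated profile documentation or reports; this file already records such gaps in a `notes:` key, as the 6.2.11 control does in the last hunk. Suggest moving each explanation into the control, e.g. for 6.1.10 `notes: The rule covers /etc/security/opasswd only; /etc/security/opasswd.old is not checked.`, and keeping the TODO wording in the note if a follow-up is intended.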
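Review bot: ensure_shadow_group_empty is dropped from 6.2.4 here and does not reappear under any control in this diff, yet its rule.yml is not touched (the diff runs account_unique_id straight into group_unique_id in alphabetical order). If that rule.yml still carries `cis@rhel7: 6.2.4`, the reference now points at "Ensure no duplicate UIDs exist" rather than the shadow-group item. Either list the rule under whichever control in the new layout covers it, or remove its `cis@rhel7` reference in the same change; I cannot see the rule file from here, so please confirm.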
@@ -3050,77 +3051,33 @@ controls: - accounts_no_uid_except_zero - id: 6.2.10 - title: Ensure root PATH Integrity (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_root_path_dirs_no_write - - root_path_no_dot - - - id: 6.2.11 - title: Ensure all users' home directories exist (Automated) + title: Ensure local interactive user home directories are configured (Automated) levels: - l1_server - l1_workstation status: automated rules: - accounts_user_interactive_home_directory_exists - - - id: 6.2.12 - title: Ensure users own their home directories (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_ownership_home_directories - - - id: 6.2.13 - title: Ensure users' home directories permissions are 750 or more restrictive (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - file_permissions_home_directories - - id: 6.2.14 - title: Ensure users' dot files are not group or world writable (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - accounts_user_dot_no_world_writable_programs - - - id: 6.2.15 - title: Ensure no users have .forward files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - rules: - - no_forward_files - - - id: 6.2.16 - title: Ensure no users have .netrc files (Automated) - levels: - - l1_server - - l1_workstation - status: automated - notes: <- - The rule is checking only for existence of files, not for their permissions. - rules: - - no_netrc_files - - - id: 6.2.17 - title: Ensure no users have .rhosts files (Automated) + - id: 6.2.11 + title: Ensure local interactive user dot files access is configured (Automated) levels: - l1_server - l1_workstation - status: automated - notes: The rule also removes /etc/hosts.equiv + notes: |- + According to the RHEL 7 CIS Benchmark guidance, the incompliant .forward + and .rhost files should be investigated and remediated manually. 
+ However, in other profiles we remediate the rule using the automated
+ remediation.
+ status: partial
+ # TODO: add rule checking that .bash_history is mode 0600 or more restrictive
 rules:
+ - accounts_user_dot_group_ownership
+ - accounts_user_dot_user_ownership
+ - file_permission_user_init_files
+ - var_user_initialization_files_regex=all_dotfiles
+ - no_forward_files
 - no_rsh_trust_files
+ - accounts_users_netrc_file_permissions
diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
index 8a6c7d2b0ac..9b0f6ecee11 100644
--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
@@ -29,7 +29,7 @@ references:
 cis-csc: 11,12,14,15,3,8,9
 cis@alinux2: 6.2.14
 cis@alinux3: 6.2.10
- cis@rhel7: 6.2.17
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 cis@rhel9: 6.2.15
 cis@sle12: 6.2.12
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
index e2a9ffa0395..ef96ca614fe 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.18
- cis@rhel7: 6.2.5
+ cis@rhel7: 6.2.6
 cis@rhel8: 6.2.6
 cis@rhel9: 6.2.6
 cis@sle12: 6.2.16
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index c1a16bee27e..5b4362c2bea 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
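Review bot: accounts_user_dot_no_world_writable_programs is removed together with the old 6.2.14 control and is not listed under the new 6.2.11, yet its rule.yml hunk further down in this diff re-points `cis@rhel7` from 6.2.14 to 6.2.11. The new 6.2.11 title ("dot files access is configured") is the item that subsumed the old group/world-writable check, so the rule list and the reference should agree: either add ` - accounts_user_dot_no_world_writable_programs` to the 6.2.11 `rules:` list or leave the rule without a `cis@rhel7` reference. While here, the `notes:` block refers to `.rhost` files where the removed 6.2.17 title said `.rhosts`, and "incompliant" reads better as "non-compliant". The start of this hunk is on the previous line of the page.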
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.16
 cis@alinux3: 6.2.12
- cis@rhel7: 6.2.7
+ cis@rhel7: 6.2.4
 cis@rhel8: 6.2.4
 cis@rhel9: 6.2.4
 cis@sle12: 6.2.14
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
index 8ad81e647c2..4b4f4dc1681 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.17
 cis@alinux3: 6.2.13
- cis@rhel7: 6.2.8
+ cis@rhel7: 6.2.5
 cis@rhel8: 6.2.5
 cis@rhel9: 6.2.5
 cis@sle12: 6.2.15
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
index c5c738cf556..0beebcc679e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -19,7 +19,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.19
 cis@alinux3: 6.2.15
- cis@rhel7: 6.2.6
+ cis@rhel7: 6.2.7
 cis@rhel8: 6.2.7
 cis@rhel9: 6.2.7
 cis@sle12: 6.2.17
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
index 25d57cd990f..534864d1ea1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.11
 cis@alinux3: 6.2.7
- cis@rhel7: 6.2.15
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 cis@rhel9: 6.2.14
 cis@sle12: 6.2.9
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 6063ddc2ed0..6f58e3ebbef 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -27,7 +27,6 @@ references:
 cis-csc: 1,11,12,14,15,16,18,3,5
 cis@alinux2: 6.2.12
 cis@alinux3: 6.2.8
- cis@rhel7: 6.2.16
 cis@rhel8: 6.2.13,6.2.15
 cis@rhel9: 6.2.13
 cis@sle12: 6.2.10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index 8626fdb5cc6..a10f796e8aa 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 cce@sle15: CCE-91408-5
 references:
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 cis@sle12: 6.2.8
 cis@sle15: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 11dc1815e7f..77e55d4b037 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.10
 cis@alinux3: 6.2.6
- cis@rhel7: 6.2.14
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.12
 cis@rhel9: 6.2.16
 cis@sle12: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index bad8e150aab..240887a6e1a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -26,6 +26,7 @@ identifiers:
 cce@sle15: CCE-91409-3
 references:
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 cis@sle12: 6.2.8
 cis@sle15: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index 4fe113268f9..867aebb8a10 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.7
 cis@alinux3: 6.2.16
- cis@rhel7: 6.2.11
+ cis@rhel7: 6.2.10
 cis@rhel8: 6.2.10
 cis@rhel9: 6.2.10
 cis@sle12: 6.2.5
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
index 64cb36d50c0..cd60d6a3181 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_netrc_file_permissions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,sle12,sle15
+prodtype: rhel7,rhel8,sle12,sle15
 title: "Ensure users' .netrc Files are not group or world accessible"
@@ -19,11 +19,13 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: CCE-89524-3
 cce@rhel8: CCE-87369-5
 cce@sle12: CCE-92446-4
 cce@sle15: CCE-92697-2
 references:
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 cis@sle12: 6.2.11
 cis@sle15: 6.2.11
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index d8664852eeb..f930d89dc67 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.9
 cis@alinux3: 6.2.5
- cis@rhel7: 6.2.12
+ cis@rhel7: 6.2.10
 cis@rhel8: 6.2.10
 cis@rhel9: 6.2.11
 cis@sle12: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 98fa5aa9c14..23bb35efb52 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@sle15: CCE-85630-2
 references:
+ cis@rhel7: 6.2.11
 cis@rhel8: 6.2.11
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 333fa891006..a2d432ae2ad 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 cis@alinux2: 6.2.8
 cis@alinux3: 6.2.4
- cis@rhel7: 6.2.13
+ cis@rhel7: 6.2.10
 cis@rhel8: 6.2.10
 cis@rhel9: 6.2.12
 cis@sle12: 6.2.6
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
index c0496297e8a..41cfb325c93 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
@@ -26,7 +26,7 @@ references:
 cis-csc: 11,3,9
 cis@alinux2: 6.2.6
 cis@alinux3: 6.2.2
- cis@rhel7: 6.2.10
+ cis@rhel7: 6.2.8
 cis@rhel8: 6.2.8
 cis@rhel9: 6.2.8
 cis@sle12: 6.2.4
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 043bf8097fb..0f99895b1d6 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -30,7 +30,7 @@ references:
 cis-csc: 11,3,9
 cis@alinux2: 6.2.6
 cis@alinux3: 6.2.2
- cis@rhel7: 6.2.10
+ cis@rhel7: 6.2.8
 cis@rhel8: 6.2.8
 cis@rhel9: 6.2.8
 cis@sle12: 6.2.4
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 619cfda7b1e..22c99ad45c8 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -38,7 +38,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 1.1.18
 cis@alinux3: 6.1.2
- cis@rhel7: 6.1.1
+ cis@rhel7: 6.1.11
 cis@rhel8: 6.1.11
 cis@rhel9: 6.1.12
 cis@sle12: 1.1.22
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
index 579148fb620..fd636dcea15 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml
@@ -28,7 +28,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.10
 cis@alinux3: 6.1.11
- cis@rhel7: 6.1.10
+ cis@rhel7: 6.1.11
 cis@rhel8: 6.1.11
 cis@rhel9: 6.1.9
 cis@sle12: 6.1.8
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index 9e701ea1b71..5778006d24e 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -35,7 +35,7 @@ references:
 anssi: BP28(R55)
 cis-csc: 11,12,13,14,15,16,18,3,5,9
 cis@alinux2: 6.1.11
- cis@rhel7: 6.1.11
+ cis@rhel7: 6.1.12
 cis@rhel8: 6.1.12
 cis@rhel9: 6.1.10
 cis@sle12: 6.1.9
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
index 019d4b57454..513cc0d5a43 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,sle12,sle15
+prodtype: rhel7,rhel8,sle12,sle15
 title: 'Verify Permissions and Ownership of Old Passwords File'
@@ -15,11 +15,13 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: CCE-87198-8
 cce@rhel8: CCE-86140-1
 cce@sle12: CCE-83172-7
 cce@sle15: CCE-85572-6
 references:
+ cis@rhel7: 6.1.10
 cis@rhel8: 6.1.3
 disa: CCI-000200
 nist@sle12: IA-5(1)(e),IA-5(1).1(v)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
index 6c201568c54..e4295b86987 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.8
 cis@alinux3: 6.1.9
- cis@rhel7: 6.1.9
+ cis@rhel7: 6.1.4
 cis@rhel8: 6.1.5
 cis@rhel9: 6.1.4
 cis@sle12: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index 0b950b1ba65..aef8fcc93eb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.9
 cis@alinux3: 6.1.10
- cis@rhel7: 6.1.6
+ cis@rhel7: 6.1.8
 cis@rhel8: 6.1.9
 cis@rhel9: 6.1.8
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
index 49b4f8a3255..ba74266e2f7 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.6
 cis@alinux3: 6.1.7
- cis@rhel7: 6.1.3
+ cis@rhel7: 6.1.2
 cis@rhel8: 6.1.2
 cis@rhel9: 6.1.2
 cis@sle12: 6.1.5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index 2340c4f1f19..5f5fbb14031 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -27,7 +27,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.7
 cis@alinux3: 6.1.8
- cis@rhel7: 6.1.5
+ cis@rhel7: 6.1.6
 cis@rhel8: 6.1.7
 cis@rhel9: 6.1.6
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
index 5fd842bf912..c79497aab57 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
@@ -21,7 +21,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.4
 cis@alinux3: 6.1.5
- cis@rhel7: 6.1.8
+ cis@rhel7: 6.1.3
 cis@rhel8: 6.1.4
 cis@rhel9: 6.1.3
 cis@sle12: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
index 62885072ecf..e237bfa84f9 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.2
- cis@rhel7: 6.1.2
+ cis@rhel7: 6.1.1
 cis@rhel8: 6.1.1
 cis@rhel9: 6.1.1
 cis@sle12: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index 112e778a2aa..47bdc2fdd84 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -27,7 +27,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.3
 cis@alinux3: 6.1.4
- cis@rhel7: 6.1.4
+ cis@rhel7: 6.1.5
 cis@rhel8: 6.1.6
 cis@rhel9: 6.1.5
 cis@sle12: 6.1.3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
index ad2b600122a..e7e4642260f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8
+prodtype: rhel7,rhel8
 title: 'Verify Group Who Owns /etc/shells File'
@@ -14,9 +14,11 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: CCE-86624-4
 cce@rhel8: CCE-87030-3
 references:
+ cis@rhel7: 6.1.9
 cis@rhel8: 6.1.10
 nist: AC-3,MP-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
index 60d5b782ed2..015ed415102 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.8
 cis@alinux3: 6.1.9
- cis@rhel7: 6.1.9
+ cis@rhel7: 6.1.4
 cis@rhel8: 6.1.5
 cis@rhel9: 6.1.4
 cis@sle12: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
index 12784c9fc52..c1062180009 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.9
 cis@alinux3: 6.1.10
- cis@rhel7: 6.1.6
+ cis@rhel7: 6.1.8
 cis@rhel8: 6.1.9
 cis@rhel9: 6.1.8
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
index 69dacb6210a..b747d066ef7 100644
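Review bot: Control 6.1.9 in the controls file lists file_permissions_etc_shells next to the two shells rules enabled for rhel7 here and in the file_owner_etc_shells section below, but the diff is cut off before that rule's file would appear in alphabetical order, so I cannot confirm it receives the same treatment. If its `prodtype` is not widened to `rhel7,rhel8` with a `cce@rhel7` identifier and `cis@rhel7: 6.1.9` reference, the 6.1.9 control would reference a rule that is not built for the RHEL 7 product; please confirm that file is part of the change.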
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.6
 cis@alinux3: 6.1.7
- cis@rhel7: 6.1.3
+ cis@rhel7: 6.1.2
 cis@rhel8: 6.1.2
 cis@rhel9: 6.1.2
 cis@sle12: 6.1.5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
index f132988dc40..f7ac1b7b94f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.7
 cis@alinux3: 6.1.8
- cis@rhel7: 6.1.5
+ cis@rhel7: 6.1.6
 cis@rhel8: 6.1.7
 cis@rhel9: 6.1.6
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
index 437c104bcb3..f1bdab9496a 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
@@ -21,7 +21,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.4
 cis@alinux3: 6.1.5
- cis@rhel7: 6.1.8
+ cis@rhel7: 6.1.3
 cis@rhel8: 6.1.4
 cis@rhel9: 6.1.3
 cis@sle12: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
index 9fdf59450ad..d72df49d783 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.2
- cis@rhel7: 6.1.2
+ cis@rhel7: 6.1.1
 cis@rhel8: 6.1.1
 cis@rhel9: 6.1.1
 cis@sle12: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
index 1aaecc2ffe1..262a97acead 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
@@ -25,7 +25,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.3
 cis@alinux3: 6.1.4
- cis@rhel7: 6.1.4
+ cis@rhel7: 6.1.5
 cis@rhel8: 6.1.6
 cis@rhel9: 6.1.5
 cis@sle12: 6.1.3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
index 1934faf7705..a5ea3abb156 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8
+prodtype: rhel7,rhel8
 title: 'Verify Who Owns /etc/shells File'
@@ -14,9 +14,11 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: CCE-86622-8
 cce@rhel8: CCE-87055-0
 references:
+ cis@rhel7: 6.1.9
 cis@rhel8: 6.1.10
 nist: AC-3,MP-2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
index 81d2276befc..0f2f254cbe5 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.8
 cis@alinux3: 6.1.9
- cis@rhel7: 6.1.9
+ cis@rhel7: 6.1.4
 cis@rhel8: 6.1.5
 cis@rhel9: 6.1.4
 cis@sle12: 6.1.7
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 355efa818ff..d21a5e4f499 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.9
 cis@alinux3: 6.1.10
- cis@rhel7: 6.1.6
+ cis@rhel7: 6.1.8
 cis@rhel8: 6.1.9
 cis@rhel9: 6.1.8
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index d005dd398fc..b09bd26542e 100644
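Review bot: The added `cce@rhel7: CCE-86622-8` and `cis@rhel7: 6.1.9` only make sense together with the `prodtype: rhel7,rhel8` change in the preceding hunk, yet nothing in this diff shows that the rule's check and remediation content actually applies to RHEL 7; if the OVAL or remediation for file_owner_etc_shells carries a product or platform restriction, the rhel7 datastream would ship a CIS reference with no working check behind it. Confirm by building the rhel7 product and verifying that the rule appears with an OVAL definition, and that the rhel7 CIS control file (outside this view) lists it under 6.1.9 at the intended level. The same applies to the matching file_permissions_etc_shells change later in this diff.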
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.6
 cis@alinux3: 6.1.7
- cis@rhel7: 6.1.3
+ cis@rhel7: 6.1.2
 cis@rhel8: 6.1.2
 cis@rhel9: 6.1.2
 cis@sle12: 6.1.5
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 3071d51f4be..60d1d68ccec 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 references:
 cis@alinux2: 6.1.7
 cis@alinux3: 6.1.8
- cis@rhel7: 6.1.5
+ cis@rhel7: 6.1.6
 cis@rhel8: 6.1.7
 cis@rhel9: 6.1.6
 cis@sle12: 6.1.6
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
index 9bebde31085..55cd710d660 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml
@@ -23,7 +23,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.4
 cis@alinux3: 6.1.5
- cis@rhel7: 6.1.8
+ cis@rhel7: 6.1.3
 cis@rhel8: 6.1.4
 cis@rhel9: 6.1.3
 cis@sle12: 6.1.4
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
index 0659d8eac5e..46ec78190ec 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml
@@ -24,7 +24,7 @@ references:
 anssi: BP28(R36)
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.2
- cis@rhel7: 6.1.2
+ cis@rhel7: 6.1.1
 cis@rhel8: 6.1.1
 cis@rhel9: 6.1.1
 cis@sle12: 6.1.2
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 7fa591d8806..87e957dbadb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -34,7 +34,7 @@ references:
 cis-csc: 12,13,14,15,16,18,3,5
 cis@alinux2: 6.1.3
 cis@alinux3: 6.1.4
- cis@rhel7: 6.1.4
+ cis@rhel7: 6.1.5
 cis@rhel8: 6.1.6
 cis@rhel9: 6.1.5
 cis@sle12: 6.1.3
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
index d59daf0dfdb..a34dae6dc4b 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8
+prodtype: rhel7,rhel8
 title: 'Verify Permissions on /etc/shells File'
@@ -14,9 +14,11 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel7: CCE-86626-9
 cce@rhel8: CCE-86634-3
 references:
+ cis@rhel7: 6.1.9
 cis@rhel8: 6.1.10
 nist: AC-3,MP-2
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index f801858c511..eece32c9d6d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -291,9 +291,6 @@ CCE-86610-3
 CCE-86613-7
 CCE-86619-4
 CCE-86620-2
-CCE-86622-8
-CCE-86624-4
-CCE-86626-9
 CCE-86627-7
 CCE-86628-5
 CCE-86629-3
@@ -723,7 +720,6 @@ CCE-87194-7
 CCE-87195-4
 CCE-87196-2
 CCE-87197-0
-CCE-87198-8
 CCE-87199-6
 CCE-87200-2
 CCE-87201-0
@@ -2747,7 +2743,6 @@ CCE-89520-1
 CCE-89521-9
 CCE-89522-7
 CCE-89523-5
-CCE-89524-3
 CCE-89525-0
 CCE-89526-8
 CCE-89527-6
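Review bot: Five identifiers leave the available pool across these three hunks (CCE-86622-8, CCE-86624-4, CCE-86626-9, CCE-87198-8, CCE-89524-3), but only CCE-86622-8 and CCE-86626-9 are assigned in the rule files visible in this diff. The other three are presumably consumed by rules outside this view (a groupowner rule for /etc/shells would be a natural candidate); each should be confirmed to map to exactly one `cce@rhel7` entry, since a CCE removed from the pool but never assigned is simply lost, while one assigned to two rules defeats the uniqueness the identifier exists to provide. A duplicate would be caught by a uniqueness check, but an orphaned identifier would not, so the three unaccounted-for CCEs deserve a manual grep before merge.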