Improve CIS 6.2.11

The rule accounts_user_dot_no_world_writable_programs is not aligned
with the policy requirement, it checks permissions of files executed by
the dot files. Also, we should clarify the situation about remediation
of .forward and .rhost files.

controls/cis_rhel7.yml

@@ -2558,10 +2558,18 @@ controls:
     levels:
     - l1_server
     - l1_workstation
+    notes: |-
+      According to the RHEL 7 CIS Benchmark guidance, the incompliant .forward
+      and .rhost files should be investigated and remediated manually.
+      However, in other profiles we remediate the rule using the automated
+      remediation.
     status: partial
     # TODO: add rule checking that .bash_history is mode 0600 or more restrictive
     rules:
-    - accounts_user_dot_no_world_writable_programs
+    - accounts_user_dot_group_ownership
+    - accounts_user_dot_user_ownership
+    - file_permission_user_init_files
+    - var_user_initialization_files_regex=all_dotfiles
     - no_forward_files
     - no_rsh_trust_files
     - accounts_users_netrc_file_permissions

linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml

@@ -26,6 +26,7 @@ identifiers:
     cce@sle15: CCE-91408-5
 
 references:
+    cis@rhel7: 6.2.11
     cis@sle12: 6.2.8
     cis@sle15: 6.2.8
     cis@ubuntu2004: 6.2.7

linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml

@@ -25,6 +25,7 @@ identifiers:
     cce@sle15: CCE-91409-3
 
 references:
+    cis@rhel7: 6.2.11
     cis@sle12: 6.2.8
     cis@sle15: 6.2.8
     cis@ubuntu2004: 6.2.7

linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml

@@ -24,6 +24,7 @@ identifiers:
     cce@sle15: CCE-85630-2
 
 references:
+    cis@rhel7: 6.2.11
     disa: CCI-000366
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-020710