From 52b2313e3966edbce04acb96010cebe673724656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 19 Jan 2024 15:37:00 +0100
Subject: [PATCH] Improve CIS 6.2.11

The rule accounts_user_dot_no_world_writable_programs is not aligned with the policy requirement, it checks permissions of files executed by the dot files. Also, we should clarify the situation about remediation of .forward and .rhost files.
---
 controls/cis_rhel7.yml | 10 +++++++++-
 .../accounts_user_dot_group_ownership/rule.yml | 1 +
 .../accounts_user_dot_user_ownership/rule.yml | 1 +
 .../file_permission_user_init_files/rule.yml | 1 +
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index 8a1e5aa6f924..b3dbe37496f3 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -2558,10 +2558,18 @@ controls:
 levels:
 - l1_server
 - l1_workstation
+ notes: |-
+ According to the RHEL 7 CIS Benchmark guidance, the incompliant .forward
+ and .rhost files should be investigated and remediated manually.
+ However, in other profiles we remediate the rule using the automated
+ remediation.
 status: partial
 # TODO: add rule checking that .bash_history is mode 0600 or more restrictive
 rules:
- - accounts_user_dot_no_world_writable_programs
+ - accounts_user_dot_group_ownership
+ - accounts_user_dot_user_ownership
+ - file_permission_user_init_files
+ - var_user_initialization_files_regex=all_dotfiles
 - no_forward_files
 - no_rsh_trust_files
 - accounts_users_netrc_file_permissions
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index abf32c96434f..b0706486be39 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
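Review bot: The `file_permission_user_init_files` rule added to the `rules:` list appears to be the STIG rule (the last hunk tags it `stigid@ol7: OL07-00-020710`), and if it enforces the STIG's mode threshold rather than the benchmark's "not group or world writable" condition, this control becomes stricter than CIS 6.2.11 and will report benchmark-compliant dot files (e.g. mode 0755) as failures; worth confirming the rule's threshold and, if it differs, stating that in the `notes:` block next to the existing caveat. The `notes:` text refers to `.rhost` files while the rule selected is `no_rsh_trust_files` and the rsh trust file is conventionally named `.rhosts`, so `and .rhosts files should be investigated and remediated manually.` would avoid ambiguity about which file is meant. "In other profiles we remediate the rule using the automated remediation" also does not say which rules the automated remediation covers or what it does to the files; naming them, e.g. `However, in other profiles no_forward_files and no_rsh_trust_files are remediated automatically.`, makes the scope of the manual-review caveat clear to whoever runs this profile.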
@@ -26,6 +26,7 @@ identifiers:
 cce@sle15: CCE-91408-5

 references:
+ cis@rhel7: 6.2.11
 cis@sle12: 6.2.8
 cis@sle15: 6.2.8
 cis@ubuntu2004: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
index 1c1fb61fdcf8..e06f08f4221a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 cce@sle15: CCE-91409-3

 references:
+ cis@rhel7: 6.2.11
 cis@sle12: 6.2.8
 cis@sle15: 6.2.8
 cis@ubuntu2004: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index eed6623b4fd1..08d042de1c12 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@sle15: CCE-85630-2

 references:
+ cis@rhel7: 6.2.11
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020710