diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 80a9fd338..ddfdd487b 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -288,7 +288,7 @@ checks:
 - CCE-3977-6
 condition: any
 rules:
- - 'f:/etc/grub.conf -> !r:selinux=0;'
+ - 'f:/etc/grub.conf -> r:selinux=0;'
 # 1.4.2 Set selinux state
 - id: 5518
 title: "Set the SELinux State"
@@ -302,7 +302,7 @@ checks:
 - CCE-3999-0
 condition: any
 rules:
- - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
+ - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
 # 1.4.3 Set seliux policy
 - id: 5519
 title: "Set the SELinux Policy"
@@ -316,7 +316,7 @@ checks:
 - CCE-3624-4
 condition: any
 rules:
- - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
+ - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
 # 1.4.4 Remove SETroubleshoot
 - id: 5520
 title: "Remove SETroubleshoot"
@@ -711,8 +711,8 @@ checks:
 - CCE-4155-8
 condition: any
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 ###############################################
 # 4.2 Modify Network Parameters (Host and Router)
 ###############################################
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 6dc07b671..628f4293b 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -82,7 +82,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec;'
 # 1.1.6 Build considerations - Partition scheme.
 - id: 6004
 title: "Ensure separate partition exists for /var"
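Review bot: `'f:/etc/grub.conf -> r:selinux=0;'` reverses the polarity of this check, and the same reversal is made in @@ -711 (send_redirects `0` → `1`), in RHEL6 @@ -249 and @@ -631, SLES11 @@ -566 and SLES12 @@ -585, yet nothing in these files states which result the engine treats as a failure. The change is consistent with the untouched rules visible in the diff (`log_martians -> 0`, the fstab `!r:noexec`), which also describe the non-compliant state, so the prior rules were apparently the outliers — a comment at the head of `checks:`, e.g. `# rules describe the non-compliant state: a matching rule marks the check as failed`, would make that convention explicit and stop the next edit from flipping them back. Since `r:selinux=0` is unanchored, a commented-out kernel line also triggers it; if that matters, `'f:/etc/grub.conf -> !r:^# && r:selinux=0;'` in the style of the fstab rule keeps the match to live entries.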
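Review bot: The unanchored negation in `'f:/etc/selinux/config -> !r:SELINUX=enforcing;'` can hide a disabled SELinux: a config that keeps a commented `#SELINUX=enforcing` line next to a live `SELINUX=disabled` still contains the substring, so the negated pattern is not satisfied and the host is reported compliant; `!r:^SELINUX=enforcing` closes that gap, and the SELINUXTYPE rule in @@ -316 (`!r:^SELINUXTYPE=targeted`) plus RHEL6 @@ -262 and @@ -274 need the same anchor. Separately, the rule relies on a pattern made only of negated regexes being evaluated against the whole file — true when no line matches — whereas the same `!r:` token inside the chained fstab rule of this diff is a per-line negation; if the engine does not apply that whole-file reading, this pattern is satisfied by any comment line and the check fires on every host. That distinction deserves a comment beside the rule, e.g. `# fully negated pattern: true only when no line of the file matches`.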
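Review bot: The check whose rule changes from `!r:nodev` to `!r:noexec` has its `id:` and `title:` above the hunk, so it is not visible whether they already describe the noexec option; its position just before `# 1.1.6` suggests this is the 1.1.5 noexec check, in which case the old `nodev` pattern duplicated the earlier nodev check and the fix is right. Please confirm the title matches and that a `nodev`-on-/tmp rule still exists elsewhere in the file, otherwise this edit silently drops that control rather than correcting a copy-paste error. The enclosing check starts outside the hunk.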
@@ -249,7 +249,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/etc/grub.conf -> !r:selinux=0;'
+ - 'f:/etc/grub.conf -> r:selinux=0;'
 # 1.6.1.2 Set selinux state
 - id: 6017
 title: "Ensure the SELinux state is enforcing"
@@ -262,7 +262,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
+ - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
 # 1.6.1.3 Set seliux policy
 - id: 6018
 title: "Ensure SELinux policy is configured"
@@ -274,7 +274,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
+ - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
 # 1.6.1.4 Remove SETroubleshoot
 - id: 6019
 title: "Ensure SETroubleshoot is not installed"
@@ -631,8 +631,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
@@ -676,6 +676,7 @@ checks:
 condition: any
 rules:
 - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;'
+ - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 0;'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
 - id: 6048
 title: "Ensure broadcast ICMP requests are ignored"
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
index cff79728c..62ba7892c 100644
--- a/sca/sles/11/cis_sles11_linux_rcl.yml
+++ b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -566,8 +566,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 # Section 3.2 - Network Parameters (Host and Router)
 - id: 7044
 title: "Ensure source routed packets are not accepted"
@@ -704,7 +704,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;'
+ - 'f:/etc/ssh/sshd_config -> !r:^\s*MaxAuthTries\s+4\s*$;'
 - id: 7055
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
@@ -740,7 +740,7 @@ checks:
 - pci_dss: "4.1"
 condition: any
 rules:
- - 'f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;'
+ - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitRootLogin\.+no;'
 - id: 7058
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
@@ -752,7 +752,7 @@ checks:
 - pci_dss: "4.1"
 condition: any
 rules:
- - 'f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;'
+ - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitEmptyPasswords\.+no;'
 # Section 6.2 - User and Group Settings
 - id: 7059
 title: "Ensure password fields are not empty"
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index c73f7ad1c..f71be20f9 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
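Review bot: Replacing `$sshd_file` with the literal `/etc/ssh/sshd_config` in the MaxAuthTries rule (and likewise in @@ -740 and @@ -752) leaves the variable's status unresolved: if a `variables:` block near the top of this file still declares `$sshd_file`, it is now either dead or used only by the checks this diff does not touch — 7055 to 7057 sit between these hunks and their rules are not shown — which mixes two spellings of the same path in one policy; if it was never declared, the old rules referenced an undefined variable, and that is the actual defect worth stating in the commit message. Either finish the migration by removing the declaration and every remaining `$sshd_file` reference in the file, or keep the variable and revert these three lines to it. The enclosing check's `id:` and `title:` lines start outside the hunk.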
@@ -585,8 +585,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 # Section 3.2 - Network Parameters (Host and Router)
 - id: 7545
 title: "Ensure source routed packets are not accepted"