From 4bfe06272e5ef76c9e44deb6cad2f61ccd0b63c3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 14 Jun 2026 15:48:03 +0000 Subject: [PATCH] Update NIST 800-53 CIS reference from latest mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This automated update regenerates the CIS→NIST reference file from the latest OSCAL catalog and CIS benchmark mappings. Changes: +342/-321 lines in CIS reference files ⚠️ MANUAL ACTION REQUIRED: Review the diff and manually update the product control files. Generated by: Weekly NIST 800-53 Sync Workflow Co-Authored-By: github-actions[bot] --- .../nist_800_53_cis_reference_rhel10/ac.yml | 15 +-- .../nist_800_53_cis_reference_rhel10/au.yml | 28 +---- .../nist_800_53_cis_reference_rhel10/cm.yml | 41 ------- .../nist_800_53_cis_reference_rhel10/ia.yml | 26 +---- .../other.yml | 107 ++++++++++++++++++ .../nist_800_53_cis_reference_rhel10/sc.yml | 6 +- .../nist_800_53_cis_reference_rhel8/ac.yml | 14 --- .../nist_800_53_cis_reference_rhel8/au.yml | 26 +---- .../nist_800_53_cis_reference_rhel8/cm.yml | 44 ------- .../nist_800_53_cis_reference_rhel8/ia.yml | 29 +---- .../nist_800_53_cis_reference_rhel8/other.yml | 106 +++++++++++++++++ .../nist_800_53_cis_reference_rhel8/sc.yml | 6 +- .../nist_800_53_cis_reference_rhel9/ac.yml | 15 +-- .../nist_800_53_cis_reference_rhel9/au.yml | 26 +---- .../nist_800_53_cis_reference_rhel9/cm.yml | 39 ------- .../nist_800_53_cis_reference_rhel9/ia.yml | 26 +---- .../nist_800_53_cis_reference_rhel9/other.yml | 103 +++++++++++++++++ .../nist_800_53_cis_reference_rhel9/sc.yml | 6 +- 18 files changed, 342 insertions(+), 321 deletions(-) create mode 100644 shared/references/controls/nist_800_53_cis_reference_rhel10/other.yml create mode 100644 shared/references/controls/nist_800_53_cis_reference_rhel8/other.yml create mode 100644 shared/references/controls/nist_800_53_cis_reference_rhel9/other.yml 
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
index e052dceaf7a..35774c93d3f 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
@@ -41,12 +41,9 @@ controls:
 levels:
 - moderate
 rules:
- - accounts_tmout
 - no_invalid_shell_accounts_unlocked
 - no_password_auth_for_systemaccounts
 - no_shelllogin_for_systemaccounts
- - inactivity_timeout_value=15_minutes
- - var_accounts_tmout=15_min
 status: automated
 - id: ac-2.6
 title: Dynamic Privilege Management
@@ -210,6 +207,7 @@ controls:
 - package_libselinux_installed
 - package_mcstrans_removed
 - package_setroubleshoot_removed
+ - rsyslog_filecreatemode
 - rsyslog_files_groupownership
 - rsyslog_files_ownership
 - rsyslog_files_permissions
@@ -219,9 +217,6 @@ controls:
 - sysctl_fs_protected_hardlinks
 - sysctl_fs_protected_symlinks
 - use_pam_wheel_group_for_su
- - var_accounts_user_umask=027
- - var_pam_wheel_group_for_su=cis
- - var_selinux_policy_name=targeted
 status: automated
 - id: ac-3.1
 title: Restricted Access to Privileged Functions
@@ -497,13 +492,6 @@ controls:
 rules:
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
- - accounts_passwords_pam_faillock_unlock_time_with_zero
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_dir=run
- - var_accounts_passwords_pam_faillock_root_unlock_time=60
- - var_accounts_passwords_pam_faillock_unlock_time=900
 status: automated
 - id: ac-7.1
 title: Automatic Account Lock
@@ -564,7 +552,6 @@ controls:
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
- - var_screensaver_lock_delay=5_seconds
 status: automated
 - id: ac-11.1
 title: Pattern-hiding Displays
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
index 5708017ad86..ee3db4284b9 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
@@ -22,7 +22,6 @@ controls:
 - auditd_data_retention_action_mail_acct
 - auditd_data_retention_admin_space_left_action
 - auditd_data_retention_space_left_action
- - ensure_journald_and_rsyslog_not_active_together
 - grub2_audit_backlog_limit_argument
 - journald_disable_forward_to_syslog
 - package_aide_installed
@@ -33,10 +32,6 @@ controls:
 - service_systemd-journal-upload_enabled
 - service_systemd-journald_enabled
 - socket_systemd-journal-remote_disabled
- - var_audit_backlog_limit=8192
- - var_auditd_action_mail_acct=root
- - var_auditd_admin_space_left_action=cis_rhel10
- - var_auditd_space_left_action=cis_rhel10
 status: automated
 - id: au-2.1
 title: Compilation of Audit Records from Multiple Sources
@@ -113,7 +108,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - chronyd_run_as_chrony_user
 - chronyd_specify_remote_server
 - directory_permissions_var_log_audit
 - file_groupownership_audit_binaries
@@ -125,8 +119,6 @@ controls:
 - sudo_custom_logfile
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
- - sshd_max_auth_tries_value=4
- - var_multiple_time_servers=rhel
 status: automated
 - id: au-3.1
 title: Additional Audit Information
@@ -160,8 +152,6 @@ controls:
 rules:
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
- - var_auditd_disk_error_action=cis_rhel10
- - var_auditd_disk_full_action=cis_rhel10
 status: automated
 - id: au-5.1
 title: Storage Capacity Warning
@@ -264,8 +254,6 @@ controls:
 rules:
 - auditd_data_retention_max_log_file
 - auditd_data_retention_max_log_file_action
- - var_auditd_max_log_file=8
- - var_auditd_max_log_file_action=keep_logs
 status: automated
 - id: au-8.1
 title: Synchronization with Authoritative Time Source
@@ -281,9 +269,6 @@ controls:
 - low
 rules:
 - audit_rules_immutable
- - file_groupownership_audit_configuration
- - file_ownership_audit_binaries
- - file_ownership_audit_configuration
 status: automated
 - id: au-9.1
 title: Hardware Write-once Media
@@ -299,17 +284,14 @@ controls:
 title: Cryptographic Protection
 levels:
 - high
- rules:
- - aide_check_audit_tools
- status: automated
+ rules: []
+ status: pending
 - id: au-9.4
 title: Access by Subset of Privileged Users
 levels:
 - moderate
- rules:
- - file_group_ownership_var_log_audit
- - file_permissions_var_log_audit
- status: automated
+ rules: []
+ status: pending
 - id: au-9.5
 title: Dual Authorization
 rules: []
@@ -377,7 +359,6 @@ controls:
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_dac_modification_removexattr
 - audit_rules_dac_modification_setxattr
- - audit_rules_continue_loading
 - audit_rules_execution_chcon
 - audit_rules_file_deletion_events_rename
 - audit_rules_file_deletion_events_renameat
@@ -407,7 +388,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - audit_sudo_log_events
 - file_permissions_audit_configuration
 - grub2_audit_argument
 - service_auditd_enabled
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
index d43e634aaa4..3fdf322b55b 100644
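Review bot: In the `@@ -299,17 +284,14 @@` hunk, au-9.3 (Cryptographic Protection) and au-9.4 (Access by Subset of Privileged Users) go from `status: automated` with concrete rules to `rules: []` / `status: pending`, which tells a consumer there is no automated coverage even though `aide_check_audit_tools`, `file_group_ownership_var_log_audit` and `file_permissions_var_log_audit` still exist and reappear in the new other.yml under `CIS_UNMAPPED`. From there they are only pulled in by `nist_800_53:all`; a profile that selects `nist_800_53:au-9.3` or `au-9.4` by control id silently loses them. The same demotion happens to ia-4 in ia.yml, to sc-7 (Boundary Protection, losing `service_firewalld_enabled`) in sc.yml, and to the rhel8 copies of all three. Before doing the manual product-control update the commit asks for, confirm against the mapping source that the current benchmark really no longer maps these rules and that this is not a generator regression; if the demotion is intended, a line such as `notes: rules moved to other.yml (CIS_UNMAPPED) by the weekly sync` on each affected control would keep the history discoverable.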
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
@@ -62,13 +62,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
- - sshd_idle_timeout_value=5_minutes
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
- - var_accounts_maximum_age_login_defs=365
- - var_sshd_max_sessions=10
- - var_sshd_set_keepalive=1
- - var_sshd_set_maxstartups=10:30:60
- - var_user_initialization_files_regex=all_dotfiles
 status: automated
 - id: cm-2
 title: Baseline Configuration
@@ -227,7 +220,6 @@ controls:
 - banner_etc_motd_cis
 - coredump_disable_backtraces
 - coredump_disable_storage
- - dconf_db_up_to_date
 - dconf_gnome_disable_user_list
 - disable_host_auth
 - disable_users_coredumps
@@ -256,7 +248,6 @@ controls:
 - service_rpcbind_disabled
 - sshd_disable_gssapi_auth
 - sshd_set_login_grace_time
- - sysctl_fs_suid_dumpable
 - sysctl_kernel_kptr_restrict
 - sysctl_kernel_randomize_va_space
 - sysctl_kernel_yama_ptrace_scope
@@ -285,32 +276,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
 - sysctl_net_ipv6_conf_default_forwarding
- - cis_banner_text=cis
- - dconf_login_banner_contents=cis_default
- - dconf_login_banner_text=cis_banners
- - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_forwarding_value=disabled
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_default_forwarding_value=disabled
- - var_accounts_user_umask=027
- - var_sshd_set_login_grace_time=60
 status: automated
 - id: cm-6.1
 title: Automated Management, Application, and Verification
@@ -338,7 +303,6 @@ controls:
 - low
 rules:
 - dconf_gnome_disable_autorun
- - disable_weak_deps
 - file_ownership_var_log_audit_stig
 - has_nonlocal_mta
 - kernel_module_atm_disabled
@@ -366,14 +330,11 @@ controls:
 - package_cyrus-imapd_removed
 - package_dovecot_removed
 - package_ftp_removed
- - package_gdm_removed
 - package_httpd_removed
 - package_kea_removed
 - package_net-snmp_removed
 - package_nginx_removed
 - package_openldap-clients_removed
- - package_postfix_installed
- - package_sequoia-sq_installed
 - package_telnet-server_removed
 - package_telnet_removed
 - package_tftp-server_removed
@@ -393,8 +354,6 @@ controls:
 - service_dnsmasq_disabled
 - sshd_disable_forwarding
 - wireless_disable_interfaces
- - xwayland_disabled
- - var_postfix_inet_interfaces=loopback-only
 status: automated
 - id: cm-7.1
 title: Periodic Review
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
index 25435cbd93b..5771ce3c383 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
@@ -104,11 +104,8 @@ controls:
 title: Identifier Management
 levels:
 - low
- rules:
- - account_disable_post_pw_expiration
- - accounts_set_post_pw_existing
- - var_account_disable_post_pw_expiration=45
- status: automated
+ rules: []
+ status: pending
 - id: ia-4.1
 title: Prohibit Account Identifiers as Public Identifiers
 rules: []
@@ -154,7 +151,6 @@ controls:
 rules:
 - accounts_minimum_age_login_defs
 - accounts_password_all_shadowed
- - accounts_password_last_change_is_in_past
 - accounts_password_pam_dictcheck
 - accounts_password_pam_difok
 - accounts_password_pam_enforce_root
@@ -162,28 +158,14 @@ controls:
 - accounts_password_pam_maxsequence
 - accounts_password_pam_minclass
 - accounts_password_pam_minlen
- - accounts_password_pam_modules_in_authselect_profile
 - accounts_password_pam_pwhistory_enforce_for_root
 - accounts_password_pam_pwhistory_use_authtok
 - accounts_password_pam_unix_authtok
 - accounts_password_set_min_life_existing
- - accounts_password_set_warn_age_existing
- - accounts_password_warn_age_login_defs
- - ensure_root_password_configured
 - no_empty_passwords_etc_shadow
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth
- - var_accounts_minimum_age_login_defs=1
- - var_accounts_password_warn_age_login_defs=7
- - var_password_hashing_algorithm=cis_rhel10
- - var_password_hashing_algorithm_pam=cis_rhel10
- - var_password_pam_dictcheck=1
- - var_password_pam_difok=2
- - var_password_pam_maxrepeat=3
- - var_password_pam_maxsequence=3
- - var_password_pam_minclass=4
- - var_password_pam_minlen=14
 status: automated
 - id: ia-5.1
 title: Password-based Authentication
@@ -193,9 +175,6 @@ controls:
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
 - accounts_password_pam_unix_enabled
- - accounts_password_pam_unix_no_remember
- - var_password_pam_remember=24
- - var_password_pam_remember_control_flag=requisite_or_required
 status: automated
 - id: ia-5.2
 title: Public Key-based Authentication
@@ -339,7 +318,6 @@ controls:
 - low
 rules:
 - sudo_require_reauthentication
- - var_sudo_timestamp_timeout=15_minutes
 status: automated
 - id: ia-12
 title: Identity Proofing
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/other.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/other.yml
new file mode 100644
index 00000000000..36cf7186fe2
--- /dev/null
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/other.yml
@@ -0,0 +1,107 @@
+# NIST 800-53 OTHER Family: CIS Items Without NIST Mapping
+controls:
+ - id: CIS_UNMAPPED
+ title: CIS Benchmark Items Without NIST 800-53 Mapping
+ notes: |
+ These CIS items do not have explicit NIST 800-53 mappings in the benchmark PDFs.
+ They are included here to ensure complete CIS coverage when using nist_800_53:all.
+ rules:
+ - account_disable_post_pw_expiration
+ - accounts_password_last_change_is_in_past
+ - accounts_password_pam_modules_in_authselect_profile
+ - accounts_password_pam_unix_no_remember
+ - accounts_password_set_warn_age_existing
+ - accounts_password_warn_age_login_defs
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time_with_zero
+ - accounts_set_post_pw_existing
+ - accounts_tmout
+ - aide_check_audit_tools
+ - audit_rules_continue_loading
+ - audit_sudo_log_events
+ - chronyd_run_as_chrony_user
+ - cis_banner_text=cis
+ - dconf_db_up_to_date
+ - dconf_login_banner_contents=cis_default
+ - dconf_login_banner_text=cis_banners
+ - disable_weak_deps
+ - ensure_journald_and_rsyslog_not_active_together
+ - ensure_root_password_configured
+ - file_group_ownership_var_log_audit
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_binaries
+ - file_ownership_audit_configuration
+ - file_permissions_var_log_audit
+ - inactivity_timeout_value=15_minutes
+ - package_gdm_removed
+ - package_postfix_installed
+ - package_sequoia-sq_installed
+ - service_firewalld_enabled
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_max_auth_tries_value=4
+ - sysctl_fs_suid_dumpable
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+ - var_account_disable_post_pw_expiration=45
+ - var_accounts_maximum_age_login_defs=365
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_password_warn_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_dir=run
+ - var_accounts_passwords_pam_faillock_root_unlock_time=60
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_tmout=15_min
+ - var_accounts_user_umask=027
+ - var_audit_backlog_limit=8192
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=cis_rhel10
+ - var_auditd_disk_error_action=cis_rhel10
+ - var_auditd_disk_full_action=cis_rhel10
+ - var_auditd_max_log_file=8
+ - var_auditd_max_log_file_action=keep_logs
+ - var_auditd_space_left_action=cis_rhel10
+ - var_multiple_time_servers=rhel
+ - var_pam_wheel_group_for_su=cis
+ - var_password_hashing_algorithm=cis_rhel10
+ - var_password_hashing_algorithm_pam=cis_rhel10
+ - var_password_pam_dictcheck=1
+ - var_password_pam_difok=2
+ - var_password_pam_maxrepeat=3
+ - var_password_pam_maxsequence=3
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+ - var_password_pam_remember=24
+ - var_password_pam_remember_control_flag=requisite_or_required
+ - var_postfix_inet_interfaces=loopback-only
+ - var_screensaver_lock_delay=5_seconds
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - var_sshd_max_sessions=10
+ - var_sshd_set_keepalive=1
+ - var_sshd_set_login_grace_time=60
+ - var_sshd_set_maxstartups=10:30:60
+ - var_sudo_timestamp_timeout=15_minutes
+ - var_user_initialization_files_regex=all_dotfiles
+ - xwayland_disabled
+ status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/sc.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/sc.yml
index 1cea755d3a4..6dfd04888b9 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/sc.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/sc.yml
@@ -28,7 +28,6 @@ controls:
 rules:
 - selinux_not_disabled
 - selinux_state
- - var_selinux_state=enforcing
 status: automated
 - id: sc-3.1
 title: Hardware Separation
@@ -93,9 +92,8 @@ controls:
 title: Boundary Protection
 levels:
 - low
- rules:
- - service_firewalld_enabled
- status: automated
+ rules: []
+ status: pending
 - id: sc-7.1
 title: Physically Separated Subnetworks
 rules: []
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
index 78c4fc76330..626d2184c4b 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
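Review bot: The new other.yml gives no hint that it is machine-generated, yet the commit message says it comes from the Weekly NIST 800-53 Sync Workflow, so any hand edit made here during the requested manual review will be overwritten on the next run. Add a header comment right after the family line, e.g. `# Generated by the Weekly NIST 800-53 Sync Workflow from the CIS benchmark mappings; do not edit by hand.` The same applies to the rhel8 and rhel9 copies the diffstat lists. Minor: `notes: |` keeps a trailing newline in the value; `|-` would match the two-sentence intent of the text.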
@@ -41,12 +41,9 @@ controls:
 levels:
 - moderate
 rules:
- - accounts_tmout
 - no_invalid_shell_accounts_unlocked
 - no_password_auth_for_systemaccounts
 - no_shelllogin_for_systemaccounts
- - inactivity_timeout_value=15_minutes
- - var_accounts_tmout=15_min
 status: automated
 - id: ac-2.6
 title: Dynamic Privilege Management
@@ -224,9 +221,6 @@ controls:
 - sysctl_fs_protected_hardlinks
 - sysctl_fs_protected_symlinks
 - use_pam_wheel_group_for_su
- - var_accounts_user_umask=027
- - var_pam_wheel_group_for_su=cis
- - var_selinux_policy_name=targeted
 status: automated
 - id: ac-3.1
 title: Restricted Access to Privileged Functions
@@ -502,13 +496,6 @@ controls:
 rules:
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
- - accounts_passwords_pam_faillock_unlock_time_with_zero
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_dir=run
- - var_accounts_passwords_pam_faillock_root_unlock_time=60
- - var_accounts_passwords_pam_faillock_unlock_time=900
 status: automated
 - id: ac-7.1
 title: Automatic Account Lock
@@ -569,7 +556,6 @@ controls:
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
- - var_screensaver_lock_delay=5_seconds
 status: automated
 - id: ac-11.1
 title: Pattern-hiding Displays
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
index aba4aa5b8ec..67e0e2cdd60 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
@@ -33,9 +33,6 @@ controls:
 - service_systemd-journal-upload_enabled
 - service_systemd-journald_enabled
 - socket_systemd-journal-remote_disabled
- - var_audit_backlog_limit=8192
- - var_auditd_admin_space_left_action=cis_rhel8
- - var_auditd_space_left_action=cis_rhel8
 status: automated
 - id: au-2.1
 title: Compilation of Audit Records from Multiple Sources
@@ -106,7 +103,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - chronyd_run_as_chrony_user
 - chronyd_specify_remote_server
 - directory_permissions_var_log_audit
 - file_groupownership_audit_binaries
@@ -119,8 +115,6 @@ controls:
 - sudo_custom_logfile
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
- - sshd_max_auth_tries_value=4
- - var_multiple_time_servers=rhel
 status: automated
 - id: au-3.1
 title: Additional Audit Information
@@ -154,8 +148,6 @@ controls:
 rules:
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
- - var_auditd_disk_error_action=cis_rhel8
- - var_auditd_disk_full_action=cis_rhel8
 status: automated
 - id: au-5.1
 title: Storage Capacity Warning
@@ -258,8 +250,6 @@ controls:
 rules:
 - auditd_data_retention_max_log_file
 - auditd_data_retention_max_log_file_action
- - var_auditd_max_log_file=8
- - var_auditd_max_log_file_action=keep_logs
 status: automated
 - id: au-8.1
 title: Synchronization with Authoritative Time Source
@@ -275,9 +265,6 @@ controls:
 - low
 rules:
 - audit_rules_immutable
- - file_groupownership_audit_configuration
- - file_ownership_audit_binaries
- - file_ownership_audit_configuration
 status: automated
 - id: au-9.1
 title: Hardware Write-once Media
@@ -293,17 +280,14 @@ controls:
 title: Cryptographic Protection
 levels:
 - high
- rules:
- - aide_check_audit_tools
- status: automated
+ rules: []
+ status: pending
 - id: au-9.4
 title: Access by Subset of Privileged Users
 levels:
 - moderate
- rules:
- - file_group_ownership_var_log_audit
- - file_permissions_var_log_audit
- status: automated
+ rules: []
+ status: pending
 - id: au-9.5
 title: Dual Authorization
 rules: []
@@ -370,7 +354,6 @@ controls:
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_dac_modification_removexattr
 - audit_rules_dac_modification_setxattr
- - audit_rules_continue_loading
 - audit_rules_execution_chcon
 - audit_rules_file_deletion_events_rename
 - audit_rules_file_deletion_events_renameat
@@ -400,7 +383,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - audit_sudo_log_events
 - file_permissions_audit_configuration
 - grub2_audit_argument
 - service_auditd_enabled
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
index 84616532e88..9bfcab54c52 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
@@ -62,13 +62,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
- - sshd_idle_timeout_value=5_minutes
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
- - var_accounts_maximum_age_login_defs=365
- - var_sshd_max_sessions=10
- - var_sshd_set_keepalive=1
- - var_sshd_set_maxstartups=10:30:60
- - var_user_initialization_files_regex=all_dotfiles
 status: automated
 - id: cm-2
 title: Baseline Configuration
@@ -227,11 +220,9 @@ controls:
 - banner_etc_motd_cis
 - coredump_disable_backtraces
 - coredump_disable_storage
- - dconf_db_up_to_date
 - dconf_gnome_disable_user_list
 - disable_host_auth
 - disable_users_coredumps
- - enable_authselect
 - file_groupowner_efi_grub2_cfg
 - file_groupowner_efi_user_cfg
 - file_groupowner_grub2_cfg
@@ -267,7 +258,6 @@ controls:
 - service_rpcbind_disabled
 - sshd_disable_gssapi_auth
 - sshd_set_login_grace_time
- - sysctl_fs_suid_dumpable
 - sysctl_kernel_kptr_restrict
 - sysctl_kernel_randomize_va_space
 - sysctl_kernel_yama_ptrace_scope
@@ -296,33 +286,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
 - sysctl_net_ipv6_conf_default_forwarding
- - cis_banner_text=cis
- - dconf_login_banner_contents=cis_default
- - dconf_login_banner_text=cis_banners
- - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_forwarding_value=disabled
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_default_forwarding_value=disabled
- - var_accounts_user_umask=027
- - var_authselect_profile=sssd
- - var_sshd_set_login_grace_time=60
 status: automated
 - id: cm-6.1
 title: Automated Management, Application, and Verification
@@ -350,9 +313,7 @@ controls:
 - low
 rules:
 - dconf_gnome_disable_autorun
- - disable_weak_deps
 - file_ownership_var_log_audit_stig
- - gnome_gdm_disable_xdmcp
 - has_nonlocal_mta
 - kernel_module_atm_disabled
 - kernel_module_can_disabled
@@ -375,18 +336,15 @@ controls:
 - mount_option_tmp_nodev
 - mount_option_tmp_noexec
 - mount_option_tmp_nosuid
- - package_authselect_installed
 - package_bind_removed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dovecot_removed
 - package_ftp_removed
- - package_gdm_removed
 - package_httpd_removed
 - package_net-snmp_removed
 - package_nginx_removed
 - package_openldap-clients_removed
- - package_pam_installed
 - package_telnet-server_removed
 - package_telnet_removed
 - package_tftp-server_removed
@@ -409,8 +367,6 @@ controls:
 - service_dnsmasq_disabled
 - sshd_disable_forwarding
 - wireless_disable_interfaces
- - xwayland_disabled
- - var_postfix_inet_interfaces=loopback-only
 status: automated
 - id: cm-7.1
 title: Periodic Review
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
index 11c56277f99..56cf85dba52 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
@@ -104,11 +104,8 @@ controls:
 title: Identifier Management
 levels:
 - low
- rules:
- - account_disable_post_pw_expiration
- - accounts_set_post_pw_existing
- - var_account_disable_post_pw_expiration=45
- status: automated
+ rules: []
+ status: pending
 - id: ia-4.1
 title: Prohibit Account Identifiers as Public Identifiers
 rules: []
@@ -152,38 +149,20 @@ controls:
 levels:
 - low
 rules:
- - accounts_minimum_age_login_defs
 - accounts_password_all_shadowed
- - accounts_password_last_change_is_in_past
 - accounts_password_pam_dictcheck
 - accounts_password_pam_difok
 - accounts_password_pam_enforce_root
 - accounts_password_pam_maxrepeat
 - accounts_password_pam_maxsequence
- - accounts_password_pam_minclass
 - accounts_password_pam_minlen
- - accounts_password_pam_modules_in_authselect_profile
 - accounts_password_pam_pwhistory_enforce_for_root
 - accounts_password_pam_pwhistory_use_authtok
 - accounts_password_pam_unix_authtok
- - accounts_password_set_min_life_existing
- - accounts_password_set_warn_age_existing
- - accounts_password_warn_age_login_defs
- - ensure_root_password_configured
 - no_empty_passwords_etc_shadow
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth
- - var_accounts_minimum_age_login_defs=1
- - var_accounts_password_warn_age_login_defs=7
- - var_password_hashing_algorithm=cis_rhel8
- - var_password_hashing_algorithm_pam=cis_rhel8
- - var_password_pam_dictcheck=1
- - var_password_pam_difok=2
- - var_password_pam_maxrepeat=3
- - var_password_pam_maxsequence=3
- - var_password_pam_minclass=4
- - var_password_pam_minlen=14
 status: automated
 - id: ia-5.1
 title: Password-based Authentication
@@ -193,9 +172,6 @@ controls:
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
 - accounts_password_pam_unix_enabled
- - accounts_password_pam_unix_no_remember
- - var_password_pam_remember=24
- - var_password_pam_remember_control_flag=requisite_or_required
 status: automated
 - id: ia-5.2
 title: Public Key-based Authentication
@@ -339,7 +315,6 @@ controls:
 - low
 rules:
 - sudo_require_reauthentication
- - var_sudo_timestamp_timeout=15_minutes
 status: automated
 - id: ia-12
 title: Identity Proofing
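Review bot: In the `@@ -152,38 +149,20 @@` hunk, ia-5 loses `accounts_minimum_age_login_defs`, `accounts_password_pam_minclass`, `accounts_password_set_min_life_existing` and `var_accounts_minimum_age_login_defs=1`, and unlike every other entry removed from this file they do not reappear in the new rhel8 other.yml: that list looks alphabetically sorted, and the slots where the four would sort (right after `account_disable_post_pw_expiration`, before `accounts_password_pam_modules_in_authselect_profile`, before `accounts_password_set_warn_age_existing`, and between `var_accounts_maximum_age_login_defs=365` and `var_accounts_password_warn_age_login_defs=7`) are all empty, well before the point where the hunk is cut off. The rhel10 counterpart keeps all four (the three rules stay in its ia-5 and the variable is in its other.yml), so this reads as an rhel8-only loss of minimum-password-age and character-class coverage rather than a deliberate change. Check whether the rhel8 benchmark mapping really dropped them; if not, the generator input needs fixing before the product control files are updated from this reference.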
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/other.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/other.yml
new file mode 100644
index 00000000000..b55ad66d222
--- /dev/null
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/other.yml
@@ -0,0 +1,106 @@
+# NIST 800-53 OTHER Family: CIS Items Without NIST Mapping
+controls:
+ - id: CIS_UNMAPPED
+ title: CIS Benchmark Items Without NIST 800-53 Mapping
+ notes: |
+ These CIS items do not have explicit NIST 800-53 mappings in the benchmark PDFs.
+ They are included here to ensure complete CIS coverage when using nist_800_53:all.
+ rules:
+ - account_disable_post_pw_expiration
+ - accounts_password_last_change_is_in_past
+ - accounts_password_pam_modules_in_authselect_profile
+ - accounts_password_pam_unix_no_remember
+ - accounts_password_set_warn_age_existing
+ - accounts_password_warn_age_login_defs
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time_with_zero
+ - accounts_set_post_pw_existing
+ - accounts_tmout
+ - aide_check_audit_tools
+ - audit_rules_continue_loading
+ - audit_sudo_log_events
+ - chronyd_run_as_chrony_user
+ - cis_banner_text=cis
+ - dconf_db_up_to_date
+ - dconf_login_banner_contents=cis_default
+ - dconf_login_banner_text=cis_banners
+ - disable_weak_deps
+ - enable_authselect
+ - ensure_root_password_configured
+ - file_group_ownership_var_log_audit
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_binaries
+ - file_ownership_audit_configuration
+ - file_permissions_var_log_audit
+ - gnome_gdm_disable_xdmcp
+ - inactivity_timeout_value=15_minutes
+ - package_authselect_installed
+ - package_gdm_removed
+ - package_pam_installed
+ - service_firewalld_enabled
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_max_auth_tries_value=4
+ - sysctl_fs_suid_dumpable
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - 
sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+ - var_account_disable_post_pw_expiration=45
+ - var_accounts_maximum_age_login_defs=365
+ - var_accounts_password_warn_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_dir=run
+ - var_accounts_passwords_pam_faillock_root_unlock_time=60
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_tmout=15_min
+ - var_accounts_user_umask=027
+ - var_audit_backlog_limit=8192
+ - var_auditd_admin_space_left_action=cis_rhel8
+ - var_auditd_disk_error_action=cis_rhel8
+ - var_auditd_disk_full_action=cis_rhel8
+ - var_auditd_max_log_file=8
+ - var_auditd_max_log_file_action=keep_logs
+ - var_auditd_space_left_action=cis_rhel8
+ - var_authselect_profile=sssd
+ - var_multiple_time_servers=rhel
+ - var_pam_wheel_group_for_su=cis
+ - var_password_hashing_algorithm=cis_rhel8
+ - var_password_hashing_algorithm_pam=cis_rhel8
+ - var_password_pam_dictcheck=1
+ - var_password_pam_difok=2
+ - 
var_password_pam_maxrepeat=3
+ - var_password_pam_maxsequence=3
+ - var_password_pam_minlen=14
+ - var_password_pam_remember=24
+ - var_password_pam_remember_control_flag=requisite_or_required
+ - var_postfix_inet_interfaces=loopback-only
+ - var_screensaver_lock_delay=5_seconds
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - var_sshd_max_sessions=10
+ - var_sshd_set_keepalive=1
+ - var_sshd_set_login_grace_time=60
+ - var_sshd_set_maxstartups=10:30:60
+ - var_sudo_timestamp_timeout=15_minutes
+ - var_user_initialization_files_regex=all_dotfiles
+ - xwayland_disabled
+ status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/sc.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/sc.yml
index 1cea755d3a4..6dfd04888b9 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/sc.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/sc.yml
@@ -28,7 +28,6 @@ controls:
 rules:
 - selinux_not_disabled
 - selinux_state
- - var_selinux_state=enforcing
 status: automated
 - id: sc-3.1
 title: Hardware Separation
@@ -93,9 +92,8 @@ controls:
 title: Boundary Protection
 levels:
 - low
- rules:
- - service_firewalld_enabled
- status: automated
+ rules: []
+ status: pending
 - id: sc-7.1
 title: Physically Separated Subnetworks
 rules: []
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
index 7e4e5d5edd9..980877dd637 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
@@ -41,12 +41,9 @@ controls:
 levels:
 - moderate
 rules:
- - accounts_tmout
 - no_invalid_shell_accounts_unlocked
 - no_password_auth_for_systemaccounts
 - no_shelllogin_for_systemaccounts
- - inactivity_timeout_value=15_minutes
- - var_accounts_tmout=15_min
 status: automated
 - id: ac-2.6
 title: Dynamic Privilege Management
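Review bot: The `notes` text in the new rhel8 other.yml states these items "do not have explicit NIST 800-53 mappings", but this same commit removes many of them from specific controls — `service_firewalld_enabled` from sc-7, `var_selinux_state=enforcing` from sc-3, the `accounts_passwords_pam_faillock_*` rules from ac-7 — so a reader of the file alone gets a misleading picture of why they sit here. Reword the first note line to `These CIS items are not mapped to a NIST 800-53 control in the current mapping source; earlier revisions of these files placed some of them under specific controls.` and keep the second line as is. The pseudo-control `id: CIS_UNMAPPED` also does not follow the `family-number` pattern of every other id in these files, so a consumer that validates ids against the OSCAL catalog may reject or silently skip it; a comment above the entry such as `# Synthetic id, intentionally outside the 800-53 catalog` would make that deliberate. The rhel9 other.yml hunk has the identical header and needs the same wording.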
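Review bot: In the rhel8 sc.yml hunk @@ -93,9, sc-7 Boundary Protection flips from `status: automated` with `service_firewalld_enabled` to `rules: []` / `status: pending`, although the rule still exists and is now listed under CIS_UNMAPPED in other.yml. If these reference files are used to select controls individually (e.g. `nist_800_53:sc-7`) rather than via `all`, that selection stops covering the firewall and reports the control as unimplemented — a coverage regression rather than a neutral re-classification. The same automated-to-pending flip happens to au-9.3 and au-9.4 in the rhel9 au.yml hunk @@ -293,17, to ia-4 in the rhel9 ia.yml hunk @@ -104,11 and to sc-7 in the rhel9 sc.yml hunk @@ -92,9. Until the manual review the commit message calls for has happened, keeping the previous rule under the control with a comment such as `# retained from prior revision; absent from current CIS mapping` would preserve coverage and still make the discrepancy visible.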
@@ -203,6 +200,7 @@ controls:
 - package_libselinux_installed
 - package_mcstrans_removed
 - package_setroubleshoot_removed
+ - rsyslog_filecreatemode
 - rsyslog_files_groupownership
 - rsyslog_files_ownership
 - rsyslog_files_permissions
@@ -210,9 +208,6 @@ controls:
 - selinux_policytype
 - sshd_limit_user_access
 - use_pam_wheel_group_for_su
- - var_accounts_user_umask=027
- - var_pam_wheel_group_for_su=cis
- - var_selinux_policy_name=targeted
 status: automated
 - id: ac-3.1
 title: Restricted Access to Privileged Functions
@@ -488,13 +483,6 @@ controls:
 rules:
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_dir=run
- - var_accounts_passwords_pam_faillock_root_unlock_time=60
- - var_accounts_passwords_pam_faillock_unlock_time=900
 status: automated
 - id: ac-7.1
 title: Automatic Account Lock
@@ -555,7 +543,6 @@ controls:
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
- - var_screensaver_lock_delay=5_seconds
 status: automated
 - id: ac-11.1
 title: Pattern-hiding Displays
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
index 0f98811a7f5..9a4568aab14 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
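Review bot: In the rhel9 ac.yml hunk @@ -488,13, ac-7 Unsuccessful Logon Attempts keeps `status: automated` but is left with only `account_password_pam_faillock_password_auth` and `account_password_pam_faillock_system_auth`, while the threshold and unlock-time checks (`accounts_passwords_pam_faillock_deny`, `accounts_passwords_pam_faillock_unlock_time`, `accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time`) and their `var_accounts_passwords_pam_faillock_*` values all move to CIS_UNMAPPED. Selecting ac-7 on its own therefore no longer verifies the lockout policy the control is about; either keep those rules under ac-7 or change the line to `status: partial` until the mapping is re-examined. The same decoupling of a variable from the rule it parameterizes appears in the rhel9 cm.yml hunk @@ -279,31, where the `sysctl_net_ipv4_*` / `sysctl_net_ipv6_*` rules stay under cm-6 but their `_value=` settings move out, and in the rhel9 ia.yml hunk @@ -162,27, where `accounts_password_pam_minclass` stays under ia-5 but `var_password_pam_minclass=4` moves out. A rule evaluated without its CIS value presumably falls back to the product default, so the retained mapping then no longer asserts the benchmark's setting.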
@@ -30,10 +30,6 @@ controls:
 - service_auditd_enabled
 - service_systemd-journald_enabled
 - socket_systemd-journal-remote_disabled
- - var_audit_backlog_limit=8192
- - var_auditd_action_mail_acct=root
- - var_auditd_admin_space_left_action=cis_rhel9
- - var_auditd_space_left_action=cis_rhel9
 status: automated
 - id: au-2.1
 title: Compilation of Audit Records from Multiple Sources
@@ -106,7 +102,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - chronyd_run_as_chrony_user
 - chronyd_specify_remote_server
 - directory_permissions_var_log_audit
 - file_groupownership_audit_binaries
@@ -119,8 +114,6 @@ controls:
 - sudo_custom_logfile
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
- - sshd_max_auth_tries_value=4
- - var_multiple_time_servers=rhel
 status: automated
 - id: au-3.1
 title: Additional Audit Information
@@ -154,8 +147,6 @@ controls:
 rules:
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
- - var_auditd_disk_error_action=cis_rhel9
- - var_auditd_disk_full_action=cis_rhel9
 status: automated
 - id: au-5.1
 title: Storage Capacity Warning
@@ -258,8 +249,6 @@ controls:
 rules:
 - auditd_data_retention_max_log_file
 - auditd_data_retention_max_log_file_action
- - var_auditd_max_log_file=6
- - var_auditd_max_log_file_action=keep_logs
 status: automated
 - id: au-8.1
 title: Synchronization with Authoritative Time Source
@@ -275,9 +264,6 @@ controls:
 - low
 rules:
 - audit_rules_immutable
- - file_groupownership_audit_configuration
- - file_ownership_audit_binaries
- - file_ownership_audit_configuration
 status: automated
 - id: au-9.1
 title: Hardware Write-once Media
@@ -293,17 +279,14 @@ controls:
 title: Cryptographic Protection
 levels:
 - high
- rules:
- - aide_check_audit_tools
- status: automated
+ rules: []
+ status: pending
 - id: au-9.4
 title: Access by Subset of Privileged Users
 levels:
 - moderate
- rules:
- - file_group_ownership_var_log_audit
- - file_permissions_var_log_audit
- status: automated
+ rules: []
+ status: pending
 - id: au-9.5
 title: Dual Authorization
 rules: []
@@ -399,7 +382,6 @@ controls:
 - audit_rules_usergroup_modification_pamd
 - audit_rules_usergroup_modification_passwd
 - audit_rules_usergroup_modification_shadow
- - audit_sudo_log_events
 - file_permissions_audit_configuration
 - grub2_audit_argument
 - service_auditd_enabled
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
index 3ccb12b8cd2..deb10ee8f48 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
@@ -62,13 +62,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
- - sshd_idle_timeout_value=5_minutes
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
- - var_accounts_maximum_age_login_defs=365
- - var_sshd_max_sessions=10
- - var_sshd_set_keepalive=1
- - var_sshd_set_maxstartups=10:30:60
- - var_user_initialization_files_regex=all_dotfiles
 status: automated
 - id: cm-2
 title: Baseline Configuration
@@ -225,10 +218,8 @@ controls:
 - banner_etc_motd_cis
 - coredump_disable_backtraces
 - coredump_disable_storage
- - dconf_db_up_to_date
 - dconf_gnome_disable_user_list
 - disable_host_auth
- - enable_authselect
 - file_groupowner_grub2_cfg
 - file_groupowner_user_cfg
 - file_groupownership_sshd_private_key
@@ -279,31 +270,6 @@ controls:
 - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
- - cis_banner_text=cis
- - dconf_login_banner_contents=cis_default
- - dconf_login_banner_text=cis_banners
- - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- - var_accounts_user_umask=027
- - var_authselect_profile=sssd
- - var_sshd_set_login_grace_time=60
 status: automated
 - id: cm-6.1
 title: Automated Management, Application, and Verification
@@ -332,7 +298,6 @@ controls:
 rules:
 - dconf_gnome_disable_autorun
 - file_ownership_var_log_audit_stig
- - gnome_gdm_disable_xdmcp
 - has_nonlocal_mta
 - kernel_module_cramfs_disabled
 - kernel_module_dccp_disabled
@@ -356,12 +321,10 @@ controls:
 - package_dhcp_removed
 - package_dovecot_removed
 - package_ftp_removed
- - package_gdm_removed
 - package_httpd_removed
 - package_net-snmp_removed
 - package_nginx_removed
 - package_openldap-clients_removed
- - package_postfix_installed
 - package_telnet-server_removed
 - package_telnet_removed
 - package_tftp-server_removed
@@ -378,10 +341,8 @@ controls:
 - service_bluetooth_disabled
 - service_cups_disabled
 - service_dnsmasq_disabled
- - service_nftables_disabled
 - sshd_disable_forwarding
 - wireless_disable_interfaces
- - var_postfix_inet_interfaces=loopback-only
 status: automated
 - id: cm-7.1
 title: Periodic Review
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
index 79e8a0420c1..1373a207998 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
@@ -104,11 +104,8 @@ controls:
 title: Identifier Management
 levels:
 - low
- rules:
- - account_disable_post_pw_expiration
- - accounts_set_post_pw_existing
- - var_account_disable_post_pw_expiration=45
- status: automated
+ rules: []
+ status: pending
 - id: ia-4.1
 title: Prohibit Account Identifiers as Public Identifiers
 rules: []
@@ -154,7 +151,6 @@ controls:
 rules:
 - accounts_minimum_age_login_defs
 - accounts_password_all_shadowed
- - accounts_password_last_change_is_in_past
 - accounts_password_pam_dictcheck
 - accounts_password_pam_difok
 - accounts_password_pam_enforce_root
@@ -162,27 +158,13 @@ controls:
 - accounts_password_pam_maxsequence
 - accounts_password_pam_minclass
 - accounts_password_pam_minlen
- - accounts_password_pam_modules_in_authselect_profile
 - accounts_password_pam_pwhistory_enforce_for_root
 - accounts_password_set_min_life_existing
- - accounts_password_set_warn_age_existing
- - accounts_password_warn_age_login_defs
- - ensure_root_password_configured
 - no_empty_passwords_etc_shadow
 - set_password_hashing_algorithm_libuserconf
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth
- - var_accounts_minimum_age_login_defs=1
- - var_accounts_password_warn_age_login_defs=7
- - var_password_hashing_algorithm=SHA512
- - var_password_hashing_algorithm_pam=sha512
- - var_password_pam_dictcheck=1
- - var_password_pam_difok=2
- - var_password_pam_maxrepeat=3
- - var_password_pam_maxsequence=3
- - var_password_pam_minclass=4
- - var_password_pam_minlen=14
 status: automated
 - id: ia-5.1
 title: Password-based Authentication
@@ -191,9 +173,6 @@ controls:
 rules:
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
- - accounts_password_pam_unix_no_remember
- - var_password_pam_remember=24
- - var_password_pam_remember_control_flag=requisite_or_required
 status: automated
 - id: ia-5.2
 title: Public Key-based Authentication
@@ -337,7 +316,6 @@ controls:
 - low
 rules:
 - sudo_require_reauthentication
- - var_sudo_timestamp_timeout=15_minutes
 status: automated
 - id: ia-12
 title: Identity Proofing
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/other.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/other.yml
new file mode 100644
index 00000000000..0bef765387a
--- /dev/null
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/other.yml
@@ -0,0 +1,103 @@
+# NIST 800-53 OTHER Family: CIS Items Without NIST Mapping
+controls:
+ - id: CIS_UNMAPPED
+ title: CIS Benchmark Items Without NIST 800-53 Mapping
+ notes: |
+ These CIS items do not have explicit NIST 800-53 mappings in the benchmark PDFs.
+ They are included here to ensure complete CIS coverage when using nist_800_53:all.
+ rules:
+ - account_disable_post_pw_expiration
+ - accounts_password_last_change_is_in_past
+ - accounts_password_pam_modules_in_authselect_profile
+ - accounts_password_pam_unix_no_remember
+ - accounts_password_set_warn_age_existing
+ - accounts_password_warn_age_login_defs
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_set_post_pw_existing
+ - accounts_tmout
+ - aide_check_audit_tools
+ - audit_sudo_log_events
+ - chronyd_run_as_chrony_user
+ - cis_banner_text=cis
+ - dconf_db_up_to_date
+ - dconf_login_banner_contents=cis_default
+ - dconf_login_banner_text=cis_banners
+ - enable_authselect
+ - ensure_root_password_configured
+ - file_group_ownership_var_log_audit
+ - file_groupownership_audit_configuration
+ - file_ownership_audit_binaries
+ - file_ownership_audit_configuration
+ - file_permissions_var_log_audit
+ - gnome_gdm_disable_xdmcp
+ - inactivity_timeout_value=15_minutes
+ - package_gdm_removed
+ - package_postfix_installed
+ - service_firewalld_enabled
+ - service_nftables_disabled
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_max_auth_tries_value=4
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - 
sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - var_account_disable_post_pw_expiration=45
+ - var_accounts_maximum_age_login_defs=365
+ - var_accounts_minimum_age_login_defs=1
+ - var_accounts_password_warn_age_login_defs=7
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_dir=run
+ - var_accounts_passwords_pam_faillock_root_unlock_time=60
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_tmout=15_min
+ - var_accounts_user_umask=027
+ - var_audit_backlog_limit=8192
+ - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_disk_full_action=cis_rhel9
+ - var_auditd_max_log_file=6
+ - var_auditd_max_log_file_action=keep_logs
+ - var_auditd_space_left_action=cis_rhel9
+ - var_authselect_profile=sssd
+ - var_multiple_time_servers=rhel
+ - var_pam_wheel_group_for_su=cis
+ - var_password_hashing_algorithm=SHA512
+ - var_password_hashing_algorithm_pam=sha512
+ - var_password_pam_dictcheck=1
+ - var_password_pam_difok=2
+ - var_password_pam_maxrepeat=3
+ - var_password_pam_maxsequence=3
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+ - var_password_pam_remember=24
+ - 
var_password_pam_remember_control_flag=requisite_or_required
+ - var_postfix_inet_interfaces=loopback-only
+ - var_screensaver_lock_delay=5_seconds
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - var_sshd_max_sessions=10
+ - var_sshd_set_keepalive=1
+ - var_sshd_set_login_grace_time=60
+ - var_sshd_set_maxstartups=10:30:60
+ - var_sudo_timestamp_timeout=15_minutes
+ - var_user_initialization_files_regex=all_dotfiles
+ status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/sc.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/sc.yml
index 293932de092..ef059df1d8a 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/sc.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/sc.yml
@@ -27,7 +27,6 @@ controls:
 rules:
 - selinux_not_disabled
 - selinux_state
- - var_selinux_state=enforcing
 status: automated
 - id: sc-3.1
 title: Hardware Separation
@@ -92,9 +91,8 @@ controls:
 title: Boundary Protection
 levels:
 - low
- rules:
- - service_firewalld_enabled
- status: automated
+ rules: []
+ status: pending
 - id: sc-7.1
 title: Physically Separated Subnetworks
 rules: []