Expand Up @@ -41,12 +41,9 @@ controls:
levels:
- moderate
rules:
- accounts_tmout
- no_invalid_shell_accounts_unlocked
- no_password_auth_for_systemaccounts
- no_shelllogin_for_systemaccounts
- inactivity_timeout_value=15_minutes
- var_accounts_tmout=15_min
status: automated
- id: ac-2.6
title: Dynamic Privilege Management
Expand Down Expand Up @@ -210,6 +207,7 @@ controls:
- package_libselinux_installed
- package_mcstrans_removed
- package_setroubleshoot_removed
- rsyslog_filecreatemode
- rsyslog_files_groupownership
- rsyslog_files_ownership
- rsyslog_files_permissions
Expand All @@ -219,9 +217,6 @@ controls:
- sysctl_fs_protected_hardlinks
- sysctl_fs_protected_symlinks
- use_pam_wheel_group_for_su
- var_accounts_user_umask=027
- var_pam_wheel_group_for_su=cis
- var_selinux_policy_name=targeted
status: automated
- id: ac-3.1
title: Restricted Access to Privileged Functions
Expand Down Expand Up @@ -497,13 +492,6 @@ controls:
rules:
- account_password_pam_faillock_password_auth
- account_password_pam_faillock_system_auth
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
- accounts_passwords_pam_faillock_unlock_time_with_zero
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_passwords_pam_faillock_dir=run
- var_accounts_passwords_pam_faillock_root_unlock_time=60
- var_accounts_passwords_pam_faillock_unlock_time=900
status: automated
- id: ac-7.1
title: Automatic Account Lock
Expand Down Expand Up @@ -564,7 +552,6 @@ controls:
- dconf_gnome_screensaver_lock_delay
- dconf_gnome_screensaver_user_locks
- dconf_gnome_session_idle_user_locks
- var_screensaver_lock_delay=5_seconds
status: automated
- id: ac-11.1
title: Pattern-hiding Displays
28 changes: 4 additions & 24 deletions shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
Expand Up @@ -22,7 +22,6 @@ controls:
- auditd_data_retention_action_mail_acct
- auditd_data_retention_admin_space_left_action
- auditd_data_retention_space_left_action
- ensure_journald_and_rsyslog_not_active_together
- grub2_audit_backlog_limit_argument
- journald_disable_forward_to_syslog
- package_aide_installed
Expand All @@ -33,10 +32,6 @@ controls:
- service_systemd-journal-upload_enabled
- service_systemd-journald_enabled
- socket_systemd-journal-remote_disabled
- var_audit_backlog_limit=8192
- var_auditd_action_mail_acct=root
- var_auditd_admin_space_left_action=cis_rhel10
- var_auditd_space_left_action=cis_rhel10
status: automated
- id: au-2.1
title: Compilation of Audit Records from Multiple Sources
Expand Down Expand Up @@ -113,7 +108,6 @@ controls:
- audit_rules_usergroup_modification_pamd
- audit_rules_usergroup_modification_passwd
- audit_rules_usergroup_modification_shadow
- chronyd_run_as_chrony_user
- chronyd_specify_remote_server
- directory_permissions_var_log_audit
- file_groupownership_audit_binaries
Expand All @@ -125,8 +119,6 @@ controls:
- sudo_custom_logfile
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sshd_max_auth_tries_value=4
- var_multiple_time_servers=rhel
status: automated
- id: au-3.1
title: Additional Audit Information
Expand Down Expand Up @@ -160,8 +152,6 @@ controls:
rules:
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- var_auditd_disk_error_action=cis_rhel10
- var_auditd_disk_full_action=cis_rhel10
status: automated
- id: au-5.1
title: Storage Capacity Warning
Expand Down Expand Up @@ -264,8 +254,6 @@ controls:
rules:
- auditd_data_retention_max_log_file
- auditd_data_retention_max_log_file_action
- var_auditd_max_log_file=8
- var_auditd_max_log_file_action=keep_logs
status: automated
- id: au-8.1
title: Synchronization with Authoritative Time Source
Expand All @@ -281,9 +269,6 @@ controls:
- low
rules:
- audit_rules_immutable
- file_groupownership_audit_configuration
- file_ownership_audit_binaries
- file_ownership_audit_configuration
status: automated
- id: au-9.1
title: Hardware Write-once Media
Expand All @@ -299,17 +284,14 @@ controls:
title: Cryptographic Protection
levels:
- high
rules:
- aide_check_audit_tools
status: automated
rules: []
status: pending
- id: au-9.4
title: Access by Subset of Privileged Users
levels:
- moderate
rules:
- file_group_ownership_var_log_audit
- file_permissions_var_log_audit
status: automated
rules: []
status: pending
- id: au-9.5
title: Dual Authorization
rules: []
Expand Down Expand Up @@ -377,7 +359,6 @@ controls:
- audit_rules_dac_modification_lsetxattr
- audit_rules_dac_modification_removexattr
- audit_rules_dac_modification_setxattr
- audit_rules_continue_loading
- audit_rules_execution_chcon
- audit_rules_file_deletion_events_rename
- audit_rules_file_deletion_events_renameat
Expand Down Expand Up @@ -407,7 +388,6 @@ controls:
- audit_rules_usergroup_modification_pamd
- audit_rules_usergroup_modification_passwd
- audit_rules_usergroup_modification_shadow
- audit_sudo_log_events
- file_permissions_audit_configuration
- grub2_audit_argument
- service_auditd_enabled
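Review bot: In the au.yml hunk at `@@ -33,10 +32,6 @@`, the selections `var_audit_backlog_limit=8192`, `var_auditd_action_mail_acct=root`, `var_auditd_admin_space_left_action=cis_rhel10` and `var_auditd_space_left_action=cis_rhel10` appear to be dropped while the rules that read them (`grub2_audit_backlog_limit_argument`, `auditd_data_retention_action_mail_acct`, `auditd_data_retention_admin_space_left_action`, `auditd_data_retention_space_left_action`) stay selected; the rendered page has lost the +/- markers, so which lines are removals is inferred from the hunk counts and the file's "0 additions" pattern. Once a `var_*=value` selection is gone, the threshold those rules check against comes from the variable's default or from whatever the consuming profile happens to select, so the effective CIS setting can change without any rule disappearing from the mapping. The same rule-kept/variable-dropped shape recurs in this file at `@@ -125,8 +119,6 @@` (`sshd_max_auth_tries_value`, `var_multiple_time_servers`), `@@ -160,8 +152,6 @@` (disk error/full actions) and `@@ -264,8 +254,6 @@` (max log file), in cm.yml at `@@ -62,13 +62,6 @@` and `@@ -285,32 +276,6 @@` (all 24 `sysctl_*_value=` selections), in ia.yml at `@@ -154,36 +151,21 @@`, `@@ -193,9 +175,6 @@` and `@@ -339,7 +318,6 @@`, and in the ac.yml hunks at the top of the page. If the intent is that the profile now owns these values, a short comment at the head of each control list, e.g. `# variable values are selected by the consuming CIS profile, not in this reference`, would record that so a reviewer does not read the missing `var_*` entries as lost coverage. Each control's `id`/`title` lines sit above the visible context, outside the hunk.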
41 changes: 0 additions & 41 deletions shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
Expand Up @@ -62,13 +62,6 @@ controls:
- sysctl_net_ipv6_conf_default_accept_ra
- sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv6_conf_default_accept_source_route
- sshd_idle_timeout_value=5_minutes
- sysctl_net_ipv4_tcp_syncookies_value=enabled
- var_accounts_maximum_age_login_defs=365
- var_sshd_max_sessions=10
- var_sshd_set_keepalive=1
- var_sshd_set_maxstartups=10:30:60
- var_user_initialization_files_regex=all_dotfiles
status: automated
- id: cm-2
title: Baseline Configuration
Expand Down Expand Up @@ -227,7 +220,6 @@ controls:
- banner_etc_motd_cis
- coredump_disable_backtraces
- coredump_disable_storage
- dconf_db_up_to_date
- dconf_gnome_disable_user_list
- disable_host_auth
- disable_users_coredumps
Expand Down Expand Up @@ -256,7 +248,6 @@ controls:
- service_rpcbind_disabled
- sshd_disable_gssapi_auth
- sshd_set_login_grace_time
- sysctl_fs_suid_dumpable
- sysctl_kernel_kptr_restrict
- sysctl_kernel_randomize_va_space
- sysctl_kernel_yama_ptrace_scope
Expand Down Expand Up @@ -285,32 +276,6 @@ controls:
- sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv6_conf_default_forwarding
- cis_banner_text=cis
- dconf_login_banner_contents=cis_default
- dconf_login_banner_text=cis_banners
- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- sysctl_net_ipv4_conf_all_log_martians_value=enabled
- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- sysctl_net_ipv4_conf_default_forwarding_value=disabled
- sysctl_net_ipv4_conf_default_log_martians_value=enabled
- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- sysctl_net_ipv6_conf_all_forwarding_value=disabled
- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- sysctl_net_ipv6_conf_default_forwarding_value=disabled
- var_accounts_user_umask=027
- var_sshd_set_login_grace_time=60
status: automated
- id: cm-6.1
title: Automated Management, Application, and Verification
Expand Down Expand Up @@ -338,7 +303,6 @@ controls:
- low
rules:
- dconf_gnome_disable_autorun
- disable_weak_deps
- file_ownership_var_log_audit_stig
- has_nonlocal_mta
- kernel_module_atm_disabled
Expand Down Expand Up @@ -366,14 +330,11 @@ controls:
- package_cyrus-imapd_removed
- package_dovecot_removed
- package_ftp_removed
- package_gdm_removed
- package_httpd_removed
- package_kea_removed
- package_net-snmp_removed
- package_nginx_removed
- package_openldap-clients_removed
- package_postfix_installed
- package_sequoia-sq_installed
- package_telnet-server_removed
- package_telnet_removed
- package_tftp-server_removed
Expand All @@ -393,8 +354,6 @@ controls:
- service_dnsmasq_disabled
- sshd_disable_forwarding
- wireless_disable_interfaces
- xwayland_disabled
- var_postfix_inet_interfaces=loopback-only
status: automated
- id: cm-7.1
title: Periodic Review
26 changes: 2 additions & 24 deletions shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
Expand Up @@ -104,11 +104,8 @@ controls:
title: Identifier Management
levels:
- low
rules:
- account_disable_post_pw_expiration
- accounts_set_post_pw_existing
- var_account_disable_post_pw_expiration=45
status: automated
rules: []
status: pending
- id: ia-4.1
title: Prohibit Account Identifiers as Public Identifiers
rules: []
Expand Down Expand Up @@ -154,36 +151,21 @@ controls:
rules:
- accounts_minimum_age_login_defs
- accounts_password_all_shadowed
- accounts_password_last_change_is_in_past
- accounts_password_pam_dictcheck
- accounts_password_pam_difok
- accounts_password_pam_enforce_root
- accounts_password_pam_maxrepeat
- accounts_password_pam_maxsequence
- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_modules_in_authselect_profile
- accounts_password_pam_pwhistory_enforce_for_root
- accounts_password_pam_pwhistory_use_authtok
- accounts_password_pam_unix_authtok
- accounts_password_set_min_life_existing
- accounts_password_set_warn_age_existing
- accounts_password_warn_age_login_defs
- ensure_root_password_configured
- no_empty_passwords_etc_shadow
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- var_accounts_minimum_age_login_defs=1
- var_accounts_password_warn_age_login_defs=7
- var_password_hashing_algorithm=cis_rhel10
- var_password_hashing_algorithm_pam=cis_rhel10
- var_password_pam_dictcheck=1
- var_password_pam_difok=2
- var_password_pam_maxrepeat=3
- var_password_pam_maxsequence=3
- var_password_pam_minclass=4
- var_password_pam_minlen=14
status: automated
- id: ia-5.1
title: Password-based Authentication
Expand All @@ -193,9 +175,6 @@ controls:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- accounts_password_pam_unix_enabled
- accounts_password_pam_unix_no_remember
- var_password_pam_remember=24
- var_password_pam_remember_control_flag=requisite_or_required
status: automated
- id: ia-5.2
title: Public Key-based Authentication
Expand Down Expand Up @@ -339,7 +318,6 @@ controls:
- low
rules:
- sudo_require_reauthentication
- var_sudo_timestamp_timeout=15_minutes
status: automated
- id: ia-12
title: Identity Proofing