Merge pull request #11487 from vojtapolasek/cis_fixes

various small fixes to RHEL 7 and RHEL 8 CIS

controls/cis_rhel7.yml

@@ -588,11 +588,11 @@ controls:
       - file_permissions_etc_issue_net
 
   - id: 1.7.1
-    title: Ensure GNOME Display Manager is removed (Manual)
+    title: Ensure GNOME Display Manager is removed (Automated)
     levels:
     - l2_server
-    status: manual
-    related_rules:
+    status: automated
+    rules:
       - package_gdm_removed
 
   - id: 1.7.2
@@ -622,7 +622,10 @@ controls:
     - l1_workstation
     status: automated
     rules:
-    - dconf_gnome_screensaver_idle_delay
+      - dconf_gnome_screensaver_idle_delay
+      - dconf_gnome_screensaver_lock_delay
+      - inactivity_timeout_value=15_minutes
+      - var_screensaver_lock_delay=5_seconds
 
   - id: 1.7.5
     title: Ensure GDM screen locks cannot be overridden
@@ -631,6 +634,7 @@ controls:
     - l1_workstation
     status: automated
     rules:
+      - dconf_gnome_session_idle_user_locks
       - dconf_gnome_screensaver_user_locks
 
   - id: 1.7.6
@@ -2265,17 +2269,22 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    status: manual
-    related_rules:
-    - service_rsyslog_enabled
+    status: automated
+    notes: |-
+      This requirement is expected to be manual in the policy because there are valid cases where
+      other solutions are used for logging. rsyslog is the default in RHEL 8 and so far other
+      solutions are not expected to be incompatible with rsyslog. If so, for these particular
+      cases, this rule should be removed for those systems by a tailored file.
+    rules:
+      - service_rsyslog_enabled
 
   - id: 5.1.1.3
     title: Ensure journald is configured to send logs to rsyslog (Manual)
     levels:
     - l1_server
     - l1_workstation
-    status: manual
-    related_rules:
+    status: automated
+    rules:
       - journald_forward_to_syslog
 
   - id: 5.1.1.4
@@ -2490,7 +2499,7 @@ controls:
     - auditd_data_retention_action_mail_acct
     - var_auditd_action_mail_acct=root
     - auditd_data_retention_admin_space_left_action
-    - var_auditd_admin_space_left_action=halt
+    - var_auditd_admin_space_left_action=cis_rhel7
 
   - id: 5.2.3.1
     title: Ensure changes to system administration scope (sudoers) is collected (Automated)

controls/cis_rhel8.yml

@@ -361,6 +361,7 @@ controls:
     status: automated
     rules:
       - ensure_gpgcheck_globally_activated
+      - ensure_gpgcheck_never_disabled
 
   - id: 1.2.3
     title: Ensure repo_gpgcheck is globally activated (Manual)
@@ -2376,8 +2377,8 @@ controls:
     rules:
       - auditd_data_disk_error_action
       - auditd_data_disk_full_action
-      - var_auditd_disk_error_action=single
-      - var_auditd_disk_full_action=single
+      - var_auditd_disk_error_action=cis_rhel8
+      - var_auditd_disk_full_action=cis_rhel8
 
   - id: 5.2.2.4
     title: Ensure system warns when audit logs are low on space (Automated)
@@ -2390,8 +2391,8 @@ controls:
       - auditd_data_retention_admin_space_left_action
       - auditd_data_retention_space_left_action
       - var_auditd_action_mail_acct=root
-      - var_auditd_admin_space_left_action=single
-      - var_auditd_space_left_action=email
+      - var_auditd_admin_space_left_action=cis_rhel8
+      - var_auditd_space_left_action=cis_rhel8
 
   - id: 5.2.3.1
     title: Ensure changes to system administration scope (sudoers) is collected (Automated)

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Verify Group Who Owns /etc/at.allow file'
 
 description: |-

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Verify Permissions on /etc/at.allow file'
 
 {{%  if 'rhel' not in product %}}

linux_os/guide/services/dns/package_dnsmasq_removed/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Uninstall dnsmasq Package'
 
 description: |-

linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Record Any Attempts to Run setfacl'
 
 description: |-
@@ -26,6 +25,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-90756-8
     cce@rhel8: CCE-88437-9
     cce@rhel9: CCE-90482-1
     cce@sle12: CCE-83189-1

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml

@@ -8,7 +8,7 @@
 - name: Configure auditd admin_space_left Action on Low Disk Space
   lineinfile:
     dest: /etc/audit/auditd.conf
-    line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
+    line: "admin_space_left_action = {{ var_auditd_admin_space_left_action .split('|')[0] }}"
     regexp: '^\s*admin_space_left_action\s*=\s*.*$'
     state: present
     create: yes

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh

@@ -2,6 +2,8 @@
 
 {{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}}
 
+var_auditd_admin_space_left_action="$(echo $var_auditd_admin_space_left_action | cut -d \| -f 1)"
+
 AUDITCONFIG=/etc/audit/auditd.conf
 
 {{{ bash_replace_or_append("$AUDITCONFIG", '^admin_space_left_action', "$var_auditd_admin_space_left_action") }}}

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml

@@ -22,9 +22,17 @@
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_state id="state_auditd_data_retention_admin_space_left_action" version="1">
-    <ind:subexpression operation="case insensitive equals" var_ref="var_auditd_admin_space_left_action" />
+    <ind:subexpression operation="pattern match" var_ref="var_auditd_admin_space_left_action_regex" />
   </ind:textfilecontent54_state>
 
+  <local_variable datatype="string" id="var_auditd_admin_space_left_action_regex" version="1"
+  comment="Build regex to be case insensitive">
+    <concat>
+      <literal_component>(?i)</literal_component>
+      <variable_component var_ref="var_auditd_admin_space_left_action"/>
+    </concat>
+  </local_variable>
+
   <external_variable comment="audit admin_space_left_action setting" datatype="string" id="var_auditd_admin_space_left_action" version="1" />
 
 </def-group>

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/tests/admin_space_left_action_email_cis.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# packages = audit
+#
+# remediation = bash
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+. $SHARED/auditd_utils.sh
+prepare_auditd_test_enviroment
+set_parameters_value /etc/audit/auditd.conf "admin_space_left_action" "email"

linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var

@@ -19,3 +19,4 @@ options:
     rotate: rotate
     ignore: ignore
     cis_rhel7: single|halt
+    cis_rhel8: single|halt

linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var

@@ -22,3 +22,4 @@ options:
     ol8: syslog|single|halt
     rhel8: syslog|single|halt
     cis_rhel7: syslog|single|halt
+    cis_rhel8: syslog|single|halt

linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var

@@ -23,3 +23,4 @@ options:
     ol8: syslog|single|halt
     rhel8: syslog|single|halt
     cis_rhel7: halt|single
+    cis_rhel8: syslog|single|halt

linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var

@@ -19,3 +19,4 @@ options:
     rotate: rotate
     ignore: ignore
     cis_rhel7: email|exec|single|halt
+    cis_rhel8: email|exec|single|halt

linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml

@@ -26,6 +26,7 @@ identifiers:
 references:
     ccn@rhel9: A.11.SEC-RHEL7
     cis-csc: 1,12,15,16
+    cis@rhel7: 1.7.4
     cis@rhel8: 1.8.4
     cis@rhel9: 1.8.4
     cis@ubuntu2204: 1.8.5

linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml

@@ -29,6 +29,7 @@ identifiers:
 
 references:
     cis-csc: 1,12,15,16
+    cis@rhel7: 1.7.5
     cis@rhel8: 1.8.5
     cis@rhel9: 1.8.5
     cobit5: DSS05.04,DSS05.10,DSS06.10

linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml

@@ -33,7 +33,7 @@ identifiers:
     cce@sle15: CCE-92502-4
 
 references:
-    cis@rhel7: 1.8.1
+    cis@rhel7: 1.7.1
     cis@rhel8: 1.8.1
     cis@rhel9: 1.8.1
     cis@sle12: '1.10'

linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml

@@ -30,6 +30,7 @@ references:
     cis-csc: 11,2,3,9
     cis@alinux2: 1.2.3
     cis@rhel7: 1.2.2
+    cis@rhel8: 1.2.2
     cis@sle12: 1.2.3
     cis@sle15: 1.2.3
     cjis: 5.10.4.1

shared/references/cce-redhat-avail.txt

@@ -3842,4 +3842,3 @@ CCE-90751-9
 CCE-90752-7
 CCE-90753-5
 CCE-90755-0
-CCE-90756-8