RHCOS4: Enhance instructions to better reflect how to work with the platform #6796

Merged
merged 8 commits into from Apr 8, 2021
Expand Up @@ -4,7 +4,8 @@ prodtype: ol7,ol8,rhel7,rhel8,sle15

title: 'Disable Avahi Server Software'

description: '{{{ describe_service_disable(service="avahi-daemon") }}}'
description: |-
{{{ describe_service_disable(service="avahi-daemon") }}}

rationale: |-
Because the Avahi daemon service keeps an open network
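Review bot: Nothing at the `description:` key here, or at the `ocil:` key in the next hunk, records why the single-quoted scalar is replaced by a `|-` block scalar. If the macros now expand to multi-line text or text containing quotes, state that in the rule-authoring documentation or enforce it with a lint check, so that new rules do not bring back the `'{{{ ... }}}'` form that this change removes file by file.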
Expand All @@ -31,7 +32,8 @@ references:
cis-csc: 11,14,3,9
cis@sle15: 2.2.3

ocil: '{{{ ocil_service_disabled(service="avahi-daemon") }}}'
ocil: |-
{{{ ocil_service_disabled(service="avahi-daemon") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_abrtd_disabled/rule.yml
Expand Up @@ -32,7 +32,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="abrtd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="abrtd") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_acpid_disabled/rule.yml
Expand Up @@ -31,7 +31,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="acpid") }}}'
ocil: |-
{{{ ocil_service_disabled(service="acpid") }}}

platform: machine

Expand Up @@ -31,7 +31,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="certmonger") }}}'
ocil: |-
{{{ ocil_service_disabled(service="certmonger") }}}

platform: machine

Expand Up @@ -28,7 +28,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="cgconfig") }}}'
ocil: |-
{{{ ocil_service_disabled(service="cgconfig") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_cgred_disabled/rule.yml
Expand Up @@ -27,7 +27,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="cgred") }}}'
ocil: |-
{{{ ocil_service_disabled(service="cgred") }}}

platform: machine

Expand Up @@ -16,7 +16,8 @@ severity: medium

platform: machine

ocil: '{{{ ocil_service_disabled(service="cockpit") }}}'
ocil: |-
{{{ ocil_service_disabled(service="cockpit") }}}

ocil_clause: 'it is not disabled'

Expand Up @@ -30,7 +30,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="cpupower") }}}'
ocil: |-
{{{ ocil_service_disabled(service="cpupower") }}}

platform: machine

Expand Up @@ -28,7 +28,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="irqbalance") }}}'
ocil: |-
{{{ ocil_service_disabled(service="irqbalance") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_kdump_disabled/rule.yml
Expand Up @@ -43,7 +43,8 @@ references:
ospp: FMT_SMF_EXT.1.1
stigid@rhel8: RHEL-08-010670

ocil: '{{{ ocil_service_disabled(service="kdump") }}}'
ocil: |-
{{{ ocil_service_disabled(service="kdump") }}}

platform: machine

Expand Up @@ -28,7 +28,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="mdmonitor") }}}'
ocil: |-
{{{ ocil_service_disabled(service="mdmonitor") }}}

platform: machine

Expand Up @@ -31,7 +31,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="messagebus") }}}'
ocil: |-
{{{ ocil_service_disabled(service="messagebus") }}}

platform: machine

Expand Up @@ -31,7 +31,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="netconsole") }}}'
ocil: |-
{{{ ocil_service_disabled(service="netconsole") }}}

platform: machine

Expand Up @@ -34,7 +34,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="ntpdate") }}}'
ocil: |-
{{{ ocil_service_disabled(service="ntpdate") }}}

platform: machine

Expand Up @@ -33,7 +33,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="oddjobd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="oddjobd") }}}

platform: machine

Expand Up @@ -30,7 +30,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="portreserve") }}}'
ocil: |-
{{{ ocil_service_disabled(service="portreserve") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_psacct_enabled/rule.yml
Expand Up @@ -31,7 +31,8 @@ references:
iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9

ocil: '{{{ ocil_service_disabled(service="psacct") }}}'
ocil: |-
{{{ ocil_service_disabled(service="psacct") }}}

platform: machine
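Review bot: The `ocil` key in `service_psacct_enabled/rule.yml` calls `ocil_service_disabled(service="psacct")`, although the rule's directory name says the service is meant to be enabled, so the check text comes from the macro for the opposite state. The quoting change carries this over unchanged from the removed line; since the line is being rewritten anyway, switch it to `ocil_service_enabled(service="psacct")`, the macro the cron, crond and fapolicyd rules in this same change use.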

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_qpidd_disabled/rule.yml
Expand Up @@ -34,7 +34,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="qpidd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="qpidd") }}}

platform: machine

Expand Up @@ -34,7 +34,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="quota_nld") }}}'
ocil: |-
{{{ ocil_service_disabled(service="quota_nld") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_rdisc_disabled/rule.yml
Expand Up @@ -33,7 +33,8 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.12.1.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,3,4,6,8,9

ocil: '{{{ ocil_service_disabled(service="rdisc") }}}'
ocil: |-
{{{ ocil_service_disabled(service="rdisc") }}}

platform: machine

3 changes: 2 additions & 1 deletion linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
Expand Up @@ -35,7 +35,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="rhnsd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="rhnsd") }}}

platform: machine

Expand Up @@ -32,7 +32,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="rhsmcertd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="rhsmcertd") }}}

platform: machine

Expand Up @@ -33,7 +33,8 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9

ocil: '{{{ ocil_service_disabled(service="saslauthd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="saslauthd") }}}

platform: machine

Expand Up @@ -30,7 +30,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="smartd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="smartd") }}}

platform: machine

Expand Up @@ -32,7 +32,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="sysstat") }}}'
ocil: |-
{{{ ocil_service_disabled(service="sysstat") }}}

platform: machine

Expand Up @@ -34,7 +34,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_disabled(service="atd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="atd") }}}

platform: machine

Expand Up @@ -24,7 +24,8 @@ references:
cis-csc: 11,14,3,9
cis@ubuntu2004: 5.1.1

ocil: '{{{ ocil_service_enabled(service="cron") }}}'
ocil: |-
{{{ ocil_service_enabled(service="cron") }}}

template:
name: service_enabled
Expand Up @@ -32,7 +32,8 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9

ocil: '{{{ ocil_service_enabled(service="crond") }}}'
ocil: |-
{{{ ocil_service_enabled(service="crond") }}}

template:
name: service_enabled
Expand Up @@ -33,7 +33,8 @@ references:
cis-csc: 11,14,3,9
cis@sle15: 2.2.5

ocil: '{{{ ocil_service_disabled(service="dhcpd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="dhcpd") }}}

platform: machine

Expand Up @@ -4,7 +4,8 @@ prodtype: rhel7,rhel8,sle15

title: 'Disable named Service'

description: '{{{ describe_service_disable(service="named") }}}'
description: |-
{{{ describe_service_disable(service="named") }}}

rationale: |-
All network services involve some risk of compromise due to
Expand All @@ -29,7 +30,8 @@ references:
cis-csc: 11,14,3,9
cis@sle15: 2.2.8

ocil: '{{{ ocil_service_disabled(service="named") }}}'
ocil: |-
{{{ ocil_service_disabled(service="named") }}}

platform: machine

Expand Up @@ -19,7 +19,8 @@ severity: medium
identifiers:
cce@rhel7: CCE-80440-1

ocil: '{{{ ocil_service_enabled(service="docker") }}}'
ocil: |-
{{{ ocil_service_enabled(service="docker") }}}

platform: machine

Expand Up @@ -26,7 +26,8 @@ references:

ocil_clause: 'the service is not enabled'

ocil: '{{{ ocil_service_enabled(service="fapolicyd") }}}'
ocil: |-
{{{ ocil_service_enabled(service="fapolicyd") }}}

template:
name: service_enabled
Expand Up @@ -4,7 +4,8 @@ prodtype: rhel7,rhel8,sle15

title: 'Disable vsftpd Service'

description: '{{{ describe_service_disable(service="vsftpd") }}}'
description: |-
{{{ describe_service_disable(service="vsftpd") }}}

rationale: |-
Running FTP server software provides a network-based avenue
Expand All @@ -31,7 +32,8 @@ references:
cis-csc: 11,14,3,9
cis@sle15: 2.2.9

ocil: '{{{ ocil_service_disabled(service="vsftpd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="vsftpd") }}}

platform: machine

Expand Up @@ -4,7 +4,8 @@ prodtype: rhel7,rhel8,sle15

title: 'Disable httpd Service'

description: '{{{ describe_service_disable(service="httpd") }}}'
description: |-
{{{ describe_service_disable(service="httpd") }}}

rationale: |-
Running web server software provides a network-based avenue
Expand All @@ -28,7 +29,8 @@ references:
cis-csc: 11,14,3,9
cis@sle15: 2.2.10

ocil: '{{{ ocil_service_disabled(service="httpd") }}}'
ocil: |-
{{{ ocil_service_disabled(service="httpd") }}}

platform: machine

Expand Up @@ -24,4 +24,5 @@ severity: high
references:
stigid: WG230

ocil: '{{{ ocil_service_enabled(service="sshd") }}}'
ocil: |-
{{{ ocil_service_enabled(service="sshd") }}}