Update CIS RHEL8 Benchmark for v2.0.0 #9154
Reviewed the first chapter from RHEL8 CIS v2.0.0 and updated the relevant rules.
Reviewed the second chapter from RHEL8 CIS v2.0.0 and updated the relevant rules
Reviewed the third chapter from RHEL8 CIS v2.0.0 and updated the relevant rules
Reviewed the fourth chapter from RHEL8 CIS v2.0.0 and updated the relevant rules
…on rules
Reviewed the fifth chapter from RHEL8 CIS v2.0.0 and updated the relevant rules
Reviewed the sixth chapter from RHEL8 CIS v2.0.0 and updated the relevant rules
The current version of CIS RHEL8 Benchmark is v2.0.0. However, the version used in the project was still v1.0.1. This commit updated all requirements in alignment to v2.0.0. Some requirements were removed, others included and many of them just have their IDs updated. Although some pending requirements were updated to automated status where it was noticed a new rule was already available, this commit is not intended to update the profile coverage but simply update the requirements in alignment to v2.0.0. Profile coverage is out of scope in this commit.
Looking at test results, there are two problems: missing CIS references, and missing CCE in RHEL8 and RHEL9.

Right, I just saw them and will fix now.
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs:
--- old datastream
+++ new datastream
@@ -4,6 +4,7 @@
register: users_nopasswd
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
+ - CCE-85953-8
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- high_severity
@@ -21,6 +22,7 @@
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- users_nopasswd.stdout_lines | length > 0
tags:
+ - CCE-85953-8
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- high_severity
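Review bot: the same CCE-85953-8 is added to both tasks of this remediation (this hunk and the @@ -4,6 +4,7 @@ one above), which is the correct outcome because the CCE identifies the rule rather than an individual task; since the tag is generated from the rule's identifier, no per-task edit is needed, and the two tags will stay in sync if the identifier is ever reassigned.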
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs:
--- old datastream
+++ new datastream
@@ -15,6 +15,7 @@
- '"iptables-ipv6" in ansible_facts.packages'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
+ - CCE-85955-3
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
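Review bot: the task is gated on '"iptables-ipv6" in ansible_facts.packages', but on RHEL 8 the ip6tables service unit is shipped by the iptables-services package (as noted later in this thread), so on a RHEL 8 host that has iptables-services installed this remediation would be skipped; adding CCE-85955-3 is fine, but the package condition should include iptables-services before this rule is put back into the RHEL 8 controls file.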
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs:
--- old datastream
+++ new datastream
@@ -15,6 +15,7 @@
- '"iptables" in ansible_facts.packages'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
+ - CCE-85961-1
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
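Review bot: the precondition '"iptables" in ansible_facts.packages' is satisfied by the iptables userspace package alone, which on RHEL 8 does not provide iptables.service (that unit comes from iptables-services, per the later comment), so the task can run on a host where the service cannot be enabled and fail the way the container tests did; consider gating on iptables-services instead of, or in addition to, iptables. The CCE-85961-1 addition itself is fine.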
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_httpd_removed' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
name: httpd
state: absent
tags:
+ - CCE-85970-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
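Review bot: CCE-85970-2 lands directly above the NIST references here, while the dovecot, samba and net-snmp hunks below show disable_strategy/low_complexity/low_disruption directly under the CCE; that is consistent with the sorted tag order (uppercase CCE and NIST entries before the lowercase strategy tags) combined with the three-line context window, not a missing strategy tag on httpd, so nothing needs to change in this hunk.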
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_dovecot_removed' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
name: dovecot
state: absent
tags:
+ - CCE-85976-9
- disable_strategy
- low_complexity
- low_disruption
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_samba_removed' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
name: samba
state: absent
tags:
+ - CCE-85978-5
- disable_strategy
- low_complexity
- low_disruption
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
name: net-snmp
state: absent
tags:
+ - CCE-85980-1
- disable_strategy
- low_complexity
- low_disruption |
During the review of the CIS RHEL8 v2.0.0 some existing rules were linked to requirements. The CI tests identified rules without CCE or CIS reference for RHEL8. This commit fixes the missing CCEs and references.
The service_iptables_enabled and service_ip6tables_enabled rules were initially included during the v2.0.0 review but during the tests they returned errors because the respective services are not present. These requirements will be reviewed separately.
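A stand-alone check for the two failure classes the CI reported above (a rule with no cce@rhel8 identifier, or no cis@rhel8 reference), added here as an illustration; it is not the project's CI script. It assumes the rule.yml layout used in the content repository, where per-product identifiers and references are flat key/value mappings under top-level identifiers: and references: blocks, keyed like cce@rhel8 and cis@rhel8. The three sample rule bodies are constructed for this example; the only real value in them is CCE-85953-8, taken from the datastream diff above, and the CIS section numbers are placeholders.

```python
"""Flag rule.yml bodies that lack a per-product CCE identifier or CIS
reference.  Added example for this page, not the ComplianceAsCode CI
check.  Assumes the repository's rule.yml layout: top-level
`identifiers:` and `references:` blocks holding flat key/value pairs
with product-qualified keys such as `cce@rhel8` and `cis@rhel8`."""
import re

CCE_RE = re.compile(r"CCE-\d{5}-\d")  # CCE identifier shape, e.g. CCE-85953-8


def _section(text, name):
    """Return the stripped child lines of the top-level block `name:`.

    Only the flat `key: value` maps under identifiers:/references: are
    needed, so a block ends at the next line that starts in column 0;
    blank lines inside the block are skipped.
    """
    out, inside = [], False
    for line in text.splitlines():
        if re.match(rf"^{re.escape(name)}:\s*$", line):
            inside = True
            continue
        if not inside:
            continue
        if not line.strip():
            continue
        if not line[0].isspace():
            break
        out.append(line.strip())
    return out


def _pairs(lines):
    """Turn `key: value` lines into a dict; comments and stray lines are ignored."""
    pairs = {}
    for line in lines:
        m = re.match(r"^([^#:]+):\s*(.*)$", line)
        if m:
            pairs[m.group(1).strip()] = m.group(2).strip()
    return pairs


def check_rule(text, product):
    """Return the problems found for one rule body and one product id.

    Reports, in this order: a missing `cce@<product>` identifier, a
    malformed CCE value, and a missing `cis@<product>` reference.
    An empty list means the rule passes for that product.
    """
    problems = []
    identifiers = _pairs(_section(text, "identifiers"))
    references = _pairs(_section(text, "references"))

    cce = identifiers.get(f"cce@{product}")
    if cce is None:
        problems.append(f"missing cce@{product}")
    elif not CCE_RE.fullmatch(cce):
        problems.append(f"malformed CCE '{cce}'")

    if f"cis@{product}" not in references:
        problems.append(f"missing cis@{product}")
    return problems


def check_rules(rules, product):
    """Map rule id -> problems for every rule that has at least one."""
    report = {}
    for rule_id, text in rules.items():
        problems = check_rule(text, product)
        if problems:
            report[rule_id] = problems
    return report


# Constructed sample rule bodies (not copied from the repository).
# CCE-85953-8 is the value the datastream diff above assigns to
# no_empty_passwords_etc_shadow; CIS section numbers are placeholders.
RULE_OK = """\
documentation_complete: true
title: 'Constructed sample rule A'
identifiers:
    cce@rhel8: CCE-85953-8
references:
    cis@rhel8: 6.2.2
    nist: CM-6(b),CM-6.1(iv)
severity: high
"""

RULE_NO_IDS = """\
documentation_complete: true
title: 'Constructed sample rule B (no identifiers block)'
references:
    nist: AC-4,CA-3(5),CM-6(a)
severity: medium
"""

RULE_BAD_CCE = """\
documentation_complete: true
title: 'Constructed sample rule C (truncated CCE)'
identifiers:
    cce@rhel8: CCE-85970
references:
    cis@rhel8: 2.2.1

    nist: CM-6(a),CM-7(a),CM-7(b)
severity: unknown
"""

SAMPLE_RULES = {
    "no_empty_passwords_etc_shadow": RULE_OK,
    "service_ip6tables_enabled": RULE_NO_IDS,
    "package_httpd_removed": RULE_BAD_CCE,
}

if __name__ == "__main__":
    for product in ("rhel8", "rhel9"):
        print(product, check_rules(SAMPLE_RULES, product))
```

Running the module prints the report for rhel8 and rhel9; the rhel9 pass shows every sample rule failing, which is the "Missing CCE in RHEL8 and RHEL9" situation the CI flagged, while the rhel8 pass only flags the rule without identifiers and the one whose CCE is truncated.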
c4c5fdd to b82df92
Code Climate has analyzed commit b82df92 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@marcusburghardt: The following tests failed, say
Tested with CIS Server Level 2 kickstart test, results are fine. AutoMatus failing test is expected, because service_iptables_enabled can't be properly tested in a container.
I have found only misalignment in 5.3.5 requirement's title, but that can be updated in another PR.
Most of the changes here are related to references and those types of changes have really low risk of breaking something in the automated content. New rules selected into the controls file are easily testable and no changes to the automated content are being performed.
I find this a very low risk to be merged as it is.
status: automated
rules:
  - journald_forward_to_syslog
  - service_systemd-journald_enabled
The systemd-journald rule is needed, because service_systemd-journald_enabled now fails on "package systemd-journald is installed".
The systemd-journald service unit is part of the systemd package. If the package name is not passed to the template, the service name is used as the package name by default. I will update the rule in another PR.
These minor changes can be improved in later PRs.
status: automated
rules:
status: pending
related_rules:
  - service_iptables_enabled
These services can be obtained from the iptables-services package.
  - service_avahi-daemon_disabled

# NEEDS RULE
- id: 2.2.4
  title: Ensure CUPS is not enabled (Automated)
Suggested change: replace "title: Ensure CUPS is not enabled (Automated)" with "title: Ensure CUPS is not installed (Automated)".
  - l1_workstation
status: automated
rules:
  - package_iptables_installed
Add rule for iptables-services
  - sudo_require_authentication

- id: 5.3.5
  title: Ensure users must provide password for escalation (Automated)
Suggested change: replace "title: Ensure users must provide password for escalation (Automated)" with "title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)".
Description:
The current version of CIS RHEL8 Benchmark is v2.0.0.
However, the version used in the project was still v1.0.1. This commit updated all requirements in alignment to v2.0.0. Some requirements were removed, others included and many of them just have their IDs updated.
Although some pending requirements were updated to automated status where it was noticed a new rule was already available, this commit is not intended to update the profile coverage but simply update the requirements in alignment to v2.0.0. Profile coverage is out of scope in this PR.
Rationale:
Once the controlfile is in alignment to the current Benchmark version, we can more efficiently work on coverage.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2058203
Fixes #9090
Review Hints:
The review process shouldn't be hard, but may be time-consuming. I tried to mitigate a little bit by splitting the updates by Chapters. So, my recommendation is to review the PR commit by commit, sequentially.