From 05551460e6a721efa889c81e06256831239264a1 Mon Sep 17 00:00:00 2001 
From: Kazuki Omo Date: Sat, 4 Dec 2021 11:17:11 +0900 Subject: [PATCH] For fixing issue#26, updating contents for supporting CaC 0.1.59. --- .../files/diff_content_for_supporting_rocky8 | 105 +- .../files/installed_OS_is_rocky8.xml | 59 + .../files/rl8/CMakeLists.txt | 26 +- .../kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 2 +- .../ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +- .../files/rl8/product.yml | 1 + .../files/rl8/profiles/e8.profile | 2 +- .../files/rl8/profiles/hipaa.profile | 2 +- .../files/rl8/profiles/ism_o.profile | 1 + .../files/rl8/profiles/ospp.profile | 4 +- .../files/rl8/profiles/pci-dss.profile | 2 +- .../files/rl8/profiles/rht-ccp.profile | 2 +- .../files/rl8/profiles/standard.profile | 2 +- .../files/rl8/profiles/stig.profile | 18 +- .../files/rl8/profiles/stig_gui.profile | 4 +- .../files/rl8/transforms/constants.xslt | 8 - .../files/rocky8-0.1.57.patch | 30 +- .../files/rocky8/CMakeLists.txt | 34 + .../files/rocky8/convert_script.sh | 4 + .../ssg-rhel8-anssi_bp28_high-ks.cfg | 176 +++ .../rocky8/kickstart/ssg-rhel8-cis-ks.cfg | 146 +++ .../rocky8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++ .../rocky8/kickstart/ssg-rhel8-e8-ks.cfg | 125 ++ .../rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 ++ .../rocky8/kickstart/ssg-rhel8-ospp-ks.cfg | 167 +++ .../rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 157 +++ .../rocky8/kickstart/ssg-rhel8-stig-ks.cfg | 167 +++ .../files/rocky8/overlays/srg_support.xml | 173 +++ .../files/rocky8/product.yml | 32 + .../profiles/anssi_bp28_enhanced.profile | 59 + .../rocky8/profiles/anssi_bp28_high.profile | 49 + .../profiles/anssi_bp28_intermediary.profile | 144 +++ .../profiles/anssi_bp28_minimal.profile | 49 + .../files/rocky8/profiles/cis.profile | 1089 +++++++++++++++++ .../files/rocky8/profiles/cjis.profile | 139 +++ .../files/rocky8/profiles/cui.profile | 32 + .../files/rocky8/profiles/e8.profile | 149 +++ .../files/rocky8/profiles/hipaa.profile | 164 +++ .../files/rocky8/profiles/ism_o.profile | 158 +++ 
.../files/rocky8/profiles/ospp-mls.profile | 25 + .../files/rocky8/profiles/ospp.profile | 443 +++++++ .../files/rocky8/profiles/pci-dss.profile | 147 +++ .../files/rocky8/profiles/rhelh-stig.profile | 13 + .../files/rocky8/profiles/rhelh-vpp.profile | 35 + .../files/rocky8/profiles/rht-ccp.profile | 100 ++ .../files/rocky8/profiles/standard.profile | 67 + .../files/rocky8/profiles/stig.profile | 67 + .../files/rocky8/transforms/cci2html.xsl | 6 + .../files/rocky8/transforms/constants.xslt | 21 + .../transforms/shorthand2xccdf.xslt | 2 +- .../rocky8/transforms/table-add-srgitems.xslt | 7 + .../rocky8/transforms/table-sortbyref.xslt | 6 + .../files/rocky8/transforms/table-srgmap.xslt | 11 + .../files/rocky8/transforms/table-style.xslt | 5 + .../transforms/xccdf-apply-overlay-stig.xslt | 8 + .../rocky8/transforms/xccdf2stigformat.xslt | 7 + .../transforms/xccdf2table-byref.xslt | 2 +- .../rocky8/transforms/xccdf2table-cce.xslt | 9 + .../xccdf2table-profileanssirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 9 + .../xccdf2table-profilecisrefs.xslt | 9 + .../xccdf2table-profilenistrefs-cui.xslt | 8 + .../xccdf2table-profilenistrefs.xslt | 8 + .../rocky8/transforms/xccdf2table-stig.xslt | 9 + .../tools/.add_product_rocky8.sh.swp | Bin 0 -> 12288 bytes 65 files changed, 4666 insertions(+), 135 deletions(-) create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg create mode 100644 
ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile create mode 100644 
ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt rename ComplianceAsCode/content_for_supporting_rocky8/files/{rl8 => rocky8}/transforms/shorthand2xccdf.xslt (71%) create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt rename ComplianceAsCode/content_for_supporting_rocky8/files/{rl8 => rocky8}/transforms/xccdf2table-byref.xslt (82%) create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt rename ComplianceAsCode/content_for_supporting_rocky8/files/{rl8 => 
rocky8}/transforms/xccdf2table-profileanssirefs.xslt (80%) create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt create mode 100644 ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 index 097ac1d8..5da63a85 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8 
@@ -1,114 +1,77 @@ diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt ---- content.org/CMakeLists.txt 2021-08-21 18:13:55.050097584 +0900 -+++ content/CMakeLists.txt 2021-08-21 18:21:16.258038611 +0900 -@@ -93,6 +93,7 @@ +--- content.org/CMakeLists.txt 2020-12-25 08:21:12.953946957 +0900 ++++ content/CMakeLists.txt 2020-12-25 08:30:03.918555175 +0900 +@@ -87,6 +87,7 @@ option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - + option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE) -@@ -288,6 +289,7 @@ +@@ -267,6 +268,8 @@ message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}") message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}") message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}") +message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}") - - - -@@ -410,6 +412,10 @@ ++ + + + +@@ -386,6 +389,10 @@ if (SSG_PRODUCT_WRLINUX1019) - add_subdirectory("products/wrlinux1019" "wrlinux1019") + add_subdirectory("wrlinux1019") endif() +if (SSG_PRODUCT_ROCKY8) -+ add_subdirectory("products/rl8" "rl8") ++ add_subdirectory("rocky8") +endif() + - + # ZIP only contains source datastreams and kickstarts, people who # want sources to build from should get the tarball instead. 
- diff -Nru content.org/build_product content/build_product ---- content.org/build_product 2021-08-21 18:13:55.110097683 +0900 -+++ content/build_product 2021-08-21 18:22:19.417937147 +0900 -@@ -310,6 +310,7 @@ +--- content.org/build_product 2020-12-25 08:21:13.001947373 +0900 ++++ content/build_product 2020-12-25 08:31:11.339141097 +0900 +@@ -294,6 +294,7 @@ + VSEL WRLINUX8 WRLINUX1019 - MACOS1015 + ROCKY8 ) DEFAULT_OVAL_MAJOR_VERSION=5 -diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/checks/oval/install_mcafee_hbss.xml ---- content.org/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:27:50.321760545 +0900 -+++ content/shared/checks/oval/install_mcafee_hbss.xml 2021-05-03 07:29:57.423884084 +0900 -@@ -14,6 +14,7 @@ - multi_platform_sle - multi_platform_ubuntu - multi_platform_wrlinux -+ multi_platform_rl - - McAfee Host-Based Intrusion Detection Software (HBSS) software - should be installed. -diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ---- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-08-21 18:13:55.326098038 +0900 -+++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml 2021-08-21 18:21:37.030007098 +0900 -@@ -9,11 +9,12 @@ - multi_platform_opensuse - multi_platform_ol - multi_platform_rhcos -- multi_platform_rhel -+ multi_platform_rhel,multi_platform_rl - multi_platform_rhv - multi_platform_sle - multi_platform_ubuntu - multi_platform_wrlinux -+ multi_platform_rl - - Disables IPv6 for all network interfaces. 
- diff -Nru content.org/ssg/constants.py content/ssg/constants.py ---- content.org/ssg/constants.py 2021-08-21 18:13:55.362098097 +0900 -+++ content/ssg/constants.py 2021-08-21 18:21:16.258038611 +0900 -@@ -24,7 +24,8 @@ - 'sle12', 'sle15', +--- content.org/ssg/constants.py 2020-12-25 08:21:13.281949799 +0900 ++++ content/ssg/constants.py 2020-12-25 08:43:05.253350090 +0900 +@@ -24,6 +24,7 @@ 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'vsel', -- 'wrlinux8', 'wrlinux1019' -+ 'wrlinux8', 'wrlinux1019', -+ 'rl8' + 'wrlinux8', 'wrlinux1019' ++ 'rocky8' ] - + JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname( -@@ -182,6 +183,7 @@ +@@ -167,6 +168,7 @@ "Ubuntu 20.04": "ubuntu2004", "WRLinux 8": "wrlinux8", "WRLinux 1019": "wrlinux1019", -+ "Rocky Linux 8": "rl8", ++ "Rocky Linux 8": "rocky8", } - - -@@ -196,7 +198,7 @@ - } - - MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu", -- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"] -+ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"] - - MULTI_PLATFORM_MAPPING = { - "multi_platform_debian": ["debian9", "debian10"], -@@ -212,6 +214,7 @@ + + +@@ -197,6 +199,7 @@ "multi_platform_sle": ["sle12", "sle15"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"], "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"], -+ "multi_platform_rl": ["rl8"], ++ "multi_platform_rocky": ["rocky8"], } - + RHEL_CENTOS_CPE_MAPPING = { -@@ -377,6 +380,7 @@ +@@ -362,6 +365,7 @@ 'ol': 'Oracle Linux', 'ocp': 'Red Hat OpenShift Container Platform', 'rhcos': 'Red Hat Enterprise Linux CoreOS', -+ 'rl': 'Rocky Linux', ++ 'rocky': 'Rocky Linux', } + + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml new file mode 100644 index 00000000..cd3f9ca8 --- /dev/null 
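Review bot: The new side of the nested ssg/constants.py hunk (`@@ -24,6 +24,7 @@`) appends `+ 'rocky8'` directly after the context line `'wrlinux8', 'wrlinux1019'`, which has no trailing comma, so Python joins the two adjacent literals into `'wrlinux1019rocky8'` and no `rocky8` product entry is ever created. The removed version handled this correctly by rewriting the line, `- 'wrlinux8', 'wrlinux1019'` / `+ 'wrlinux8', 'wrlinux1019',` / `+ 'rocky8'`, and the new hunk should keep that shape. The new side also drops the `MULTI_PLATFORM_LIST` change while still adding `"multi_platform_rocky"` to `MULTI_PLATFORM_MAPPING`, which looks inconsistent unless 0.1.59 derives the list elsewhere. Its 2020-12-25 timestamps and lower line offsets suggest an older revision being restored rather than a rebase onto 0.1.59, and its `rocky8`/`rocky` identifiers disagree with the `rl8`/`rl` naming used by the rl8 tree and by rocky8-0.1.57.patch elsewhere in this commit — worth confirming which scheme is intended.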
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml @@ -0,0 +1,59 @@ + + + + Rocky Linux 8 + + multi_platform_all + + + The operating system installed on the system is + Rocky Linux 8 + + + + + + + + + + + + + + + + + + + unix + + + + + + + + + ^8.*$ + + + redhat-release + + + + + + + + /etc/redhat-release + ^Rocky Linux release (\d)\.\d+$ + 1 + + + 8 + + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt index 658eb1ed..08dc5124 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/CMakeLists.txt @@ -1,4 +1,4 @@ -# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way. +# Sometimes our users will try to do: "cd rl8; cmake ." That needs to error in a nice way. if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") endif() 
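Review bot: The platform check in installed_OS_is_rocky8.xml anchors `^Rocky Linux release (\d)\.\d+$` at both ends, which presumably fails if /etc/redhat-release on a Rocky 8 host carries a code-name suffix after the version, as EL8-derived release files commonly do — confirm the exact string on a target host and, if so, loosen the tail (for example `^Rocky Linux release (\d)\.\d+.*$`). The package check names `redhat-release`; verify that this name resolves on Rocky rather than a vendor-specific release package, otherwise the platform applicability never matches and every rule bound to it is silently skipped. The element markup was lost in this rendering, so only the literal values could be checked here.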
@@ -8,20 +8,16 @@ set(DISA_SRG_TYPE "os") ssg_build_product(${PRODUCT}) -ssg_build_html_table_by_ref(${PRODUCT} "nist") -ssg_build_html_table_by_ref(${PRODUCT} "cui") -ssg_build_html_table_by_ref(${PRODUCT} "cis") -ssg_build_html_table_by_ref(${PRODUCT} "pcidss") -ssg_build_html_table_by_ref(${PRODUCT} "anssi") +ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss") -ssg_build_html_nistrefs_table(${PRODUCT} "standard") -ssg_build_html_nistrefs_table(${PRODUCT} "ospp") -ssg_build_html_nistrefs_table(${PRODUCT} "stig") +ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist") +ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist") +ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high") +ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") +ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_enhanced" "${PRODUCT}" "anssi_bp28_enhanced" "anssi") +ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_intermediary" "${PRODUCT}" "anssi_bp28_intermediary" "anssi") +ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_high" "${PRODUCT}" "anssi_bp28_high" "anssi") ssg_build_html_cce_table(${PRODUCT}) @@ -32,7 +28,3 @@ ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig") ssg_build_html_stig_tables_per_profile( ${PRODUCT} "stig_gui") #ssg_build_html_stig_tables(${PRODUCT} "ospp") - -#if (SSG_CENTOS_DERIVATIVES_ENABLED) -# ssg_build_derivative_product(${PRODUCT} "centos" "centos8") -#endif() 
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg index b73d5c12..48c5873a 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg @@ -106,7 +106,7 @@ part pv.01 --grow --size=1 volgroup VolGroup --pesize=4096 pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" logvol swap --name=lv_swap --vgname=VolGroup --size=2016 diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg index 33bd9dd2..9d7c70d6 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg @@ -106,7 +106,7 @@ part pv.01 --grow --size=1 volgroup VolGroup --pesize=4096 pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" logvol swap --name=lv_swap --vgname=VolGroup --size=2016 
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml index f289ab6b..53fb28a1 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/product.yml @@ -2,6 +2,7 @@ product: rl8 full_name: Rocky Linux 8 type: platform +benchmark_id: RL-8 benchmark_root: "../../linux_os/guide" profiles_root: "./profiles" diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile index 37ceeff7..30eb9c59 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/e8.profile @@ -37,7 +37,7 @@ selections: - service_squid_disabled ### Software update -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - ensure_gpgcheck_never_disabled - ensure_gpgcheck_local_packages - ensure_gpgcheck_globally_activated diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile index c42e6982..edfba53e 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/hipaa.profile @@ -86,7 +86,7 @@ selections: - sysctl_kernel_randomize_va_space - rpm_verify_hashes - rpm_verify_permissions -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - ensure_gpgcheck_local_packages diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile index 95cdfc4e..2e78dc87 100644 
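Review bot: Re-enabling `ensure_redhat_gpgkey_installed` in the rl8 e8.profile (and likewise in hipaa.profile on this line, and in ospp.profile, pci-dss.profile, rht-ccp.profile and standard.profile below) reintroduces a rule whose name says it verifies Red Hat's package-signing key, which does not sign Rocky Linux packages. Unless the rule's check and remediation were made product-aware for rl8 in 0.1.59, the scan will fail permanently on Rocky hosts or the remediation will import a key unrelated to the configured repositories, which also muddies the signal from the gpgcheck rules selected next to it. If it must stay selected, a one-line comment such as `# ensure_redhat_gpgkey_installed: confirmed product-aware for rl8 in CaC 0.1.59` beside the selection would document why the earlier `#` was dropped.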
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ism_o.profile @@ -52,6 +52,7 @@ selections: ## Identifiers 1418 - package_usbguard_installed - service_usbguard_enabled + - usbguard_allow_hid_and_hub ## Authentication hardening ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560 diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile index 25991d1c..8936c4d5 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/ospp.profile @@ -113,7 +113,7 @@ selections: - accounts_umask_etc_csh_cshrc ### Software update -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages - ensure_gpgcheck_never_disabled @@ -205,7 +205,7 @@ selections: - package_nfs-utils_removed - package_krb5-workstation_removed - package_abrt-addon-kerneloops_removed - - package_abrt-addon-python_removed + - package_python3-abrt-addon_removed - package_abrt-addon-ccpp_removed - package_abrt-plugin-rhtsupport_removed - package_abrt-plugin-logger_removed diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile index b558a8b9..fed33640 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/pci-dss.profile 
@@ -114,7 +114,7 @@ selections: - accounts_password_pam_lcredit - accounts_password_pam_unix_remember - accounts_maximum_age_login_defs -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - security_patches_up_to_date diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile index ed2b7612..15abd98a 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/rht-ccp.profile @@ -33,7 +33,7 @@ selections: - partition_for_var_log_audit - selinux_state - selinux_policytype -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - security_patches_up_to_date - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile index 5905056e..a63ae2cf 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/standard.profile @@ -8,7 +8,7 @@ description: |- all of these checks should pass. selections: -# - ensure_redhat_gpgkey_installed + - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - rpm_verify_permissions - rpm_verify_hashes diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile index 10dbc150..7fb81894 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig.profile 
@@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R3. + DISA STIG for Red Hat Enterprise Linux 8 V1R4. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of @@ -70,6 +70,8 @@ selections: - var_auditd_disk_error_action=halt - var_auditd_max_log_file_action=syslog - var_auditd_disk_full_action=halt + - var_sssd_certificate_verification_digest_function=sha1 + - login_banner_text=dod_banners ### Enable / Configure FIPS - enable_fips_mode @@ -161,8 +163,6 @@ selections: # RHEL-08-010171 - package_policycoreutils_installed - # RHEL-08-010180 - # RHEL-08-010190 - dir_perms_world_writable_sticky_bits @@ -279,6 +279,7 @@ selections: - install_smartcard_packages # RHEL-08-010400 + - sssd_certificate_verification # RHEL-08-010410 - package_opensc_installed @@ -350,7 +351,6 @@ selections: - partition_for_tmp # RHEL-08-010544 - ### NOTE: Will probably show up in V1R3 - Q3 of 21' - partition_for_var_tmp # RHEL-08-010550 @@ -619,6 +619,8 @@ selections: # RHEL-08-020353 - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + - accounts_umask_etc_profile # RHEL-08-030000 - audit_rules_suid_privilege_function @@ -944,7 +946,7 @@ selections: - package_abrt_removed - package_abrt-addon-ccpp_removed - package_abrt-addon-kerneloops_removed - - package_abrt-addon-python_removed + - package_python3-abrt-addon_removed - package_abrt-cli_removed - package_abrt-plugin-logger_removed - package_abrt-plugin-rhtsupport_removed 
@@ -1158,9 +1160,7 @@ selections: - sysctl_net_core_bpf_jit_harden # RHEL-08-040290 - # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation - # there needs to be a new platform check to identify when postfix is installed or not - # - postfix_prevent_unrestricted_relay + - postfix_prevent_unrestricted_relay # RHEL-08-040300 - aide_verify_ext_attributes diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile index 0fdd7556..e1f0f715 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R4. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt index dc73976b..b9400aff 100644 --- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/constants.xslt @@ -8,14 +8,6 @@ rhel8 https://www.cisecurity.org/benchmark/red_hat_linux/ -RHEL-8 - - - - - - - diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch index 3617559a..add2beeb 100644 
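Review bot: The last stig.profile hunk drops the comment explaining why `postfix_prevent_unrestricted_relay` was disabled (remediation errors when /etc/postfix/main.cf is absent on a default install) and selects the rule without saying whether the platform check that comment asked for now exists; if it does not, the STIG remediation will still error on hosts without postfix. Keep a one-line pointer, e.g. `# RHEL-08-040290: enabled once the postfix platform check landed upstream - verify on a minimal install`. In the earlier hunk, `var_sssd_certificate_verification_digest_function=sha1` selects a deprecated digest for certificate verification; it presumably mirrors the V1R4 wording for RHEL-08-010400, but a comment saying so would stop a later reader from treating it as a project choice.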
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8-0.1.57.patch @@ -1,7 +1,7 @@ diff -ruN scap-security-guide-0.1.57/build_product b/build_product --- scap-security-guide-0.1.57/build_product 2021-07-27 10:51:15.000000000 -0400 +++ b/build_product 2021-10-16 14:14:27.167238394 -0400 -@@ -297,6 +297,7 @@ +@@ -299,6 +299,7 @@ OPENSUSE RHEL7 RHEL8 @@ -12,7 +12,7 @@ diff -ruN scap-security-guide-0.1.57/build_product b/build_product diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt --- scap-security-guide-0.1.57/CMakeLists.txt 2021-10-16 13:57:11.850990039 -0400 +++ b/CMakeLists.txt 2021-10-16 14:14:00.232789690 -0400 -@@ -92,6 +92,7 @@ +@@ -97,6 +97,7 @@ option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -20,7 +20,7 @@ diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE) -@@ -287,6 +288,7 @@ +@@ -302,6 +303,7 @@ message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}") message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}") message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}") @@ -28,7 +28,7 @@ diff -ruN scap-security-guide-0.1.57/CMakeLists.txt b/CMakeLists.txt -@@ -409,6 +411,10 @@ +@@ -428,6 +430,10 @@ if (SSG_PRODUCT_WRLINUX1019) add_subdirectory("products/wrlinux1019" "wrlinux1019") endif() 
@@ -70,7 +70,7 @@ diff -ruN scap-security-guide-0.1.57/shared/checks/oval/sysctl_kernel_ipv6_disab diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py --- scap-security-guide-0.1.57/ssg/constants.py 2021-07-27 10:51:15.000000000 -0400 +++ b/ssg/constants.py 2021-10-16 14:14:00.233789707 -0400 -@@ -24,7 +24,8 @@ +@@ -57,7 +57,8 @@ 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'vsel', @@ -80,7 +80,7 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py ] JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname( -@@ -181,6 +182,7 @@ +@@ -224,6 +225,7 @@ "Ubuntu 20.04": "ubuntu2004", "WRLinux 8": "wrlinux8", "WRLinux 1019": "wrlinux1019", @@ -88,16 +88,16 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py } -@@ -195,7 +197,7 @@ - } +@@ -262,7 +264,7 @@ + MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu", -- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"] -+ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", "example"] +- "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", ++ "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rl", + "example", "eks"] MULTI_PLATFORM_MAPPING = { - "multi_platform_debian": ["debian9", "debian10"], -@@ -211,6 +213,7 @@ +@@ -280,6 +282,7 @@ "multi_platform_sle": ["sle12", "sle15"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"], "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"], @@ -105,11 +105,9 @@ diff -ruN scap-security-guide-0.1.57/ssg/constants.py b/ssg/constants.py } RHEL_CENTOS_CPE_MAPPING = { -@@ -376,6 +379,7 @@ - 'ol': 'Oracle Linux', +@@ -447,6 +450,7 @@ 'ocp': 'Red Hat OpenShift Container Platform', 'rhcos': 'Red Hat Enterprise Linux CoreOS', + 'eks': 'Amazon Elastic Kubernetes Service', + 'rl': 'Rocky Linux', } - - 
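Review bot: The hunk headers and context in this patch are being moved to match a newer upstream tree (the `@@ -24,7` to `@@ -57,7` style offset shifts and the new `"example", "eks"` context lines), but the file is still named rocky8-0.1.57.patch and its inner `--- scap-security-guide-0.1.57/...` paths still name the old release, so a reader cannot tell which content tarball it is meant to apply to. Renaming the file to the release it now targets, or at minimum adding a leading comment such as `# rebased against scap-security-guide 0.1.59; the 0.1.57 paths below are historical`, would make the expected base explicit and let a failed `patch --dry-run` be diagnosed quickly. The target release is inferred from the commit subject rather than from anything in the hunk itself.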
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
new file mode 100644
index 00000000..ea8ac38b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt
@@ -0,0 +1,34 @@
+# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rocky8")
+set(DISA_SRG_TYPE "os")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_table_by_ref(${PRODUCT} "nist")
+ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+
+ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+#if (SSG_CENTOS_DERIVATIVES_ENABLED)
+# ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
+#endif()
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh
new file mode 100644
index 00000000..077a6444
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/convert_script.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+sed s/
+
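Review bot: convert_script.sh ends in `sed s/`, which is not a runnable command: sed rejects `s/` as an unterminated substitution and exits non-zero, and no expression or input files are given, so the script converts nothing. If it is a placeholder it should fail loudly and say so — `set -eu` at the top and `echo 'convert_script.sh: not implemented' >&2; exit 1` in place of the sed line — rather than shipping a silently broken helper in the rocky8 product directory. If it is meant to rewrite the rhel8-named kickstart files for rocky8, the substitution and the target paths need to be spelled out so the conversion is reproducible.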
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
new file mode 100644
index 00000000..cf2f392a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -0,0 +1,176 @@ +# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8 +# Version: 0.0.1 +# Date: 2020-12-10 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 --fsoptions="noauto" +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow +# Ensure /usr Located On Separate Partition +logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" +# Ensure /opt Located On Separate Partition +logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /srv Located On Separate Partition +logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs 
--name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. 
The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg new file mode 100644 index 00000000..bf3804b3 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cis-ks.cfg 
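Review bot: The `bootloader --location=mbr --append="..." --password=$6$zCPa...` line passes a SHA-512 crypt hash without `--iscrypted`, unlike the `rootpw --iscrypted` and `user ... --iscrypted` lines above it; per the pykickstart bootloader docs `--password` is taken as plaintext unless `--iscrypted` is given, so the literal hash string becomes the GRUB password and the comment `# Plaintext password is: password` does not describe what gets installed. Adding the flag (`bootloader --location=mbr --append="..." --iscrypted --password=$6$...`) fixes it; the same omission appears in the cis and e8 kickstarts added by this commit. Separately, all three credentials are the upstream sample hashes whose plaintexts are printed in the comments (`server`, `admin123`, `password`), and the `%addon org_fedora_oscap` hardening does not change them, so a top-of-file warning that they must be regenerated (e.g. with `openssl passwd -6`) before this file is used for a real install would be appropriate.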
@@ -0,0 +1,146 @@ +# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 8 Server +# Version: 0.0.1 +# Date: 2020-03-30 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 +logvol swap --name=lv_swap 
--vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg new file mode 100644 index 00000000..6e0f83eb --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-cui-ks.cfg 
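Review bot: This kickstart boots with `--append="crashkernel=auto rhgb quiet"` while the anssi and cui kickstarts in the same commit pass `audit=1 audit_backlog_limit=8192 ...`; CIS expects auditing of processes that start before auditd, which `audit=1` provides, and the `cis` profile selected in the `%addon` block presumably carries the corresponding grub2 argument rules. Post-install remediation will likely add the arguments to the GRUB configuration, but the installed system's first boot then runs without them and the file diverges from its sibling kickstarts for no stated reason. Setting `--append="crashkernel=auto audit=1 audit_backlog_limit=8192"` here would make the file self-consistent with the others; `rhgb quiet` can stay if the graphical boot is wanted.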
@@ -0,0 +1,167 @@ +# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap 
--vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. 
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cui +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg new file mode 100644 index 00000000..591d3026 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-e8-ks.cfg 
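Review bot: The `bootloader --location=mbr --append="audit=1 ..."` line sets no `--password`, although the comment directly above it still refers the reader to the rootpw docs for creating an encrypted password, and the anssi kickstart in the same commit does pass one. If the `cui` profile applied in the `%addon` block selects the grub2 password rule (as CUI/OSPP-derived profiles commonly do), the host leaves the installer with an unprotected bootloader until remediation runs, and anyone with console access can edit kernel arguments on the first boot. Either add `--iscrypted --password=<hash>` here in line with the other kickstarts, or remove the dangling comment and note why the omission is deliberate.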
@@ -0,0 +1,125 @@ +# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server +# Version: 0.0.1 +# Date: 2019-11-13 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# Harden installation with Essential Eight profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg new file mode 100644 index 00000000..dc4a44c8 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-hipaa-ks.cfg 
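Review bot: `network --onboot yes --device eth0 --bootproto dhcp --noipv6` pins the interface to a legacy name; on a RHEL 8 / Rocky 8 installer with predictable interface naming the first NIC is normally `enp…`/`ens…`, so this command may match no device and the installer is left with whatever it activated on its own (with a `url` source that can mean no network at all). The anssi and cui kickstarts in this commit omit `--device` and let anaconda choose; doing the same here — `network --onboot yes --bootproto dhcp --noipv6` — or using `--device=link` would make the file work on hardware whose interface name it did not copy. This is inferred from the platform's interface-naming defaults, not from anything in the hunk.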
@@ -0,0 +1,125 @@ +# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server +# Version: 0.0.1 +# Date: 2020-05-25 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +autopart + +# Harden installation with HIPAA profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_hipaa +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg new file mode 100644 index 00000000..119e9836 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-ospp-ks.cfg 
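Review bot: The `rootpw`, `user --name=admin` and `bootloader --password` lines in this hunk carry hashes whose plaintexts are spelled out in the comments directly above them (`server`, `admin123`, `password`), and the same hashes recur in the other kickstarts of this commit, so any host installed from an unmodified copy boots with publicly known root, wheel-member and GRUB credentials. This is inherited from the upstream SSG kickstarts, but the Rocky copy should warn where it will be read: above `rootpw` add `# WARNING: every hash in this file is for a publicly documented password; regenerate all of them (e.g. python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))') before installing a real system`. The header still calls this a kickstart for Red Hat Enterprise Linux 8 although the file lives under `files/rocky8/`; either retitle it or state that it is a verbatim copy of the RHEL 8 file.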
@@ -0,0 +1,167 @@ +# SCAP Security Guide OSPP profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap 
--vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. 
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ospp +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg new file mode 100644 index 00000000..21a50f52 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-pci-dss-ks.cfg 
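Review bot: `authconfig --enableshadow --passalgo=sha512` is the pre-RHEL 8 form of the authentication command; on RHEL 8 / Rocky 8 pykickstart treats `authconfig` as deprecated in favour of `authselect`, and the HIPAA kickstart in this same commit already uses `authselect select sssd`, so the two files configure authentication through different mechanisms. Unless the legacy wrapper is needed, change the line to `authselect select sssd` and repoint the comment at the authselect-profile manual page. The `bootloader` line sets no `--password` even though the comment above it explains how to generate one; if the OSPP profile selects a GRUB password rule (not visible in this hunk) the post-install scan will fail there, so either add `--password=<site-specific SHA-512 hash>` or drop the misleading comment. The `install` command at the top is likewise deprecated in RHEL 8 kickstart syntax and can be removed.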
@@ -0,0 +1,157 @@ +# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +# +# PASSWORD TEMPORARILY DISABLED +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" +#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow +# CCE-26557-9: Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26435-8: Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# CCE-26639-5: Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" +# CCE-26215-4: Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# CCE-26436-6: Ensure 
/var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. 
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. +# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_pci-dss +%end + +# Packages selection (%packages section is required) +%packages +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg new file mode 100644 index 00000000..a3e5e5fe --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/kickstart/ssg-rhel8-stig-ks.cfg 
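Review bot: The active `bootloader` line has had its `--password` removed under a `# PASSWORD TEMPORARILY DISABLED` marker, and the commented-out alternative still carries the hash whose plaintext the comment above gives as `password`, so the installed system ends up with an unprotected GRUB menu and a known hash left in the kickstart for whoever re-enables it. Either restore `--password=` with a freshly generated hash or replace the marker with a comment that records why it is omitted and what must happen before production use, e.g. `# GRUB password intentionally unset: set --password to a site-specific SHA-512 hash before deploying`. Two other differences from the sibling kickstarts deserve a confirming comment: the `%packages` section selects nothing (no `@Base`), and no non-root `user` is created, so if the PCI-DSS profile restricts root login the console becomes the only access path. `authconfig` is the deprecated pre-RHEL 8 command here as well; `authselect select sssd`, as used in the HIPAA kickstart of this commit, is the RHEL 8 form.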
@@ -0,0 +1,167 @@ +# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --bootproto dhcp + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. +# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Refer to e.g. 
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw +# to see how to create encrypted password form for different plaintext password +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol swap --name=swap 
--vgname=VolGroup --size=2016 + +# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) +# content - security policies - on the installed system.This add-on has been enabled by default +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# functionality will automatically be installed. However, by default, no policies are enforced, +# meaning that no checks are performed during or after installation unless specifically configured. +# +# Important +# Applying a security policy is not necessary on all systems. This screen should only be used +# when a specific policy is mandated by your organization rules or government regulations. +# Unlike most other commands, this add-on does not accept regular options, but uses key-value +# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. +# Values can be optionally enclosed in single quotes (') or double quotes ("). +# +# The following keys are recognized by the add-on: +# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. +# - If the content-type is scap-security-guide, the add-on will use content provided by the +# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. +# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. +# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. +# xccdf-id - ID of the benchmark you want to use. +# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. +# profile - ID of the profile to be applied. Use default to apply the default profile. 
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. +# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. +# +# The following is an example %addon org_fedora_oscap section which uses content from the +# scap-security-guide on the installation media: +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_stig +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml new file mode 100644 index 00000000..7c89f520 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/overlays/srg_support.xml @@ -0,0 +1,173 @@ + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml new file mode 100644 index 00000000..b0bfc444 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/product.yml 
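Review bot: The `bootloader --location=mbr --append=...` line sets neither `--password` nor `fips=1`, while the comment directly above it describes how to produce an encrypted bootloader password; a STIG-hardened install is generally expected to have a GRUB superuser password and FIPS mode, and the FIPS kernel argument is normally supplied at installation time so that keys and hashes created during install are already FIPS-compliant. If `stig.profile` selects the GRUB password and FIPS rules (not visible in this hunk), add `--password=<site-specific SHA-512 hash>` and `fips=1` to the `--append` string, or document in the comment why both are deferred to post-install configuration. `authconfig --enableshadow --passalgo=sha512` is the deprecated pre-RHEL 8 command; the HIPAA kickstart in this commit uses `authselect select sssd`, which is the RHEL 8 equivalent and should be used consistently.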
@@ -0,0 +1,32 @@ +product: rocky8 +full_name: Rocky Linux 8 +type: platform + +benchmark_root: "../linux_os/guide" + +profiles_root: "./profiles" + +pkg_manager: "yum" + +init_system: "systemd" + +# The fingerprints below are retrieved from https://access.redhat.com/security/team/key +pkg_release: "PKG_RELASE" +pkg_version: "PKG_VERSION" +aux_pkg_release: "AUX_PKG_RELEASE" +aux_pkg_version: "AUX_PKG_VERSION" + +release_key_fingerprint: "RELEASE_KEY_FINGERPRINT" +auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT" +oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml" + +cpes_root: "../shared/applicability" +cpes: + - rhel8: + name: "cpe:/o:rocky:rocky_linux:8" + title: "Rocky Linux 8" + check_id: installed_OS_is_rocky8 + +# Mapping of CPE platform to package +platform_package_overrides: + login_defs: "shadow-utils" diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile new file mode 100644 index 00000000..e7e2f287 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_enhanced.profile 
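Review bot: `release_key_fingerprint`, `auxiliary_key_fingerprint` and the `pkg_*` fields are literal placeholders (`RELEASE_KEY_FINGERPRINT`, `PKG_RELASE` — note the typo), yet the comment above them says the values come from Red Hat's signing-key page, so any rule that verifies the installed RPM-GPG key against these values will either compare against a placeholder or, if someone fills in the Red Hat fingerprints, check for the wrong vendor's key on a Rocky host. If `convert_script.sh` from this commit substitutes them at build time, say so here (`# Placeholders below are filled by convert_script.sh with the Rocky Linux 8 signing-key fingerprints`); otherwise set Rocky's published fingerprints directly. `oval_feed_url` still points at Red Hat's RHSA OVAL feed for RHEL 8, which describes Red Hat errata rather than Rocky builds, so any rule that compares installed packages against that feed will report against the wrong vendor; confirm this is intended or point it at Rocky's feed. The `cpes` entry keeps the `rhel8` key with a Rocky CPE name, which is reasonable for reusing platform-gated rules but deserves a one-line comment stating that the key is kept deliberately.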
@@ -0,0 +1,59 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (enhanced)'
+
+description:
+ ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_intermediary
+
+selections:
+ # Principle of least privilege
+
+ # Network services partitioning
+
+ # Logging of service activity
+
+ # Access Restrictions on /boot directory
+ - file_permissions_systemmap
+
+ # Hardened package repositories
+
+ # Boot loader password
+ - grub2_password
+ - grub2_uefi_password
+
+ # Installation of secret or trusted elements
+
+ # Disabling the loading of kernel modules
+ # kernel.modules_disabled = 1
+
+ # Yama module sysctl configuration
+ - sysctl_kernel_yama_ptrace_scope
+
+ # Uniqueness and exclusivity of system service accounts
+
+ # User session timeout
+ - accounts_tmout
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_keepalive
+
+ # umask value
+ - var_accounts_user_umask=077
+ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+
+ # Executable setuid root
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
+
+ # Logging activity by auditd
+
+ # Restricting access of deployed services
+
+ # Virtualization components hardening
+
+ # Limiting the number of commands requiring the use of the EXEC option
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
new file mode 100644
index 00000000..ccad93d6
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_high.profile
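Review bot: Most of the section headings under `selections:` (Principle of least privilege, Network services partitioning, Logging of service activity, Hardened package repositories, Installation of secret or trusted elements, and so on) carry no rule and no explanation, so a reader cannot tell whether the ANSSI recommendation is unimplemented, deliberately out of scope, or already covered by the profile this one extends. The cis.profile in this same patch marks such gaps with `# NEEDS RULE - <issue>`; using the same convention here, e.g. `# NEEDS RULE - no rule covers this recommendation yet`, would make the coverage gaps explicit for anyone auditing the profile. The same applies to the empty headings in anssi_bp28_high, anssi_bp28_intermediary and anssi_bp28_minimal. Also, `sshd_set_keepalive` is selected without pinning its count value while the idle timeout is pinned via `sshd_idle_timeout_value=5_minutes`; if the rule's default differs from what ANSSI expects, the corresponding value selection should be pinned next to it.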
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (high)'
+
+description:
+ ANSSI BP-028 compliance at the high level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_enhanced
+
+selections:
+ # Using access control features
+ - selinux_state
+ - var_selinux_state=enforcing
+
+ # IOMMU Configuration Guidelines
+
+ # Partitioning the syslog service by container
+
+ # Sealing and integrity of files
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - aide_scan_notification
+ - aide_verify_acls
+ - aide_verify_ext_attributes
+
+ # Enabling SELinux Targeted Policy
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
+
+ # Setting SELinux booleans
+ - sebool_selinuxuser_execheap
+ - sebool_cups_execmem
+ - sebool_httpd_execmem
+ - sebool_boinc_execmem
+ - sebool_xserver_execmem
+ - sebool_deny_execmem
+ - sebool_cluster_use_execmem
+ - sebool_glance_use_execmem
+ - sebool_virt_use_execmem
+ - sebool_selinuxuser_execstack
+ - sebool_secure_mode_insmod
+ - sebool_ssh_sysadm_login
+
+ # Uninstalling SELinux Policy Debugging Tools
+ - package_setroubleshoot_removed
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
new file mode 100644
index 00000000..638e60e0
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_intermediary.profile
@@ -0,0 +1,144 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (intermediary)'
+
+description:
+ ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d''information. Based on
+ https://www.ssi.gouv.fr/.
+
+extends: anssi_bp28_minimal
+
+selections:
+ # Minimization of configuration
+
+ # 32 and 64 bit architecture
+
+ # Partitioning type
+ - partition_for_tmp
+ - mount_option_tmp_nosuid
+ - mount_option_tmp_nodev
+ - mount_option_tmp_noexec
+ - partition_for_home
+ - mount_option_home_nosuid
+ - mount_option_home_nodev
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_tmp
+ - mount_option_var_tmp_nosuid
+ - mount_option_var_tmp_nodev
+ - mount_option_var_tmp_noexec
+
+ # Installation of packages reduced to the bare necessities
+
+ # Accountability of administration
+ - no_direct_root_logins
+ - sshd_disable_root_login
+
+ # Hardening and monitoring of services subject to arbitrary flows
+
+ # Setting up network sysctl
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_all_log_martians
+ # net.ipv4.tcp_rfc1337 = 1
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ # net.ipv4.ip_local_port_ranges = 32768 65535
+ - sysctl_net_ipv4_tcp_syncookies
+ # net.ipv6.conf.all.router_solicitations = 0
+ # net.ipv6.conf.default.router_solicitations = 0
+ # net.ipv6.conf.all.accept_ra_rtr_pref = 0
+ # net.ipv6.conf.default.accept_ra_rtr_pref = 0
+ # net.ipv6.conf.all.accept_ra_pinfo = 0
+ # net.ipv6.conf.default.accept_ra_pinfo = 0
+ # net.ipv6.conf.all.accept_ra_defrtr = 0
+ # net.ipv6.conf.default.accept_ra_defrtr = 0
+ # net.ipv6.conf.all.autoconf = 0
+ # net.ipv6.conf.default.autoconf = 0
+ # net.ipv6.conf.all_accept_redirects = 0
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ # net.ipv6.conf.all.max_addresses = 1
+ # net.ipv6.conf.default.max_addresses = 1
+
+ # Setting system sysctl
+ - sysctl_fs_suid_dumpable
+ - sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_hardlinks
+ - sysctl_kernel_randomize_va_space
+ # vm.mmap_min_addr = 65536
+ # kernel.pid_max = 65536
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid
+ # kernel.perf_event_paranoid = 2
+ # kernel.perf_event_max_sample_rate = 1
+ # kernel.perf_cpu_time_max_percent = 1
+
+ # Disabling service accounts
+
+ # Securing PAM Authentication Network Services
+
+ # Securing access to remote user databases
+
+ # Rights to access sensitive content files
+ # Sensitive content files should only be readable by users with strict need to know.
+ - file_owner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+ - file_permissions_etc_passwd
+ - file_permissions_etc_group
+
+ # Temporary directories dedicated to accounts
+
+ # Sticky bit and write access rights
+
+ # All writable directories must have all the sticky bit armed.
+
+
+ # Securing access for named sockets and pipes
+
+ # Hardening and configuring the syslog
+ - rsyslog_files_ownership
+ - rsyslog_files_groupownership
+ - rsyslog_files_permissions
+ - ensure_logrotate_activated
+ - rsyslog_remote_loghost
+
+ # Partitioning the syslog service by chroot
+
+ # Service Activity Logs
+
+ # Dedicated partition for logs
+
+ # Configuring the local messaging service
+
+ # Messaging Aliases for Service Accounts
+
+ # chroot jail and access right for partitioned service
+
+ # Enablement and usage of chroot by a service
+
+ # Group dedicated to the use of sudo
+
+ # Sudo configuration guidelines
+
+ # Privileges of target sudo users
+
+ # Good use of negation in a sudoers file
+
+ # Explicit arguments in sudo specifications
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
new file mode 100644
index 00000000..45cbba8f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/anssi_bp28_minimal.profile
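Review bot: The description writes `d''information` (doubled apostrophe) whereas the minimal, enhanced and high profiles in this patch write `d'information`; because `description:` here is a plain block scalar and not a single-quoted string, the doubled quote is not an escape and would appear literally in the rendered guide, so it should be `d'information`. The heading `# All writable directories must have all the sticky bit armed.` has no rule under it, yet the cis.profile in this same patch selects `dir_perms_world_writable_sticky_bits` for exactly that requirement; adding `- dir_perms_world_writable_sticky_bits` here would close that gap. `rsyslog_remote_loghost` is selected without a value selection for the remote host, so the check would presumably compare against the rule's default; worth confirming that is intended rather than leaving the requirement effectively unenforced. The two consecutive blank lines before `# Securing access for named sockets and pipes` are a minor style nit.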
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+title: 'ANSSI BP-028 (minimal)'
+
+description:
+ ANSSI BP-028 compliance at the minimal level. ANSSI stands for
+ Agence nationale de la sécurité des systèmes d'information. Based on
+ https://www.ssi.gouv.fr/.
+
+selections:
+ # Minimization of installed services
+ - package_dhcp_removed
+ - package_sendmail_removed
+ - package_telnetd_removed
+
+ # In-depth defense principle
+ - sudo_remove_no_authenticate
+
+ # * centralized logging of events at the systems and services level
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+
+ # Regular updates
+ - security_patches_up_to_date
+
+ # Package repositories selection
+ # Only up-to-date official repositories of the distribution must be used.
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+
+ # Administrator password robustness
+
+ # Applications using PAM
+
+ # Protecting stored passwords
+ # In the file /etc/login.defs:
+ # ENCRYPT_METHOD SHA512
+ - set_password_hashing_algorithm_logindefs
+ # SHA_CRYPT_MIN_ROUNDS 65536
+
+ # Executables with setuid and/or setgid bits
+
+ # In memory services and daemons
+
+ # User authentication running sudo
+ - sudo_remove_nopasswd
+
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile
new file mode 100644
index 00000000..9ceeb74f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cis.profile
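Review bot: `ensure_redhat_gpgkey_installed` under "Package repositories selection" is only as strong as the key fingerprints it compares against, and in the product.yml added by this same patch those are still the placeholders `RELEASE_KEY_FINGERPRINT` / `AUXILIARY_KEY_FINGERPRINT`; until they are substituted with the Rocky Linux signing-key fingerprints the rule presumably either always fails or verifies nothing, while the gpgcheck rules next to it still pass. A comment here such as `# key fingerprints come from product.yml; the placeholders must be replaced with the Rocky signing keys before build` would make that dependency visible to whoever builds the content. Likewise `# SHA_CRYPT_MIN_ROUNDS 65536` under "Protecting stored passwords" is a bare comment with no rule or gap marker, so it reads as implemented when only `set_password_hashing_algorithm_logindefs` is actually selected.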
@@ -0,0 +1,1089 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + SMEs: + - vojtapolasek + - yuumasato + +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +title: 'CIS Red Hat Enterprise Linux 8 Benchmark' + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + +selections: + # Necessary for dconf rules + - dconf_db_up_to_date + + ### Partitioning + - mount_option_home_nodev + + ## 1.1 Filesystem Configuration + + ### 1.1.1 Disable unused filesystems + + #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) + - kernel_module_cramfs_disabled + + #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored) + - kernel_module_vfat_disabled + + #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) + - kernel_module_squashfs_disabled + + #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) + - kernel_module_udf_disabled + + ### 1.1.2 Ensure /tmp is configured (Scored) + - partition_for_tmp + + ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) + - mount_option_tmp_nodev + + ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) + - mount_option_tmp_nosuid + + ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) + - mount_option_tmp_noexec + + ### 1.1.6 Ensure separate partition exists for /var (Scored) + - partition_for_var + + ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) + - partition_for_var_tmp + + ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) + - mount_option_var_tmp_nodev + + ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) + - mount_option_var_tmp_nosuid + + ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) + - mount_option_var_tmp_noexec + + ### 1.1.11 
Ensure separate partition exists for /var/log (Scored) + - partition_for_var_log + + ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) + - partition_for_var_log_audit + + ### 1.1.13 Ensure separate partition exists for /home (Scored) + - partition_for_home + + ### 1.1.14 Ensure nodev option set on /home partition (Scored) + - mount_option_home_nodev + + ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) + - mount_option_dev_shm_nodev + + ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) + - mount_option_dev_shm_nosuid + + ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) + - mount_option_dev_shm_noexec + + ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) + - mount_option_nodev_removable_partitions + + ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) + - mount_option_nosuid_removable_partitions + + ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) + - mount_option_noexec_removable_partitions + + ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) + - dir_perms_world_writable_sticky_bits + + ### 1.1.22 Disable Automounting (Scored) + - service_autofs_disabled + + ### 1.1.23 Disable USB Storage (Scored) + - kernel_module_usb-storage_disabled + + ## 1.2 Configure Software Updates + + ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218 + + ### 1.2.2 Disable the rhnsd Daemon (Not Scored) + - service_rhnsd_disabled + + ### 1.2.3 Ensure GPG keys are configured (Not Scored) + - ensure_redhat_gpgkey_installed + + ### 1.2.4 Ensure gpgcheck is globally activated (Scored) + - ensure_gpgcheck_globally_activated + + ### 1.2.5 Ensure package manager repositories are configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 + + ## 1.3 Configure sudo + + ### 
1.3.1 Ensure sudo is installed (Scored) + - package_sudo_installed + + ### 1.3.2 Ensure sudo commands use pty (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220 + + ### 1.3.3 Ensure sudo log file exists (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221 + + ## 1.4 Filesystem Integrity Checking + + ### 1.4.1 Ensure AIDE is installed (Scored) + - package_aide_installed + + ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) + - aide_periodic_cron_checking + + ## Secure Boot Settings + + ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) + #### chown root:root /boot/grub2/grub.cfg + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + + #### chmod og-rwx /boot/grub2/grub.cfg + - file_permissions_grub2_cfg + + #### chown root:root /boot/grub2/grubenv + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 + + #### chmod og-rwx /boot/grub2/grubenv + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 + + ### 1.5.2 Ensure bootloader password is set (Scored) + - grub2_password + + ### 1.5.3 Ensure authentication required for single user mode (Scored) + #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + - require_singleuser_auth + + #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + - require_emergency_target_auth + + ## 1.6 Additional Process Hardening + + ### 1.6.1 Ensure core dumps are restricted (Scored) + #### * hard core 0 + - disable_users_coredumps + + #### fs.suid_dumpable = 0 + - sysctl_fs_suid_dumpable + + #### ProcessSizeMax=0 + - coredump_disable_backtraces + + #### Storage=none + - coredump_disable_storage + + ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled + - sysctl_kernel_randomize_va_space + + ## 1.7 Mandatory Access Control + + ### 1.7.1 Configure SELinux + + #### 1.7.1.1 Ensure SELinux is installed (Scored) + - package_libselinux_installed + + #### 1.7.1.2 Ensure 
SELinux is not disabled in bootloader configuration (Scored) + - grub2_enable_selinux + + #### 1.7.1.3 Ensure SELinux policy is configured (Scored) + - var_selinux_policy_name=targeted + - selinux_policytype + + #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) + - var_selinux_state=enforcing + - selinux_state + + #### 1.7.1.5 Ensure no unconfied services exist (Scored) + - selinux_confinement_of_daemons + + #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) + - package_setroubleshoot_removed + + #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) + - package_mcstrans_removed + + ## Warning Banners + + ### 1.8.1 Command Line Warning Baners + + #### 1.8.1.1 Ensure message of the day is configured properly (Scored) + - banner_etc_motd + + #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) + - banner_etc_issue + + #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 + + #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) + # chmod u-x,go-wx /etc/motd + - file_permissions_etc_motd + + #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) + # chmod u-x,go-wx /etc/issue + - file_permissions_etc_issue + + #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) + # Previously addressed via 'rpm_verify_permissions' rule + + ### 1.8.2 Ensure GDM login banner is configured (Scored) + #### banner-message-enable=true + - dconf_gnome_banner_enabled + + #### banner-message-text='' + - dconf_gnome_login_banner_text + + ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) + - security_patches_up_to_date + + ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) + #- var_system_crypto_policy + - configure_crypto_policy + + ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) + # Previously 
addressed via 'configure_crypto_policy' rule + + # Services + + ## 2.1 inetd Services + + ### 2.1.1 Ensure xinetd is not installed (Scored) + - package_xinetd_removed + + ## 2.2 Special Purpose Services + + ### 2.2.1 Time Synchronization + + #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) + - package_chrony_installed + + #### 2.2.1.2 Ensure chrony is configured (Scored) + - service_chronyd_enabled + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user + + ### 2.2.2 Ensure X Window System is not installed (Scored) + - package_xorg-x11-server-common_removed + - xwindows_runlevel_target + + ### 2.2.3 Ensure rsync service is not enabled (Scored) + - service_rsyncd_disabled + + ### 2.2.4 Ensure Avahi Server is not enabled (Scored) + - service_avahi-daemon_disabled + + ### 2.2.5 Ensure SNMP Server is not enabled (Scored) + - service_snmpd_disabled + + ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) + - package_squid_removed + + ### 2.2.7 Ensure Samba is not enabled (Scored) + - service_smb_disabled + + ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) + - service_dovecot_disabled + + ### 2.2.9 Ensure HTTP server is not enabled (Scored) + - service_httpd_disabled + + ### 2.2.10 Ensure FTP Server is not enabled (Scored) + - service_vsftpd_disabled + + ### 2.2.11 Ensure DNS Server is not enabled (Scored) + - service_named_disabled + + ### 2.2.12 Ensure NFS is not enabled (Scored) + - service_nfs_disabled + + ### 2.2.13 Ensure RPC is not enabled (Scored) + - service_rpcbind_disabled + + ### 2.2.14 Ensure LDAP service is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 + + ### 2.2.15 Ensure DHCP Server is not enabled (Scored) + - service_dhcpd_disabled + + ### 2.2.16 Ensure CUPS is not enabled (Scored) + - service_cups_disabled + + ### 2.2.17 Ensure NIS Server is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 + + ### 2.2.18 Ensure mail 
transfer agent is configured for + ### local-only mode (Scored) + - postfix_network_listening_disabled + + ## 2.3 Service Clients + + ### 2.3.1 Ensure NIS Client is not installed (Scored) + - package_ypbind_removed + + ### 2.3.2 Ensure telnet client is not installed (Scored) + - package_telnet_removed + + ### Ensure LDAP client is not installed + - package_openldap-clients_removed + + # 3 Network Configuration + + ## 3.1 Network Parameters (Host Only) + + ### 3.1.1 Ensure IP forwarding is disabled (Scored) + #### net.ipv4.ip_forward = 0 + - sysctl_net_ipv4_ip_forward + + #### net.ipv6.conf.all.forwarding = 0 + - sysctl_net_ipv6_conf_all_forwarding + + ### 3.1.2 Ensure packet redirect sending is disabled (Scored) + #### net.ipv4.conf.all.send_redirects = 0 + - sysctl_net_ipv4_conf_all_send_redirects + + #### net.ipv4.conf.default.send_redirects = 0 + - sysctl_net_ipv4_conf_default_send_redirects + + ## 3.2 Network Parameters (Host and Router) + + ### 3.2.1 Ensure source routed packets are not accepted (Scored) + #### net.ipv4.conf.all.accept_source_route = 0 + - sysctl_net_ipv4_conf_all_accept_source_route + + #### net.ipv4.conf.default.accept_source_route = 0 + - sysctl_net_ipv4_conf_default_accept_source_route + + #### net.ipv6.conf.all.accept_source_route = 0 + - sysctl_net_ipv6_conf_all_accept_source_route + + #### net.ipv6.conf.default.accept_source_route = 0 + - sysctl_net_ipv6_conf_default_accept_source_route + + ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) + #### net.ipv4.conf.all.accept_redirects = 0 + - sysctl_net_ipv4_conf_all_accept_redirects + + #### net.ipv4.conf.default.accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + + #### net.ipv6.conf.all.accept_redirects = 0 + - sysctl_net_ipv6_conf_all_accept_redirects + + #### net.ipv6.conf.defaults.accept_redirects = 0 + - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) + #### net.ipv4.conf.all.secure_redirects 
= 0 + - sysctl_net_ipv4_conf_all_secure_redirects + + #### net.ipv4.cof.default.secure_redirects = 0 + - sysctl_net_ipv4_conf_default_secure_redirects + + ### 3.2.4 Ensure suspicious packets are logged (Scored) + #### net.ipv4.conf.all.log_martians = 1 + - sysctl_net_ipv4_conf_all_log_martians + + #### net.ipv4.conf.default.log_martians = 1 + - sysctl_net_ipv4_conf_default_log_martians + + ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + + ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + + ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) + #### net.ipv4.conf.all.rp_filter = 1 + - sysctl_net_ipv4_conf_all_rp_filter + + #### net.ipv4.conf.default.rp_filter = 1 + - sysctl_net_ipv4_conf_default_rp_filter + + ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) + - sysctl_net_ipv4_tcp_syncookies + + ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) + #### net.ipv6.conf.all.accept_ra = 0 + - sysctl_net_ipv6_conf_all_accept_ra + + #### net.ipv6.conf.default.accept_ra = 0 + - sysctl_net_ipv6_conf_default_accept_ra + + ## 3.3 Uncommon Network Protocols + + ### 3.3.1 Ensure DCCP is disabled (Scored) + - kernel_module_dccp_disabled + + ### Ensure SCTP is disabled (Scored) + - kernel_module_sctp_disabled + + ### 3.3.3 Ensure RDS is disabled (Scored) + - kernel_module_rds_disabled + + ### 3.3.4 Ensure TIPC is disabled (Scored) + - kernel_module_tipc_disabled + + ## 3.4 Firewall Configuration + + ### 3.4.1 Ensure Firewall software is installed + + #### 3.4.1.1 Ensure a Firewall package is installed (Scored) + ##### firewalld + - package_firewalld_installed + + ##### nftables + #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 + + ##### iptables + #- package_iptables_installed + + ### 3.4.2 Configure firewalld + + #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) + - 
service_firewalld_enabled + + #### 3.4.2.2 Ensure iptables is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 + + #### 3.4.2.3 Ensure nftables is not enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 + + #### 3.4.2.4 Ensure default zone is set (Scored) + - set_firewalld_default_zone + + #### 3.4.2.5 Ensure network interfaces are assigned to + #### appropriate zone (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 + + #### 3.4.2.6 Ensure unnecessary services and ports are not + #### accepted (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 + + ### 3.4.3 Configure nftables + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 + + #### 3.4.3.1 Ensure iptables are flushed (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 + + #### 3.4.3.2 Ensure a table exists (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 + + #### 3.4.3.3 Ensure base chains exist (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245 + + #### 3.4.3.4 Ensure loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 + + #### 3.4.3.5 Ensure outbound and established connections are + #### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 + + #### 3.4.3.6 Ensure default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 + + #### 3.4.3.7 Ensure nftables service is enabled (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 + + #### 3.4.3.8 Ensure nftables rules are permanent (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250 + + ### 3.4.4 Configure iptables + + #### 3.4.4.1 Configure IPv4 iptables + # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5251 + + ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252 + + ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 + + ##### 3.4.4.1.3 Ensure outbound and established connections are + ##### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 + + ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 + + #### 3.4.4.2 Configure IPv6 ip6tables + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 + + ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 + + ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 + + ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are + ##### configured (Not Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 + + ## 3.5 Ensure wireless interfaces are disabled (Scored) + - wireless_disable_interfaces + + ## 3.6 Disable IPv6 (Not Scored) + - kernel_module_ipv6_option_disabled + + # Logging and Auditing + + ## 4.1 Configure System Accounting (auditd) + + ### 4.1.1 Ensure auditing is enabled + + #### 4.1.1.1 Ensure auditd is installed (Scored) + - package_audit_installed + + #### 4.1.1.2 Ensure auditd service is enabled (Scored) + - service_auditd_enabled + + #### 4.1.1.3 Ensure auditing for processes that start prior to audit + #### is enabled (Scored) + - grub2_audit_argument + + #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) + - grub2_audit_backlog_limit_argument + + ### 4.1.2 Configure Data Retention + + #### 4.1.2.1 Ensure audit log storage 
size is configured (Scored) + - auditd_data_retention_max_log_file + + #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) + - auditd_data_retention_max_log_file_action + + #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) + - var_auditd_space_left_action=email + - auditd_data_retention_space_left_action + + ##### action_mail_acct = root + - var_auditd_action_mail_acct=root + - auditd_data_retention_action_mail_acct + + ##### admin_space_left_action = halt + - var_auditd_admin_space_left_action=halt + - auditd_data_retention_admin_space_left_action + + ### 4.1.3 Ensure changes to system administration scope + ### (sudoers) is collected (Scored) + - audit_rules_sysadmin_actions + + ### 4.1.4 Ensure login and logout events are collected (Scored) + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + + ### 4.1.5 Ensure session initiation information is collected (Scored) + - audit_rules_session_events + + ### 4.1.6 Ensure events that modify date and time information + ### are collected (Scored) + #### adjtimex + - audit_rules_time_adjtimex + + #### settimeofday + - audit_rules_time_settimeofday + + #### stime + - audit_rules_time_stime + + #### clock_settime + - audit_rules_time_clock_settime + + #### -w /etc/localtime -p wa + - audit_rules_time_watch_localtime + + ### 4.1.7 Ensure events that modify the system's Mandatory + ### Access Control are collected (Scored) + #### -w /etc/selinux/ -p wa + - audit_rules_mac_modification + + #### -w /usr/share/selinux/ -p wa + # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 + + ### 4.1.8 Ensure events that modify the system's network + ### enironment are collected (Scored) + - audit_rules_networkconfig_modification + + ### 4.1.9 Ensure discretionary access control permission modification + ### events are collected (Scored) + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + 
- audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_fremovexattr
+
+ ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+ ### collected (Scored)
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ # Opinionated selection
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+
+ ### 4.1.11 Ensure events that modify user/group information are
+ ### collected (Scored)
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_opasswd
+
+ ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+ - audit_rules_media_export
+
+ ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+ - audit_rules_privileged_commands
+
+ ### 4.1.14 Ensure file deletion events by users are collected
+ ### (Scored)
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ # Opinionated selection
+ - audit_rules_file_deletion_events_rmdir
+
+ ### 4.1.15 Ensure kernel module loading and unloading is collected
+ ### (Scored)
+ - audit_rules_kernel_module_loading
+
+ ### 4.1.16 Ensure system administrator actions (sudolog) are
+ ### collected (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+
+ ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+ - audit_rules_immutable
+
+ ## 4.2 Configure Logging
+
+ ### 4.2.1 Configure rsyslog
+
+ #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+ - package_rsyslog_installed
+
+ #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+ - service_rsyslog_enabled
+
+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+ - rsyslog_files_permissions
+
+ #### 4.2.1.4 Ensure logging is configured (Not Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+
+ #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+ #### log host (Scored)
+ - rsyslog_remote_loghost
+
+ #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+ #### designated log hosts (Not Scored)
+ - rsyslog_nolisten
+
+ ### 4.2.2 Configure journald
+
+ #### 4.2.2.1 Ensure journald is configured to send logs to
+ #### rsyslog (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+
+ #### 4.2.2.2 Ensure journald is configured to compress large
+ #### log files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+
+
+ #### 4.2.2.3 Ensure journald is configured to write logfiles to
+ #### persistent disk (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+
+ ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+
+ ## 4.3 Ensure logrotate is conifgured (Not Scored)
+ - ensure_logrotate_activated
+
+ # 5 Access, Authentication and Authorization
+
+ ## 5.1 Configure cron
+
+ ### 5.1.1 Ensure cron daemon is enabled (Scored)
+ - service_crond_enabled
+
+
+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+ # chown root:root /etc/crontab
+ - file_owner_crontab
+ - file_groupowner_crontab
+ # chmod og-rwx /etc/crontab
+ - file_permissions_crontab
+
+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+ # chown root:root /etc/cron.hourly
+ - file_owner_cron_hourly
+ - file_groupowner_cron_hourly
+ # chmod og-rwx /etc/cron.hourly
+ - file_permissions_cron_hourly
+
+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+ # chown root:root /etc/cron.daily
+ - file_owner_cron_daily
+ - file_groupowner_cron_daily
+ # chmod og-rwx /etc/cron.daily
+ - file_permissions_cron_daily
+
+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+ # chown root:root /etc/cron.weekly
+ - file_owner_cron_weekly
+ - file_groupowner_cron_weekly
+ # chmod og-rwx /etc/cron.weekly
+ - file_permissions_cron_weekly
+
+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+ # chown root:root /etc/cron.monthly
+ - file_owner_cron_monthly
+ - file_groupowner_cron_monthly
+ # chmod og-rwx /etc/cron.monthly
+ - file_permissions_cron_monthly
+
+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+ # chown root:root /etc/cron.d
+ - file_owner_cron_d
+ - file_groupowner_cron_d
+ # chmod og-rwx /etc/cron.d
+ - file_permissions_cron_d
+
+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+
+
+ ## 5.2 SSH Server Configuration
+
+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+ # chown root:root /etc/ssh/sshd_config
+ - file_owner_sshd_config
+ - file_groupowner_sshd_config
+
+ # chmod og-rwx /etc/ssh/sshd_config
+ - file_permissions_sshd_config
+
+ ### 5.2.2 Ensure SSH access is limited (Scored)
+
+
+ ### 5.2.3 Ensure permissions on SSH private host key files are
+ ### configured (Scored)
+ # TO DO: The rule sets to 640, but benchmark wants 600
+ - file_permissions_sshd_private_key
+ # TO DO: check owner of private keys in /etc/ssh is root:root
+
+ ### 5.2.4 Ensure permissions on SSH public host key files are configured
+ ### (Scored)
+ - file_permissions_sshd_pub_key
+ # TO DO: check owner of pub keys in /etc/ssh is root:root
+
+ ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+ - sshd_set_loglevel_info
+
+ ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+ - sshd_disable_x11_forwarding
+
+ ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+
+ ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+ - sshd_disable_rhosts
+
+ ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+ - disable_host_auth
+
+ ### 5.2.10 Ensure SSH root login is disabled (Scored)
+ - sshd_disable_root_login
+
+ ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+ - sshd_disable_empty_passwords
+
+ ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+ - sshd_do_not_permit_user_env
+
+ ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+ # ClientAliveInterval 300
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+
+ # ClientAliveCountMax 0
+ - sshd_set_keepalive
+
+ ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+ ### or less (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+
+ ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+ - sshd_enable_warning_banner
+
+ ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+
+ ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+ - sshd_disable_tcp_forwarding
+
+ ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
+
+ ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=4
+
+ ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+ - configure_ssh_crypto_policy
+
+ ## 5.3 Configure authselect
+
+
+ ### 5.3.1 Create custom authselectet profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+
+ ### 5.3.2 Select authselect profile (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+
+ ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+
+ ## 5.4 Configure PAM
+
+ ### 5.4.1 Ensure password creation requirements are configured (Scored)
+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+ - accounts_password_pam_retry
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ - var_password_pam_minclass=4
+ - accounts_password_pam_minclass
+
+ ### 5.4.2 Ensure lockout for failed password attempts is
+ ### configured (Scored)
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - var_accounts_passwords_pam_faillock_deny=5
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny
+
+ ### 5.4.3 Ensure password reuse is limited (Scored)
+ - var_password_pam_unix_remember=5
+ - accounts_password_pam_unix_remember
+
+ ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+ - set_password_hashing_algorithm_systemauth
+
+ ## 5.5 User Accounts and Environment
+
+ ### 5.5.1 Set Shadow Password Suite Parameters
+
+ #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_maximum_age_login_defs
+
+ #### 5.5.1.2 Ensure minimum days between password changes is 7
+ #### or more (Scored)
+ - var_accounts_minimum_age_login_defs=7
+ - accounts_minimum_age_login_defs
+
+ #### 5.5.1.3 Ensure password expiration warning days is
+ #### 7 or more (Scored)
+ - var_accounts_password_warn_age_login_defs=7
+ - accounts_password_warn_age_login_defs
+
+ #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+ # TODO: Rule doesn't check list of users
+ # https://github.com/ComplianceAsCode/content/issues/5536
+ - var_account_disable_post_pw_expiration=30
+ - account_disable_post_pw_expiration
+
+ #### 5.5.1.5 Ensure all users last password change date is
+ #### in the past (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+
+ ### 5.5.2 Ensure system accounts are secured (Scored)
+ - no_shelllogin_for_systemaccounts
+
+ ### 5.5.3 Ensure default user shell timeout is 900 seconds
+ ### or less (Scored)
+ - var_accounts_tmout=15_min
+ - accounts_tmout
+
+ ### 5.5.4 Ensure default group for the root account is
+ ### GID 0 (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+
+ ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+ - var_accounts_user_umask=027
+ - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
+
+ ## 5.6 Ensure root login is restricted to system console (Not Scored)
+ - securetty_root_login_console_only
+ - no_direct_root_logins
+
+ ## 5.7 Ensure access to the su command is restricted (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+
+ # System Maintenance
+
+ ## 6.1 System File Permissions
+
+ ### 6.1.1 Audit system file permissions (Not Scored)
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+
+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+ # chown root:root /etc/passwd
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+
+ # chmod 644 /etc/passwd
+ - file_permissions_etc_passwd
+
+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+ # chown root:root /etc/shadow
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+
+ # chmod o-rwx,g-wx /etc/shadow
+ - file_permissions_etc_shadow
+
+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+ # chown root:root /etc/group
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+
+ # chmod 644 /etc/group
+ - file_permissions_etc_group
+
+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+ # chown root:root /etc/gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_etc_gshadow
+
+ # chmod o-rwx,g-rw /etc/gshadow
+ - file_permissions_etc_gshadow
+
+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+ # chown root:root /etc/passwd-
+ - file_owner_backup_etc_passwd
+ - file_groupowner_backup_etc_passwd
+
+ # chmod 644 /etc/passwd-
+ - file_permissions_backup_etc_passwd
+
+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+ # chown root:root /etc/shadow-
+ - file_owner_backup_etc_shadow
+ - file_groupowner_backup_etc_shadow
+
+ # chmod 0000 /etc/shadow-
+ - file_permissions_backup_etc_shadow
+
+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+ # chown root:root /etc/group-
+ - file_owner_backup_etc_group
+ - file_groupowner_backup_etc_group
+
+ # chmod 644 /etc/group-
+ - file_permissions_backup_etc_group
+
+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+ # chown root:root /etc/gshadow-
+ - file_owner_backup_etc_gshadow
+ - file_groupowner_backup_etc_gshadow
+
+ # chmod 0000 /etc/gshadow-
+ - file_permissions_backup_etc_gshadow
+
+ ### 6.1.10 Ensure no world writable files exist (Scored)
+ - file_permissions_unauthorized_world_writable
+
+ ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+ - no_files_unowned_by_user
+
+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+ - file_permissions_ungroupowned
+
+ ### 6.1.13 Audit SUID executables (Not Scored)
+ - file_permissions_unauthorized_suid
+
+ ### 6.1.14 Audit SGID executables (Not Scored)
+ - file_permissions_unauthorized_sgid
+
+ ## 6.2 User and Group Settings
+
+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
+ ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+ - accounts_no_uid_except_zero
+
+ ### 6.2.7 Ensure users' home directories permissions are 750
+ ### or more restrictive (Scored)
+ - file_permissions_home_dirs
+
+ ### 6.2.8 Ensure users own their home directories (Scored)
+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+ - file_groupownership_home_directories
+
+ ### 6.2.9 Ensure users' dot files are not group or world
+ ### writable (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+
+ ### 6.2.10 Ensure no users have .forward files (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+
+ ### 6.2.11 Ensure no users have .netrc files (Scored)
+ - no_netrc_files
+
+ ### 6.2.12 Ensure users' .netrc Files are not group or
+ ### world accessible (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+
+ ### 6.2.13 Ensure no users have .rhosts files (Scored)
+ - no_rsh_trust_files
+
+ ### 6.2.14 Ensure all groups in /etc/passwd exist in
+ ### /etc/group (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+
+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+
+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+
+ ### 6.2.17 Ensure no duplicate user names exist (Scored)
+ - account_unique_name
+
+ ### 6.2.18 Ensure no duplicate group names exist (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+
+ ### 6.2.19 Ensure shadow group is empty (Scored)
+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+
+ ### 6.2.20 Ensure all users' home directories exist (Scored)
+ - accounts_user_interactive_home_directory_exists
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile
new file mode 100644
index 00000000..56fdc398
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cjis.profile
@@ -0,0 +1,139 @@
+documentation_complete: true
+
+metadata:
+ version: 5.4
+ SMEs:
+ - carlosmmatos
+
+reference: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+title: 'Criminal Justice Information Services (CJIS) Security Policy'
+
+description: |-
+ This profile is derived from FBI's CJIS v5.4
+ Security Policy. A copy of this policy can be found at the CJIS Security
+ Policy Resource Center:
+
+ https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
+
+selections:
+ - service_auditd_enabled
+ - grub2_audit_argument
+ - auditd_data_retention_num_logs
+ - auditd_data_retention_max_log_file
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_audispd_syslog_plugin_activated
+ - audit_rules_time_adjtimex
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_usergroup_modification
+ - audit_rules_networkconfig_modification
+ - file_permissions_var_log_audit
+ - file_ownership_var_log_audit
+ - audit_rules_mac_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_login_events
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_rules_privileged_commands
+ - audit_rules_media_export
+ - audit_rules_file_deletion_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_kernel_module_loading
+ - audit_rules_immutable
+ - account_unique_name
+ - gid_passwd_group_same
+ - accounts_password_all_shadowed
+ - no_empty_passwords
+ - display_login_attempts
+ - var_accounts_password_minlen_login_defs=12
+ - var_accounts_maximum_age_login_defs=90
+ - var_password_pam_unix_remember=10
+ - var_account_disable_post_pw_expiration=0
+ - var_password_pam_minlen=12
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_pam_difok=6
+ - var_accounts_max_concurrent_login_sessions=3
+ - account_disable_post_pw_expiration
+ - accounts_password_pam_minlen
+ - accounts_minimum_age_login_defs
+ - accounts_password_pam_difok
+ - accounts_max_concurrent_login_sessions
+ - set_password_hashing_algorithm_systemauth
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_libuserconf
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+ - file_owner_etc_group
+ - file_groupowner_etc_group
+ - file_permissions_etc_group
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - file_permissions_etc_passwd
+ - file_owner_grub2_cfg
+ - file_groupowner_grub2_cfg
+ - var_password_pam_retry=5
+ - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_unlock_time=600
+ - dconf_db_up_to_date
+ - dconf_gnome_screensaver_idle_delay
+ - dconf_gnome_screensaver_idle_activation_enabled
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_mode_blank
+ - sshd_allow_only_protocol2
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_enable_warning_banner
+ - sshd_do_not_permit_user_env
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - kernel_module_dccp_disabled
+ - kernel_module_sctp_disabled
+ - service_firewalld_enabled
+ - set_firewalld_default_zone
+ - firewalld_sshd_port_enabled
+ - sshd_idle_timeout_value=30_minutes
+ - inactivity_timeout_value=30_minutes
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - package_aide_installed
+ - aide_build_database
+ - aide_periodic_cron_checking
+ - rpm_verify_permissions
+ - rpm_verify_hashes
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - security_patches_up_to_date
+ - kernel_module_bluetooth_disabled
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile
new file mode 100644
index 00000000..bf6d9511
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/cui.profile
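Review bot: `ensure_redhat_gpgkey_installed`, near the end of this hunk, checks for the Red Hat release signing key, which is not the key Rocky Linux packages are signed with; on a Rocky 8 host the check fails outright, and a remediation that imports the Red Hat key adds nothing that verifies the distribution's own packages. Unless the rocky8 product.yml added by this patch retargets the key fingerprint, this needs a Rocky-specific key rule, or the selection should be dropped and package verification left to the `ensure_gpgcheck_globally_activated` / `ensure_gpgcheck_never_disabled` rules already listed. The same selection appears in e8.profile, hipaa.profile and ospp.profile in this patch. Separately, `var_password_pam_ocredit=1` and the three sibling `*credit=1` values are pam_pwquality maximum-credit settings and do not require a character from that class; if the policy intent is to require one of each, the negative credit values are the ones that enforce it, so the chosen values are worth checking against the CJIS text.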
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+metadata:
+ version: TBD
+ SMEs:
+ - carlosmmatos
+
+title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+
+description: |-
+ From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal
+ information systems and organizations have a well-defined structure that
+ consists of:
+
+ (i) a basic security requirements section;
+ (ii) a derived security requirements section.
+
+ The basic security requirements are obtained from FIPS Publication 200, which
+ provides the high-level and fundamental security requirements for federal
+ information and information systems. The derived security requirements, which
+ supplement the basic security requirements, are taken from the security controls
+ in NIST Special Publication 800-53.
+
+ This profile configures Red Hat Enterprise Linux 8 to the NIST Special
+ Publication 800-53 controls identified for securing Controlled Unclassified
+ Information (CUI)."
+
+extends: ospp
+
+selections:
+ - inactivity_timeout_value=10_minutes
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile
new file mode 100644
index 00000000..552da779
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/e8.profile
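Review bot: The last line of the description, `Information (CUI)."`, ends with a stray double quote that has no opening counterpart; because it sits inside a `|-` block scalar it is emitted verbatim into the generated guide text, so the quote should be dropped. The same description names Red Hat Enterprise Linux 8 although this file is under the rocky8 product directory, as do the e8, hipaa and ism_o descriptions in this patch; unless convert_script.sh rewrites the product name, the rendered text will be wrong for Rocky Linux 8. `version: TBD` in metadata is a placeholder that should be filled in or removed before the profile is marked `documentation_complete: true`.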
@@ -0,0 +1,149 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-linux-environments
+
+title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
+
+ A copy of the Essential Eight in Linux Environments guide can be found at the
+ ACSC website:
+
+ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+selections:
+
+ ### Remove obsolete packages
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - package_telnet-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
+ - service_zebra_disabled
+ - package_quagga_removed
+ - service_avahi-daemon_disabled
+ - package_squid_removed
+ - service_squid_disabled
+
+ ### Software update
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_globally_activated
+ - security_patches_up_to_date
+ - dnf-automatic_security_updates_only
+
+ ### System security settings
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_kptr_restrict
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_net_core_bpf_jit_harden
+
+ ### SELinux
+ - var_selinux_state=enforcing
+ - selinux_state
+ - var_selinux_policy_name=targeted
+ - selinux_policytype
+
+ ### Filesystem integrity
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - rpm_verify_ownership
+ - file_permissions_unauthorized_sgid
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+ - file_permissions_library_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_library_dirs
+
+ ### Passwords
+ - no_empty_passwords
+
+ ### Partitioning
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_noexec
+
+ ### Network
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - network_sniffer_disabled
+
+ ### Admin privileges
+ - accounts_no_uid_except_zero
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ - sudo_require_authentication
+
+ ### Audit
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+ - audit_rules_login_events_tallylog
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_watch_localtime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_chcon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_execution_setfiles
+ - audit_rules_execution_seunshare
+ - audit_rules_sysadmin_actions
+ - audit_rules_networkconfig_modification
+ - audit_rules_usergroup_modification
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_kernel_module_loading
+
+ ### Secure access
+ - sshd_disable_root_login
+ - sshd_disable_gssapi_auth
+ - sshd_print_last_log
+ - sshd_do_not_permit_user_env
+ - sshd_disable_rhosts
+ - sshd_set_loglevel_info
+ - sshd_disable_empty_passwords
+ - sshd_disable_user_known_hosts
+ - sshd_enable_strictmodes
+
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
+ - var_system_crypto_policy=default_nosha1
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
+ ### Application whitelisting
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+
+ ### Backup
+ - package_rear_installed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile
new file mode 100644
index 00000000..01f1cb75
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/hipaa.profile
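Review bot: The crypto-policy selections (`var_system_crypto_policy=default_nosha1`, `configure_crypto_policy`, `configure_ssh_crypto_policy`) are filed under the `### Secure access` heading with only a `# See also:` comment introducing them, while every other group in this file has its own `###` heading; giving them a `### Cryptography` heading of their own would keep the file's structure consistent and make the ISM cross-reference easier to find. Because ism_o.profile in this patch declares `extends: e8`, any selection that does not fit Rocky Linux here, such as `ensure_redhat_gpgkey_installed` under `### Software update`, is inherited by that profile as well, so it is worth resolving in this file rather than in the child.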
@@ -0,0 +1,164 @@
+documentation_complete: True
+
+metadata:
+ SMEs:
+ - jjaswanson4
+ - carlosmmatos
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - grub2_password
+ - grub2_uefi_password
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - file_owner_grub2_cfg
+ - grub2_disable_interactive_boot
+ - no_direct_root_logins
+ - no_empty_passwords
+ - require_singleuser_auth
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - dconf_db_up_to_date
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - sshd_disable_empty_passwords
+ - sshd_disable_root_login
+ - libreswan_approved_tunnels
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_xinetd_removed
+ - service_crond_enabled
+ - service_rexec_disabled
+ - service_rlogin_disabled
+ - service_telnet_disabled
+ - service_xinetd_disabled
+ - service_zebra_disabled
+ - use_kerberos_security_all_exports
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - sshd_set_keepalive
+ - encrypt_partitions
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_redhat_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_local_packages
+ - grub2_audit_argument
+ - service_auditd_enabled
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_su
+ - audit_rules_immutable
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ - auditd_data_retention_flush
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_mac_modification
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
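Review bot: `documentation_complete: True` at the top of this hunk uses a capitalised boolean while every other profile added in this patch writes `documentation_complete: true`; the YAML loader accepts both, but the inconsistency invites a typo-style mismatch later, so `documentation_complete: true` would be the consistent form. `sshd_allow_only_protocol2` in the selections adds no hardening on this platform: EL8 ships OpenSSH 8.0, and server-side protocol 1 support was removed from OpenSSH before that, so the `Protocol` directive is ignored; confirm the rule still builds for the rocky8 product in CaC 0.1.59 and consider dropping it here and in the cjis and ism_o profiles, where it is also selected.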
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile
new file mode 100644
index 00000000..a3c427c0
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ism_o.profile
@@ -0,0 +1,158 @@
+documentation_complete: true
+
+metadata:
+ SMEs:
+ - shaneboulden
+ - wcushen
+ - ahamilto156
+
+reference: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-linux-environments
+
+title: 'Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Official'
+
+description: |-
+ This profile contains configuration checks for Red Hat Enterprise Linux 8
+ that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
+ with the Attorney-General’s Department (AGD)’s applicability marking of OFFICIAL.
+
+ A overview and list of Cyber security guidelines of the
+ Information Security Manual can be found at the ACSC website:
+
+ https://www.cyber.gov.au/ism
+
+extends: e8
+
+selections:
+
+ ## Operating system configuration
+ ## Identifiers 1491
+ - no_shelllogin_for_systemaccounts
+
+ ## Local administrator accounts
+ ## Identifiers 1410
+ - accounts_password_all_shadowed
+
+ ## Content filtering & Anti virus
+ ## Identifiers 1341 / 1034 / 1417 / 1288
+ - package_aide_installed
+
+ ## Software firewall
+ ## Identifiers 1416
+ - configure_firewalld_ports
+ ## Removing due to build error
+ ## - configure_firewalld_rate_limiting
+ - firewalld_sshd_port_enabled
+ - set_firewalld_default_zone
+
+ ## Endpoint device control software
+ ## Identifiers 1418
+ - package_usbguard_installed
+ - service_usbguard_enabled
+
+ ## Authentication hardening
+ ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
+ ## 1561 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - disable_host_auth
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - sebool_authlogin_nsswitch_use_ldap
+ - sebool_authlogin_radius
+ - sshd_disable_kerb_auth
+ - sshd_set_max_auth_tries
+ - sssd_enable_smartcards
+ - accounts_password_minlen_login_defs
+ - var_password_pam_minlen=14
+ - accounts_password_pam_minlen
+ - accounts_password_pam_minclass
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_ocredit
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_maxrepeat
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+
+ ## Password authentication & Protecting credentials
+ ## Identifiers 1055 / 0418 / 1402
+ - network_nmcli_permissions
+ - configure_kerberos_crypto_policy
+ - kerberos_disable_no_keytab
+ - sebool_kerberos_enabled
+ - sshd_disable_gssapi_auth
+ - enable_ldap_client
+ - set_password_hashing_algorithm_libuserconf
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_systemauth
+ - accounts_password_warn_age_login_defs
+ - accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
+
+ ## System administration & MFA
+ ## Identifiers 1382 / 1384 / 1386
+ - package_sudo_installed
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
+
+ ## System patching & Applicatoin versions
+ ## Identifiers 1493 / 1144 / 0940 / 1472 / 1494 / 1495 / 1467 / 1483
+ - dnf-automatic_apply_updates
+ - package_dnf-plugin-subscription-manager_installed
+ - package_subscription-manager_installed
+
+ ## Centralised logging facility
+ ## Identifiers 1405 / 0988
+ - rsyslog_cron_logging
+ - rsyslog_files_groupownership
+ - rsyslog_files_ownership
+ - rsyslog_files_permissions
+ - rsyslog_nolisten
+ - rsyslog_remote_loghost
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+ - package_chrony_installed
+ - service_chronyd_enabled
+ - chronyd_or_ntpd_specify_multiple_servers
+ - chronyd_specify_remote_server
+ - service_chronyd_or_ntpd_enabled
+
+ ## Events to be logged
+ ## Identifiers 0584 / 0582 / 0585 / 0586 / 0846 / 0957
+ - display_login_attempts
+ - sebool_auditadm_exec_content
+ - audit_rules_privileged_commands
+ - audit_rules_session_events
+ - audit_rules_unsuccessful_file_modification
+ - audit_access_failed
+ - audit_access_success
+
+ ## Web application & Database servers
+ ## Identifiers 1552 / 1277
+ - openssl_use_strong_entropy
+
+ ## Network design and configuration
+ ## Identifiers 1311
+ - service_snmpd_disabled
+ - snmpd_use_newer_protocol
+
+ ## Wireless networks
+ ## Identifiers 1315 / 1319
+ - wireless_disable_interfaces
+ - network_ipv6_static_address
+
+ ## ASD Approved Cryptopgraphic Algorithims
+ ## Identifiers 1446
+ - enable_dracut_fips_module
+ - enable_fips_mode
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+
+ ## Secure Shell access
+ ## Identifiers 1506 / 1449 / 0487
+ - sshd_allow_only_protocol2
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
new file mode 100644
index 00000000..d1d1b8af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp-mls.profile
@@ -0,0 +1,25 @@
+documentation_complete: false
+
+title: 'Protection Profile for General Purpose Operating Systems - MLS Mode'
+
+description: |-
+ Placeholder to put MLS specific rules
+
+extends: ospp
+
+selections:
+
+ ################################################
+ ## MUST INSTALL PACKAGES IN MLS MODE
+ #cups
+ #foomatic
+ #ghostscript
+ #ghostscript-fonts
+ #checkpolicy
+ #mcstrans
+ #policycoreutils-newrole
+ #selinux-policy-devel
+ ##xinetd
+ #iproute
+ #iputils
+ #netlabel_tools
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile
new file mode 100644
index 00000000..88cb0edd
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/ospp.profile
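Review bot: `sssd_enable_smartcards` is selected twice in this hunk, once under `## Authentication hardening` and again under `## System administration & MFA`; the build tolerates the duplicate, but it misleads anyone auditing which ISM identifier a rule maps to, so the second occurrence should go. `package_dnf-plugin-subscription-manager_installed` and `package_subscription-manager_installed` under `## System patching` are the RHSM client packages inherited from the RHEL profile; whether Rocky Linux 8 ships them or needs them for patching is something this patch should confirm, since a rule for a package the distribution does not carry will always fail and cannot be remediated. The commented-out `## - configure_firewalld_rate_limiting` is justified only by `## Removing due to build error`; a short note naming the failing build step, or a tracking reference, would let the next maintainer know when it can be re-enabled. The section comments also carry typos worth fixing in the same pass (`Applicatoin`, `Cryptopgraphic Algorithims`, `A overview`).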
@@ -0,0 +1,443 @@ +documentation_complete: true + +metadata: + version: 4.2.1 + SMEs: + - comps + - carlosmmatos + - stevegrubb + +reference: https://www.niap-ccevs.org/Profile/PP.cfm + +title: 'Protection Profile for General Purpose Operating Systems' + +description: |- + This profile reflects mandatory configuration controls identified in the + NIAP Configuration Annex to the Protection Profile for General Purpose + Operating Systems (Protection Profile Version 4.2.1). + + This configuration profile is consistent with CNSSI-1253, which requires + U.S. National Security Systems to adhere to certain configuration + parameters. Accordingly, this configuration profile is suitable for + use in U.S. National Security Systems. + +selections: + + ####################################################### + ### GENERAL REQUIREMENTS + ### Things needed to meet OSPP functional requirements. + ####################################################### + + ### Partitioning + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_boot_nodev + - mount_option_boot_nosuid + - partition_for_home + - partition_for_var + - mount_option_var_nodev + - partition_for_var_log + - mount_option_var_log_nodev + - mount_option_var_log_nosuid + - mount_option_var_log_noexec + - partition_for_var_log_audit + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_nosuid + - mount_option_var_log_audit_noexec + + ### Services + # sshd + - sshd_disable_root_login + - sshd_enable_strictmodes + - disable_host_auth + - sshd_disable_empty_passwords + - sshd_disable_kerb_auth + - sshd_disable_gssapi_auth + - sshd_set_keepalive + - sshd_enable_warning_banner + - 
sshd_rekey_limit + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - sshd_use_strong_rng + - openssl_use_strong_entropy + + # Time Server + - chronyd_client_only + - chronyd_no_chronyc_network + + ### Network Settings + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv4_tcp_syncookies + + ### systemd + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - service_debug-shell_disabled + + ### umask + - var_accounts_user_umask=027 + - accounts_umask_etc_profile + - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + + ### Passwords + - var_password_pam_difok=4 + - accounts_password_pam_difok + - var_password_pam_maxrepeat=3 + - accounts_password_pam_maxrepeat + - var_password_pam_maxclassrepeat=4 + - accounts_password_pam_maxclassrepeat + + ### Kernel Config + ## Boot prompt + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - 
grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument + - grub2_kernel_trust_cpu_rng + + ## Security Settings + - sysctl_kernel_kptr_restrict + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_net_core_bpf_jit_harden + - service_kdump_disabled + + ## File System Settings + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + + ### Audit + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_local_events + - auditd_write_logs + - auditd_log_format + - auditd_freq + - auditd_name_format + + ### Module Blacklist + - kernel_module_cramfs_disabled + - kernel_module_bluetooth_disabled + - kernel_module_sctp_disabled + - kernel_module_firewire-core_disabled + - kernel_module_atm_disabled + - kernel_module_can_disabled + - kernel_module_tipc_disabled + + ### rpcbind + + ### Install Required Packages + - package_aide_installed + - package_dnf-automatic_installed + - package_subscription-manager_installed + - package_dnf-plugin-subscription-manager_installed + - package_firewalld_installed + - package_openscap-scanner_installed + - package_policycoreutils_installed + - package_sudo_installed + - package_usbguard_installed + - package_scap-security-guide_installed + - package_audit_installed + - package_crypto-policies_installed + - package_openssh-server_installed + - package_openssh-clients_installed + - package_policycoreutils-python-utils_installed + - package_rsyslog_installed + - package_rsyslog-gnutls_installed + - package_audispd-plugins_installed + - package_chrony_installed + - 
package_gnutls-utils_installed + + ### Remove Prohibited Packages + - package_sendmail_removed + - package_iprutils_removed + - package_gssproxy_removed + - package_nfs-utils_removed + - package_krb5-workstation_removed + - package_abrt-addon-kerneloops_removed + - package_abrt-addon-python_removed + - package_abrt-addon-ccpp_removed + - package_abrt-plugin-rhtsupport_removed + - package_abrt-plugin-logger_removed + - package_abrt-plugin-sosreport_removed + - package_abrt-cli_removed + - package_abrt_removed + + ### Login + - disable_users_coredumps + - sysctl_kernel_core_pattern + - coredump_disable_storage + - coredump_disable_backtraces + - service_systemd-coredump_disabled + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + - use_pam_wheel_for_su + + ### SELinux Configuration + - var_selinux_state=enforcing + - selinux_state + - var_selinux_policy_name=targeted + - selinux_policytype + + ### Application Whitelisting (RHEL 8) + - package_fapolicyd_installed + - service_fapolicyd_enabled + + ### Configure USBGuard + - service_usbguard_enabled + - configure_usbguard_auditbackend + - usbguard_allow_hid_and_hub + + + ### Enable / Configure FIPS + - enable_fips_mode + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy + - configure_kerberos_crypto_policy + - enable_dracut_fips_module + + ####################################################### + ### CONFIGURATION ANNEX TO THE PROTECTION PROFILE + ### FOR GENERAL PURPOSE OPERATING SYSTEMS + ### ANNEX RELEASE 1 + ### FOR PROTECTION PROFILE VERSIONS 4.2 + ### + ### https://www.niap-ccevs.org/MMO/PP/-442ConfigAnnex-/ + ####################################################### + + ## Configure Minimum Password Length to 
12 Characters + ## IA-5 (1)(a) / FMT_MOF_EXT.1 + - var_accounts_password_minlen_login_defs=12 + - accounts_password_minlen_login_defs + - var_password_pam_minlen=12 + - accounts_password_pam_minlen + + ## Require at Least 1 Special Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + + ## Require at Least 1 Numeric Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_dcredit=1 + - accounts_password_pam_dcredit + + ## Require at Least 1 Uppercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_ucredit=1 + - accounts_password_pam_ucredit + + ## Require at Least 1 Lowercase Character in Password + ## IA-5(1)(a) / FMT_MOF_EXT.1 + - var_password_pam_lcredit=1 + - accounts_password_pam_lcredit + + ## Enable Screen Lock + ## FMT_MOF_EXT.1 + - package_tmux_installed + - configure_bashrc_exec_tmux + - no_tmux_in_shells + - configure_tmux_lock_command + - configure_tmux_lock_after_time + + ## Set Screen Lock Timeout Period to 30 Minutes or Less + ## AC-11(a) / FMT_MOF_EXT.1 + ## We deliberately set sshd timeout to 1 minute before tmux lock timeout + - sshd_idle_timeout_value=14_minutes + - sshd_set_idle_timeout + + ## Disable Unauthenticated Login (such as Guest Accounts) + ## FIA_UAU.1 + - require_singleuser_auth + - grub2_disable_interactive_boot + - grub2_uefi_password + - no_empty_passwords + + ## Set Maximum Number of Authentication Failures to 3 Within 15 Minutes + ## AC-7 / FIA_AFL.1 + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_fail_interval=900 + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_unlock_time=never + - accounts_passwords_pam_faillock_unlock_time + + ## Enable Host-Based Firewall + ## SC-7(12) / FMT_MOF_EXT.1 + - service_firewalld_enabled + + ## Configure Name/Addres of Remote Management Server + ## From Which to Receive 
Config Settings + ## CM-3(3) / FMT_MOF_EXT.1 + + ## Configure the System to Offload Audit Records to a Log + ## Server + ## AU-4(1) / FAU_GEN.1.1.c + # temporarily dropped + + ## Set Logon Warning Banner + ## AC-8(a) / FMT_MOF_EXT.1 + + ## Audit All Logons (Success/Failure) and Logoffs (Success) + ## CNSSI 1253 Value or DoD-Specific Values: + ## (1) Logons (Success/Failure) + ## (2) Logoffs (Success) + ## AU-2(a) / FAU_GEN.1.1.c + + ## Audit File and Object Events (Unsuccessful) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) Create (Success/Failure) + ## (2) Access (Success/Failure) + ## (3) Delete (Sucess/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Sucess/Failure) + ## (6) Ownership Modification (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## + ## (1) Create (Success/Failure) + ## (open with O_CREAT) + ## (2) Access (Success/Failure) + ## (3) Delete (Success/Failure) + ## (4) Modify (Success/Failure) + ## (5) Permission Modification (Success/Failure) + ## (6) Ownership Modification (Success/Failure) + + ## Audit User and Group Management Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## (1) User add, delete, modify, disable, enable (Success/Failure) + ## (2) Group/Role add, delete, modify (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## + ## Generic User and Group Management Events (Success/Failure) + ## Selection of setuid programs that relate to + ## user accounts. 
+ ## + ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure) + ## + ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure) + ## + ## Audit Privilege or Role Escalation Events (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Privilege/Role escalation (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit All Audit and Log Data Accesses (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Audit and log data access (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Cryptographic Verification of Software (Success/Failure) + ## CNSSI 1253 Value or DoD-specific Values: + ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite, + ## etc) initialization (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Kernel Module Loading and Unloading Events (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c + - audit_basic_configuration + - audit_immutable_login_uids + - audit_create_failed + - audit_create_success + - audit_modify_failed + - audit_modify_success + - audit_access_failed + - audit_access_success + - audit_delete_failed + - audit_delete_success + - audit_perm_change_failed + - audit_perm_change_success + - audit_owner_change_failed + - audit_owner_change_success + - audit_ospp_general + - audit_module_load + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 + # Configure dnf-automatic to Install Only Security Updates + - dnf-automatic_security_updates_only + + # Configure dnf-automatic to Install Available Updates Automatically + - dnf-automatic_apply_updates + + # Enable dnf-automatic Timer + - timer_dnf-automatic_enabled + + # Configure TLS for remote logging + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert + + # Prevent Kerberos use by system daemons + - kerberos_disable_no_keytab + + # set ssh client rekey limit + - ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + +# configure ssh client to 
use strong entropy + - ssh_client_use_strong_rng_sh + - ssh_client_use_strong_rng_csh + + # zIPl specific rules + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date + - zipl_audit_argument + - zipl_audit_backlog_limit_argument + - zipl_slub_debug_argument + - zipl_page_poison_argument + - zipl_vsyscall_argument + - zipl_vsyscall_argument.role=unscored + - zipl_vsyscall_argument.severity=info diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile new file mode 100644 index 00000000..d817de88 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/pci-dss.profile 
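Review bot: The "Software update" and "Install Required Packages" sections of this rocky8/ ospp.profile still select the RHEL-only rules `ensure_redhat_gpgkey_installed`, `package_subscription-manager_installed` and `package_dnf-plugin-subscription-manager_installed`. On a Rocky 8 host the repositories are not signed with the Red Hat release key and there is no entitlement for subscription-manager to manage, so these will presumably either fail or remediate towards the wrong vendor key, unless the convert_script.sh/overlay in this patch rewrites them — please confirm which it is. If they are meant to stay as-is, a comment such as `# RHEL-specific; rewritten for Rocky by convert_script.sh` next to them would spare the next reader the same question. The title and description also still describe this as Red Hat content; if the rendered guide targets Rocky 8, adjust the wording.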
@@ -0,0 +1,147 @@ +documentation_complete: true + +metadata: + SMEs: + - carlosmmatos + +reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + +title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8' + +description: |- + Ensures PCI-DSS v3.2.1 security configuration settings are applied. + +selections: + - var_password_pam_unix_remember=4 + - var_account_disable_post_pw_expiration=90 + - var_accounts_passwords_pam_faillock_deny=6 + - var_accounts_passwords_pam_faillock_unlock_time=1800 + - sshd_idle_timeout_value=15_minutes + - var_password_pam_minlen=7 + - var_password_pam_minclass=2 + - var_accounts_maximum_age_login_defs=90 + - var_auditd_num_logs=5 + - service_auditd_enabled + - grub2_audit_argument + - auditd_data_retention_num_logs + - auditd_data_retention_max_log_file + - auditd_data_retention_max_log_file_action + - auditd_data_retention_space_left_action + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_action_mail_acct + - package_audispd-plugins_installed + - auditd_audispd_syslog_plugin_activated + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_clock_settime + - audit_rules_time_watch_localtime + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_networkconfig_modification + - file_permissions_var_log_audit + - file_ownership_var_log_audit + - audit_rules_mac_modification + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - 
audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_login_events + - audit_rules_session_events + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_privileged_commands + - audit_rules_media_export + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_sysadmin_actions + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_immutable + - var_multiple_time_servers=rhel + - service_chronyd_or_ntpd_enabled + - chronyd_or_ntpd_specify_remote_server + - chronyd_or_ntpd_specify_multiple_servers + - rpm_verify_permissions + - rpm_verify_hashes + - install_hids + - rsyslog_files_permissions + - rsyslog_files_ownership + - rsyslog_files_groupownership + - ensure_logrotate_activated + - package_aide_installed + - aide_build_database + - aide_periodic_cron_checking + - account_unique_name + - gid_passwd_group_same + - accounts_password_all_shadowed + - no_empty_passwords + - display_login_attempts + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time + - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_mode_blank + - 
sshd_set_idle_timeout + - sshd_set_keepalive + - accounts_password_pam_minlen + - accounts_password_pam_dcredit + - accounts_password_pam_ucredit + - accounts_password_pam_lcredit + - accounts_password_pam_unix_remember + - accounts_maximum_age_login_defs + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - security_patches_up_to_date + - package_opensc_installed + - var_smartcard_drivers=cac + - configure_opensc_card_drivers + - force_opensc_card_drivers + - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_shadow + - file_owner_etc_group + - file_groupowner_etc_group + - file_permissions_etc_group + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_passwd + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + - package_libreswan_installed + - configure_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy + - configure_ssh_crypto_policy + - configure_kerberos_crypto_policy diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile new file mode 100644 index 00000000..1efca5f4 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-stig.profile 
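Review bot: The title and description of this rocky8/ pci-dss.profile still name Red Hat Enterprise Linux 8 (`title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8'`), so the XCCDF profile title and the rendered guide will mislabel the target system unless a later transform rewrites it. Suggest `title: 'PCI-DSS v3.2.1 Control Baseline for Rocky Linux 8'` (or whatever product name the rocky8 product.yml declares), and the same treatment for standard.profile and rht-ccp.profile in this patch. Separately, `security_patches_up_to_date` is implemented upstream against the vendor's patch OVAL feed; as far as I can tell that feed does not cover Rocky packages, so check that the rule does not evaluate as a silent pass or notchecked on Rocky 8.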
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
+
+description: |-
+ This *draft* profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).
+
+extends: stig
+
+selections:
+ - sudo_vdsm_nopasswd
+ - package_gdm_removed
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
new file mode 100644
index 00000000..2baee6d6
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rhelh-vpp.profile
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
+
+description: |-
+ This compliance profile reflects the core set of security
+ related configuration settings for deployment of Red Hat Enterprise
+ Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies.
+ Development partners and sponsors include the U.S. National Institute
+ of Standards and Technology (NIST), U.S. Department of Defense,
+ the National Security Agency, and Red Hat.
+
+ This baseline implements configuration requirements from the following
+ sources:
+
+ - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
+ - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
+ - U.S. Government Configuration Baseline (USGCB)
+ - NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
+
+ For any differing configuration requirements, e.g. password lengths, the stricter
+ security setting was chosen. Security Requirement Traceability Guides (RTMs) and
+ sample System Security Configuration Guides are provided via the
+ scap-security-guide-docs package.
+
+ This profile reflects U.S. Government consensus content and is developed through
+ the ComplianceAsCode project, championed by the National
+ Security Agency. Except for differences in formatting to accommodate
+ publishing processes, this profile mirrors ComplianceAsCode
+ content as minor divergences, such as bugfixes, work through the
+ consensus and release processes.
+
+extends: ospp
+
+selections: []
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
new file mode 100644
index 00000000..c8457959
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/rht-ccp.profile
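Review bot: The description still says this profile is for deployment of `Linux Hypervisor (RHELH) 7.x`, while it extends the EL8 ospp profile and now lives under rocky8/profiles; change it to the 8.x wording (or drop the version) so the generated guide does not contradict the product it is built for. Since `selections: []` leaves the profile identical to ospp, a one-line comment such as `# Intentionally empty: VPP requirements are covered by the inherited ospp selections` would make clear that the emptiness is deliberate rather than an unfinished port. The sentence "this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes" also reads awkwardly (a comma after "content" fixes it) — inherited from upstream, but cheap to correct here.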
@@ -0,0 +1,100 @@ +documentation_complete: true + +title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +description: |- + This profile contains the minimum security relevant + configuration settings recommended by Red Hat, Inc for + Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified + Cloud Providers. + +selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted + - file_owner_logfiles_value=root + - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_accounts_password_minlen_login_defs=6 + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_password_warn_age_login_defs=7 + - var_password_pam_retry=3 + - var_password_pam_dcredit=1 + - var_password_pam_ucredit=2 + - var_password_pam_ocredit=2 + - var_password_pam_lcredit=2 + - var_password_pam_difok=3 + - var_password_pam_unix_remember=5 + - var_accounts_user_umask=077 + - login_banner_text=usgcb_default + - partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - selinux_state + - selinux_policytype + - ensure_redhat_gpgkey_installed + - security_patches_up_to_date + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled + - package_aide_installed + - accounts_password_pam_unix_remember + - no_shelllogin_for_systemaccounts + - no_empty_passwords + - accounts_password_all_shadowed + - accounts_no_uid_except_zero + - accounts_password_minlen_login_defs + - accounts_minimum_age_login_defs + - accounts_password_warn_age_login_defs + - accounts_password_pam_retry + - accounts_password_pam_dcredit + - accounts_password_pam_ucredit + - accounts_password_pam_ocredit + - accounts_password_pam_lcredit + - accounts_password_pam_difok + - accounts_passwords_pam_faillock_deny + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - 
require_singleuser_auth + - file_owner_etc_shadow + - file_groupowner_etc_shadow + - file_permissions_etc_shadow + - file_owner_etc_gshadow + - file_groupowner_etc_gshadow + - file_permissions_etc_gshadow + - file_owner_etc_passwd + - file_groupowner_etc_passwd + - file_permissions_etc_passwd + - file_owner_etc_group + - file_groupowner_etc_group + - file_permissions_etc_group + - file_permissions_library_dirs + - file_ownership_library_dirs + - file_permissions_binary_dirs + - file_ownership_binary_dirs + - file_permissions_var_log_audit + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + - file_permissions_grub2_cfg + - grub2_password + - kernel_module_dccp_disabled + - kernel_module_sctp_disabled + - service_firewalld_enabled + - set_firewalld_default_zone + - firewalld_sshd_port_enabled + - service_abrtd_disabled + - service_telnet_disabled + - package_telnet-server_removed + - package_telnet_removed + - sshd_allow_only_protocol2 + - sshd_set_idle_timeout + - sshd_set_keepalive + - disable_host_auth + - sshd_disable_root_login + - sshd_disable_empty_passwords + - sshd_enable_warning_banner + - sshd_do_not_permit_user_env + - var_system_crypto_policy=fips + - configure_crypto_policy + - configure_ssh_crypto_policy diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile new file mode 100644 index 00000000..a63ae2cf --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/standard.profile 
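Review bot: The bootloader section selects `grub2_password` but not `grub2_uefi_password`, which this same patch does select in ospp.profile; on a UEFI-booted image the configuration under /boot/efi is what GRUB reads, so the BIOS-oriented rule neither checks nor remediates the password there. Cloud-provider images are increasingly UEFI, so add `- grub2_uefi_password` directly after `- grub2_password` (both rules are platform-gated upstream as far as I know, so selecting both should be safe on either firmware — confirm). Also note that `sshd_allow_only_protocol2` is a no-op on EL8's OpenSSH, which dropped the `Protocol` directive; harmless, but a comment such as `# legacy; Protocol directive is gone from OpenSSH 7.4+` would stop readers treating it as a live control.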
@@ -0,0 +1,67 @@ +documentation_complete: true + +title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + +description: |- + This profile contains rules to ensure standard security baseline + of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload + all of these checks should pass. + +selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - rpm_verify_permissions + - rpm_verify_hashes + - security_patches_up_to_date + - no_empty_passwords + - file_permissions_unauthorized_sgid + - file_permissions_unauthorized_suid + - file_permissions_unauthorized_world_writable + - accounts_root_path_dirs_no_write + - dir_perms_world_writable_sticky_bits + - mount_option_dev_shm_nodev + - mount_option_dev_shm_nosuid + - partition_for_var_log + - partition_for_var_log_audit + - package_rsyslog_installed + - service_rsyslog_enabled + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_clock_settime + - audit_rules_time_watch_localtime + - audit_rules_usergroup_modification + - audit_rules_networkconfig_modification + - audit_rules_mac_modification + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_unsuccessful_file_modification + - audit_rules_privileged_commands + - audit_rules_media_export + - audit_rules_file_deletion_events + - audit_rules_sysadmin_actions + - audit_rules_kernel_module_loading + - service_abrtd_disabled + - service_atd_disabled + 
- service_autofs_disabled + - service_ntpdate_disabled + - service_oddjobd_disabled + - service_qpidd_disabled + - service_rdisc_disabled + - configure_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy + - configure_ssh_crypto_policy + - configure_kerberos_crypto_policy diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile new file mode 100644 index 00000000..db1b7127 --- /dev/null +++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/profiles/stig.profile 
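Review bot: `ensure_gpgcheck_globally_activated` is selected without `ensure_gpgcheck_never_disabled`, while pci-dss.profile, rht-ccp.profile and ospp.profile in this same patch select the pair together. A `gpgcheck=0` in any individual .repo file overrides the `[main]` setting, so this baseline — whose description says all of its checks should pass regardless of workload — still lets unsigned packages in through a per-repository override. Add `- ensure_gpgcheck_never_disabled` directly after `- ensure_gpgcheck_globally_activated`. Also, `ensure_redhat_gpgkey_installed` checks for the Red Hat release key, which is not what signs the vendor repositories on a Rocky 8 host; confirm that the convert script in this patch rewrites it, or select the Rocky equivalent.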
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+metadata:
+ version: V1R0.1-Draft
+ SMEs:
+ - carlosmmatos
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+
+description: |-
+ This profile contains configuration checks that align to the
+ [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
+
+ - Red Hat Enterprise Linux Server
+ - Red Hat Enterprise Linux Workstation and Desktop
+ - Red Hat Enterprise Linux for HPC
+ - Red Hat Storage
+ - Red Hat Containers with a Red Hat Enterprise Linux 8 image
+
+extends: ospp
+
+selections:
+ - login_banner_text=dod_banners
+ - dconf_db_up_to_date
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
+ - banner_etc_issue
+ - accounts_password_set_min_life_existing
+ - accounts_password_set_max_life_existing
+ - account_disable_post_pw_expiration
+ - account_temp_expire_date
+ - audit_rules_usergroup_modification_passwd
+ - sssd_enable_smartcards
+ - sssd_offline_cred_expiration
+ - smartcard_configure_cert_checking
+ - encrypt_partitions
+ - sysctl_net_ipv4_tcp_syncookies
+ - clean_components_post_updating
+ - package_audispd-plugins_installed
+ - package_libcap-ng-utils_installed
+ - auditd_audispd_syslog_plugin_activated
+ - accounts_passwords_pam_faillock_enforce_local
+ - accounts_password_pam_enforce_local
+ - accounts_password_pam_enforce_root
+
+ # Configure TLS for remote logging
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"
+ - "!zipl_audit_argument"
+ - "!zipl_audit_backlog_limit_argument"
+
- "!zipl_page_poison_argument"
+ - "!zipl_slub_debug_argument"
+ - "!zipl_vsyscall_argument"
+ - "!zipl_vsyscall_argument.role=unscored"
+ - "!zipl_vsyscall_argument.severity=info"
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
new file mode 100644
index 00000000..59d708ad
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/cci2html.xsl
@@ -0,0 +1,6 @@ + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
new file mode 100644
index 00000000..0df9c540
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/constants.xslt
@@ -0,0 +1,21 @@ + + + +Red Hat Enterprise Linux 8 +RHEL 8 +RHEL_8_STIG +rhel8 + +https://www.cisecurity.org/benchmark/red_hat_linux/ +RHEL-8 + + + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
similarity index 71%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
index 4b191e90..e017cf6f 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/shorthand2xccdf.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/shorthand2xccdf.xslt
@@ -1,6 +1,6 @@ - + unknown
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
new file mode 100644
index 00000000..e741fb89
--- /dev/null
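Review bot: `extends: ospp` resolves only if an ospp.profile exists beside this file under the rocky8 product; the diffstat shows the rl8 copy of ospp.profile being touched but the rocky8 profile list is cut off in this view, so please confirm the base profile is present in the rocky8 directory, otherwise the build cannot resolve this profile. The metadata keeps `version: V1R0.1-Draft` and a `[DRAFT]` title from the copied RHEL 8 content; if the upstream 0.1.59 stig.profile this commit aims to track has moved to a released STIG revision, these fields should follow, because auditors read them as the benchmark revision the checks were validated against. The description's applicability list names only Red Hat products, so a sentence such as `This profile reuses the RHEL 8 STIG checks for Rocky Linux 8; no Rocky-specific STIG was used.` after the list would keep reports from implying a platform-specific DISA baseline — wording to be confirmed with the maintainers.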
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-add-srgitems.xslt
@@ -0,0 +1,7 @@ + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
new file mode 100644
index 00000000..bd97ee1c
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-sortbyref.xslt
@@ -0,0 +1,6 @@ + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
new file mode 100644
index 00000000..23c2f60a
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-srgmap.xslt
@@ -0,0 +1,11 @@ + + + + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
new file mode 100644
index 00000000..218d0f75
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/table-style.xslt
@@ -0,0 +1,5 @@ + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000..38b354af
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@ + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
new file mode 100644
index 00000000..5421604f
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2stigformat.xslt
@@ -0,0 +1,7 @@ + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
similarity index 82%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
index 1cdb679c..88a53f50 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-byref.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-byref.xslt
@@ -1,7 +1,7 @@ - +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000..1ffb2221
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@ + + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
similarity index 80%
rename from ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt
rename to ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
index 6fff5e71..b790974c 100644
--- a/ComplianceAsCode/content_for_supporting_rocky8/files/rl8/transforms/xccdf2table-profileanssirefs.xslt
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileanssirefs.xslt
@@ -1,7 +1,7 @@ - +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000..5a104d95
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@ + + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 00000000..92cbdf9b
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@ + + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
new file mode 100644
index 00000000..7596f8b4
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs-cui.xslt
@@ -0,0 +1,8 @@ + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
new file mode 100644
index 00000000..8e97c333
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-profilenistrefs.xslt
@@ -0,0 +1,8 @@ + + + + + + + +
diff --git a/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt
new file mode 100644
index 00000000..2fb56fa7
--- /dev/null
+++ b/ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/transforms/xccdf2table-stig.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp b/ComplianceAsCode/content_for_supporting_rocky8/tools/.add_product_rocky8.sh.swp new file mode 100644 index 0000000000000000000000000000000000000000..108f6d3f1de1585f0578e7cbbc51a90092abd357 GIT binary patch literal 12288 zcmeI&F>ezw6aZkSGX(^H;FSzrdU2Z$M8JYNRif$;ff$fZuI+2AIJRZ`+MEz&W9QGn z4`ARI!OTnULaU&PG6ubq-dX4Ky=Q-0ly|oO=J*6ggCWD~;o{a_!>cVe6@{Pq)y(aq zt!32Nh}&1RZ?4*ee0+R5=3_1EXmZ1k{47`_oYXJVkyn~m#tF-__cn2%R2iaIwajJo za@vdrY4W!^^qvGrU`?RTRWaIThr@&Y#hd<<9eDic_1YqOBmoj20TLhq5+DH*AORBi zp9OO0v5$Dbt?rQby0N!5c8@fW011!)36KB@kN^pg011!)36KB@Y@mQpj9qRs_6=k4 z|NrXu|IY`E{lNH+@fqU~V~Eki_TUCqAofHsxxf^!Cr0y|p#V z=4*bw3-3R`yXWk#HL-Pjv72XDG)}Y~wfDWYmHRqfzuyOJ^@esHvd3*-=qN0_J$VI6 zV>y$JcTgFt(}1xcvYbE>4&VhIU3!mC$8WeYRaM?x*w$i; z(rvaIRhORtri1Hr-R2mR0Sm`FmNhPAVXao>>9{m$)x