diff --git a/controls/anssi.yml b/controls/anssi.yml index 9fc4c7a0033..ddcbc880fa0 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1,8 +1,8 @@ policy: 'ANSSI-BP-028' title: 'Configuration Recommendations of a GNU/Linux System' id: anssi -version: '1.2' -source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf +version: '2.0' +source: https://www.ssi.gouv.fr/uploads/2019/02/fr_np_linux_configuration-v2.0.pdf levels: - id: minimal - id: intermediary 
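Review bot: the new `source` line points at the French-language edition of the guide (`fr_np_linux_configuration-v2.0.pdf`) whereas the removed line linked the English v1.2 (`linux_configuration-en-v1.2.pdf`); since `title` and every `description` below stay in English, add a comment next to `source` stating that the control text is a translation of the French v2.0 document, or link the English edition if one is published, so readers checking wording against the PDF know which text is authoritative.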
@@ -17,477 +17,333 @@ levels: controls: - id: R1 + title: Hardware Support levels: - - minimal - title: Minimization of installed services + - enhanced description: >- - Only the components strictly necessary to the service provided by the system should - be installed. - Those whose presence can not be justified should be disabled, removed or deleted. - status: partial # The list of essential services is not objective. + It is recommended to apply the configuration recommendations for Hardware suppport + mentioned in ANSSI DAT-24. notes: >- - Performing a minimal install is a good starting point, but doesn't provide any assurance - over any package installed later. - Manual review is required to assess if the installed services are minimal. - In general, use of obsolete or insecure services is not recommended and we remove some - of these in this recommendation. + This requirement can be checked, but remediation requires manual reinstall of the OS. + The content automation cannot really configure the BIOS, but can in some cases, + check settings that are visible to the OS. Like for example the NX/DX setting. 
+ status: automated rules: - - package_dhcp_removed - - package_rsh_removed - - package_rsh-server_removed - - package_sendmail_removed - - package_talk_removed - - package_talk-server_removed - - package_telnet_removed - - package_telnet-server_removed - - package_tftp_removed - - package_tftp-server_removed - - package_xinetd_removed - - package_ypbind_removed - - package_ypserv_removed + # From ANSSI DAT-24 + # R1 and R2 Prefer 64 bit OS + - prefer_64bit_os + # R3 If using 32 bit OS, PAE mode should be enabled + - install_PAE_kernel_on_x86-32 + # R5 It is recommended to use hardware and OS that support SMEP + - grub2_nosmep_argument_absent + # R6 It is recommended to use hardware and OS that support SMAP + - grub2_nosmap_argument_absent + # R7 It is recommended to use hardware and OS that support AES-NI + - package_dracut-fips-aesni_installed + + # R8 It is recommended to use hardware with support for hardware random number generator + # R9 Disable VT-x AMD-V technologies + # TODO: can we reliably check cpuinfo flags? + # R10 IOMMU must enabled if the hardware supports it - id: R2 + title: Hardware configuration levels: - intermediary - title: Minimization of configuration description: >- - Services are often installed with default configurations that enable features potentially - problematic from a security point of view. - The features configured at the level of launched services should be limited to the strict - minimum. - automated: no + It is recommended to apply the configuration recommendations for BIOS/UEFI mentioned in + ANSSI DAT-24. notes: >- - Define a list of most problematic components or features to be hardened or restricted. + Configurations recommended for this requirement are to be performed at the BIOS level. 
+ status: manual + #rules: + # From ANSSI DAT-24 + # R11 Password protect the BIOS + # R12 Deactivate peripherals not needed + # R13 The boot order list should give highest preference to component on which final OS is installed + # R14 Enable NX/XD bit + # - bios_enable_execution_restrictions # Doesn't have check + # R15 Disable VT-x/AMD-V functionality + # R16 Enable IOMMU - id: R3 + title: UEFI Secure boot activation levels: - - enhanced - title: Principle of least privilege + - intermediary description: >- - The services and executables available on the system must be analyzed in order to - know the privileges they require, and must then be configured and integrated to use - the bare necessities. - status: partial # The system can be restricted even more with selinux-booleans or other technologies + It is recommended to apply UEFI Secure Boot configuration of the distribution. notes: >- - SELinux policies limit the privileges of services and daemons to only what they require. - rules: - - selinux_state - - var_selinux_state=enforcing + Enabling Secure Boot requires one to navigate the BIOS, and we don't have + the means to automate it. + status: manual - id: R4 + title: Replacing of preloaded keys levels: - high - title: Using access control features description: >- - It is recommended to use the mandatory access control (MAC) features in - addition to the traditional Unix user model (DAC), or possibly combine - them with partitioning mechanisms. + It is recommended to replace the UEFI preloaded keys with new keys used to sign; + the bootloader and Linux kernel, or; the image of the Linux kernel in EFI format. notes: >- - Other partitioning mechanisms can include chroot and containers and are not contemplated - in this requirement. - status: partial - rules: - - selinux_state - - var_selinux_state=enforcing + This requirement is not generally automatable. 
The Machine Owner Key (MOK) could + be used to add keys to the Secure Boot db key database but manual interaction is + required to navigate the UEFI console and input the key password. + On systems where MOK utility is not supported, one will need to access the UEFI + firmware interface to add new keys. + We have no automation support for UEFI interfaces and the steps for each hardware + manufacturer can vary. + status: manual - id: R5 + title: Boot loader password levels: - - minimal - title: Defense in-depth principle + - intermediary description: >- - Under Unix and derivatives, defense in depth must be based on a combination of - barriers that must be kept independent of each other. - status: partial - notes: >- - Defense in-depth can be broadly divided into three areas - physical, technical and - administrative. The security profile is best suited to protect the technical area. - Among the barriers that can be implemented within the technical area are antivirus software, - authentication, multi-factor authentication, encryption, logging, auditing, sandboxing, - intrusion detection systems, firewalls and vulnerability scanners. - The selection below is not in any way exaustive and should be adapted to the system's needs. + A password protecting the boot loader must exist. + This password must prevent any user from changing their configuration options. 
+ status: automated rules: - - sudo_remove_no_authenticate - - package_rsyslog_installed - - service_rsyslog_enabled - - - var_authselect_profile=sssd - - enable_authselect - related_rules: - - package_audit_installed - - service_auditd_enabled - - package_ntp_installed - - package_firewalld_installed - - service_firewalld_enabled - - sssd_enable_smartcards + - grub2_password + - grub2_uefi_password - id: R6 + title: Protecting kernel command line parameters levels: - - enhanced - title: Network services partitioning + - high description: >- - Network services should as much as possible be hosted on isolated environments. - This avoids having other potentially affected services if one of them gets - compromised under the same environment. + It is recommended that UEFI Secure Boot is used to protect the Linux Kernel + command line parameters during boot. notes: >- - Manual analysis is required to determine if services are hosted appropriately in - separate or isolated system while maintaining functionality. - automated: no + To protect the Linux Kernel command line one needs to create an Unified Kernel Image and use + it with the UEFI Secure Boot mechanism. + To check if the Kernel image contains the kernel command one needs to inspect the binary, on + the command line one can use the objdump command. But unfortunately OVAL is not able to + inspect kernel images. + Also, it is not trivial to automate creation of such image or configuration of the + Secure Boot mechanism. + status: manual - id: R7 + title: IOMMU Configuration Guidelines levels: - enhanced - title: Logging of service activity description: >- - The activities of the running system and services must be logged and - archived on an external, non-local system. + The iommu = force directive must be added to the list of kernel parameters + during startup in addition to those already present in the configuration + files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). 
status: automated rules: - # The default remote loghost is logcollector. - # Change the default value to the hostname or IP of the system to send the logs to - - rsyslog_remote_loghost + - grub2_enable_iommu_force - id: R8 + title: Memory configuration options levels: - - minimal - title: Regular updates - notes: Check the vendor CVE feed and configure automatic install of security related updates. + - intermediary status: automated rules: - - security_patches_up_to_date - - package_dnf-automatic_installed - - timer_dnf-automatic_enabled - # Configure dnf-automatic to Install Available Updates Automatically - - dnf-automatic_apply_updates - # Configure dnf-automatic to Install Only Security Updates - - dnf-automatic_security_updates_only + # l1tf=full,force to enable countermeasure for L1 Terminal Fault vulnerabilyt, or + # l1tf=off to maximize performance, when system is not a hypervisor or VMs are trusted + - grub2_l1tf_argument + - var_l1tf_options=full_force + + # page_poison=on: activate the poisoning of the pages of the page allocator (buddy allocator) + - grub2_page_poison_argument + + # pti=on: force the use of Page Table Isolation (PTI) including on processors claiming not to + # be affected by the Meltdown vulnerability; + - grub2_pti_argument + + # slab_nomerge=yes (equivalent to CONFIG_SLAB_MERGE_DEFAULT=n): disables the merging of slab + # caches (dynamic memory allocations) of identical size. 
+ - grub2_slab_nomerge_argument + + # slub_debug=F,Z,P: activate certain options for checking slabs caches (dynamic memory allocation) + - grub2_slub_debug_argument + - var_slub_debug_options=FZP + + # spec_store_bypass_disable=seccomp: force the system to use the default countermeasure + # (on an x86 system supporting seccomp) for the Specter v4 (Speculative Store Bypass) vulnerability + - grub2_spec_store_bypass_disable_argument + - var_spec_store_bypass_disable_options=seccomp + + # spectre_v2=on: force the system to use a countermeasure for the Specter v2 (Branch Target Injection) vulnerability. + - grub2_spectre_v2_argument + + # mds=full,nosmt: force the system to use Microarchitectural Data Sampling (MDS) to mitigate + # the vulnerabilities of Intel processors. + - grub2_mds_argument + - var_mds_options=full_nosmt + + # mce=0: force a kernel panic on uncorrected errors reported by Machine Check support. + - grub2_mce_argument + + # page_alloc.shuffle=1: enables Page allocator randomization + - grub2_page_alloc_shuffle_argument + + # rng_core.default_quality=500: increase confidence in TPM's HWRNG for robust and fast Linux + # CSPRNG initialization by crediting half of the entropy it provides. + - grub2_rng_core_default_quality_argument + - var_rng_core_default_quality=500 + + # Forbidden to map memory in low addresses (0) + # vm.mmap_min_addr = 65536 + - sysctl_vm_mmap_min_addr + - id: R9 + title: Kernel configuration options levels: - intermediary - title: Hardware configuration - notes: >- - Configurations recommended for this requirement are to be performed at the BIOS level. - The content automation cannot really configure the BIOS, but can in some cases, - check settings that are visible to the OS. Like for example the NX/DX setting. 
- status: partial + status: automated rules: - - sysctl_kernel_exec_shield - - bios_enable_execution_restrictions - - install_PAE_kernel_on_x86-32 + # Restrict access to the dmesg buffer (equivalent to + # CONFIG_SECURITY_DMESG_RESTRICT=y) + - sysctl_kernel_dmesg_restrict + + # Hide kernel addresses in /proc and various other interfaces, + # including from privileged users + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kptr_restrict_value=2 + + # Explicitly specify the process id space supported by the kernel, + # 65536 being an example value + # kernel.pid_max=65536 + - sysctl_kernel_pid_max + + # Restricts the use of the perf system + # kernel.perf_event_max_sample_rate = 1 + # kernel.perf_cpu_time_max_percent = 1 + - sysctl_kernel_perf_event_max_sample_rate + - sysctl_kernel_perf_cpu_time_max_percent + + # Prohibit unprivileged access to the perf_event_open () system call. + # With a value greater than 2, we impose the possession of + # CAP_SYS_ADMIN, in order to collect the perf events. + # kernel.perf_event_paranoid = 2 + - sysctl_kernel_perf_event_paranoid + + # Activate ASLR + - sysctl_kernel_randomize_va_space + + # Disable Magic System Request Key combinations + # kernel.sysrq = 0 + - sysctl_kernel_sysrq + + # Restrict kernel BPF usage to privileged users + # kernel.unprivileged_bpf_disabled=1 + - sysctl_kernel_unprivileged_bpf_disabled + + # Completely shut down the system if the Linux kernel behaves + # unexpectedly + # kernel.panic_on_oops=1 + - sysctl_kernel_panic_on_oops - id: R10 + title: Disabling the loading of kernel modules levels: - - intermediary - title: 32 and 64 bit architecture - description: When the machine supports 64-bit operating systems, prefer it. - notes: This requirement can be checked, but remediation requires manual reinstall of the OS. 
+ - enhanced + description: >- + The loading of the kernel modules can be blocked by the activation of the + sysctl kernel.modules_disabled: + Prohibition of loading modules (except those already loaded to this point) + kernel.modules_disabled = 1 status: automated rules: - - prefer_64bit_os + - sysctl_kernel_modules_disabled - id: R11 + title: Yama module sysctl configuration levels: - - high - title: IOMMU Configuration Guidelines + - intermediary description: >- - The iommu = force directive must be added to the list of kernel parameters - during startup in addition to those already present in the configuration - files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). + It is recommended to load the Yama security module at startup (by example + passing the security = yama argument to the kernel) and configure the + sysctl kernel.yama.ptrace_scope to a value of at least 1. status: automated rules: - - grub2_enable_iommu_force + - sysctl_kernel_yama_ptrace_scope - id: R12 + title: IPv4 configuration options levels: - intermediary - title: Partitioning type - status: partial + status: automated rules: - # this covers nodev options - - mount_option_nodev_nonroot_local_partitions - # The recommended partitioning type is as follows: - # / Root partition, contains the rest of the tree - # /boot nosuid, nodev, noexec (optional noauto) Contains the kernel and the bootloader. No access required once the boot finished (except update) - - partition_for_boot - - mount_option_boot_nosuid - - mount_option_boot_noexec - # The noauto option rule breaks checking of the other mount options - # Commented until rules for /boot mount_option handles this use case - # - mount_option_boot_noauto + # Mitigation of the dispersion effect of the kernel JIT at the cost of a + # compromise on the associated performance. + # net.core.bpf_jit_harden=2 + - sysctl_net_core_bpf_jit_harden - # /opt nosuid, nodev (optional ro) Additional packages to the system. 
Read-only editing if not used - - partition_for_opt - - mount_option_opt_nosuid + # No routing between interfaces + # net.ipv4.ip_forward = 0 + - sysctl_net_ipv4_ip_forward - # /tmp nosuid, nodev, noexec Temporary files. Must contain only non-executable elements. Cleaned after reboot - - partition_for_tmp - - mount_option_tmp_nosuid - - mount_option_tmp_noexec + # Consider as invalid the packets received from outside whose source + # is the 127/8 network. + # net.ipv4.conf.all.accept_local=0 + - sysctl_net_ipv4_conf_all_accept_local - # /srv nosuid, nodev (noexec, optional ro) Contains files served by a service type web, ftp, etc - - partition_for_srv - - mount_option_srv_nosuid + # Deny receipt of ICMP redirect packets + # net.ipv4.conf.all.accept_redirects = 0 + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_all_accept_redirects - # /home nosuid, nodev, noexec Contains the HOME users. Read-only editing if not in use - - partition_for_home - - mount_option_home_nosuid - - mount_option_home_noexec + # net.ipv4.conf.default.accept_redirects = 0 + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects - # /usr nodev Contains the majority of utilities and system files - - partition_for_usr + # net.ipv4.conf.all.secure_redirects = 0 + - sysctl_net_ipv4_conf_all_secure_redirects + # net.ipv4.conf.default.secure_redirects = 0 + - sysctl_net_ipv4_conf_default_secure_redirects - # /var nosuid, nodev, noexec Partition containing variable files during the life of the system (mails, PID files, databases of a service) - - partition_for_var - - mount_option_var_nosuid - - mount_option_var_noexec + # net.ipv4.conf. 
all.shared_media=0 + - sysctl_net_ipv4_conf_all_shared_media + - sysctl_net_ipv4_conf_all_shared_media_value=disabled - # /var/log nosuid, nodev, noexec Contains system logs - - partition_for_var_log - - mount_option_var_log_noexec - - mount_option_var_log_nosuid + - sysctl_net_ipv4_conf_default_shared_media + - sysctl_net_ipv4_conf_default_shared_media_value=disabled - # /var/tmp nosuid, nodev, noexec Temporary files kept after extinction - - partition_for_var_tmp - - mount_option_var_tmp_nosuid - - mount_option_var_tmp_noexec + # Deny the source routing header information supplied by the + # packet to determine its route. + # net.ipv4.conf.all.accept_source_route = 0 + - sysctl_net_ipv4_conf_all_accept_source_route + # net.ipv4.conf.default.accept_source_route = 0 + - sysctl_net_ipv4_conf_default_accept_source_route - related_rules: - # /proc hidepid = 2 Contains process information and the system - - mount_option_proc_hidepid - - var_mount_option_proc_hidepid=2 + # Prevent the Linux kernel from handling the ARP table globally. + - sysctl_net_ipv4_conf_all_arp_filter - - id: R13 - levels: - - enhanced - title: Access Restrictions on the /boot directory - description: >- - When possible, the /boot partition should not be mounted. In any case, access to - the /boot directory must only be allowed to the root user. - notes: >- - The rule disabling auto-mount for /boot is commented until the rules checking for other - /boot mount options are updated to handle this usecase. - automated: no - #rules: - #- mount_option_boot_noauto + # Respond to ARP requests only if the source and destination address are on the + # same network and come from the same interface on which the packet was received. + # Note that the configuration of this option is to be studied according to the + # use case. 
+ - sysctl_net_ipv4_conf_all_arp_ignore + - sysctl_net_ipv4_conf_all_arp_ignore_value=2 - - id: R14 - levels: - - intermediary - title: Installation of packages reduced to the bare necessities - description: >- - The selection of packages installed should be as small as possible, - limiting itself to select only what is required. - notes: >- - It is not possible to automatically decide in general way if a package is required or not for given system. - As a future improvement, there could be rules assisting assessment by listing the installed packages. - automated: no + # Refuse the routing of packets whose source or destination address is that + # of the local loopback. + # net.ipv4.conf.all.route_localnet=0 + - sysctl_net_ipv4_conf_all_route_localnet - - id: R15 - levels: - - minimal - title: Choice of package repositories - description: Only up-to-date official repositories of the distribution must be used. - notes: >- - It is not trivial to distinguish an official repository from an unofficial one. - We cannot draw conclusions from the repo name or URL of the repo (as they can be arbitrary or behind a proxy). - One approach to check the origin of installed packages is to check the signature of the packages. - If the public key of a repository is not installed, the repo is not trusted. - status: partial - rules: - - ensure_gpgcheck_never_disabled - - ensure_gpgcheck_globally_activated - - ensure_gpgcheck_local_packages - - ensure_redhat_gpgkey_installed - - ensure_oracle_gpgkey_installed - - ensure_suse_gpgkey_installed + # Ignore gratuitous ARP requests. + # net.ipv4.conf.all.drop_gratuitous_arp=1 + - sysctl_net_ipv4_conf_all_drop_gratuitous_arp - - id: R16 - levels: - - enhanced - title: Hardened package repositories - description: >- - When the distribution provides several types of repositories, preference - should be given to those containing packages subject to additional - hardening measures. 
- Between two packages providing the same service, those subject to hardening - (at compilation, installation, or default configuration) must be preferred. - automated: no - - - id: R17 - levels: - - enhanced - title: Boot loader password - description: >- - A boot loader to protect the password boot must be to be privileged. - This password must prevent any user from changing their configuration options. - status: automated # without remediation - rules: - - grub2_password - - grub2_uefi_password - - - id: R18 - levels: - - minimal - title: Administrator password robustness - notes: >- - The rules selected below establish a general password strength baseline of 100 bits, - inspired by DAT-NT-001 and the "Password Strenght Calculator" - (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/). - - The baseline should be reviewed and tailored to the system's use case and needs. - status: partial - rules: - # Renew passwords every 90 days - - var_accounts_maximum_age_login_defs=90 - - accounts_maximum_age_login_defs - - # Ensure passwords with minimum of 18 characters - - var_password_pam_minlen=18 - - accounts_password_pam_minlen - - cracklib_accounts_password_pam_minlen - # Require at Least 1 Special Character in Password - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit - - cracklib_accounts_password_pam_ocredit - # Require at Least 1 Numeric Character in Password - - var_password_pam_dcredit=1 - - accounts_password_pam_dcredit - - cracklib_accounts_password_pam_dcredit - # Require at Least 1 Uppercase Character in Password - - var_password_pam_ucredit=1 - - accounts_password_pam_ucredit - - cracklib_accounts_password_pam_ucredit - # Require at Least 1 Lowercase Character in Password - - var_password_pam_lcredit=1 - - accounts_password_pam_lcredit - - cracklib_accounts_password_pam_lcredit - - # Lock out users after 3 failed authentication attempts within 15 min - - 
var_accounts_passwords_pam_faillock_fail_interval=900 - - accounts_passwords_pam_faillock_interval - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_deny_root - # same as above but for pam_tally2 module - - var_password_pam_tally2=5 - - accounts_passwords_pam_tally2 - - accounts_passwords_pam_tally2_deny_root - # Automatically unlock users after 15 min to prevent DoS - - var_accounts_passwords_pam_faillock_unlock_time=900 - - accounts_passwords_pam_faillock_unlock_time - - # Do not reuse last two passwords - - var_password_pam_remember=2 - - var_password_pam_remember_control_flag=requisite - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - - - id: R19 - levels: - - intermediary - title: Accountability of administration - notes: >- - By disabling direct root logins proper accountability is ensured. - Users will first login, then escalate to privileged (root) access. - Change of privilege operations must be based on executables to monitor the activities - performed (for example sudo). - status: automated - rules: - - no_direct_root_logins - - sshd_disable_root_login - - package_sudo_installed - - audit_rules_privileged_commands_sudo - - # This rule should be present in the profile at least once - - sshd_use_directory_configuration - - - id: R20 - levels: - - enhanced - title: Installation of secret or trusted elements - description: >- - All secret elements or those contributing to the authentication mechanisms - must be set up as soon as the system is installed: account and administration - passwords, root authority certificates, public keys, or certificates of the - host (and their respective private key). - notes: >- - This concerns two aspects, the first is administrative, and involves prompt - installation of secrets or trusted elements by the sysadmin. 
- The second involves removal of any default secret or trusted element - configured by the operating system during install process, e.g. default - known passwords. - automated: no - - - id: R21 - levels: - - intermediary - title: Hardening and monitoring of services subject to arbitrary flows - notes: >- - SELinux can provide confinement and monitoring of services, and AIDE provides - basic integrity checking. System logs are configured as part of R43. - Hardening of particular services should be done on a case by case basis and is - not automated by this content. - status: partial - rules: - - selinux_state - - var_selinux_state=enforcing - - package_aide_installed - - aide_build_database - - - id: R22 - levels: - - intermediary - title: Setting up network sysctl - status: automated - rules: - # No routing between interfaces - # net.ipv4.ip_forward = 0 - - sysctl_net_ipv4_ip_forward - - # Reverse path filtering + # Check that the source address of packets received on a given interface + # would have been contacted via this same interface. # net.ipv4.conf.all.rp_filter = 1 - sysctl_net_ipv4_conf_all_rp_filter - # net.ipv4.conf.default.rp_filter = 1 - sysctl_net_ipv4_conf_default_rp_filter - # Do not send ICMP redirects + # A non-routing equipment has no reason to receive a flow for which it is not the recipient + # and therefore to send an ICMP redirect packet. 
# net.ipv4.conf.all.send_redirects = 0 - sysctl_net_ipv4_conf_all_send_redirects - # net.ipv4.conf.default.send_redirects = 0 - sysctl_net_ipv4_conf_default_send_redirects - # Deny source routing packets - # net.ipv4.conf.all.accept_source_route = 0 - - sysctl_net_ipv4_conf_all_accept_source_route - - # net.ipv4.conf.default.accept_source_route = 0 - - sysctl_net_ipv4_conf_default_accept_source_route - - # Do not accept ICMPs of redirect type - # net.ipv4.conf.all.accept_redirects = 0 - - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_all_accept_redirects - - # net.ipv4.conf.all.secure_redirects = 0 - - sysctl_net_ipv4_conf_all_secure_redirects - - # net.ipv4.conf.default.accept_redirects = 0 - - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - - sysctl_net_ipv4_conf_default_accept_redirects - - # net.ipv4.conf.default.secure_redirects = 0 - - sysctl_net_ipv4_conf_default_secure_redirects - - # Log packets with abnormal IPs - # net.ipv4.conf.all.log_martians = 1 - - sysctl_net_ipv4_conf_all_log_martians - - # RFC 1337 - # net.ipv4.tcp_rfc1337 = 1 - - sysctl_net_ipv4_tcp_rfc1337 - # Ignore responses that do not comply with RFC 1122 # net.ipv4.icmp_ignore_bogus_error_responses = 1 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses @@ -496,10 +352,23 @@ controls: # net.ipv4.ip_local_port_range = 32768 65535 - sysctl_net_ipv4_ip_local_port_range + # RFC 1337 + # net.ipv4.tcp_rfc1337 = 1 + - sysctl_net_ipv4_tcp_rfc1337 + # Use SYN cookies # net.ipv4.tcp_syncookies = 1 - sysctl_net_ipv4_tcp_syncookies + - id: R13 + title: Disabling IPv6 + levels: + - intermediary + notes: >- + When IPv6 is not in use, disable it, otherwise secure the IPv6 stack. + This control hardens the IPv6 stack, to disable it use the related rules instead. + status: automated + rules: # Disable support for "router solicitations" # net.ipv6.conf.all.router_solicitations = 0 # net.ipv6.conf.default.router_solicitations = 0 
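Review bot: R1 is marked `status: automated` but its own `rules` block leaves DAT-24 R8, R9 and R10 without any rule and carries `# TODO: can we reliably check cpuinfo flags?`, so `status: partial` is the honest value; in the same control, the `notes` text is carried over from the v1.2 R9/R10 entries ("remediation requires manual reinstall of the OS", "check settings that are visible to the OS. Like for example the NX/DX setting") and now describes BIOS checks that belong to R2, and should read NX/XD as the R2 comment does. `package_dracut-fips-aesni_installed` verifies that a package is installed, not that the CPU supports AES-NI, so say so in the comment or drop it from DAT-24 R7. The rewrite also deletes the v1.2 controls on updates, accountability, repositories and password robustness (`security_patches_up_to_date`, `no_direct_root_logins`, `sshd_disable_root_login`, `ensure_gpgcheck_never_disabled`, the `accounts_password_pam_*` set) and removes `sysctl_net_ipv4_conf_all_log_martians` from the network sysctl set without a comment; confirm these reappear under their v2.0 numbers in the rest of the patch or state why they are gone. Finally, the R8 comments need a pass: "vulnerabilyt" and "Specter" (twice) are typos, and the `mds=full,nosmt` line reads as if MDS were the countermeasure; it should say the option enables the MDS mitigation and disables SMT.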
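Review bot: the control opened here is titled "Disabling IPv6" and its `notes` say to disable IPv6 when unused, yet the `rules` that follow harden a still-enabled IPv6 stack and the notes defer the actual disabling to `related_rules`; either retitle it to match what selecting it does (for example "IPv6 configuration options") or make the `notes` explicit that a profile selecting this control keeps IPv6 enabled and must add the `disable_ipv6` rules itself, so the title does not promise a behaviour the selected rules do not deliver. The moved `tcp_rfc1337` block is fine as relocated.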
@@ -550,118 +419,354 @@ controls: - sysctl_net_ipv6_conf_all_max_addresses - sysctl_net_ipv6_conf_default_max_addresses - - id: R23 + related_rules: + # Rules to select when disabling the IPv6 stack. + - sysctl_net_ipv6_conf_all_disable_ipv6 + - sysctl_net_ipv6_conf_default_disable_ipv6 + + - id: R14 + title: File system configuration options levels: - intermediary - title: Setting up system sysctl + notes: >- + The rule for the /proc file system is not implemented status: automated rules: - # Disabling SysReq - # kernel.sysrq = 0 - - sysctl_kernel_sysrq - - # No core dump of executable setuid + # Disable coredump creation for setuid executables - sysctl_fs_suid_dumpable - # Prohibit links to find links to files - # the current user is not the owner - # Can prevent some programs from working properly + # Available from version 4.19 of the Linux kernel, allows to prohibit + # opening FIFOs and "regular" files that are not owned by the user + # in sticky folders for everyone to write. + # fs.protected_fifos=2 + - sysctl_fs_protected_fifos + # fs.protected_regular=2 + - sysctl_fs_protected_regular + + # Restrict the creation of symbolic links to files that the user owns. - sysctl_fs_protected_symlinks + + # Restrict the creation of hard links to files whose user is owner. - sysctl_fs_protected_hardlinks - # Activation of the ASLR - - sysctl_kernel_randomize_va_space + - id: R15 + title: Compile options for memory management + levels: + - high + status: automated + notes: >- + The special case of direct access to physical memory is not handled. 
+ rules: + - kernel_config_strict_kernel_rwx + - kernel_config_debug_wx + - kernel_config_debug_fs + - kernel_config_stackprotector + - kernel_config_stackprotector_strong + - kernel_config_sched_stack_end_check + - kernel_config_hardened_usercopy + - kernel_config_hardened_usercopy_fallback + - kernel_config_vmap_stack + - kernel_config_refcount_full + - kernel_config_fortify_source + - kernel_config_acpi_custom_method + - kernel_config_devkmem + - kernel_config_proc_kcore + - kernel_config_compat_vdso + - kernel_config_security_dmesg_restrict + - kernel_config_retpoline + - kernel_config_legacy_vsyscall_none + - kernel_config_legacy_vsyscall_emulate + - kernel_config_legacy_vsyscall_xonly + - kernel_config_x86_vsyscall_emulation - # Prohibit mapping of memory in low addresses (0) - # vm.mmap_min_addr = 65536 - - sysctl_vm_mmap_min_addr + - id: R16 + title: Compile options for kernel data structures + levels: + - high + status: automated + rules: + - kernel_config_debug_credentials + - kernel_config_debug_notifiers + - kernel_config_debug_list + - kernel_config_debug_sg + - kernel_config_bug_on_data_corruption - # Larger choice space for PID values - # kernel.pid_max = 65536 - - sysctl_kernel_pid_max + - id: R17 + title: Compile options for the memory allocator + levels: + - high + status: automated + rules: + - kernel_config_slab_freelist_random + - kernel_config_slab_freelist_hardened + - kernel_config_slab_merge_default + - kernel_config_slub_debug + - kernel_config_page_poisoning + - kernel_config_page_poisoning_no_sanity + - kernel_config_page_poisoning_zero + - kernel_config_compat_brk - # Obfuscation of addresses memory kernel - - sysctl_kernel_kptr_restrict + - id: R18 + title: Compile options for the management of kernel module + levels: + - high + status: automated + rules: + - kernel_config_strict_module_rwx + - kernel_config_module_sig + - kernel_config_module_sig_force + - kernel_config_module_sig_all + - kernel_config_module_sig_sha512 + - 
kernel_config_module_sig_hash + - kernel_config_module_sig_key - # Access restriction to the dmesg buffer - - sysctl_kernel_dmesg_restrict + - id: R19 + title: Compile options for abnormal situations + levels: + - high + status: automated + rules: + - kernel_config_bug + - kernel_config_panic_on_oops + - kernel_config_panic_timeout - # Disallow kernel profiling by unprivileged users - - sysctl_kernel_perf_event_paranoid + - id: R20 + title: Compile options for kernel security functions + levels: + - high + status: automated + rules: + - kernel_config_seccomp + - kernel_config_seccomp_filter + - kernel_config_security + - kernel_config_security_yama + - kernel_config_security_writable_hooks - # Restricts the use of the perf system - # kernel.perf_event_paranoid = 2 - # kernel.perf_event_max_sample_rate = 1 - # kernel.perf_cpu_time_max_percent = 1 - - sysctl_kernel_perf_event_paranoid - - sysctl_kernel_perf_event_max_sample_rate - - sysctl_kernel_perf_cpu_time_max_percent + - id: R21 + title: Compile options for the compiler plugins + levels: + - high + status: automated + rules: + - kernel_config_gcc_plugin_latent_entropy + - kernel_config_gcc_plugin_stackleak + - kernel_config_gcc_plugin_structleak + - kernel_config_gcc_plugin_structleak_byref_all + - kernel_config_gcc_plugin_randstruct - - - id: R24 + - id: R22 + title: Compile options for the IP stack levels: - - enhanced - title: Disabling the loading of kernel modules - description: >- - The loading of the kernel modules can be blocked by the activation of the - sysctl kernel.modules_disabledconf: - Prohibition of loading modules (except those already loaded to this point) - kernel.modules_disabled = 1 - status: automated # without remediation + - high + notes: >- + This control doesn't disable the IPv6 stack, to disable it select the related rule. 
+ status: automated rules: - - sysctl_kernel_modules_disabled + - kernel_config_syn_cookies + related_rules: + - kernel_config_ipv6 + + - id: R23 + title: Compile options for various kernel behaviors + levels: + - high + notes: >- + As R18 configures hardened management of kernel modules we don't check nor remediate + for CONFIG_MODULES=n + status: automated + rules: + - kernel_config_kexec + - kernel_config_hibernation + - kernel_config_binfmt_misc + - kernel_config_legacy_ptys + + + - id: R24 + title: Compile options for 32-bit architectures + levels: + - high + notes: >- + Unless a X86 32bit kernel is explicitly supported by one of products in the project, this + requirement is set to not applicable. + status: not applicable - id: R25 + title: Compile options for x86_64 architectures levels: - - enhanced - title: Yama module sysctl configuration - description: >- - It is recommended to load the Yama security module at startup (by example - passing the security = yama argument to the kernel) and configure the - sysctl kernel.yama.ptrace_scope to a value of at least 1. + - high status: automated rules: - - sysctl_kernel_yama_ptrace_scope + # TODO: add support for variable for config_default_mmap_min_addr + # CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 + - kernel_config_default_mmap_min_addr + - kernel_config_randomize_base + - kernel_config_randomize_memory + - kernel_config_page_table_isolation + - kernel_config_ia32_emulation + - kernel_config_modify_ldt_syscall - id: R26 + title: Compile options for ARM architectures levels: - - enhanced - title: Disabling unused user accounts - description: >- - Unused user accounts must be disabled at the system level. + - high notes: >- - The definition of unused user accounts is broad. It can include accounts - whose owners don't use the system anymore, or users created by services - or applications that should not be used. 
- automated: no + Unless a ARM 32bit kernel is explicitly supported by one of products in the project, this + requirement is set to not applicable. + status: not applicable - id: R27 - title: Disabling service accounts + title: Compile options for ARM 64 architectures levels: - - intermediary - notes: >- - It is difficult to generally identify the system's service accounts. - UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values - are not enforced by the OS and can be changed over time. - Assisting rules could list users which are not disabled for manual review. - automated: no + - high + status: automated + rules: + # CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 + - kernel_config_randomize_base + - kernel_config_arm64_sw_ttbr0_pan + - kernel_config_unmap_kernel_at_el0 - id: R28 + title: Partitioning type levels: - - enhanced - title: Uniqueness and exclusivity of system service accounts - description: >- - Each service must have its own system account and be dedicated to it exclusively. - notes: >- - It is not trivial to identify whether a user account is a service account. - UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values - are not enforced by the OS and can be changed over time. - automated: no + - intermediary + status: automated + rules: + # this covers nodev options + - mount_option_nodev_nonroot_local_partitions + # The recommended partitioning type is as follows: + # / Root partition, contains the rest of the tree + # /boot nosuid, nodev, noexec (optional noauto) Contains the kernel and the bootloader. No access required once the boot finished (except update) + - partition_for_boot + - mount_option_boot_nosuid + - mount_option_boot_noexec + # The noauto option rule breaks checking of the other mount options + # Commented until rules for /boot mount_option handles this use case + # - mount_option_boot_noauto + + # /opt nosuid, nodev (optional ro) Additional packages to the system. 
Read-only editing if not used + - partition_for_opt + - mount_option_opt_nosuid + + # /tmp nosuid, nodev, noexec Temporary files. Must contain only non-executable elements. Cleaned after reboot + - partition_for_tmp + - mount_option_tmp_nosuid + - mount_option_tmp_noexec + + # /srv nosuid, nodev (noexec, optional ro) Contains files served by a service type web, ftp, etc + - partition_for_srv + - mount_option_srv_nosuid + + # /home nosuid, nodev, noexec Contains the HOME users. Read-only editing if not in use + - partition_for_home + - mount_option_home_nosuid + - mount_option_home_noexec + + # /usr nodev Contains the majority of utilities and system files + - partition_for_usr + + # /var nosuid, nodev, noexec Partition containing variable files during the life of the system (mails, PID files, databases of a service) + - partition_for_var + - mount_option_var_nosuid + - mount_option_var_noexec + + # /var/log nosuid, nodev, noexec Contains system logs + - partition_for_var_log + - mount_option_var_log_noexec + - mount_option_var_log_nosuid + + # /var/tmp nosuid, nodev, noexec Temporary files kept after extinction + - partition_for_var_tmp + - mount_option_var_tmp_nosuid + - mount_option_var_tmp_noexec + + related_rules: + # /proc hidepid = 2 Contains process information and the system + - mount_option_proc_hidepid + - var_mount_option_proc_hidepid=2 - id: R29 + title: Access Restrictions on /boot levels: - enhanced + description: >- + When possible, the /boot partition should not be mounted. In any case, access to + the /boot directory must only be allowed to the root user. + notes: >- + The rule disabling auto-mount for /boot is commented until the rules checking for other + /boot mount options are updated to handle this usecase. + status: supported + #rules: + #- mount_option_boot_noauto + + - id: R30 + title: Removal of unused user accounts + levels: + - minimal + description: >- + Unused user accounts must be deleted from the system. 
+ notes: >- + The definition of unused user accounts is broad. It can include accounts + whose owners don't use the system anymore, or users created by services + or applications that should not be used. + Automation by itself cannot discern which accounts are used or not. + status: manual + + - id: R31 + title: User password strength + levels: + - minimal + notes: >- + The rules selected below establish a general password strength baseline of 100 bits, + inspired by DAT-NT-001 and the "Password Strenght Calculator" + (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/). + + The baseline should be reviewed and tailored to the system's use case and needs. + status: automated + rules: + # enable authselect to support following rules + - enable_authselect + + # Renew passwords every 90 days + - var_accounts_maximum_age_login_defs=90 + - accounts_maximum_age_login_defs + + # Ensure passwords with minimum of 18 characters + - var_password_pam_minlen=18 + - accounts_password_pam_minlen + # Enforce password lenght for new accounts + - var_accounts_password_minlen_login_defs=18 + - accounts_password_minlen_login_defs + # Require at Least 1 Special Character in Password + - var_password_pam_ocredit=1 + - accounts_password_pam_ocredit + # Require at Least 1 Numeric Character in Password + - var_password_pam_dcredit=1 + - accounts_password_pam_dcredit + # Require at Least 1 Uppercase Character in Password + - var_password_pam_ucredit=1 + - accounts_password_pam_ucredit + # Require at Least 1 Lowercase Character in Password + - var_password_pam_lcredit=1 + - accounts_password_pam_lcredit + + # Lock out users after 3 failed authentication attempts within 15 min + - var_accounts_passwords_pam_faillock_fail_interval=900 + - accounts_passwords_pam_faillock_interval + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_deny_root + # Automatically unlock users after 
15 min to prevent DoS + - var_accounts_passwords_pam_faillock_unlock_time=900 + - accounts_passwords_pam_faillock_unlock_time + + # Do not reuse last two passwords + - var_password_pam_unix_remember=2 + - accounts_password_pam_unix_remember + + - id: R32 title: User session timeout + levels: + - intermediary description: >- Remote user sessions (shell access, graphical clients) must be closed after a certain period of inactivity. @@ -675,7 +780,7 @@ controls: The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to "don't disconnect network inactive sessions". The server either probes for the client liveness or keeps inactive sessions connected. - status: automated + status: supported rules: - accounts_tmout - var_accounts_tmout=10_min 
@@ -683,55 +788,51 @@ controls: - sshd_idle_timeout_value=10_minutes - sshd_set_keepalive - - id: R30 - levels: - - minimal - title: Applications using PAM - notes: >- - Manual review is necessary to decide if the list of applications using PAM is minimal. - Asssising rules could be created to list all applications using PAM for manual review. - automated: no - - - id: R31 - title: Securing PAM Authentication Network Services + - id: R33 + title: Use of dedicated administration accounts levels: - intermediary - # rules: TBD - - - id: R32 - levels: - - minimal - title: Protecting stored passwords - description: Any password must be protected by cryptographic mechanisms. notes: >- - The selection of rules doesn't cover the use of hardware devices to protect the passwords. + By disabling direct root logins proper accountability is ensured. + Users will login first, then escalate to privileged (root) access. + Change of privilege operations must be based on executables to monitor the activities + performed (for example sudo). + Nonetheless, the content automation cannot ensure that each administrator was given a + nominative administration account separate from his normal user account. status: automated rules: - # ENCRYPT_METHOD, system default is SHA512 - - set_password_hashing_algorithm_systemauth - # The default salt size is secure enough: - # https://bugzilla.redhat.com/show_bug.cgi?id=1229472 - # SHA_CRYPT_MIN_ROUNDS 65536 - - var_password_pam_unix_rounds=65536 - - accounts_password_pam_unix_rounds_system_auth - - accounts_password_pam_unix_rounds_password_auth + - no_direct_root_logins + - sshd_disable_root_login + - package_sudo_installed + - audit_rules_privileged_commands_sudo - - id: R33 - title: Securing access to remote user databases + - id: R34 + title: Deactivation of service accounts levels: - intermediary - # rules: TBD + notes: >- + It is difficult to generally identify the system's service accounts. 
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + Assisting rules could list users which are not disabled for manual review. + status: manual - - id: R34 - title: Separation of System Accounts and Directory Administrator + - id: R35 + title: Uniqueness and exclusivity of system service accounts levels: - intermediary - # rules: TBD + description: >- + Each service must have its own system account and be dedicated to it exclusively. + notes: >- + It is not trivial to identify whether a user account is a service account. + UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + status: manual - - id: R35 + - id: R36 + title: umask value levels: - enhanced - title: umask value description: >- The system umask must be set to 0027 (by default, any created file can only be read by the user and his group, and be editable only by his owner). 
@@ -743,15 +844,181 @@ controls: The different values are set in a conditional clause in a shell script (e.g. /etc/profile or /etc/bashrc). The current implementation checks and fixes both umask to the same value. - status: partial + status: supported rules: - var_accounts_user_umask=077 - accounts_umask_etc_login_defs - accounts_umask_etc_profile - accounts_umask_etc_bashrc - - id: R36 - title: Rights to access sensitive content files + - id: R37 + title: Using access control features + levels: + - enhanced + description: >- + It is recommended to use the mandatory access control (MAC) features in + addition to the traditional Unix user model (DAC), or possibly combine + them with partitioning mechanisms. + notes: >- + Other partitioning mechanisms can include chroot and containers and are not contemplated + in this requirement. + status: automated + rules: + - selinux_state + - var_selinux_state=enforcing + + - id: R38 + title: Group dedicated to the use of sudo + levels: + - enhanced + description: >- + A group dedicated to the use of sudo must be created, and only members of this + group are allowed to execute sudo. + notes: >- + The rules below create and configure a group named sudogrp, to change the group customize the + value of var_sudo_dedicated_group. + status: automated + rules: + - sudo_dedicated_group + - var_sudo_dedicated_group=sudogrp + + - id: R39 + title: Sudo configuration guidelines + levels: + - intermediary + status: automated + rules: + - sudo_add_noexec + - sudo_add_requiretty + - sudo_add_use_pty + - sudo_add_umask + - var_sudo_umask=0077 + - sudo_add_ignore_dot + - sudo_add_env_reset + + - id: R40 + title: User authentication running sudo + levels: + - minimal + description: >- + The calling user must be authenticated before running any command with sudo. 
+ status: automated + rules: + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + + - id: R41 + title: Limiting the number of commands requiring the use of the EXEC option + levels: + - enhanced + description: >- + The commands requiring the execution of sub-processes (EXEC tag) must be + explicitly listed and their use should be reduced to a strict minimum. + notes: >- + Human review is required to assess if the set of commands requiring EXEC is minimal. + An auxiliary rule could list rules containing EXEC tag, for analysis. + status: manual + + - id: R42 + title: Good use of negation in a sudoers file + levels: + - intermediary + description: The sudoers configuration rules should not involve negation. + status: automated + rules: + - sudoers_no_command_negation + + - id: R43 + title: Explicit arguments in sudo specifications + levels: + - intermediary + status: automated + rules: + - sudoers_explicit_command_args + + - id: R44 + title: Editing files with sudo + levels: + - intermediary + description: A file requiring sudo to be edited, must be edited through the sudoedit command. + notes: >- + In R62 we established that the sudoers files should not use negations, thus the approach + for this requirement is to ensure that sudoedit is the only text editor allowed. + But it is difficult to ensure that allowed binaries aren't text editors without human + review. + status: manual + + - id: R45 + title: Enable AppArmor security profiles + levels: + - enhanced + description: >- + All AppArmor security profiles on the system must be enabled by default. + status: not applicable + + - id: R46 + title: Activate SELinux with the Targeted Policy + levels: + - high + description: >- + It is recommended to enable the targeted policy when the distribution + supports it and that it does not operate another security module than SELinux. 
+ status: automated + rules: + - selinux_policytype + - var_selinux_policy_name=targeted + + - id: R47 + title: Containment of unprivileged interactive users + levels: + - high + description: >- + Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. + notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. + status: manual + + - id: R48 + title: Setting SELinux booleans + levels: + - high + description: >- + It is recommended to set the following Booleans: + allow_execheap to off, forbids processes to make their heap executable; + allow_execmem to off, forbids processes to have both write and execute rights on memory pages; + allow_execstack to off, forbids processes to make their stack executable; + secure_mode_insmod to on, prohibits dynamic loading of modules by any process; + ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role. + notes: + In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the + boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not + available, deny_execmem provides the same functionality. + status: automated + rules: + - var_selinuxuser_execheap=off + - sebool_selinuxuser_execheap + - var_deny_execmem=on + - sebool_deny_execmem + - var_selinuxuser_execstack=off + - sebool_selinuxuser_execstack + - var_secure_mode_insmod=on + - sebool_secure_mode_insmod + - sebool_ssh_sysadm_login + + - id: R49 + title: Uninstalling SELinux Policy Debugging Tools + levels: + - high + description: >- + SELinux policy manipulation and debugging tools should not be installed + on a machine in production. + status: automated + rules: + - package_setroubleshoot_removed + - package_setroubleshoot-server_removed + - package_setroubleshoot-plugins_removed + + - id: R50 + title: Rights to access sensitive files and directories levels: - intermediary status: automated 
@@ -764,10 +1031,69 @@ controls: - file_permissions_etc_group - file_permissions_sshd_private_key - - id: R37 + - id: R51 + title: Sensitive and trusted files + levels: + - enhanced + description: >- + All sensitive files and those contributing to the authentication mechanisms + must be set up as soon as the system is installed. If default secrets are + preconfigured, they must be replaced during, or immediately after, the + installation phase of the system. + notes: >- + This concerns two aspects, the first is administrative, and involves prompt + installation of secrets or trusted elements by the sysadmin. + The second involves removal of any default secret or trusted element + configured by the operating system during install process, e.g. default + known passwords. + status: documentation + + - id: R52 + title: Securing access for named sockets and pipes + levels: + - intermediary + notes: We cannot easily automate securing of named sockets and pipes in a general way. + status: manual + + - id: R53 + title: Files or directories without a known user or group + levels: + - minimal + status: automated + rules: + - file_permissions_ungroupowned + - no_files_unowned_by_user + + - id: R54 + title: Sticky bit and write access rights levels: - minimal + status: automated + rules: + - dir_perms_world_writable_sticky_bits + - dir_perms_world_writable_root_owned + - file_permissions_unauthorized_world_writable + + - id: R55 + title: Temporary directories dedicated to accounts + levels: + - intermediary + description: >- + Each user or service account must have its own temporary directory + and dispose of it exclusively. + notes: The approach of the selected rules is to use and configure pam_namespace module. 
+ status: automated + rules: + - enable_pam_namespace + - accounts_polyinstantiated_tmp + - accounts_polyinstantiated_var_tmp + - var_polyinstantiation_enabled=on + - sebool_polyinstantiation_enabled + + - id: R56 title: Executables with setuid and setgid bits + levels: + - minimal notes: >- Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set. This requirement considers apropriate for setuid and setgid bits the binaries that are installed from 
@@ -779,70 +1105,204 @@ controls: - file_permissions_unauthorized_suid - file_permissions_unauthorized_sgid - - id: R38 + - id: R57 + title: Executable with special rights setuid root and setgid root levels: - enhanced - title: Executable setuid root description: >- - Setuid executables should be as small as possible. When it is expected - that only the administrators of the machine execute them, the setuid bit - must be removed and prefer them commands like su or sudo, which can be monitored - # rules: TBD + The executables with setuid executables root and setgid root special rights should be as few as possible. + When only administrators are expected to execute them, these special rights should + be removed and prefer them commands like su or sudo, which can be monitored + notes: There could be rules to list all executables with setuid root or setgid root rights. + status: manual - - id: R39 + - id: R58 + title: Installation of packages reduced to the bare necessities levels: - - intermediary - title: Temporary directories dedicated to accounts + - minimal description: >- - Each user or service account must have its own temporary directory - and dispose of it exclusively. - notes: The approach of the selected rules is to use and configure pam_namespace module. + The selection of packages installed should be as small as possible, + limiting itself to select only what is required. + notes: >- + It is not possible to automatically decide in general way if a package is required or not for given system. + As a future improvement, there could be rules assisting assessment by listing the installed packages. + status: manual + + - id: R59 + title: Official package repositories + levels: + - minimal + description: Only up-to-date official repositories of the distribution must be used. + notes: >- + It is not trivial to distinguish an official repository from an unofficial one. 
+ We cannot draw conclusions from the repo name or URL of the repo (as they can be arbitrary or behind a proxy). + One approach to check the origin of installed packages is to check the signature of the packages. + If the public key of a repository is not installed, the repo is not trusted. status: automated rules: - - enable_pam_namespace - - accounts_polyinstantiated_tmp - - accounts_polyinstantiated_var_tmp - - var_polyinstantiation_enabled=on - - sebool_polyinstantiation_enabled + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_redhat_gpgkey_installed + - ensure_oracle_gpgkey_installed - - id: R40 + - id: R60 + title: Hardened package repositories + levels: + - enhanced + description: >- + When the distribution provides several types of repositories, preference + should be given to those containing packages subject to additional + hardening measures. + Between two packages providing the same service, those subject to hardening + (at compilation, installation, or default configuration) must be preferred. + status: not applicable + + - id: R61 + title: Regular updates + levels: + - minimal + notes: Check the vendor CVE feed and configure automatic install of security related updates. + status: automated + rules: + - security_patches_up_to_date + - package_dnf-automatic_installed + - timer_dnf-automatic_enabled + # Configure dnf-automatic to Install Available Updates Automatically + - dnf-automatic_apply_updates + # Configure dnf-automatic to Install Only Security Updates + - dnf-automatic_security_updates_only + + - id: R62 + title: Minimization of installed services + levels: + - minimal + description: >- + Only the components strictly necessary to the service provided by the system should + be installed. + Those whose presence can not be justified should be disabled, removed or deleted. + status: manual # The list of essential services is not objective. 
+ notes: >- + Performing a minimal install is a good starting point, but doesn't provide any assurance + over any package installed later. + Manual review is required to assess if the installed services are minimal. + In general, use of obsolete or insecure services is not recommended and we remove some + of these in this recommendation. + rules: + - package_dhcp_removed + - package_rsh_removed + - package_rsh-server_removed + - package_sendmail_removed + - package_talk_removed + - package_talk-server_removed + - package_telnet_removed + - package_telnet-server_removed + - package_tftp_removed + - package_tftp-server_removed + - package_xinetd_removed + - package_ypbind_removed + - package_ypserv_removed + + - id: R63 + title: Minimization of services configuration levels: - intermediary - title: Sticky bit and write access rights + description: >- + Services are often installed with default configurations that enable features potentially + problematic from a security point of view. + The features configured at the level of launched services should be limited to the strict + minimum. + notes: >- + Define a list of most problematic components or features to be hardened or restricted. + status: manual + + - id: R64 + title: Least privilege for the services + levels: + - enhanced + description: >- + The deployed services must have their access restricted to the system + strict minimum, especially when it comes to files, processes or network. + notes: >- + SELinux policies limit the privileges of services and daemons just to those which are required. + The policies should be enough to restrict the services' privileges to its essentials, but the + automated content cannot assess whether they are the minimum required for the deployment. 
status: automated rules: - - dir_perms_world_writable_sticky_bits - - dir_perms_world_writable_root_owned - - file_permissions_unauthorized_world_writable + - selinux_policytype + - var_selinux_policy_name=targeted + + - id: R65 + title: Services partitioning + levels: + - enhanced + notes: >- + Using automation to restrict access and chroot services is not generally reliable. + status: manual + + - id: R66 + title: Virtualization components hardening + levels: + - high + description: >- + Each component supporting the virtualization must be hardened, especially + by applying technical measures to counter the exploit attempts. + notes: >- + We cannot easily automate securing of virtualization technologies in a general way. + It may be interesting to point out virtualization components that are installed and + should be hardened. + status: manual - - id: R41 + - id: R67 + title: Securing remote authentication by PAM levels: - intermediary - title: Securing access for named sockets and pipes - # rules: TBD + notes: We cannot automate securing of remote PAM authentication in a general way. + status: manual - - id: R42 + - id: R68 + title: Protecting stored passwords levels: - minimal - title: In memory services and daemons + description: Any password must be protected by cryptographic mechanisms. notes: >- - Manual review is necessary to decide if the list of resident daemons is minimal. - Asssising rules could be created to list sevices listening on the network for manual review. - automated: no + The selection of rules doesn't cover the use of hardware devices to protect the passwords. 
+ status: supported + rules: + # ENCRYPT_METHOD, system default is SHA512 + - set_password_hashing_algorithm_systemauth + # The default salt size is secure enough: + # https://bugzilla.redhat.com/show_bug.cgi?id=1229472 + # SHA_CRYPT_MIN_ROUNDS 65536 + - var_password_pam_unix_rounds=65536 + - accounts_password_pam_unix_rounds_system_auth + - accounts_password_pam_unix_rounds_password_auth - - id: R43 - title: Hardening and configuring the syslog + - id: R69 + title: Securing access to remote user databases + levels: + - intermediary + notes: We cannot automate securing access to remote databases in a general way. + status: manual + + - id: R70 + title: Separation of System Accounts and Directory Administrator levels: - intermediary + status: manual + + - id: R71 + title: Implementation of a logging system + levels: + - enhanced description: >- - The chosen syslog server must be hardened according to the security guides associated with this server. The configuration of the service must be performed according to the 'Security Recommendations for the implementation of a logging system' (DAT-NT-012) accessible on the ANSSI website. notes: >- A lot of recommendations and requirements from the DAT-NT-012 document are administrative and hard to automate. The rules selected below address a few of the aspects that can be covered, keep in mind that these configurations should be customized for the systems deployment requirements. - status: partial + status: automated rules: # Based on DAT-NT-012 R3 - package_chrony_installed 
@@ -870,67 +1330,111 @@ controls: - rsyslog_files_groupownership - rsyslog_files_permissions - - id: R44 - levels: - - intermediary - title: Partitioning the syslog service by chroot - # rules: TBD - - - id: R45 + - id: R72 + title: Service Activity Logs levels: - - high - title: Partitioning the syslog service by container + - enhanced description: >- - The syslog services must be isolated from the rest of the system in a - dedicated container. - automated: no - # rules: TBD - - - id: R46 - levels: - - intermediary - title: Service Activity Logs - # rules: TBD + Each service must have a dedicated event logging journal on the system. + This log must only be accessible by the syslog server, and must not be readable, + editable or deletable by the service directly. + status: documentation # How to enable syslog for each service installed in the system - - id: R47 + - id: R73 + title: Logging activity by auditd levels: - - intermediary - title: Dedicated partition for logs - notes: This assumes that syslog stores its logs locally in "/var/log/audit". + - enhanced + description: >- + The logging of the system activity must be done through the auditd service. 
status: automated rules: - - partition_for_var_log_audit - - - id: R48 + - audit_rules_sysadmin_actions + + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + + - audit_rules_session_events + + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime + + - audit_rules_mac_modification + + - audit_rules_networkconfig_modification + + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + + - audit_rules_media_export + - audit_rules_dac_modification_umount2 + + - audit_rules_privileged_commands + + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_finit + - audit_rules_privileged_commands_insmod + - 
audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + - audit_rules_privileged_commands_kmod + + - audit_rules_immutable + + - id: R74 + title: Configuring the local messaging service levels: - intermediary - title: Configuring the local messaging service status: automated rules: - postfix_network_listening_disabled - - id: R49 + - id: R75 + title: Messaging Aliases for Service Accounts levels: - intermediary - title: Messaging Aliases for Service Accounts - status: partial # it is hard to define what are "service accounts" + status: automated #semi-automated notes: >- - Only the alias for root user is currently covered. + Only the alias for root user is covered by the rule. + The other services cannot be reliably covered, as there is no simple way + of determining what is a service account. rules: - postfix_client_configure_mail_alias - - id: R50 - levels: - - enhanced - title: Logging activity by auditd - description: >- - The logging of the system activity must be done through the auditd service. - # rules: TBD - - - id: R51 + - id: R76 + title: Sealing and integrity of files levels: - high - title: Sealing and integrity of files description: >- Any file that is not transient (such as temporary files, databases, etc.) must be monitored by a sealing program. @@ -946,10 +1450,10 @@ controls: - aide_verify_acls - aide_verify_ext_attributes - - id: R52 + - id: R77 + title: Protection of the seals database levels: - high - title: Protection of the seals database description: >- The sealing database must be protected from malicious access by cryptographic signature mechanisms (with the key used for the signature 
@@ -957,207 +1461,43 @@ controls: of the one on which the sealing is done. Check section "Database and config signing in AIDE manual" https://aide.github.io/doc/#signing - automated: no - - - id: R53 - levels: - - enhanced - title: Restricting access of deployed services - description: >- - The deployed services must have their access restricted to the system - strict minimum, especially when it comes to files, processes or network. - notes: >- - SELinux policies limit the privileges of services and daemons just to those which are required. - status: partial - rules: - - selinux_policytype - - var_selinux_policy_name=targeted + status: does not meet - - id: R54 + - id: R78 + title: Network services partitioning levels: - enhanced - title: Virtualization components hardening description: >- - Each component supporting the virtualization must be hardened, especially - by applying technical measures to counter the exploit attempts. - notes: >- - It may be interesting to point out virtualization components that are installed and - should be hardened. - automated: no - - - id: R55 - levels: - - intermediary - title: chroot jail and access right for partitioned service - notes: >- - Using automation to restrict access and chroot services is not generally reliable. - automated: no - - - id: R56 - levels: - - intermediary - title: Enablement and usage of chroot by a service + Network services should as much as possible be hosted on isolated environments. + This avoids having other potentially affected services if one of them gets + compromised under the same environment. notes: >- - Using automation to restrict access and chroot services is not generally reliable. - automated: no + Manual analysis is required to determine if services are hosted appropriately in + separate or isolated system while maintaining functionality. 
+ status: manual - - id: R57 + - id: R79 + title: Hardening and monitoring of exposed services levels: - intermediary - title: Group dedicated to the use of sudo - description: >- - A group dedicated to the use of sudo must be created, and only members of this - group are allowed to execute sudo. notes: >- - The rules below create and configure a group named sudogrp, to change the group customize the - value of var_sudo_dedicated_group. + SELinux can provide confinement and monitoring of services, and AIDE provides + basic integrity checking. System logs are configured as part of R43. + Hardening of particular services should be done on a case by case basis and is + not automated by this content. status: automated rules: - - sudo_dedicated_group - - var_sudo_dedicated_group=sudogrp - - - id: R58 - levels: - - intermediary - title: Sudo configuration guidelines - status: partial - rules: - - sudo_add_noexec - - sudo_add_requiretty - - sudo_add_use_pty - - sudo_add_umask - - var_sudo_umask=0027 - - sudo_add_ignore_dot - - sudo_add_env_reset - - sudo_add_passwd_timeout - - var_sudo_passwd_timeout=1_minute + - selinux_state + - var_selinux_state=enforcing + - package_aide_installed + - aide_build_database - - id: R59 + - id: R80 + title: Minimization of network services levels: - minimal - title: User authentication running sudo - description: >- - The calling user must be authenticated before running any command with sudo. - status: automated - rules: - - sudo_remove_nopasswd - - sudo_remove_no_authenticate - - - id: R60 - levels: - - intermediary - title: Privileges of target sudo users - description: The targeted users of a rule should be, as much as possible, non privileged users. 
- status: automated - rules: - - sudoers_no_root_target - - - id: R61 - levels: - - enhanced - title: Limiting the number of commands requiring the use of the EXEC option - description: >- - The commands requiring the execution of sub-processes (EXEC tag) must be - explicitly listed and their use should be reduced to a strict minimum. - notes: >- - Human review is required to assess if the set of commands requiring EXEC is minimal. - An auxiliary rule could list rules containing EXEC tag, for analysis. - automated: no - - - id: R62 - levels: - - intermediary - title: Good use of negation in a sudoers file - description: The sudoers configuration rules should not involve negation. - status: automated - rules: - - sudoers_no_command_negation - - - id: R63 - levels: - - intermediary - title: Explicit arguments in sudo specifications - status: automated - rules: - - sudoers_explicit_command_args - - - id: R64 - levels: - - intermediary - title: Good use of sudoedit - description: A file requiring sudo to be edited, must be edited through the sudoedit command. + description: All network services must be listening on the correct network intefaces. notes: >- - In R62 we established that the sudoers files should not use negations, thus the approach - for this requirement is to ensure that sudoedit is the only text editor allowed. - But it is difficult to ensure that allowed binaries aren't text editors without human - review. - automated: no - - - id: R65 - levels: - - high - title: Enable AppArmor security profiles - description: >- - All AppArmor security profiles on the system must be enabled by default. - automated: no - - - id: R66 - levels: - - high - title: Enabling SELinux Targeted Policy - description: >- - It is recommended to enable the targeted policy when the distribution - support it and that it does not operate another security module than SELinux. 
- status: automated - rules: - - selinux_policytype - - var_selinux_policy_name=targeted - - - id: R67 - levels: - - high - title: Setting SELinux booleans - description: >- - It is recommended to set the following Booleans: - allow_execheap to off, forbids processes to make their heap executable; - allow_execmem to off, forbids processes to have both write and execute rights on memory pages; - allow_execstack to off, forbids processes to make their stack executable; - secure_mode_insmod to on, prohibits dynamic loading of modules by any process; - ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role. - notes: - In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the - boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not - available, deny_execmem provides the same functionality. - status: automated - rules: - - var_selinuxuser_execheap=off - - sebool_selinuxuser_execheap - - var_deny_execmem=on - - sebool_deny_execmem - - var_selinuxuser_execstack=off - - sebool_selinuxuser_execstack - - var_secure_mode_insmod=on - - sebool_secure_mode_insmod - - sebool_ssh_sysadm_login - - - id: R68 - levels: - - high - title: Uninstalling SELinux Policy Debugging Tools - description: >- - SELinux policy manipulation and debugging tools should not be installed - on a machine in production. - status: automated - rules: - - package_setroubleshoot_removed - - package_setroubleshoot-server_removed - - package_setroubleshoot-plugins_removed - - - id: R69 - levels: - - high - title: Confining interactive non-privileged users - description: >- - Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. - notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. - automated: no + Manual review is necessary to decide if the list of resident daemons is minimal. 
+ Assisting rules could be created to list sevices listening on the network for manual review. + status: manual diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml index 7469e59fa9a..de20b4410a1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml @@ -42,7 +42,6 @@ identifiers: cce@rhel9: CCE-86354-8 references: - anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.3 cis@alinux3: 5.5.3 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml index 05133fcc2d7..b25fca9fcc0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml @@ -42,7 +42,6 @@ identifiers: cce@rhel9: CCE-89176-2 references: - anssi: BP28(R18) cis-csc: 1,12,15,16,5 cis@alinux2: 5.3.3 cis@alinux3: 5.5.3 diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml index 2fd90cf1993..d0ea4be1e36 100644 --- a/linux_os/guide/system/accounts/enable_authselect/rule.yml +++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml 
@@ -23,7 +23,7 @@ identifiers: cce@rhel9: CCE-89732-2 references: - anssi: BP28(R5) + anssi: BP28(R31) cis@rhel8: 1.2.3 cis@rhel9: 5.4.1 disa: CCI-000213 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index a6a6dd0b870..605a4b86521 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85693-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml index 6ee6ac9c1ce..8d9504f8595 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85690-6 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml index cb6e31f3658..29ec72a821a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85694-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml index 7801c9d3c91..fb53d6543a6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85695-5 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml index 8d4ea1599c3..635a264f0fb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml @@ -38,6 +38,7 @@ identifiers: cce@sle15: CCE-85721-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml index b83392a3433..932ee8d509c 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85692-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index b1e28c60f01..d647c43abe4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -52,6 +52,7 @@ identifiers: cce@sle15: CCE-85686-4 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index a37a19e147b..0f007aad560 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -47,6 +47,7 @@ identifiers: cce@sle15: CCE-85688-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml index 175d9efc600..a1066785f8c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85691-4 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index c98fb979d70..7d86aee37b5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -52,6 +52,7 @@ identifiers: cce@sle15: CCE-85685-6 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index fa8859599fd..db69a3081d9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml 
@@ -47,6 +47,7 @@ identifiers: cce@sle15: CCE-85689-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index 9f10cb9e430..cd8b64194ed 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -51,6 +51,7 @@ identifiers: cce@sle15: CCE-85684-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index b60f7a8b0fc..10b2dd2cf81 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -47,6 +47,7 @@ identifiers: cce@sle15: CCE-85687-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.10 cis@rhel7: 4.1.9 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml index dbf993a8ee2..d2d196ab8e7 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml @@ -27,11 +27,14 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-90777-4 + cce@rhel8: CCE-90776-6 cce@rhel9: CCE-88570-7 cce@sle12: CCE-83219-6 cce@sle15: CCE-91250-1 references: + anssi: BP28(R73) disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a) srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml index e93d70187f7..5b6bb0424ac 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@sle15: CCE-85768-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.14 cis@alinux3: 4.1.3.13 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml index 8c64031b752..fd2e5b77fd1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@sle15: CCE-85769-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.14 cis@rhel7: 4.1.13 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml index 80c6fab1bba..7c42d57ec2b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@sle15: CCE-85770-6 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@rhel7: 4.1.14 cis@rhel8: 4.1.14 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml index 89e3a08a258..432d5dee7b2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@sle15: CCE-85771-4 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.14 cis@rhel7: 4.1.13 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml index 44ca041186c..2d9dfec6f82 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@sle15: CCE-85772-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.14 cis@rhel7: 4.1.13 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index 136b1c31a5c..1b476f4ddf1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -41,6 +41,7 @@ identifiers: cce@sle15: CCE-85681-5 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.11 cis@rhel7: 4.1.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 276d885c80b..398110dfb9d 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -44,6 +44,7 @@ identifiers: cce@sle15: CCE-85696-3 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.11 cis@rhel7: 4.1.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 3ead6b29b31..8893d52f688 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -44,6 +44,7 @@ identifiers: cce@sle15: CCE-85680-7 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.11 cis@rhel7: 4.1.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 91f224548c4..1126705b8ec 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml 
@@ -44,6 +44,7 @@ identifiers: cce@sle15: CCE-85682-3 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.11 cis@rhel7: 4.1.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 528ed1eb232..2884c9d5f91 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -44,6 +44,7 @@ identifiers: cce@sle15: CCE-85608-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.11 cis@rhel7: 4.1.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index 5d330be50ae..b333d3f9059 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85748-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.17 cis@alinux3: 4.1.3.26 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index 39a8a5f9e5c..a3a2e846e8e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@sle15: CCE-85749-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.17 cis@rhel7: 4.1.17 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index 3e9b4f4a2b1..36bfc21b47c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85750-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.17 cis@rhel7: 4.1.16 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml index 087ce43af01..45be4858b98 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-91449-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.8 cis@alinux3: 4.1.3.12 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 7a8b0a97b8b..34e160abf09 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85598-1 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.8 cis@alinux3: 4.1.3.12 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml index 287ad5947c0..e980107be4c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml @@ -48,6 +48,7 @@ identifiers: cce@sle15: CCE-91251-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@rhel7: 4.1.11 cis@rhel8: 4.1.3.6 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml index ba5e55752fa..4e3c6a4629b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85744-1 references: + anssi: BP28(R73) cis@alinux2: 4.1.17 cis@rhel7: 4.1.16 cis@rhel8: 4.1.3.19 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index 731e2bd1892..79e57d9dcf0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml @@ -43,6 +43,7 @@ identifiers: cce@sle15: CCE-85591-6 references: + anssi: BP28(R73) cis@alinux3: 4.1.3.20 disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml index 5da579d187d..c2f7f6a476a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml @@ -37,6 +37,7 @@ identifiers: cce@sle15: CCE-85731-8 references: + anssi: BP28(R73) cis@alinux2: 4.1.17 cis@rhel7: 4.1.16 cis@rhel8: 4.1.3.19 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml index c3d60ac50ee..c6d2520f9b7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85732-6 references: + anssi: BP28(R73) cis@alinux2: 4.1.17 cis@rhel7: 4.1.16 cis@rhel8: 4.1.3.19 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml index 6afc7507b75..81e0bc11e34 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85831-6 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 cis@alinux2: 4.1.18 cis@alinux3: 4.1.3.28 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml index f79da937a49..c32c007d66a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@sle15: CCE-85830-8 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.7 cis@rhel7: 4.1.6 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml index de7624f2527..9c14a932977 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85718-5 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.13 cis@alinux3: 4.1.3.10 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml index a1290d6b671..dd005ca5bce 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@sle15: CCE-85828-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.6 cis@alinux3: 4.1.3.5 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml index 5839f18df82..6a7f113954a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml 
@@ -35,6 +35,7 @@ identifiers: cce@sle15: CCE-85829-0 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.9 cis@alinux3: 4.1.3.11 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml index da852da52f9..3c60402607d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml @@ -31,6 +31,7 @@ identifiers: cce@sle15: CCE-85679-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.15 cis@alinux3: 4.1.3.1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml index 54aac1317f7..46128d8aa6a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85578-3 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.5 cis@alinux3: 4.1.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml index 77b59cedb01..5cfe91d293b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml 
@@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85580-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.5 cis@alinux3: 4.1.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml index 359ee814ab0..d58af4cefce 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85728-4 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.5 cis@alinux3: 4.1.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml index 842c6d524fb..d67693eef65 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85577-5 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.5 cis@alinux3: 4.1.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml index 733202b9df7..68a975a74b9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml 
@@ -36,6 +36,7 @@ identifiers: cce@sle15: CCE-85579-1 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.5 cis@alinux3: 4.1.3.8 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml index b5fd51dfbab..d3bfa7bad9c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@sle15: CCE-85814-2 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.4 cis@alinux3: 4.1.3.4 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml index b1d4614df53..ef00aeb5e28 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@sle15: CCE-85816-7 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux3: 4.1.3.4 cis@rhel7: 4.1.3 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml index 19901630808..eaa02bece41 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml 
@@ -43,6 +43,7 @@ identifiers: cce@sle15: CCE-85815-9 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.4 cis@alinux3: 4.1.3.4 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml index 0becaa3c149..16089eacf02 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@sle15: CCE-85812-6 references: + anssi: BP28(R73) cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 cis@alinux2: 4.1.4 cis@alinux3: 4.1.3.4 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index bed938cf64b..73555fbc2a7 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -27,9 +27,13 @@ warnings: severity: high identifiers: + cce@rhel7: CCE-90775-8 cce@rhel8: CCE-88123-5 cce@rhel9: CCE-89123-4 +references: + anssi: BP28(R8) + ocil_clause: 'l1tf mitigations are not configured appropriately' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 7ffc4e298af..07e1e8b651b 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -20,9 +20,13 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-90774-1 cce@rhel8: CCE-87098-0 cce@rhel9: CCE-88098-9 +references: + anssi: BP28(R8) + ocil_clause: 'MCE tolerance is not set to zero' ocil: |- 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index 609d7ed4528..61c28a32769 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -22,9 +22,13 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-90773-3 cce@rhel8: CCE-87345-5 cce@rhel9: CCE-88345-4 +references: + anssi: BP28(R1) + ocil_clause: 'the kernel is configured to disable SMAP' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index fd5f81e889a..bcecdb84a00 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -22,9 +22,13 @@ rationale: |- severity: medium identifiers: + cce@rhel7: CCE-90772-5 cce@rhel8: CCE-85989-2 cce@rhel9: CCE-86089-0 +references: + anssi: BP28(R1) + ocil_clause: 'the kernel is configured to disable SMEP' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index c455abcfd48..70251f709c9 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel9: CCE-83843-3 references: + anssi: BP28(R8) disa: CCI-000381 nist: SI-16 srg: SRG-OS-000433-GPOS-00193,SRG-OS-000095-GPOS-00049 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index 93652e4fef5..fba8cac196a 100644 
--- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml @@ -28,9 +28,13 @@ rationale: |- severity: low identifiers: + cce@rhel7: CCE-90771-7 cce@rhel8: CCE-89567-2 cce@rhel9: CCE-90567-9 +references: + anssi: BP28(R8) + ocil_clause: 'trust on hardware random number generator is not configured appropriately' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index da0129531eb..6fd9d301b59 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -26,9 +26,13 @@ warnings: severity: medium identifiers: + cce@rhel7: CCE-90770-9 cce@rhel8: CCE-86777-0 cce@rhel9: CCE-87770-4 +references: + anssi: BP28(R8) + ocil_clause: 'merging of slabs with similar size is enabled' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index fa02c02dc59..eb6d2e46ea6 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml @@ -30,9 +30,13 @@ warnings: severity: medium identifiers: + cce@rhel7: CCE-90769-1 cce@rhel8: CCE-89234-9 cce@rhel9: CCE-90234-6 +references: + anssi: BP28(R8) + ocil_clause: 'SSB is not configured appropriately' ocil: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml index 8c0f22f239f..c5a52c2391c 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml @@ -23,9 +23,13 @@ rationale: |- severity: high identifiers: + cce@rhel7: CCE-90763-4 cce@rhel8: CCE-89345-3 cce@rhel9: CCE-90345-0 +references: + anssi: BP28(R8) + ocil_clause: 'spectre_v2 mitigation is not enforced' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml index 0eec9c5b702..ef617d1525b 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_latent_entropy/rule.yml @@ -31,6 +31,9 @@ identifiers: cce@rhel8: CCE-87034-5 cce@rhel9: CCE-87035-2 +references: + anssi: BP28(R21) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml index b50ba51b52f..f73121dfaba 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_randstruct/rule.yml @@ -26,6 +26,9 @@ identifiers: cce@rhel8: CCE-87107-9 cce@rhel9: CCE-87109-5 +references: + anssi: BP28(R21) + ocil_clause: 'the kernel was built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml index 9a0a9794c89..3e32dead87e 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml @@ -30,6 +30,9 @@ severity: medium identifiers: cce@rhel9: CCE-87128-5 +references: + anssi: BP28(R21) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml index 49a1475181d..6a19eb78d5f 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml @@ -27,6 +27,9 @@ identifiers: cce@rhel8: CCE-87046-9 cce@rhel9: CCE-87047-7 +references: + anssi: BP28(R21) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml index f65fcd76084..4e84339787a 100644 --- a/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml +++ b/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak_byref_all/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87089-9 cce@rhel9: CCE-87090-7 +references: + anssi: BP28(R21) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml index 3f242f07564..2b718f31db3 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-86778-8 cce@rhel9: CCE-86779-6 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml index 58e688458fb..8ca4e096263 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_arm64_sw_ttbr0_pan/rule.yml @@ -28,6 +28,9 @@ identifiers: cce@rhel8: CCE-89059-0 cce@rhel9: CCE-89060-8 +references: + anssi: BP28(R27) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml index 12936e2f4b1..2ff16ff53f6 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87766-2 cce@rhel9: CCE-87767-0 +references: + anssi: BP28(R23) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml index 70475c9ab47..43823e062ec 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86095-7 cce@rhel9: CCE-86096-5 +references: + anssi: BP28(R19) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml index 33e0ef488a8..7c85b7efe1d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug_on_data_corruption/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87304-2 cce@rhel9: CCE-87305-9 +references: + anssi: BP28(R16) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml index 90ae5dc3eef..6f1d7826767 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-88962-6 cce@rhel9: CCE-88963-4 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml index 806fa33fcb8..0c1a88cfd8c 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87256-4 cce@rhel9: CCE-87257-2 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml index 29107f0b814..2e258265385 100644 
--- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml @@ -25,6 +25,9 @@ identifiers: cce@rhel8: CCE-86656-6 cce@rhel9: CCE-86657-4 +references: + anssi: BP28(R16) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml index 6f11d71769f..0dbb85a70a2 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-88033-6 cce@rhel9: CCE-89033-5 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml index 3ba875b0caa..58aaa3a1a82 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86986-7 cce@rhel9: CCE-86987-5 +references: + anssi: BP28(R16) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml index 7aa615a487d..16673ea4195 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml 
@@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86814-1 cce@rhel9: CCE-86815-8 +references: + anssi: BP28(R16) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml index 6e981c24778..e633922d147 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-87148-3 cce@rhel9: CCE-87149-1 +references: + anssi: BP28(R16) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml index 96344b8b7aa..e09a870434f 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_wx/rule.yml @@ -26,6 +26,9 @@ identifiers: cce@rhel8: CCE-87032-9 cce@rhel9: CCE-88032-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml index 168d0bb2f36..087d1e066b6 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-88160-7 cce@rhel9: CCE-88161-5 +references: + anssi: BP28(R25) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml index 3327c830096..c6a12f1c13a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-86947-9 cce@rhel9: CCE-86948-7 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml index d9ba9ef4d14..b380e43cf73 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_fortify_source/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-86545-1 cce@rhel9: CCE-86546-9 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml index 41bc3b9b7d7..0fd7014cc51 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml @@ -26,6 +26,9 @@ identifiers: cce@rhel8: CCE-88299-3 cce@rhel9: CCE-89299-2 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml index f0437d60f3b..785d3d9c244 100644 
--- a/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy_fallback/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-86091-6 cce@rhel9: CCE-86092-4 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml index 52035387339..5d07f04482a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-87608-6 cce@rhel9: CCE-87609-4 +references: + anssi: BP28(R23) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml index ce372fa8825..298a793678d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-88746-3 cce@rhel9: CCE-88747-1 +references: + anssi: BP28(R25) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml index e1b2dd5eb64..da0ab5da3a7 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_ipv6/rule.yml 
@@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-87225-9 cce@rhel9: CCE-87226-7 +references: + anssi: BP28(R22) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml index 761372262fa..10d446c5ca3 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-87488-3 cce@rhel9: CCE-87489-1 +references: + anssi: BP28(R23) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml index 311beffd3ee..9650e095c5b 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-87925-4 cce@rhel9: CCE-87926-2 +references: + anssi: BP28(R23) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml index af38cc1c063..a88d800769a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_emulate/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-87649-0 cce@rhel9: CCE-87650-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml index fa2b3b6dc9e..7976cd56cdd 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_none/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87573-2 cce@rhel9: CCE-87574-0 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml index 5868bb3425b..dbc5966e1fd 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_vsyscall_xonly/rule.yml @@ -22,6 +22,9 @@ severity: medium identifiers: cce@rhel9: CCE-87805-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml index ab30078a616..35f88e89d74 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_modify_ldt_syscall/rule.yml @@ -27,6 +27,9 @@ identifiers: cce@rhel8: CCE-88827-1 cce@rhel9: CCE-88828-9 +references: + anssi: BP28(R25) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml index 148f265c2d8..d999efc50a5 100644 
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-89378-4 cce@rhel9: CCE-89379-2 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml index a86269aa319..65673e3fa27 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-89615-9 cce@rhel9: CCE-89616-7 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml index 697811ab61a..1f87c486c93 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-89459-2 cce@rhel9: CCE-89460-0 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml index 9a144199e12..24cda489f26 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml 
@@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-89843-7 cce@rhel9: CCE-89844-5 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml index ef1b482f735..e1404100795 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml @@ -27,6 +27,9 @@ identifiers: cce@rhel8: CCE-90000-1 cce@rhel9: CCE-89999-7 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml index d161a5147fe..61b7f57b247 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-89692-8 cce@rhel9: CCE-89691-0 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml index 016c1e2cfa9..db257597410 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-88426-2 cce@rhel9: CCE-88427-0 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml index 33d6ca3a530..0db34b4b97e 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml @@ -18,9 +18,13 @@ warnings: severity: medium identifiers: + cce@rhel7: CCE-90768-3 cce@rhel8: CCE-88574-9 cce@rhel9: CCE-88575-6 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml index c8e8ff3fd3e..ee1a2ab4eb7 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-88808-1 cce@rhel9: CCE-88809-9 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml index c534cdaf676..8bede6ed2f3 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-88591-3 cce@rhel9: CCE-88592-1 +references: + anssi: BP28(R25) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml index 8f9f3f10c78..d3ff601f295 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86176-5 cce@rhel9: CCE-86177-3 +references: + anssi: BP28(R19) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml index 95de81e26d2..f7ce574b153 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-86349-8 cce@rhel9: CCE-86350-6 +references: + anssi: BP28(R19) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml index 8faa1cbe1a2..d6a51dd24b0 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-87105-3 cce@rhel9: CCE-87106-1 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml index 1b44f63d492..c0130abe7dc 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-88318-1 cce@rhel9: CCE-88319-9 +references: + anssi: BP28(R25),BP28(R27) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml index 2d07a813307..0d507621b1d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-88440-3 cce@rhel9: CCE-88441-1 +references: + anssi: BP28(R25) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml index 8868e1738b7..6b0fb3a20ef 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_refcount_full/rule.yml @@ -27,6 +27,9 @@ identifiers: cce@rhel8: CCE-86422-3 cce@rhel9: CCE-86423-1 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml index 0b2c30372d7..d88e0d7efec 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87494-1 cce@rhel9: CCE-87495-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml index 6a891f41a6e..2753a98ec6f 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_sched_stack_end_check/rule.yml @@ -25,6 +25,9 @@ identifiers: cce@rhel8: CCE-88041-9 cce@rhel9: CCE-89041-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml index ac53c3ec443..1b0b2e70f40 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-86450-4 cce@rhel9: CCE-86451-2 +references: + anssi: BP28(R20) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml index bf1df8d79ce..e4c6330c8b5 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86490-0 cce@rhel9: CCE-86491-8 +references: + anssi: BP28(R20) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml index 2327c2ffc0e..30bc29d97da 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-86572-5 cce@rhel9: CCE-86573-3 +references: + anssi: BP28(R20) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml index 4c33d42a66d..7a04938d51e 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-87339-8 cce@rhel9: CCE-87340-6 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml index 9b746c34613..ab54c4ae25d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-86884-4 cce@rhel9: CCE-86885-1 +references: + anssi: BP28(R20) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml index 527853bc981..d0f5be2d0bb 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml 
@@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-86716-8 cce@rhel9: CCE-86717-6 +references: + anssi: BP28(R20) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml index 53c9704704a..78b5db286da 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_hardened/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-87962-7 cce@rhel9: CCE-87963-5 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml index 6813ea28fbe..5c93226b195 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_freelist_random/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-87725-8 cce@rhel9: CCE-87726-6 + +references: + anssi: BP28(R17) ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml index 7518f1d0c60..3dd3de678ff 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slab_merge_default/rule.yml @@ -29,6 +29,9 @@ identifiers: cce@rhel8: CCE-88122-7 cce@rhel9: CCE-88121-9 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml index 85d19d8e286..f2ba3ea3fab 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-88275-3 cce@rhel9: CCE-88276-1 +references: + anssi: BP28(R17) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml index 50ef83cc873..ce52a1198b2 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel8: CCE-88055-9 cce@rhel9: CCE-89055-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml index b9c47058a5f..87e6828d140 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_stackprotector_strong/rule.yml @@ -26,6 +26,9 @@ identifiers: cce@rhel8: CCE-88036-9 cce@rhel9: CCE-89036-8 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml index 1ff97ebfc2c..a585ee932cf 100644 
--- a/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_strict_kernel_rwx/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-85993-4 cce@rhel9: CCE-86993-3 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml index 6a6fdb04354..2c34a6816c7 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_strict_module_rwx/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-89227-3 cce@rhel9: CCE-89228-1 +references: + anssi: BP28(R18) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml index 925d0c00199..b2975571399 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml @@ -25,6 +25,9 @@ identifiers: cce@rhel8: CCE-87330-7 cce@rhel9: CCE-87331-5 +references: + anssi: BP28(R22) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml index c5a32fdf260..b0ba51c0611 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml 
@@ -22,9 +22,13 @@ warnings: severity: medium identifiers: + cce@rhel7: CCE-90767-5 cce@rhel8: CCE-89179-6 cce@rhel9: CCE-89180-4 +references: + anssi: BP28(R27) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml index a406bbe45e5..0f575cad31a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_vmap_stack/rule.yml @@ -22,6 +22,9 @@ identifiers: cce@rhel8: CCE-86251-6 cce@rhel9: CCE-86252-4 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml index 6038159bbcc..d3e7372d3be 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml @@ -23,6 +23,9 @@ identifiers: cce@rhel8: CCE-87883-5 cce@rhel9: CCE-87884-3 +references: + anssi: BP28(R15) + ocil_clause: 'the kernel was not built with the required value' ocil: |- diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml index e49c00bdbda..70b97b107cf 100644 --- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml +++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml @@ -18,7 +18,6 @@ identifiers: cce@sle15: CCE-91161-0 references: - anssi: BP28(R5),NT28(R46) cis-csc: 1,14,15,16,3,5,6 cis@alinux2: 4.2.2 cis@alinux3: 4.2.1.1 
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml index 429a2324ab4..5dcdc7fb51d 100644 --- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml @@ -20,7 +20,6 @@ identifiers: cce@sle15: CCE-91162-8 references: - anssi: BP28(R5),NT28(R46) cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 cis@alinux2: 4.2.1.1 cis@alinux3: 4.2.1.2 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml index b10be0ff21a..1d1d0c6927a 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91202-2 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml index b03379b6787..d61211712aa 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml @@ -17,9 +17,8 @@ identifiers: cce@sle12: CCE-91518-1 cce@sle15: CCE-91203-0 - references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml index dd8c7c88476..6cfdfe69270 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91204-8 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml index f2bf2f03852..eb126428244 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91205-5 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml index 424a0b2c003..5323d1473bc 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml 
@@ -20,7 +20,7 @@ identifiers: cce@sle15: CCE-91206-3 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.max_addresses", value="1") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml index 34f8d0d2a62..e5b1d34055f 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91208-9 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml index 2ebd8ca45a8..561bf545ab4 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91209-7 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml index 8add0b63332..67e3ac551b6 100644 
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91210-5 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml index f25bf50e293..0362586d348 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-91211-3 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.autoconf", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml index 089a68d3c9f..145dd2df513 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml @@ -20,7 +20,7 @@ identifiers: cce@sle15: CCE-91212-1 references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.max_addresses", value="1") }}} 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml index 623294f9faa..b46af1bf7ed 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml @@ -17,9 +17,8 @@ identifiers: cce@sle12: CCE-91528-0 cce@sle15: CCE-91213-9 - references: - anssi: BP28(R22) + anssi: BP28(R22) {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.router_solicitations", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml index bfd05e336d0..e171365125c 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml @@ -18,8 +18,10 @@ severity: medium identifiers: cce@rhel7: CCE-80175-3 cce@rhel8: CCE-85904-1 + cce@rhel9: CCE-86215-1 references: + anssi: BP28(R13) cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 cui: 3.1.20 diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml index cd1357aa7b6..5171b4ee963 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml 
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml @@ -18,8 +18,10 @@ severity: medium identifiers: cce@rhel7: CCE-85975-1 cce@rhel8: CCE-86004-9 + cce@rhel9: CCE-90764-2 references: + anssi: BP28(R13) cis-csc: 11,14,3,9 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 cui: 3.1.20 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml index 6a93232e43e..f29d4a2edfb 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml @@ -17,6 +17,9 @@ identifiers: cce@rhel8: CCE-88789-3 cce@rhel9: CCE-89789-2 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_local", value="0") }}} template: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml index 8c5c4a84835..109f154f3b8 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-88555-8 cce@rhel9: CCE-89555-7 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_filter_value")) }}} template: 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml index 99ecb2e0090..30f7b53c07a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml @@ -18,6 +18,9 @@ identifiers: cce@rhel8: CCE-88889-1 cce@rhel9: CCE-89889-0 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_ignore", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_ignore")) }}} template: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml index 55a35774c58..2294640568e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel8: CCE-88001-3 cce@rhel9: CCE-89001-2 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}} template: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml index 9d84eab4d94..dfcd0b6aa9e 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml @@ -23,7 +23,6 @@ identifiers: cce@sle15: CCE-91222-0 references: - anssi: BP28(R22) cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9 cis@alinux2: 3.2.4 cis@alinux3: 3.3.4 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml index c2b3a8f60ea..fb41765118f 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml @@ -16,6 +16,9 @@ identifiers: cce@rhel8: CCE-88023-7 cce@rhel9: CCE-89023-6 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.route_localnet", value="0") }}} template: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml index 2f81c06d98f..ede13aec18a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml 
@@ -15,6 +15,9 @@ identifiers: cce@rhel8: CCE-88333-0 cce@rhel9: CCE-89333-9 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.shared_media", value="0") }}} template: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml index 2796895ef7b..5c804f7436c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml @@ -15,6 +15,9 @@ identifiers: cce@rhel8: CCE-88444-5 cce@rhel9: CCE-89444-4 +references: + anssi: BP28(R12) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.shared_media", value="0") }}} template: diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index ac61d0336af..11060d05bec 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -34,6 +34,7 @@ identifiers: cce@sle15: CCE-85658-3 references: + anssi: BP28(R55) cis-csc: 1,11,12,13,14,15,16,18,3,5 cis@alinux2: 6.1.12 cis@alinux3: 6.1.13 diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index d75c09f28a4..13650fcea5b 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml 
@@ -34,6 +34,7 @@ identifiers: cce@sle15: CCE-85657-5 references: + anssi: BP28(R55) cis-csc: 11,12,13,14,15,16,18,3,5,9 cis@alinux2: 6.1.11 cis@rhel7: 6.1.11 diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml index febe85cac3e..c031a6cdcca 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/rule.yml @@ -36,7 +36,6 @@ identifiers: cce@sle15: CCE-91417-6 references: - anssi: BP28(R9) cis-csc: 12,15,8 cis@rhel7: 1.5.2 cobit5: APO13.01,DSS05.02 diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml index 5c4a6eff1c7..d80812bd8f3 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml @@ -24,7 +24,6 @@ identifiers: cce@sle15: CCE-91254-3 references: - anssi: BP28(R9) cis-csc: 11,3,9 cis@rhel7: 1.5.2 cis@sle12: 1.6.2 diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml index f35b9537d7e..78c982211ee 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml 
@@ -25,6 +25,7 @@ identifiers: cce@rhel9: CCE-83985-2 references: + anssi: BP28(R8) disa: CCI-001084 nist: CM-6(a) srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068 diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml index a9605bf9b4e..ea3560cecb2 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel9: CCE-83986-0 references: + anssi: BP28(R8) disa: CCI-001084 nist: CM-6(a) srg: SRG-OS-000433-GPOS-00192,SRG-OS-000134-GPOS-00068 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml index 346154a31ea..0dc1a763c84 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml @@ -16,9 +16,13 @@ warnings: severity: medium identifiers: + cce@rhel7: CCE-90766-7 cce@rhel8: CCE-87666-4 cce@rhel9: CCE-88666-3 +references: + anssi: BP28(R9) + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.panic_on_oops", value="1") }}} platform: machine diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml index 9e5920b0956..ca51c5534ee 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml 
@@ -19,6 +19,7 @@ identifiers: cce@rhel9: CCE-83957-1 references: + anssi: BP28(R9) disa: CCI-000366 nist: AC-6,SC-7(10) ospp: FMT_SMF_EXT.1 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml index 1c1907f05ef..323fef1e6ea 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel9: CCE-83966-2 references: + anssi: BP28(R12) disa: CCI-000366 nist: CM-6,SC-7(10) ospp: FMT_SMF_EXT.1 diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml index 4704f3101ac..bcc834d4f7d 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml @@ -18,7 +18,11 @@ rationale: |- severity: medium +identifiers: + cce@rhel7: CCE-90778-2 + references: + anssi: BP28(R1) cis-csc: 12,15,8 cjis: 5.10.1.2 cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03 diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml index 28c5ac1c10d..165fa215768 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml @@ -26,7 +26,6 @@ identifiers: cce@sle15: CCE-91187-5 references: - anssi: BP28(R58) cis@alinux3: 5.3.6 ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo' 
diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml index 155a4f7c89b..a84131281c6 100644 --- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml @@ -24,9 +24,6 @@ identifiers: cce@sle12: CCE-91503-3 cce@sle15: CCE-91194-1 -references: - anssi: BP28(R60) - # The second part of the sentence explaining what got wrong. # ... Is it the case that ocil_clause: '/etc/sudoers file contains rules that allow non-root users to run commands as root' diff --git a/linux_os/guide/system/software/sudo/var_sudo_umask.var b/linux_os/guide/system/software/sudo/var_sudo_umask.var index 127ccaae9b9..058336438a5 100644 --- a/linux_os/guide/system/software/sudo/var_sudo_umask.var +++ b/linux_os/guide/system/software/sudo/var_sudo_umask.var @@ -18,3 +18,4 @@ options: default: "0022" "0022": "0022" "0027": "0027" + "0077": "0077" diff --git a/products/ol8/profiles/anssi_bp28_enhanced.profile b/products/ol8/profiles/anssi_bp28_enhanced.profile index 4a34d1e290e..7b546b1314b 100644 --- a/products/ol8/profiles/anssi_bp28_enhanced.profile +++ b/products/ol8/profiles/anssi_bp28_enhanced.profile @@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile index 5336db82dd6..72c21bc5398 100644 --- a/products/ol8/profiles/anssi_bp28_high.profile 
+++ b/products/ol8/profiles/anssi_bp28_high.profile @@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/ol8/profiles/anssi_bp28_intermediary.profile b/products/ol8/profiles/anssi_bp28_intermediary.profile index eaf62384f94..a38977b76d5 100644 --- a/products/ol8/profiles/anssi_bp28_intermediary.profile +++ b/products/ol8/profiles/anssi_bp28_intermediary.profile @@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/ol8/profiles/anssi_bp28_minimal.profile b/products/ol8/profiles/anssi_bp28_minimal.profile index 7febdeb4438..0cabc24a232 100644 --- a/products/ol8/profiles/anssi_bp28_minimal.profile +++ b/products/ol8/profiles/anssi_bp28_minimal.profile 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel7/profiles/anssi_nt28_enhanced.profile b/products/rhel7/profiles/anssi_nt28_enhanced.profile index 4a34d1e290e..7b546b1314b 100644 --- a/products/rhel7/profiles/anssi_nt28_enhanced.profile +++ b/products/rhel7/profiles/anssi_nt28_enhanced.profile @@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel7/profiles/anssi_nt28_high.profile b/products/rhel7/profiles/anssi_nt28_high.profile index 5336db82dd6..72c21bc5398 100644 --- a/products/rhel7/profiles/anssi_nt28_high.profile +++ b/products/rhel7/profiles/anssi_nt28_high.profile 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel7/profiles/anssi_nt28_intermediary.profile b/products/rhel7/profiles/anssi_nt28_intermediary.profile index 6864e845b9b..afa5e599740 100644 --- a/products/rhel7/profiles/anssi_nt28_intermediary.profile +++ b/products/rhel7/profiles/anssi_nt28_intermediary.profile @@ -4,7 +4,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel7/profiles/anssi_nt28_minimal.profile b/products/rhel7/profiles/anssi_nt28_minimal.profile index 7febdeb4438..0cabc24a232 100644 --- a/products/rhel7/profiles/anssi_nt28_minimal.profile +++ b/products/rhel7/profiles/anssi_nt28_minimal.profile 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile index 8f2ee31493b..62cbe1715b0 100644 --- a/products/rhel8/profiles/anssi_bp28_enhanced.profile +++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile index 0cd4b67f83a..e2eeabbb78d 100644 --- a/products/rhel8/profiles/anssi_bp28_high.profile +++ b/products/rhel8/profiles/anssi_bp28_high.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
diff --git a/products/rhel8/profiles/anssi_bp28_intermediary.profile b/products/rhel8/profiles/anssi_bp28_intermediary.profile index 9c9e4cc6634..81b6846681f 100644 --- a/products/rhel8/profiles/anssi_bp28_intermediary.profile +++ b/products/rhel8/profiles/anssi_bp28_intermediary.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel8/profiles/anssi_bp28_minimal.profile b/products/rhel8/profiles/anssi_bp28_minimal.profile index 19a95efb7cf..79a63fd4341 100644 --- a/products/rhel8/profiles/anssi_bp28_minimal.profile +++ b/products/rhel8/profiles/anssi_bp28_minimal.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile index da048c9b556..62cbe1715b0 100644 --- a/products/rhel9/profiles/anssi_bp28_enhanced.profile +++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile 
@@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile index 729326e4d4e..e2eeabbb78d 100644 --- a/products/rhel9/profiles/anssi_bp28_high.profile +++ b/products/rhel9/profiles/anssi_bp28_high.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/rhel9/profiles/anssi_bp28_intermediary.profile b/products/rhel9/profiles/anssi_bp28_intermediary.profile index 2811f8ed1cb..81b6846681f 100644 --- a/products/rhel9/profiles/anssi_bp28_intermediary.profile +++ b/products/rhel9/profiles/anssi_bp28_intermediary.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
diff --git a/products/rhel9/profiles/anssi_bp28_minimal.profile b/products/rhel9/profiles/anssi_bp28_minimal.profile index ef70da40b92..79a63fd4341 100644 --- a/products/rhel9/profiles/anssi_bp28_minimal.profile +++ b/products/rhel9/profiles/anssi_bp28_minimal.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle12/profiles/anssi_bp28_enhanced.profile b/products/sle12/profiles/anssi_bp28_enhanced.profile index 8108a16b5bd..2050076e7cb 100644 --- a/products/sle12/profiles/anssi_bp28_enhanced.profile +++ b/products/sle12/profiles/anssi_bp28_enhanced.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle12/profiles/anssi_bp28_high.profile b/products/sle12/profiles/anssi_bp28_high.profile index bc33b092689..28a4e61078d 100644 --- a/products/sle12/profiles/anssi_bp28_high.profile +++ b/products/sle12/profiles/anssi_bp28_high.profile 
@@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile index 22498b6b6fc..a37070ca4e2 100644 --- a/products/sle12/profiles/anssi_bp28_intermediary.profile +++ b/products/sle12/profiles/anssi_bp28_intermediary.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle12/profiles/anssi_bp28_minimal.profile b/products/sle12/profiles/anssi_bp28_minimal.profile index 830141f44ed..778712d6cce 100644 --- a/products/sle12/profiles/anssi_bp28_minimal.profile +++ b/products/sle12/profiles/anssi_bp28_minimal.profile 
@@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle15/profiles/anssi_bp28_enhanced.profile b/products/sle15/profiles/anssi_bp28_enhanced.profile index 8108a16b5bd..2050076e7cb 100644 --- a/products/sle15/profiles/anssi_bp28_enhanced.profile +++ b/products/sle15/profiles/anssi_bp28_enhanced.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (enhanced)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the enhanced hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle15/profiles/anssi_bp28_high.profile b/products/sle15/profiles/anssi_bp28_high.profile index bc33b092689..28a4e61078d 100644 --- a/products/sle15/profiles/anssi_bp28_high.profile +++ b/products/sle15/profiles/anssi_bp28_high.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (high)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the high hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
diff --git a/products/sle15/profiles/anssi_bp28_intermediary.profile b/products/sle15/profiles/anssi_bp28_intermediary.profile index 24a98fd8244..2c9d9aefb92 100644 --- a/products/sle15/profiles/anssi_bp28_intermediary.profile +++ b/products/sle15/profiles/anssi_bp28_intermediary.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (intermediary)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the intermediary hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/products/sle15/profiles/anssi_bp28_minimal.profile b/products/sle15/profiles/anssi_bp28_minimal.profile index 830141f44ed..778712d6cce 100644 --- a/products/sle15/profiles/anssi_bp28_minimal.profile +++ b/products/sle15/profiles/anssi_bp28_minimal.profile @@ -7,7 +7,7 @@ metadata: title: 'ANSSI-BP-028 (minimal)' description: |- - This profile contains configurations that align to ANSSI-BP-028 v1.2 at the minimal hardening level. + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 9da169fc193..74cfe617be5 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -97,7 +97,6 @@ CCE-86211-0 CCE-86212-8 CCE-86213-6 CCE-86214-4 -CCE-86215-1 CCE-86216-9 CCE-86217-7 CCE-86218-5 
@@ -4014,18 +4013,3 @@ CCE-90759-2 CCE-90760-0 CCE-90761-8 CCE-90762-6 -CCE-90763-4 -CCE-90764-2 -CCE-90766-7 -CCE-90767-5 -CCE-90768-3 -CCE-90769-1 -CCE-90770-9 -CCE-90771-7 -CCE-90772-5 -CCE-90773-3 -CCE-90774-1 -CCE-90775-8 -CCE-90776-6 -CCE-90777-4 -CCE-90778-2
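Review bot: in the sysctl_net_core_bpf_jit_harden hunk, `+ anssi: BP28(R12)` looks like the wrong recommendation number. Every other rule this patch maps to R12 is a net.ipv4.conf.* host/router sysctl (accept_local, arp_filter, arp_ignore, drop_gratuitous_arp, route_localnet, all/default shared_media), while the two sibling kernel-hardening sysctls touched here, sysctl_kernel_unprivileged_bpf_disabled and sysctl_kernel_panic_on_oops, are mapped to R9. net.core.bpf_jit_harden is a kernel/BPF setting, not an IPv4 one, so it should read `anssi: BP28(R9)` alongside unprivileged_bpf_disabled unless the v2.0 text explicitly files it under the IPv4 section.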
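Review bot: the four IPv6 hunks (sysctl_net_ipv6_conf_default_accept_ra_rtr_pref, _autoconf, _max_addresses, _router_solicitations) replace `- anssi: BP28(R22)` with a visually identical `+ anssi: BP28(R22)`, so the only change is whitespace, and the router_solicitations hunk additionally drops the blank line between `identifiers:` and `references:`. In the same patch sysctl_net_ipv4_conf_all_log_martians deletes its BP28(R22) line outright and the two disable_ipv6 rules are re-mapped to BP28(R13), so R22 is evidently being treated as a v1.2 number elsewhere. Either give these four rules their v2.0 identifier (or remove the line, as was done for log_martians) or state in the commit message that R22 is still the correct v2.0 reference for IPv6 autoconfiguration; a whitespace-only touch leaves the reviewer unable to tell which was intended.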
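Review bot: the shared/references/cce-redhat-avail.txt hunks remove sixteen IDs (CCE-86215-1, plus CCE-90763-4 through CCE-90778-2) but only four of them are assigned anywhere in these hunks: CCE-86215-1 and CCE-90764-2 as cce@rhel9 on sysctl_net_ipv6_conf_all_disable_ipv6 and sysctl_net_ipv6_conf_default_disable_ipv6, CCE-90766-7 as cce@rhel7 on sysctl_kernel_panic_on_oops, and CCE-90778-2 as cce@rhel7 on package_dracut-fips-aesni_installed. Unless CCE-90763-4 and CCE-90767-5 through CCE-90777-4 are consumed by rule files outside this excerpt, restore them to the pool; IDs dropped from the available list without an owning rule are effectively burnt and cannot be reused by the project's CCE tooling.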
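Review bot: in the sudoers_no_root_target hunk the whole `references:` block (BP28(R60)) is removed with no v2.0 replacement, and the two lines that follow it, `# The second part of the sentence explaining what got wrong.` and `# ... Is it the case that`, are left in place as context. Those are leftover scaffolding from the rule template and describe nothing about this rule; since the file is being edited anyway, delete them so `ocil_clause:` is not preceded by stray comments, and mention in the commit message why the R60 mapping goes away (recommendation dropped or renumbered in v2.0).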
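Review bot: the package_dracut-fips-aesni_installed hunk adds an unconditional `anssi: BP28(R1)` reference while the new identifier is `cce@rhel7` only. R1 in this patch is used for hardware-support recommendations, but a package-presence check only shows that the AES-NI crypto module is pulled into the initramfs, not that the CPU actually exposes AES-NI; add a note on the rule (or in the control file entry that selects it) saying this is a proxy check, and confirm the profiles on products other than rhel7 do not pick the rule up through this reference, since the package does not exist there.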
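Review bot: three hunks drop a v1.2 reference without adding a v2.0 one: sysctl_kernel_exec_shield and bios_enable_execution_restrictions both lose `anssi: BP28(R9)`, and sudo_add_passwd_timeout loses `anssi: BP28(R58)`. The profile description hunks in products/*/profiles/anssi_bp28_*.profile and anssi_nt28_*.profile now claim alignment with v2.0, so a reader checking that claim needs to know whether these rules were removed from the profiles or simply lost their mapping; list the dropped mappings and the reason for each (recommendation removed in v2.0, renumbered, or rule no longer matching) in the commit message or PR description, and if the NX/execution-restriction checks have moved to the hardware-support recommendation, re-map bios_enable_execution_restrictions there rather than leaving it unreferenced.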