├── .gitattributes ├── .gitignore ├── Changelog.md ├── LICENSE ├── README.md ├── goss.yml ├── run_audit.sh ├── section_1 ├── cis_1.1.1.x │ ├── cis_1.1.1.1.yml │ ├── cis_1.1.1.2.yml │ ├── cis_1.1.1.3.yml │ ├── cis_1.1.1.4.yml │ ├── cis_1.1.1.5.yml │ ├── cis_1.1.1.6.yml │ ├── cis_1.1.1.7.yml │ └── cis_1.1.1.8.yml ├── cis_1.1.2.x │ ├── cis_1.1.2.1.1.yml │ ├── cis_1.1.2.1.2.yml │ ├── cis_1.1.2.1.3.yml │ ├── cis_1.1.2.1.4.yml │ ├── cis_1.1.2.2.1.yml │ ├── cis_1.1.2.2.2.yml │ ├── cis_1.1.2.2.3.yml │ ├── cis_1.1.2.2.4.yml │ ├── cis_1.1.2.3.1.yml │ ├── cis_1.1.2.3.2.yml │ ├── cis_1.1.2.3.3.yml │ ├── cis_1.1.2.4.1.yml │ ├── cis_1.1.2.4.2.yml │ ├── cis_1.1.2.4.3.yml │ ├── cis_1.1.2.5.1.yml │ ├── cis_1.1.2.5.2.yml │ ├── cis_1.1.2.5.3.yml │ ├── cis_1.1.2.5.4.yml │ ├── cis_1.1.2.6.1.yml │ ├── cis_1.1.2.6.2.yml │ ├── cis_1.1.2.6.3.yml │ ├── cis_1.1.2.6.4.yml │ ├── cis_1.1.2.7.1.yml │ ├── cis_1.1.2.7.2.yml │ ├── cis_1.1.2.7.3.yml │ └── cis_1.1.2.7.4.yml ├── cis_1.2.x │ ├── cis_1.2.1.1.yml │ ├── cis_1.2.1.2.yml │ ├── cis_1.2.1.3.yml │ ├── cis_1.2.1.4.yml │ └── cis_1.2.2.1.yml ├── cis_1.3.x │ ├── cis_1.3.1.1.yml │ ├── cis_1.3.1.2.yml │ ├── cis_1.3.1.3.yml │ ├── cis_1.3.1.4.yml │ ├── cis_1.3.1.5.yml │ ├── cis_1.3.1.6.yml │ ├── cis_1.3.1.7.yml │ └── cis_1.3.1.8.yml ├── cis_1.4.x │ ├── cis_1.4.1.yml │ └── cis_1.4.2.yml ├── cis_1.5.x │ ├── cis_1.5.1.yml │ ├── cis_1.5.2.yml │ ├── cis_1.5.3.yml │ └── cis_1.5.4.yml ├── cis_1.6.x │ ├── cis_1.6.1.yml │ ├── cis_1.6.2.yml │ ├── cis_1.6.3.yml │ ├── cis_1.6.4.yml │ ├── cis_1.6.5.yml │ ├── cis_1.6.6.yml │ └── cis_1.6.7.yml ├── cis_1.7.x │ └── cis_1.7.1_6.yml └── cis_1.8 │ ├── cis_1.8.1.yml │ ├── cis_1.8.10.yml │ ├── cis_1.8.2.yml │ ├── cis_1.8.3.yml │ ├── cis_1.8.4.yml │ ├── cis_1.8.5.yml │ ├── cis_1.8.6.yml │ ├── cis_1.8.7.yml │ ├── cis_1.8.8.yml │ └── cis_1.8.9.yml ├── section_2 ├── cis_2.1 │ ├── cis_2.1.1.yml │ ├── cis_2.1.10.yml │ ├── cis_2.1.11.yml │ ├── cis_2.1.12.yml │ ├── cis_2.1.13.yml │ ├── cis_2.1.14.yml │ ├── cis_2.1.15.yml │ ├── 
cis_2.1.16.yml │ ├── cis_2.1.17.yml │ ├── cis_2.1.18_httpd.yml │ ├── cis_2.1.18_nginx.yml │ ├── cis_2.1.19.yml │ ├── cis_2.1.2.yml │ ├── cis_2.1.20.yml │ ├── cis_2.1.21.yml │ ├── cis_2.1.22.yml │ ├── cis_2.1.3.yml │ ├── cis_2.1.4.yml │ ├── cis_2.1.5.yml │ ├── cis_2.1.6.yml │ ├── cis_2.1.7.yml │ ├── cis_2.1.8.yml │ └── cis_2.1.9.yml ├── cis_2.2 │ ├── cis_2.2.1.yml │ ├── cis_2.2.2.yml │ ├── cis_2.2.3.yml │ ├── cis_2.2.4.yml │ └── cis_2.2.5.yml ├── cis_2.3 │ ├── cis_2.3.1.yml │ ├── cis_2.3.2.yml │ └── cis_2.3.3.yml └── cis_2.4 │ ├── cis_2.4.1.1.yml │ ├── cis_2.4.1.2.yml │ ├── cis_2.4.1.3_7.yml │ ├── cis_2.4.1.8.yml │ └── cis_2.4.2.1.yml ├── section_3 ├── cis_3.1 │ ├── cis_3.1.1.yml │ ├── cis_3.1.2.yml │ └── cis_3.1.3.yml ├── cis_3.2 │ ├── cis_3.2.1.yml │ ├── cis_3.2.2.yml │ ├── cis_3.2.3.yml │ └── cis_3.2.4.yml └── cis_3.3 │ ├── cis_3.3.1.yml │ ├── cis_3.3.10.yml │ ├── cis_3.3.11.yml │ ├── cis_3.3.2.yml │ ├── cis_3.3.3.yml │ ├── cis_3.3.4.yml │ ├── cis_3.3.5.yml │ ├── cis_3.3.6.yml │ ├── cis_3.3.7.yml │ ├── cis_3.3.8.yml │ └── cis_3.3.9.yml ├── section_4 ├── cis_4.1 │ ├── cis_4.1.1.yml │ └── cis_4.1.2.yml ├── cis_4.2 │ ├── cis_4.2.1.yml │ └── cis_4.2.2.yml └── cis_4.3 │ ├── cis_4.3.1.yml │ ├── cis_4.3.2.yml │ ├── cis_4.3.3.yml │ └── cis_4.3.4.yml ├── section_5 ├── cis_5.1 │ ├── cis_5.1.1.yml │ ├── cis_5.1.10.yml │ ├── cis_5.1.11.yml │ ├── cis_5.1.12.yml │ ├── cis_5.1.13.yml │ ├── cis_5.1.14.yml │ ├── cis_5.1.15.yml │ ├── cis_5.1.16.yml │ ├── cis_5.1.17.yml │ ├── cis_5.1.18.yml │ ├── cis_5.1.19.yml │ ├── cis_5.1.2.yml │ ├── cis_5.1.20.yml │ ├── cis_5.1.21.yml │ ├── cis_5.1.22.yml │ ├── cis_5.1.3.yml │ ├── cis_5.1.4.yml │ ├── cis_5.1.5.yml │ ├── cis_5.1.6.yml │ ├── cis_5.1.7.yml │ ├── cis_5.1.8.yml │ └── cis_5.1.9.yml ├── cis_5.2 │ ├── cis_5.2.1.yml │ ├── cis_5.2.2.yml │ ├── cis_5.2.3.yml │ ├── cis_5.2.4.yml │ ├── cis_5.2.5.yml │ ├── cis_5.2.6.yml │ └── cis_5.2.7.yml ├── cis_5.3.1 │ ├── cis_5.3.1.1.yml │ ├── cis_5.3.1.2.yml │ └── cis_5.3.1.3.yml ├── cis_5.3.2 │ ├── 
cis_5.3.2.1.yml │ ├── cis_5.3.2.2.yml │ ├── cis_5.3.2.3.yml │ ├── cis_5.3.2.4.yml │ └── cis_5.3.2.5.yml ├── cis_5.3.3.1 │ ├── cis_5.3.3.1.1.yml │ ├── cis_5.3.3.1.2.yml │ └── cis_5.3.3.1.3.yml ├── cis_5.3.3.2 │ ├── cis_5.3.3.2.1.yml │ ├── cis_5.3.3.2.2.yml │ ├── cis_5.3.3.2.3.yml │ ├── cis_5.3.3.2.4.yml │ ├── cis_5.3.3.2.5.yml │ ├── cis_5.3.3.2.6.yml │ └── cis_5.3.3.2.7.yml ├── cis_5.3.3.3 │ ├── cis_5.3.3.3.1.yml │ ├── cis_5.3.3.3.2.yml │ └── cis_5.3.3.3.3.yml ├── cis_5.3.3.4 │ ├── cis_5.3.3.4.1.yml │ ├── cis_5.3.3.4.2.yml │ ├── cis_5.3.3.4.3.yml │ └── cis_5.3.3.4.4.yml ├── cis_5.4.1 │ ├── cis_5.4.1.1.yml │ ├── cis_5.4.1.2.yml │ ├── cis_5.4.1.3.yml │ ├── cis_5.4.1.4.yml │ ├── cis_5.4.1.5.yml │ └── cis_5.4.1.6.yml ├── cis_5.4.2 │ ├── cis_5.4.2.1.yml │ ├── cis_5.4.2.2.yml │ ├── cis_5.4.2.3.yml │ ├── cis_5.4.2.4.yml │ ├── cis_5.4.2.5.yml │ ├── cis_5.4.2.6.yml │ └── cis_5.4.2.7.yml └── cis_5.4.3 │ ├── cis_5.4.3.1.yml │ ├── cis_5.4.3.2.yml │ └── cis_5.4.3.3.yml ├── section_6 ├── cis_6.1 │ ├── cis_6.1.1.yml │ ├── cis_6.1.2.yml │ └── cis_6.1.3.yml ├── cis_6.2.2.x │ ├── cis_6.2.2.1.1.yml │ ├── cis_6.2.2.1.2.yml │ ├── cis_6.2.2.1.3.yml │ ├── cis_6.2.2.1.4.yml │ ├── cis_6.2.2.2.yml │ ├── cis_6.2.2.3.yml │ └── cis_6.2.2.4.yml ├── cis_6.2.3.x │ ├── cis_6.2.3.1.yml │ ├── cis_6.2.3.2.yml │ ├── cis_6.2.3.3.yml │ ├── cis_6.2.3.4.yml │ ├── cis_6.2.3.5.yml │ ├── cis_6.2.3.6.yml │ ├── cis_6.2.3.7.yml │ └── cis_6.2.3.8.yml ├── cis_6.2.4 │ └── cis_6.2.4.1.yml ├── cis_6.3.1.x │ ├── cis_6.3.1.1.yml │ ├── cis_6.3.1.2.yml │ ├── cis_6.3.1.3.yml │ └── cis_6.3.1.4.yml ├── cis_6.3.2.x │ ├── cis_6.3.2.1.yml │ ├── cis_6.3.2.2.yml │ ├── cis_6.3.2.3.yml │ └── cis_6.3.2.4.yml ├── cis_6.3.3.x │ ├── cis_6.3.3.1.yml │ ├── cis_6.3.3.10.yml │ ├── cis_6.3.3.11.yml │ ├── cis_6.3.3.12.yml │ ├── cis_6.3.3.13.yml │ ├── cis_6.3.3.14.yml │ ├── cis_6.3.3.15.yml │ ├── cis_6.3.3.16.yml │ ├── cis_6.3.3.17.yml │ ├── cis_6.3.3.18.yml │ ├── cis_6.3.3.19.yml │ ├── cis_6.3.3.2.yml │ ├── cis_6.3.3.20.yml │ ├── 
cis_6.3.3.21.yml │ ├── cis_6.3.3.3.yml │ ├── cis_6.3.3.4.yml │ ├── cis_6.3.3.5.yml │ ├── cis_6.3.3.6.yml │ ├── cis_6.3.3.7.yml │ ├── cis_6.3.3.8.yml │ └── cis_6.3.3.9.yml └── cis_6.3.4 │ ├── cis_6.3.4.1.yml │ ├── cis_6.3.4.10.yml │ ├── cis_6.3.4.2.yml │ ├── cis_6.3.4.3.yml │ ├── cis_6.3.4.4.yml │ ├── cis_6.3.4.5.yml │ ├── cis_6.3.4.6.yml │ ├── cis_6.3.4.7.yml │ ├── cis_6.3.4.8.yml │ └── cis_6.3.4.9.yml ├── section_7 ├── cis_7.1 │ ├── cis_7.1.1.yml │ ├── cis_7.1.10.yml │ ├── cis_7.1.11.yml │ ├── cis_7.1.12.yml │ ├── cis_7.1.13.yml │ ├── cis_7.1.2.yml │ ├── cis_7.1.3.yml │ ├── cis_7.1.4.yml │ ├── cis_7.1.5.yml │ ├── cis_7.1.6.yml │ ├── cis_7.1.7.yml │ ├── cis_7.1.8.yml │ └── cis_7.1.9.yml └── cis_7.2 │ ├── cis_7.2.1.yml │ ├── cis_7.2.2.yml │ ├── cis_7.2.3.yml │ ├── cis_7.2.4.yml │ ├── cis_7.2.5.yml │ ├── cis_7.2.6.yml │ ├── cis_7.2.7.yml │ ├── cis_7.2.8.yml │ └── cis_7.2.9.yml ├── standalone.yml └── vars └── CIS.yml /.gitattributes: -------------------------------------------------------------------------------- 1 | # adding github settings to show correct language 2 | *.sh linguist-detectable=true 3 | *.yml linguist-detectable=true 4 | *.ps1 linguist-detectable=true 5 | *.j2 linguist-detectable=true 6 | *.md linguist-documentation 7 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .github/ 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, 
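merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_1 }}
# 1.1.1.1 - cramfs. "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist cramfs" line must exist in
# /etc/modprobe.d/*.conf. Both run only at level 1 with the rule variable set.
command:
  cramfs:
    title: 1.1.1.1 | Ensure cramfs kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v cramfs | grep -E '(cramfs|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.1
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_cramfs:
    title: 1.1.1.1 | Ensure cramfs kernel module is not available | blacklist
    exit-status: 0
    exec: grep cramfs /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist cramfs" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+cramfs\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.1
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}
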
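--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_2 }}
# 1.1.1.2 - freevxfs. "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist freevxfs" line must exist in
# /etc/modprobe.d/*.conf. Both run only at level 1 with the rule variable set.
command:
  freevxfs:
    title: 1.1.1.2 | Ensure freevxfs kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v freevxfs | grep -E '(freevxfs|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.2
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_freevxfs:
    title: 1.1.1.2 | Ensure freevxfs kernel module is not available | blacklist
    exit-status: 0
    exec: grep freevxfs /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist freevxfs" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+freevxfs\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.2
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_3 }}
# 1.1.1.3 - hfs. "disabled": a modprobe dry run must show an install override;
# "blacklist": an uncommented "blacklist hfs" line must exist in
# /etc/modprobe.d/*.conf. Both run only at level 1 with the rule variable set.
command:
  hfs_modprobe:
    title: 1.1.1.3 | Ensure hfs kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v hfs | grep -E '(hfs|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.3
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_hfs:
    title: 1.1.1.3 | Ensure hfs kernel module is not available | blacklist
    exit-status: 0
    exec: grep hfs /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist hfs" line cannot satisfy the check; the trailing \b stops a
      # "blacklist hfsplus" line from passing this test
      - '/(^|:)\s*blacklist\s+hfs\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.3
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_4 }}
# 1.1.1.4 - hfsplus. "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist hfsplus" line must exist in
# /etc/modprobe.d/*.conf. Both run only at level 1 with the rule variable set.
command:
  hfsplus_modprobe:
    title: 1.1.1.4 | Ensure hfsplus kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v hfsplus | grep -E '(hfsplus|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.4
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_hfsplus:
    title: 1.1.1.4 | Ensure hfsplus kernel module is not available | blacklist
    exit-status: 0
    exec: grep hfsplus /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist hfsplus" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+hfsplus\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.4
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.5.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_5 }}
# 1.1.1.5 - jffs2. "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist jffs2" line must exist in
# /etc/modprobe.d/*.conf. Both run only at level 1 with the rule variable set.
command:
  jffs2_modprobe:
    title: 1.1.1.5 | Ensure jffs2 kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v jffs2 | grep -E '(jffs2|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.5
      CISv8:
        - 4.8
      CISv8_IG1: false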
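# cis_1.1.1.5.yml continues (meta of jffs2_modprobe)
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_jffs2:
    title: 1.1.1.5 | Ensure jffs2 kernel module is not available | blacklist
    exit-status: 0
    exec: grep jffs2 /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist jffs2" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+jffs2\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: 1.1.1.5
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_1_6 }}
# 1.1.1.6 - squashfs (level 2). "disabled": a modprobe dry run must show an
# install override; "blacklist": an uncommented "blacklist squashfs" line must
# exist in /etc/modprobe.d/*.conf.
command:
  squashfs:
    title: 1.1.1.6 | Ensure squashfs kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v squashfs | grep -E '(squashfs|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 2
      workstation: 2
      CIS_ID: 1.1.1.6
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_squashfs:
    title: 1.1.1.6 | Ensure squashfs kernel module is not available | blacklist
    exit-status: 0
    exec: grep squashfs /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist squashfs" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+squashfs\b/'
    meta:
      server: 2
      workstation: 2
      CIS_ID: 1.1.1.6
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.7.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_1_7 }}
# 1.1.1.7 - udf (level 2). "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist udf" line must exist in
# /etc/modprobe.d/*.conf.
command:
  udf:
    # "| disabled" suffix added so the title matches the other 1.1.1.x tests
    title: 1.1.1.7 | Ensure udf kernel module is not available | disabled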
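# cis_1.1.1.7.yml continues (udf test body)
    exit-status: 0
    exec: "modprobe -n -v udf | grep -E '(udf|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 2
      workstation: 2
      CIS_ID: 1.1.1.7
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_udf:
    title: 1.1.1.7 | Ensure udf kernel module is not available | blacklist
    exit-status: 0
    exec: grep udf /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist udf" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+udf\b/'
    meta:
      server: 2
      workstation: 2
      CIS_ID: 1.1.1.7
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.1.x/cis_1.1.1.8.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_1_8 }}
# 1.1.1.8 - usb-storage. "disabled": a modprobe dry run must show an install
# override; "blacklist": an uncommented "blacklist usb-storage" line must exist
# in /etc/modprobe.d/*.conf. Level 1 on servers, level 2 on workstations.
command:
  usb-storage:
    # "| disabled" suffix added so the title matches the other 1.1.1.x tests
    title: 1.1.1.8 | Ensure usb-storage kernel module is not available | disabled
    exit-status: 0
    exec: "modprobe -n -v usb-storage | grep -E '(usb-storage|install)'"
    stdout:
      # /bin/true and /bin/false are both no-op install overrides; accept either
      - '/install \/bin\/(true|false)/'
    meta:
      server: 1
      workstation: 2
      CIS_ID: 1.1.1.8
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
  blacklist_usb-storage:
    title: 1.1.1.8 | Ensure usb-storage kernel module is not available | blacklist
    exit-status: 0
    exec: grep usb-storage /etc/modprobe.d/*.conf
    stdout:
      # anchor on the line start (or on grep's "file:" prefix) so a commented-out
      # "# blacklist usb-storage" line cannot satisfy the check
      - '/(^|:)\s*blacklist\s+usb-storage\b/'
    meta:
      server: 1
      workstation: 2
      CIS_ID: 1.1.1.8
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.1.1.yml: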
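--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1_1 }}
# 1.1.2.1.1 - /tmp must be its own mount point.
mount:
  tmp_mount:
    title: 1.1.2.1.1 | Ensure /tmp is a separate partition
    mountpoint: /tmp
    exists: true
    meta:
      server: 1
      workstation: 1
      # NOTE(review): CIS_ID is a list and CISv8 a scalar here, the reverse of
      # the 1.1.1.x files - confirm which shape downstream reporting expects
      CIS_ID:
        - 1.1.2.1.1
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.1.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1_2 }}
# 1.1.2.1.2 - /tmp must currently be mounted with nodev, and the /tmp entry in
# /etc/fstab must carry the option as well.
mount:
  tmp_nodev_options:
    title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
    mountpoint: /tmp
    exists: true
    opts:
      - nodev
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  tmp_nodev_fstab_options:
    title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /tmp as a whole field, so a
      # "/tmp/<sub>" mount or a "# ... /tmp ..." line cannot satisfy the check
      - '/^[^#].*\s\/tmp\s.*nodev/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.1.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1_3 }}
# 1.1.2.1.3 - /tmp must currently be mounted with nosuid, and the /tmp entry in
# /etc/fstab must carry the option as well.
mount:
  tmp_nosuid_options:
    title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
    mountpoint: /tmp
    exists: true
    opts:
      - nosuid
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  tmp_nosuid_fstab_options:
    title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /tmp as a whole field
      - '/^[^#].*\s\/tmp\s.*nosuid/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.1.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_1_4 }}
# 1.1.2.1.4 - /tmp must currently be mounted with noexec, and the /tmp entry in
# /etc/fstab must carry the option as well.
mount:
  tmp_noexec_options:
    title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
    mountpoint: /tmp
    exists: true
    opts:
      - noexec
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  tmp_noexec_fstab_options:
    title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /tmp as a whole field
      - '/^[^#].*\s\/tmp\s.*noexec/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.1.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.2.1.yml: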
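--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_2_1 }}
# 1.1.2.2.1 - /dev/shm must be its own tmpfs mount.
mount:
  dev_shm_mount:
    title: 1.1.2.2.1 | Ensure /dev/shm is a separate partition
    mountpoint: /dev/shm
    filesystem: tmpfs
    exists: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.1
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.2.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_2_2 }}
# 1.1.2.2.2 - /dev/shm must currently be mounted with nodev, and the /dev/shm
# entry in /etc/fstab must carry the option as well.
mount:
  dev_shm_nodev_options:
    title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
    mountpoint: /dev/shm
    exists: true
    opts:
      - nodev
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  dev_shm_nodev_fstab_options:
    title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /dev/shm as a whole field
      - '/^[^#].*\s\/dev\/shm\s.*nodev/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.2.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_2_3 }}
# 1.1.2.2.3 - /dev/shm must currently be mounted with nosuid, and the /dev/shm
# entry in /etc/fstab must carry the option as well.
mount: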
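# cis_1.1.2.2.3.yml continues (mount test)
  dev_shm_nosuid_options:
    title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
    mountpoint: /dev/shm
    exists: true
    opts:
      - nosuid
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  dev_shm_nosuid_fstab_options:
    title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /dev/shm as a whole field
      - '/^[^#].*\s\/dev\/shm\s.*nosuid/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.2.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_2_4 }}
# 1.1.2.2.4 - /dev/shm must currently be mounted with noexec, and the /dev/shm
# entry in /etc/fstab must carry the option as well.
mount:
  dev_shm_noexec_options:
    title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
    mountpoint: /dev/shm
    exists: true
    opts:
      - noexec
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  dev_shm_noexec_fstab_options:
    title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /dev/shm as a whole field
      - '/^[^#].*\s\/dev\/shm\s.*noexec/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.2.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}
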
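--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.3.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_2_3_1 }}
# 1.1.2.3.1 (level 2) - /home must be its own mount point.
mount:
  home_mount:
    title: 1.1.2.3.1 | Ensure separate partition exists for /home
    mountpoint: /home
    exists: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 1.1.2.3.1
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.3.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_3_2 }}
# 1.1.2.3.2 - /home must currently be mounted with nodev, and the /home entry
# in /etc/fstab must carry the option as well.
mount:
  home_nodev_options:
    title: 1.1.2.3.2 | Ensure nodev option set on /home partition
    mountpoint: /home
    exists: true
    opts:
      - nodev
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.3.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  home_nodev_fstab_options:
    title: 1.1.2.3.2 | Ensure nodev option set on /home partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /home as a whole field, so a
      # "/home/<user>" mount line cannot satisfy the check
      - '/^[^#].*\s\/home\s.*nodev/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.3.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.3.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}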
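{{ if .Vars.rhel9cis_rule_1_1_2_3_3 }}
# 1.1.2.3.3 - /home must currently be mounted with nosuid, and the /home entry
# in /etc/fstab must carry the option as well.
mount:
  home_nosuid_options:
    title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
    mountpoint: /home
    exists: true
    opts:
      - nosuid
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.3.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  home_nosuid_fstab_options:
    title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries and require /home as a whole field, so a
      # "/home/<user>" mount line cannot satisfy the check (the trailing ".*"
      # of the old pattern was redundant and is dropped)
      - '/^[^#].*\s\/home\s.*nosuid/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.3.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.4.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_2_4_1 }}
# 1.1.2.4.1 (level 2) - /var must be its own mount point.
mount:
  var_mount:
    title: 1.1.2.4.1 | Ensure separate partition exists for /var
    mountpoint: /var
    exists: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 1.1.2.4.1
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.4.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_4_2 }}
# 1.1.2.4.2 - /var must currently be mounted with nodev, and the /var entry in
# /etc/fstab must carry the option as well.
mount:
  var_nodev_options:
    title: 1.1.2.4.2 | Ensure nodev option set on /var partition
    mountpoint: '/var'
    exists: true
    opts:
      - nodev
    meta:
      server: 1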
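# cis_1.1.2.4.2.yml continues (meta of var_nodev_options)
      workstation: 1
      CIS_ID:
        - 1.1.2.4.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  var_nodev_fstab_options:
    title: 1.1.2.4.2 | Ensure nodev option set on /var partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries; /var is already required as a whole field
      - '/^[^#].*\s\/var\s.*nodev/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.4.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.4.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_4_3 }}
# 1.1.2.4.3 - /var must currently be mounted with nosuid, and the /var entry in
# /etc/fstab must carry the option as well.
mount:
  var_nosuid_options:
    title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
    mountpoint: '/var'
    exists: true
    opts:
      - nosuid
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.4.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  var_nosuid_fstab_options:
    title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries; /var is already required as a whole field
      - '/^[^#].*\s\/var\s.*nosuid/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.4.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.5.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_2_5_1 }}
# 1.1.2.5.1 (level 2) - /var/tmp must be its own mount point.
mount:
  var_tmp_mount:
    title: 1.1.2.5.1 | Ensure separate partition exists for /var/tmp
    mountpoint: /var/tmp
    exists: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 1.1.2.5.1
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      # key was "NIST800-53R4" here, unlike every other test in this section
      NIST800-53R5: CM-7
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.5.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_5_2 }}
# 1.1.2.5.2 - /var/tmp must currently be mounted with nodev, and the /var/tmp
# entry in /etc/fstab must carry the option as well.
mount:
  var_tmp_nodev_options:
    title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
    mountpoint: '/var/tmp'
    exists: true
    opts:
      - nodev
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.5.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
file:
  var_tmp_nodev_fstab_options:
    title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
    exists: true
    path: /etc/fstab
    contents:
      # skip commented-out entries; /var/tmp is already required as a whole field
      - '/^[^#].*\s\/var\/tmp\s.*nodev/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.1.2.5.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
        - AC-3
        - MP-2
{{ end }}
{{ end }}

--------------------------------------------------------------------------------
/section_1/cis_1.1.2.x/cis_1.1.2.5.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2_5_3 }}
# 1.1.2.5.3 - /var/tmp must currently be mounted with nosuid, and the /var/tmp
# entry in /etc/fstab must carry the option as well.
mount:
  var_tmp_nosuid_options:
    title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
    mountpoint: '/var/tmp'
    exists: true
    opts:
      - nosuid
    meta: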
13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.5.3 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_tmp_nosuid_fstab_options: 27 | title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/tmp\s.*nosuid/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.5.3 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.5.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_5_4 }} 5 | mount: 6 | var_tmp_noexec_options: 7 | title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition 8 | mountpoint: '/var/tmp' 9 | exists: true 10 | opts: 11 | - noexec 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.5.4 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_tmp_noexec_fstab_options: 27 | title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/tmp\s.*noexec/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.5.4 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.6.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 
3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_6_1 }} 5 | mount: 6 | var_log_mount: 7 | title: 1.1.2.6.1 | Ensure separate partition exists for /var/log 8 | mountpoint: /var/log 9 | exists: true 10 | meta: 11 | server: 2 12 | workstation: 2 13 | CIS_ID: 14 | - 1.1.2.6.1 15 | CISv8: 3.3 16 | CISv8_IG1: true 17 | CISv8_IG2: true 18 | CISv8_IG3: true 19 | NIST800-53R5: CM-7 20 | {{ end }} 21 | {{ end }} 22 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.6.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_6_2 }} 5 | mount: 6 | var_log_nodev_options: 7 | title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition 8 | mountpoint: '/var/log' 9 | exists: true 10 | opts: 11 | - nodev 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.6.2 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_nodev_fstab_options: 27 | title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\s.*nodev/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.6.2 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.6.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_6_3 }} 5 | mount: 6 | var_log_nosuid_options: 7 | title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition 8 | mountpoint: '/var/log' 9 | 
exists: true 10 | opts: 11 | - nosuid 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.6.3 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_nosuid_fstab_options: 27 | title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\s.*nosuid/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.6.3 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.6.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_6_4 }} 5 | mount: 6 | var_log_noexec_options: 7 | title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition 8 | mountpoint: '/var/log' 9 | exists: true 10 | opts: 11 | - noexec 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.6.4 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_noexec_fstab_options: 27 | title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\s.*noexec/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.6.4 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.7.1.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_7_1 }} 5 | mount: 6 | var_log_audit_mount: 7 | title: 1.1.2.7.1 | Ensure separate partition exists for /var/log/audit 8 | mountpoint: /var/log/audit 9 | exists: true 10 | meta: 11 | server: 2 12 | workstation: 2 13 | CIS_ID: 14 | - 1.1.2.7.1 15 | CISv8: 8.3 16 | CISv8_IG1: true 17 | CISv8_IG2: true 18 | CISv8_IG3: true 19 | NIST800-53R5: CM-7 20 | {{ end }} 21 | {{ end }} 22 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.7.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_7_2 }} 5 | mount: 6 | var_log_audit_nodev_options: 7 | title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition 8 | mountpoint: '/var/log/audit' 9 | exists: true 10 | opts: 11 | - nodev 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.7.2 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_audit_nodev_fstab_options: 27 | title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\/audit\s.*nodev/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.7.2 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.7.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if 
.Vars.rhel9cis_rule_1_1_2_7_3 }} 5 | mount: 6 | var_log_audit_nosuid_options: 7 | title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition 8 | mountpoint: '/var/log/audit' 9 | exists: true 10 | opts: 11 | - nosuid 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.7.3 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_audit_nosuid_fstab_options: 27 | title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\/audit\s.*nosuid/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.7.3 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.1.2.x/cis_1.1.2.7.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_1_2_7_4 }} 5 | mount: 6 | var_log_audit_noexec_options: 7 | title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition 8 | mountpoint: '/var/log/audit' 9 | exists: true 10 | opts: 11 | - noexec 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.1.2.7.4 17 | CISv8: 3.3 18 | CISv8_IG1: true 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | - AC-3 24 | - MP-2 25 | file: 26 | var_log_audit_noexec_fstab_options: 27 | title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition 28 | exists: true 29 | path: /etc/fstab 30 | contents: 31 | - '/\s\/var\/log\/audit\s.*noexec/' 32 | meta: 33 | server: 1 34 | workstation: 1 35 | CIS_ID: 36 | - 1.1.2.7.4 37 | CISv8: 3.3 38 | CISv8_IG1: true 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | 
NIST800-53R5: 42 | - CM-7 43 | - AC-3 44 | - MP-2 45 | {{ end }} 46 | {{ end }} 47 | -------------------------------------------------------------------------------- /section_1/cis_1.2.x/cis_1.2.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.run_heavy_tests }} 5 | {{ if .Vars.rhel9cis_rule_1_2_1_1 }} 6 | command: 7 | gpg_keys: 8 | title: 1.2.1.1 | Ensure GPG keys are configured 9 | exit-status: 0 10 | exec: "rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'" 11 | meta: 12 | server: 1 13 | workstation: 1 14 | CIS_ID: 15 | - 1.2.1.1 16 | CISv8: 17 | - 7.3 18 | - 7.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SI-2 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.2.x/cis_1.2.1.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.run_heavy_tests }} 5 | {{ if .Vars.rhel9cis_rule_1_2_1_3 }} 6 | command: 7 | repo_gpgcheck_global: 8 | title: 1.2.1.3 | Ensure repo_gpgcheck is globally active 9 | exec: grep -E "^repo_gpgcheck" /etc/dnf/dnf.conf 10 | timeout: {{ .Vars.timeout_ms }} 11 | exit-status: 12 | or: 13 | - 0 14 | - 1 15 | stdout: 16 | - '/^repo_gpgcheck( |)=( |)1/' 17 | - '!/^repo_gpgcheck( |)=( |)0/' 18 | meta: 19 | server: 2 20 | workstation: 2 21 | CIS_ID: 22 | - 1.2.1.3 23 | CISv8: 24 | - 7.3 25 | CISv8_IG1: true 26 | CISv8_IG2: true 27 | CISv8_IG3: true 28 | NIST800-53R5: SI-2 29 | repo_gpgcheck_repo: 30 | title: 1.2.1.3 | Ensure repo_gpgcheck is globally active 31 | exit-status: 0 32 | exec: if [ `find . 
-type f | xargs grep 'repo_gpgcheck*' * | grep -v '=1' | wc -l` -ne 0 ]; then echo FAIL; else echo OK; fi 33 | stdout: 34 | - 'OK' 35 | timeout: {{ .Vars.timeout_ms }} 36 | meta: 37 | server: 2 38 | workstation: 2 39 | CIS_ID: 40 | - 1.2.1.3 41 | CISv8: 42 | - 7.3 43 | CISv8_IG1: true 44 | CISv8_IG2: true 45 | CISv8_IG3: true 46 | NIST800-53R5: SI-2 47 | {{ end }} 48 | {{ end }} 49 | {{ end }} 50 | -------------------------------------------------------------------------------- /section_1/cis_1.2.x/cis_1.2.1.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.run_heavy_tests }} 5 | {{ if .Vars.rhel9cis_rule_1_2_1_4 }} 6 | command: 7 | repos_configured: 8 | title: 1.2.1.4 | Ensure Package manager repositories are configured 9 | exit-status: 0 10 | exec: "yum repolist" 11 | meta: 12 | server: 1 13 | workstation: 1 14 | CIS_ID: 15 | - 1.2.1.4 16 | CISv8: 17 | - 7.3 18 | - 7.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SI-2 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.2.x/cis_1.2.2.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.run_heavy_tests }} 5 | {{ if .Vars.rhel9cis_rule_1_2_2_1 }} 6 | command: 7 | security-updates: 8 | title: 1.2.2.1 | Ensure updates, patches, and additional security software are installed 9 | exit-status: 0 10 | timeout: {{ .Vars.timeout_ms }} 11 | exec: dnf check-update 12 | stdout: 13 | - "![0-9].* packages available" 14 | meta: 15 | server: 1 16 | workstation: 1 17 | CIS_ID: 18 | - 1.2.2.1 19 | CISv8: 20 | - 7.3 21 | - 7.4 22 | CISv8_IG1: true 23 | CISv8_IG2: true 24 | CISv8_IG3: true 25 | NIST800-53R5: SI-2 26 | {{ end }} 27 | {{ end }} 28 | {{ end }} 29 | 
-------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_1 }} 6 | package: 7 | libselinux: 8 | title: 1.3.1.1 | Ensure SELinux is installed 9 | installed: true 10 | meta: 11 | server: 1 12 | workstation: 1 13 | CIS_ID: 14 | - 1.3.1.1 15 | CISv8: 16 | - 3.3 17 | CISv8_IG1: true 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: 21 | - AC-3 22 | - MP-2 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_2 }} 6 | command: 7 | selinux_disabled_boot: 8 | title: 1.3.1.2 | Ensure SELinux is not disabled in bootloader configuration 9 | exit-status: 1 10 | exec: 'grep "^\s*linux" /boot/grub2/grubenv | grep -E "(selinux|enforcing)=0"' 11 | stdout: ['!/./'] 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.3.1.2 17 | CISv8: 18 | - 3.3 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - AC-3 24 | - MP-2 25 | {{ end }} 26 | {{ end }} 27 | {{ end }} 28 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_3 }} 6 | command: 7 | selinux_policy: 8 | title: 1.3.1.3 | Ensure SELinux policy is configured | config 9 | exit-status: 0 10 | exec: 'grep 
SELINUXTYPE= /etc/selinux/config' 11 | stdout: 12 | - '/^SELINUXTYPE( |)=( |)targeted/' 13 | - '!/^SELINUXTYPE( |)=( |)(permissive|disabled)/' 14 | meta: 15 | server: 1 16 | workstation: 1 17 | CIS_ID: 18 | - 1.3.1.3 19 | CISv8: 20 | - 3.3 21 | CISv8_IG1: true 22 | CISv8_IG2: true 23 | CISv8_IG3: true 24 | NIST800-53R5: 25 | - AC-3 26 | - MP-2 27 | selinux_sestatus: 28 | title: 1.3.1.3 | Ensure SELinux policy is configured | sestatus 29 | exit-status: 0 30 | exec: "sestatus | grep 'Loaded policy'" 31 | stdout: 32 | - '/Loaded policy name:\s+targeted/' 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 1.3.1.3 38 | CISv8: 39 | - 3.3 40 | CISv8_IG1: true 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - AC-3 45 | - MP-2 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if not .Vars.rhel9cis_selinux_disable }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_4 }} 6 | command: 7 | getenforce_set: 8 | title: 1.3.1.4 | Ensure the SELinux mode is not disabled 9 | exit-status: 0 10 | exec: "getenforce" 11 | stdout: 12 | - '/^(Enforcing|Permissive)/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 1.3.1.4 18 | CISv8: 19 | - 3.3 20 | CISv8_IG1: true 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: 24 | - AC-3 25 | - MP-2 26 | {{ end }} 27 | {{ end }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_2 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_5 }} 6 | command: 7 | getenforce_enforcing: 8 | title: 1.3.1.5 | Ensure the 
SELinux mode is enforcing | running 9 | exit-status: 0 10 | exec: "getenforce" 11 | stdout: 12 | - '/^Enforcing/' 13 | meta: 14 | server: 2 15 | workstation: 2 16 | CIS_ID: 17 | - 1.3.1.5 18 | CISv8: 19 | - 3.3 20 | CISv8_IG1: true 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: 24 | - AC-3 25 | - SI-6 26 | file: 27 | /etc/selinux/config: 28 | title: 1.3.1.5 | Ensure the SELinux mode is enforcing | config 29 | exists: true 30 | contents: 31 | - '/^SELINUX( |)=( |)enforcing/' 32 | meta: 33 | server: 2 34 | workstation: 2 35 | CIS_ID: 36 | - 1.3.1.5 37 | CISv8: 38 | - 3.3 39 | CISv8_IG1: true 40 | CISv8_IG2: true 41 | CISv8_IG3: true 42 | NIST800-53R5: 43 | - AC-3 44 | - SI-6 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_2 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_6 }} 6 | command: 7 | selinux_unconfined: 8 | title: 1.3.1.6 | Ensure no unconfined services exist 9 | exit-status: 1 10 | exec: "ps -eZ | grep unconfined_service_t" 11 | stdout: ['!/./'] 12 | meta: 13 | server: 2 14 | workstation: 2 15 | CIS_ID: 16 | - 1.3.1.6 17 | CISv8: 18 | - 3.3 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - AC-3 24 | - MP-2 25 | {{ end }} 26 | {{ end }} 27 | {{ end }} 28 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.7.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_7 }} 6 | package: 7 | mcstrans: 8 | title: 1.3.1.7 | Ensure the MCS Translation Service (mcstrans) is not installed 9 | installed: false 10 | meta: 
11 | server: 1 12 | workstation: 1 13 | CIS_ID: 14 | - 1.3.1.7 15 | CISv8: 16 | - 4.8 17 | CISv8_IG1: true 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: 21 | - AC-3 22 | - MP-2 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.3.x/cis_1.3.1.8.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_selinux_disable }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | {{ if .Vars.rhel9cis_rule_1_3_1_8 }} 6 | package: 7 | setroubleshoot: 8 | title: 1.3.1.8 | Ensure SETroubleshoot is not installed 9 | installed: false 10 | meta: 11 | server: 1 12 | workstation: NA 13 | CIS_ID: 14 | - 1.3.1.8 15 | CISv8: 16 | - 4.8 17 | CISv8_IG1: false 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: 21 | - AC-3 22 | - MP-2 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.4.x/cis_1.4.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_4_1 }} 5 | {{ if .Vars.rhel9cis_set_boot_pass }} 6 | file: 7 | grub_bootloader_passwd: 8 | title: 1.4.1 | Ensure bootloader password is set 9 | path: /boot/grub2/user.cfg 10 | exists: true 11 | owner: root 12 | group: root 13 | mode: "0600" 14 | contents: 15 | - '/GRUB2_PASSWORD=grub.pbkdf2.sha512.*/' 16 | meta: 17 | server: 1 18 | workstation: 1 19 | CIS_ID: 20 | - 1.4.1 21 | CISv8: 22 | - 3.3 23 | CISv8_IG1: true 24 | CISv8_IG2: true 25 | CISv8_IG3: true 26 | NIST800-53R5: AC-3 27 | {{ end }} 28 | {{ end }} 29 | {{ end }} 30 | -------------------------------------------------------------------------------- /section_1/cis_1.5.x/cis_1.5.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if 
.Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_5_1 }} 5 | kernel-param: 6 | address_space_random: 7 | title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | running 8 | name: kernel.randomize_va_space 9 | value: '2' 10 | meta: 11 | server: 1 12 | workstation: 1 13 | CIS_ID: 14 | - 1.5.1 15 | CISv8: 16 | - 10.5 17 | CISv8_IG1: false 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: CM-6 21 | command: 22 | aslr_enabled_2: 23 | title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | conf 24 | exit-status: 0 25 | exec: 'grep "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*' 26 | stdout: 27 | - '/^*.conf:kernel.randomize_va_space\s*=\s*2/' 28 | meta: 29 | server: 1 30 | workstation: 1 31 | CIS_ID: 32 | - 1.5.1 33 | CISv8: 34 | - 10.5 35 | CISv8_IG1: false 36 | CISv8_IG2: true 37 | CISv8_IG3: true 38 | NIST800-53R5: CM-6 39 | {{ end }} 40 | {{ end }} 41 | -------------------------------------------------------------------------------- /section_1/cis_1.5.x/cis_1.5.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_5_2 }} 5 | kernel-param: 6 | ptrace_restricted: 7 | title: 1.5.2 | Ensure ptrace_scope is restricted | running 8 | value: '1' 9 | name: kernel.yama.ptrace_scope 10 | meta: 11 | server: 1 12 | workstation: 1 13 | CIS_ID: 14 | - 1.5.2 15 | CISv8: 16 | - 4.8 17 | CISv8_IG1: false 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | command: 21 | ptrace_restricted_2: 22 | title: 1.5.2 | Ensure ptrace_scope is restricted | conf 23 | exit-status: 0 24 | exec: 'grep "kernel\.yama\.ptrace_scope" /etc/sysctl.conf /etc/sysctl.d/*' 25 | stdout: 26 | - '/^*.conf:kernel.yama.ptrace_scope\s*=\s*1/' 27 | meta: 28 | server: 1 29 | workstation: 1 30 | CIS_ID: 31 | - 1.5.2 32 | CISv8: 33 | - 4.8 34 | CISv8_IG1: false 35 | CISv8_IG2: true 36 | CISv8_IG3: true 37 | 
NIST800-53R5: CM-6 38 | {{ end }} 39 | {{ end }} 40 | -------------------------------------------------------------------------------- /section_1/cis_1.5.x/cis_1.5.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_5_3 }} 5 | command: 6 | procmaxsize_coredump_conf: 7 | title: 1.5.3 | Ensure core dump backtraces are disabled 8 | exec: grep -i ProcessSizeMax /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d 9 | exit-status: 10 | or: 11 | - 0 12 | - 2 13 | stdout: 14 | - '/^*.conf:ProcessSizeMax=0/' 15 | - '!/^*.conf:ProcessSizeMax=[1-9].*/' 16 | meta: 17 | server: 1 18 | workstation: 1 19 | CIS_ID: 20 | - 1.5.3 21 | CISv8: 22 | - N/A 23 | CISv8_IG1: N/A 24 | CISv8_IG2: N/A 25 | CISv8_IG3: N/A 26 | NIST800-53R5: CM-6 27 | {{ end }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /section_1/cis_1.5.x/cis_1.5.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_5_4 }} 5 | command: 6 | storage_coredump_conf: 7 | title: 1.5.4 | Ensure core dump storage is disabled 8 | exec: grep -i storage /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/ 9 | exit-status: 10 | or: 11 | - 0 12 | - 2 13 | stdout: 14 | - '/^*.conf:Storage=none/' 15 | meta: 16 | server: 1 17 | workstation: 1 18 | CIS_ID: 19 | - 1.5.4 20 | CISv8: 21 | - N/A 22 | CISv8_IG1: N/A 23 | CISv8_IG2: N/A 24 | CISv8_IG3: N/A 25 | {{ end }} 26 | {{ end }} 27 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_1 }} 5 | command: 6 | crypto_policies_config: 7 | title: 1.6.1 | Ensure system-wide crypto 
policy is not legacy 8 | exec: cat /etc/crypto-policies/config 9 | exit-status: 0 10 | stdout: 11 | - '/^(|\s+)(DEFAULT|FUTURE|FIPS)/' 12 | - '!/^(|\s+)LEGACY/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 1.6.1 18 | CISv8: 19 | - 3.10 20 | CISv8_IG1: false 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: SC-8 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_2 }} 5 | command: 6 | crypto_policies_not_in_sshd: 7 | title: 1.6.2 | Ensure system wide crypto policy is not set in sshd configuration 8 | exec: grep -Pi '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd 9 | exit-status: 10 | or: 11 | - 0 12 | - 1 13 | stdout: 14 | - '!/^.*/' 15 | meta: 16 | server: 1 17 | workstation: 1 18 | CIS_ID: 19 | - 1.6.2 20 | CISv8: 21 | - 3.10 22 | CISv8_IG1: false 23 | CISv8_IG2: true 24 | CISv8_IG3: true 25 | NIST800-53R5: 26 | - SC-8 27 | - IA-5 28 | - AC-17 29 | {{ end }} 30 | {{ end }} 31 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_3 }} 5 | file: 6 | crypto_policies_no_sha1_current: 7 | title: 1.6.3 | Ensure system wide crypto policy disables sha1 hash and signature support 8 | path: /etc/crypto-policies/state/CURRENT.pol 9 | exists: true 10 | contents: 11 | - '/^sha1_in_certs\s*=\s*0/' 12 | - '!/^(hash|sign)\s*=\s*SHA1/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 1.6.3 18 | CISv8: 19 | - 3.10 20 | CISv8_IG1: false 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: SC-8 24 | {{ end }} 25 | {{ end }} 26 | 
-------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_4 }} 5 | file: 6 | crypto_policies_no_weakmacs: 7 | title: 1.6.4 | Ensure system wide crypto policy disables macs less than 128 bits 8 | path: /etc/crypto-policies/state/CURRENT.pol 9 | exists: true 10 | contents: 11 | - '!/^mac\s*=\s*.*64/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.6.4 17 | CISv8: 18 | - 3.10 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SC-8 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_5 }} 5 | file: 6 | crypto_policies_no_ssh_cbc: 7 | title: 1.6.5 | Ensure system wide crypto policy disables cbc for ssh 8 | path: /etc/crypto-policies/state/CURRENT.pol 9 | exists: true 10 | contents: 11 | - '!/^cipher@(lib|open)ssh(-server|-client)?\s*=\s*([^#\n\r]+)?-CBC\b/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.6.5 17 | CISv8: 18 | - 3.10 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SC-8 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_6 }} 5 | file: 6 | crypto_policies_no_ssh_chacha-poly1305: 7 | title: 1.6.6 | Ensure system wide crypto policy disables chacha20-poly1305 for ssh 8 | path: /etc/crypto-policies/state/CURRENT.pol 9 | 
exists: true 10 | contents: 11 | - '!/^(?i)cipher@(lib|open)ssh(-server|-client)?\s*=\s*([^#\n\r]+)?\bchacha20-poly1305\b/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.6.6 17 | CISv8: 18 | - 3.10 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SC-8 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_1/cis_1.6.x/cis_1.6.7.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_1_6_7 }} 5 | file: 6 | crypto_policies_no_ssh_EtM: 7 | title: 1.6.7 | Ensure system wide crypto policy disables EtM for ssh 8 | path: /etc/crypto-policies/state/CURRENT.pol 9 | exists: true 10 | contents: 11 | - '!/^\s*etm\b/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 1.6.7 17 | CISv8: 18 | - 3.10 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: SC-8 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_gui }} 4 | {{ if .Vars.rhel9cis_level_2 }} 5 | {{ if .Vars.rhel9cis_rule_1_8_1 }} 6 | package: 7 | gdm_removed: 8 | title: 1.8.1 | Ensure GNOME Display Manager is removed 9 | installed: false 10 | name: gdm 11 | meta: 12 | server: 2 13 | workstation: NA 14 | CIS_ID: 15 | - 1.8.1 16 | CISv8: 17 | - 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | {{ end }} 22 | {{ end }} 23 | {{ end }} 24 | -------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.10.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if not .Vars.rhel9cis_gui }} 4 | {{ if .Vars.rhel9cis_level_1 }} 5 | 
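{{ if .Vars.rhel9cis_rule_1_8_10 }}
file:
  /etc/gdm/custom.conf:
    title: 1.8.10 | Ensure XDMCP is not enabled
    path: /etc/gdm/custom.conf
    exists: true
    contents:
      # \s* instead of "( |)": the old form accepted at most one space around "=", so
      # "Enable  = true" (two spaces) slipped past the check.
      - '!/^\s*Enable\s*=\s*true/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.10
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.2.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_2 }}
command:
  gdm_profile_banner:
    title: 1.8.2 | Ensure GDM login banner is configured
    exec: cat /etc/dconf/profile/gdm
    exit-status: 0
    stdout:
      - '/^user-db:user/'
      # The gdm profile has to load the gdm system database; the sibling 1.8.3 check on
      # the same file already expects "system-db:gdm", and "system-db:user" here was a
      # copy/paste slip that made the two checks disagree.
      - '/^system-db:gdm/'
      - '/^file-db:\/usr\/share\/gdm\/greeter-dconf-defaults/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.2
      CISv8:
        - 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
  gdm_banner_msg:
    title: 1.8.2 | Ensure GDM login banner is configured
    # The former leading grep "[org/gnome/login-screen]" was a bracket expression (any
    # one of those characters), i.e. a no-op filter, so it is dropped. -h suppresses the
    # "file:" prefix grep adds when the glob expands to several files; that prefix would
    # otherwise defeat the "^" anchors below.
    exec: grep -h banner-message /etc/dconf/db/gdm.d/*
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - '/^banner-message-enable=true/'
      - '!/^banner-message-enable=false/'
      # Plain substring match (not /.../): the banner text is free-form and must not be
      # interpreted as a regex. The previous single-quoted form used \' to embed quotes,
      # which YAML does not recognise as an escape, so the rendered file did not parse.
      - "banner-message-text='{{ .Vars.rhel9cis_warning_banner }}'"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.2
      CISv8:
        - 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.3.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_3 }}
command:
  gdm_last_login:
    title: 1.8.3 | Ensure GDM disable-user-list option is enabled
    exec: cat /etc/dconf/profile/gdm
    exit-status: 0
    stdout:
      - '/^user-db:user/'
      - '/^system-db:gdm/'
      - '/^file-db:\/usr\/share\/gdm\/greeter-dconf-defaults/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.3
      CISv8:
        - NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
  gdm_disable_user:
    title: 1.8.3 | Ensure GDM disable-user-list option is enabled
    # The former leading grep "[org/gnome/login-screen]" matched any single character
    # from that set and filtered nothing; only the second grep did any work.
    exec: grep disable-user-list /etc/dconf/db/gdm.d/00-login-screen
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - '/^disable-user-list=true/'
      - '!/^disable-user-list=false/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.3
      CISv8:
        - NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.4.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_4 }}
file:
  00-screensaver:
    title: 1.8.4 | Ensure GDM screen locks when the user is idle
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/00-screensaver
    exists: true
    contents:
      # Brackets escaped: unescaped, "[org/gnome/desktop/session]" is a character class
      # and the entry matched any line starting with one of those characters.
      - '/^\[org\/gnome\/desktop\/session\]/'
      # Accept 1..900 seconds. The old alternation "[1-8][0-9]{1,2}" skipped 90-99, and
      # the old rejection "1[0-9]{3,}" ignored values of 2000 and above.
      - '/^idle-delay=uint32 (1|[1-9][0-9]?|[1-8][0-9]{2}|900)$/'
      - '!/^idle-delay=uint32 (90[1-9]|9[1-9][0-9]|[1-9][0-9]{3,})$/'
      - '/^lock-delay=uint32 [0-5]$/'
      - '!/^lock-delay=uint32 ([6-9]|[0-9]{2,})$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.4
      CISv8: 4.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.5.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_5 }}
file:
  00-screensaver_lock:
    title: 1.8.5 | Ensure GDM screen locks cannot be overridden
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock
    exists: true
    contents:
      # Both entries previously started with "^" rather than "/", so goss treated them as
      # literal substrings that can never occur and the lock check could not pass.
      - '/^\/org\/gnome\/desktop\/session\/idle-delay/'
      - '/^\/org\/gnome\/desktop\/screensaver\/lock-delay/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.5
      CISv8: 4.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.6.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_6 }}
file:
  00-media-automount_disable:
    title: 1.8.6 | Ensure GDM automatic mounting of removable media is disabled
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/00-media-automount
    exists: true
    contents:
      # Brackets escaped so the section header is matched literally, not as a class.
      - '/^\[org\/gnome\/desktop\/media-handling\]/'
      - '/^automount=false/'
      - '/^automount-open=false/'
      - '!/^automount=true/'
      - '!/^automount-open=true/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.6
      CISv8: 10.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.7.yml: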
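--------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_7 }}
file:
  00-media-autorun_override:
    title: 1.8.7 | Ensure GDM disabling automatic mounting of removable media is not overridden
    # NOTE(review): dconf only honours lock entries placed under the database's locks/
    # directory, and this path is the settings file that 1.8.8 checks. Confirm the
    # intended lock file (the sibling 1.8.9 uses ".d/locks/<name>").
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/00-media-autorun
    exists: true
    contents:
      # Entries previously began with "^/" rather than "/", making them literal
      # substrings that never occur; re-delimited as /.../ regexes.
      - '/^\/org\/gnome\/desktop\/media-handling\/automount/'
      - '/^\/org\/gnome\/desktop\/media-handling\/automount-open/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.7
      CISv8: 10.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.8.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_8 }}
file:
  00-media-autorun_never:
    title: 1.8.8 | Ensure GDM autorun-never is enabled
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/00-media-autorun
    exists: true
    contents:
      # Brackets escaped so the section header is matched literally, not as a class.
      - '/^\[org\/gnome\/desktop\/media-handling\]/'
      - '/^autorun-never=true/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.8
      CISv8: 10.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_1/cis_1.8/cis_1.8.9.yml: --------------------------------------------------------------------------------
---

{{ if not .Vars.rhel9cis_gui }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_8_9 }}
file:
  00-autorun_lock_never:
    title: 1.8.9 | Ensure GDM autorun-never is not overridden
    path: /etc/dconf/db/{{ .Vars.rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock
    exists: true
    contents:
      # Was '^/\/org...' (no leading "/"), i.e. a literal substring that never occurs.
      - '/^\/org\/gnome\/desktop\/media-handling\/autorun-never/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 1.8.9
      CISv8: 10.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.1.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_1 }}
{{ if not .Vars.rhel9cis_autofs_services }}
{{ if not .Vars.rhel9cis_autofs_mask }}
package:
  autofs_pkg:
    title: 2.1.1 | Ensure autofs services are not in use | pkg removed
    name: autofs
    installed: false
    meta:
      server: 1
      workstation: 2
      CIS_ID:
        - 2.1.1
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - SI-3
        - MP-7
{{ end }}
{{ if .Vars.rhel9cis_autofs_mask }}
file:
  autofs_masked:
    title: 2.1.1 | Ensure autofs services are not in use | masked
    path: /etc/systemd/system/autofs.service
    exists: true
    filetype: symlink
    linked-to: /dev/null
    meta:
      server: 1
      workstation: 2
      CIS_ID:
        - 2.1.1
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - SI-3
        - MP-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.10.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_10 }}
{{ if not .Vars.rhel9cis_nis_server }}
{{ if not .Vars.rhel9cis_nis_mask }}
package:
  ypserv_pkg:
    title: 2.1.10 | Ensure nis server services are not in use | pkg removed
    name: ypserv
    installed: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.10
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
{{ end }}
{{ if .Vars.rhel9cis_nis_mask }}
file:
  ypbind_service_masked:
    title: 2.1.10 | Ensure nis server services are not in use | masked
    # NOTE(review): the package removed above is ypserv, whose unit is ypserv.service;
    # confirm that "ypbind-server.service" is the unit this rule means to see masked,
    # otherwise the symlink check looks at a file that is never created.
    path: /etc/systemd/system/ypbind-server.service
    exists: true
    filetype: symlink
    linked-to: /dev/null
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.10
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.14.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_14 }}
{{ if not .Vars.rhel9cis_snmp_server }}
{{ if not .Vars.rhel9cis_snmp_mask }}
package:
  snmp_pkg:
    title: 2.1.14 | Ensure snmp services are not in use | pkg removed
    name: net-snmp
    installed: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.14
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
{{ end }}
{{ if .Vars.rhel9cis_snmp_mask }}
file:
  snmp_service_masked:
    title: 2.1.14 | Ensure snmp services are not in use | masked
    path: /etc/systemd/system/snmpd.service
    exists: true
    filetype: symlink
    linked-to: /dev/null
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.14
      CISv8:
        - 4.8
      CISv8_IG1: false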
CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.17.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_17 }} 5 | {{ if not .Vars.rhel9cis_squid_server }} 6 | {{ if not .Vars.rhel9cis_squid_mask }} 7 | package: 8 | squid_pkg: 9 | title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed 10 | name: squid 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.17 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-6 24 | - CM-7 25 | {{ end }} 26 | {{ if .Vars.rhel9cis_squid_mask }} 27 | file: 28 | squid_service_masked: 29 | title: 2.1.17 | Ensure web proxy server services are not in use | masked 30 | path: /etc/systemd/system/squid.service 31 | exists: true 32 | filetype: symlink 33 | linked-to: /dev/null 34 | meta: 35 | server: 1 36 | workstation: 1 37 | CIS_ID: 38 | - 2.1.17 39 | CISv8: 40 | - 4.8 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - CM-6 46 | - CM-7 47 | {{ end }} 48 | {{ end }} 49 | {{ end }} 50 | {{ end }} 51 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.18_nginx.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_18 }} 5 | {{ if not .Vars.rhel9cis_nginx_server }} 6 | {{ if not .Vars.rhel9cis_nginx_mask }} 7 | package: 8 | nginx_pkg: 9 | title: 2.1.18 | Ensure web server services are not in use | pkg removed 10 | name: nginx 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 
2.1.18 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_nginx_mask }} 26 | file: 27 | nginx_service_masked: 28 | title: 2.1.18 | Ensure web server services are not in use | masked 29 | path: /etc/systemd/system/nginx.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 2.1.18 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.19.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_19 }} 5 | {{ if not .Vars.rhel9cis_xinetd_server }} 6 | {{ if not .Vars.rhel9cis_xinetd_mask }} 7 | package: 8 | xinetd_pkg: 9 | title: 2.1.19 | Ensure xinetd services are not in use | pkg removed 10 | name: xinetd 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.19 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_xinetd_mask }} 26 | file: 27 | xinetd_service_masked: 28 | title: 2.1.19 | Ensure xinetd services are not in use | masked 29 | path: /etc/systemd/system/xinetd.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 2.1.19 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- 
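/section_2/cis_2.1/cis_2.1.20.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_1_20 }}
{{ if not .Vars.rhel9cis_xwindow_server }}
package:
  xwindow_pkg:
    title: 2.1.20 | Ensure X window server services are not in use | pkg removed
    name: xorg-x11-server-common
    installed: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.20
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-11
{{ end }}
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.21.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_is_mail_server }}
{{ if .Vars.rhel9cis_rule_2_1_21 }}
command:
  mta_listening_port25:
    title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode
    # Port 25 may only be bound on the loopback addresses; any other :25 listener is
    # reported. grep exits 1 when nothing remains, which is the compliant outcome.
    exit-status: 1
    # Dots in the loopback address are escaped so "127.0.0.1" is matched literally.
    exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127\.0\.0\.1|\[?::1\]?):25\s"'
    stdout: ['!/./']
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.21
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
file:
  # Postfix's configuration file is main.cf; the former key "main.conf" named a file
  # that does not exist, so "exists: true" failed on every host.
  # NOTE(review): this check is postfix-specific; a mail server running another MTA
  # will fail it.
  /etc/postfix/main.cf:
    title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode
    exists: true
    contents:
      - '/^inet_interfaces\s*=\s*loopback-only/'
      - '!/^inet_interfaces\s*=\s*all/'
      - '!/^(?i)inet_interfaces\s*=\s*ipv4/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.1.21
      CISv8:
        - 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-7
{{ end }}
{{ end }}
{{ end }}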
-------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.22.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_22 }} 5 | command: 6 | manual_listening_ports: 7 | title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required 8 | exit-status: 9 | or: 10 | - 0 11 | - 1 12 | exec: echo "Manual!! - Please check only approved services are listening" 13 | stdout: ['!/./'] 14 | meta: 15 | server: 1 16 | workstation: 1 17 | CIS_ID: 18 | - 2.1.22 19 | CISv8: 20 | - 4.8 21 | CISv8_IG1: false 22 | CISv8_IG2: true 23 | CISv8_IG3: true 24 | NIST800-53R5: 25 | - CM-7 26 | {{ end }} 27 | {{ end }} 28 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_4 }} 5 | {{ if not .Vars.rhel9cis_dns_server }} 6 | {{ if not .Vars.rhel9cis_dns_mask }} 7 | package: 8 | dns_pkg: 9 | title: 2.1.4 | Ensure dns server services are not in use | pkg removed 10 | name: named 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.4 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_dns_mask }} 26 | file: 27 | dns_service_masked: 28 | title: 2.1.4 | Ensure dns server services are not in use | masked 29 | path: /etc/systemd/system/named.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 2.1.4 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 
| {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_5 }} 5 | {{ if not .Vars.rhel9cis_dnsmasq_server }} 6 | {{ if not .Vars.rhel9cis_dnsmasq_mask }} 7 | package: 8 | dnsmasq_pkg: 9 | title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed 10 | name: dnsmasq 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.5 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_dnsmasq_mask }} 26 | file: 27 | dnsmasq_service_masked: 28 | title: 2.1.5 | Ensure dnsmasq server services are not in use | masked 29 | path: /etc/systemd/system/dnsmasq.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 2.1.5 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_6 }} 5 | {{ if not .Vars.rhel9cis_samba_server }} 6 | {{ if not .Vars.rhel9cis_samba_mask }} 7 | package: 8 | samba_pkg: 9 | title: 2.1.6 | Ensure samba file server services are not in use | pkg removed 10 | name: samba 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.6 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-6 
24 | - CM-7 25 | {{ end }} 26 | {{ if .Vars.rhel9cis_samba_mask }} 27 | file: 28 | samba_service_masked: 29 | title: 2.1.6 | Ensure samba server services are not in use | masked 30 | path: /etc/systemd/system/smb.service 31 | exists: true 32 | filetype: symlink 33 | linked-to: /dev/null 34 | meta: 35 | server: 1 36 | workstation: 1 37 | CIS_ID: 38 | - 2.1.6 39 | CISv8: 40 | - 4.8 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - CM-6 46 | - CM-7 47 | {{ end }} 48 | {{ end }} 49 | {{ end }} 50 | {{ end }} 51 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.7.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_7 }} 5 | {{ if not .Vars.rhel9cis_ftp_server }} 6 | {{ if not .Vars.rhel9cis_ftp_mask }} 7 | package: 8 | ftp_pkg: 9 | title: 2.1.7 | Ensure ftp server services are not in use | pkg removed 10 | name: vsftp 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.7 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_ftp_mask }} 26 | file: 27 | ftp_service_masked: 28 | title: 2.1.7 | Ensure ftp server services are not in use | masked 29 | path: /etc/systemd/system/vsftpd.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 35 | workstation: 1 36 | CIS_ID: 37 | - 2.1.7 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_2/cis_2.1/cis_2.1.9.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if 
.Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_1_9 }} 5 | {{ if not .Vars.rhel9cis_nfs_server }} 6 | {{ if not .Vars.rhel9cis_nfs_mask }} 7 | package: 8 | nfs_pkg: 9 | title: 2.1.9 | Ensure network file system services are not in use | pkg removed 10 | name: nfs-utils 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 2.1.9 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-6 24 | - CM-7 25 | {{ end }} 26 | {{ if .Vars.rhel9cis_nfs_mask }} 27 | file: 28 | nfs_service_masked: 29 | title: 2.1.9 | Ensure network file system services are not in use | masked 30 | path: /etc/systemd/system/nfs-server.service 31 | exists: true 32 | filetype: symlink 33 | linked-to: /dev/null 34 | meta: 35 | server: 1 36 | workstation: 1 37 | CIS_ID: 38 | - 2.1.9 39 | CISv8: 40 | - 4.8 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - CM-6 46 | - CM-7 47 | {{ end }} 48 | {{ end }} 49 | {{ end }} 50 | {{ end }} 51 | -------------------------------------------------------------------------------- /section_2/cis_2.2/cis_2.2.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if not .Vars.rhel9cis_ftp_client }} 5 | {{ if .Vars.rhel9cis_rule_2_2_1 }} 6 | package: 7 | ftp: 8 | title: 2.2.1 | Ensure ftp client is not installed 9 | installed: false 10 | name: ftp 11 | meta: 12 | server: 1 13 | workstation: 1 14 | CIS_ID: 15 | - 2.2.1 16 | CISv8: 17 | - 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_2/cis_2.2/cis_2.2.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | {{ if .Vars.rhel9cis_level_2 }} 3 | {{ if not 
.Vars.rhel9cis_openldap_clients_required }} 4 | {{ if .Vars.rhel9cis_rule_2_2_2 }} 5 | package: 6 | openldap-clients: 7 | title: 2.2.2 | Ensure LDAP client is not installed 8 | installed: false 9 | name: openldap-clients 10 | meta: 11 | server: 2 12 | workstation: 2 13 | CIS_ID: 14 | - 2.2.2 15 | CISv8: 16 | - 4.8 17 | CISv8_IG1: false 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: 21 | - CM-7 22 | {{ end }} 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_2/cis_2.2/cis_2.2.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if not .Vars.rhel9cis_ypbind_required }} 5 | {{ if .Vars.rhel9cis_rule_2_2_3 }} 6 | package: 7 | nis_client: 8 | title: 2.2.3 | Ensure nis client is not installed 9 | installed: false 10 | name: ypbind 11 | meta: 12 | server: 1 13 | workstation: 1 14 | CIS_ID: 15 | - 2.2.3 16 | CISv8: 17 | - 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_2/cis_2.2/cis_2.2.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if not .Vars.rhel9cis_telnet_required }} 5 | {{ if .Vars.rhel9cis_rule_2_2_4 }} 6 | package: 7 | telnet_client: 8 | title: 2.2.4 | Ensure telnet client is not installed 9 | installed: false 10 | name: telnet 11 | meta: 12 | server: 1 13 | workstation: NA 14 | CIS_ID: 15 | - 2.2.4 16 | CISv8: 17 | - 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_2/cis_2.2/cis_2.2.5.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if not .Vars.rhel9cis_tftp_client }} 5 | {{ if .Vars.rhel9cis_rule_2_2_5 }} 6 | package: 7 | tftp_client: 8 | title: 2.2.5 | Ensure tftp client is not installed 9 | installed: false 10 | name: tftp 11 | meta: 12 | server: 1 13 | workstation: NA 14 | CIS_ID: 15 | - 2.2.5 16 | CISv8: 17 | - 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | {{ end }} 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_2/cis_2.3/cis_2.3.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_3_1 }} 5 | package: 6 | chrony_installed: 7 | title: 2.3.1 | Ensure time synchronization is in use 8 | installed: true 9 | name: chrony 10 | meta: 11 | server: 1 12 | workstation: 1 13 | CIS_ID: 14 | - 2.3.1 15 | CISv8: 16 | - 8.4 17 | CISv8_IG1: false 18 | CISv8_IG2: true 19 | CISv8_IG3: true 20 | NIST800-53R5: 21 | - AU-3 22 | - AU-12 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_2/cis_2.3/cis_2.3.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_2_3_2 }} 5 | file: 6 | chrony_servers_pools: 7 | title: 2.3.2 | Ensure chrony is configured | server 8 | path: /etc/chrony.conf 9 | exists: true 10 | contents: 11 | - '/^(server|pool)\s.*/' 12 | skip: false 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 2.3.2 18 | CISv8: 19 | - 8.4 20 | CISv8_IG1: false 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: 24 | - AU-3 25 | - AU-12 26 | {{ end }} 27 | {{ end }} 28 | 
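-------------------------------------------------------------------------------- /section_2/cis_2.3/cis_2.3.3.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_3_3 }}
file:
  chrony_sysconfig:
    title: 2.3.3 | Ensure chrony is not run as the root user | sysconfig
    path: /etc/sysconfig/chronyd
    exists: true
    contents:
      - '/^OPTIONS=".*-u chrony.*"/'
      # Was '!/^OPTIONS="".*-u root.*"/': the doubled quote anchored the pattern to lines
      # beginning with OPTIONS="" and so never caught OPTIONS="-u root".
      - '!/^OPTIONS=".*-u root.*"/'
    skip: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.3.3
      CISv8:
        - 8.4
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.4/cis_2.4.1.1.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_4_1_1 }}
service:
  crond:
    title: 2.4.1.1 | Ensure cron daemon is enabled and active
    running: true
    enabled: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.4.1.1
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.4/cis_2.4.1.2.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_4_1_2 }}
file:
  crontab_perms:
    title: 2.4.1.2 | Ensure permissions on /etc/crontab are configured
    path: /etc/crontab
    exists: true
    owner: root
    group: root
    mode: "0600"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.4.1.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.4/cis_2.4.1.8.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_4_1_8 }}
file:
  cron_deny_users:
    title: 2.4.1.8 | Ensure cron is restricted to authorized users
    path: /etc/cron.deny
    exists: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.4.1.8
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
  cron_allow_users:
    title: 2.4.1.8 | Ensure cron is restricted to authorized users
    path: /etc/cron.allow
    exists: true
    owner: root
    group: root
    mode: "0600"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.4.1.8
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
-------------------------------------------------------------------------------- /section_2/cis_2.4/cis_2.4.2.1.yml: --------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_2_4_2_1 }}
file:
  at_deny_users:
    title: 2.4.2.1 | Ensure at is restricted to authorized users
    path: /etc/at.deny
    exists: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 2.4.2.1
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
  at_allow_users:
    # Title separator normalised to "ID | text" like every other check in the tree.
    title: 2.4.2.1 | Ensure at is restricted to authorized users
    path: /etc/at.allow
    exists: true
    owner: root
    group: root
    mode: "0600"
    meta:
      server: 1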
workstation: 1 32 | CIS_ID: 33 | - 2.4.2.1 34 | CISv8: 3.3 35 | CISv8_IG1: true 36 | CISv8_IG2: true 37 | CISv8_IG3: true 38 | NIST800-53R5: 39 | - AC-3 40 | - MP-2 41 | {{ end }} 42 | {{ end }} 43 | -------------------------------------------------------------------------------- /section_3/cis_3.1/cis_3.1.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_3_1_2 }} 5 | command: 6 | wireless_disabled: 7 | title: 3.1.2 | Ensure wireless interfaces are disabled 8 | exit-status: 0 9 | exec: 'nmcli radio all | tail -1' 10 | stdout: 11 | - '/^(enabled|disabled|missing)\s\s(disabled)\s\s(enabled|disabled|missing)\s\s(disabled)/' 12 | meta: 13 | server: 1 14 | workstation: NA 15 | CIS_ID: 16 | - 3.1.2 17 | CISv8: 4.8 18 | CISv8_IG1: false 19 | CISv8_IG2: true 20 | CISv8_IG3: true 21 | NIST800-53R5: 22 | - CM-7 23 | {{ end }} 24 | {{ end }} 25 | -------------------------------------------------------------------------------- /section_3/cis_3.1/cis_3.1.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_3_1_3 }} 5 | {{ if not .Vars.rhel9cis_bluetooth_service }} 6 | {{ if not .Vars.rhel9cis_bluetooth_mask }} 7 | package: 8 | bluetooth_pkg: 9 | title: 3.1.3 | Ensure bluetooth services are not in use | pkg removed 10 | name: bluez 11 | installed: false 12 | meta: 13 | server: 1 14 | workstation: 2 15 | CIS_ID: 16 | - 3.1.3 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | {{ end }} 25 | {{ if .Vars.rhel9cis_bluetooth_mask }} 26 | file: 27 | bluetooth_service_masked: 28 | title: 3.1.3 | Ensure bluetooth server services are not in use | masked 29 | path: /etc/systemd/system/bluetooth.service 30 | exists: true 31 | filetype: symlink 32 | linked-to: /dev/null 33 | meta: 34 | server: 1 
35 | workstation: 2 36 | CIS_ID: 37 | - 3.1.3 38 | CISv8: 39 | - 4.8 40 | CISv8_IG1: false 41 | CISv8_IG2: true 42 | CISv8_IG3: true 43 | NIST800-53R5: 44 | - CM-7 45 | {{ end }} 46 | {{ end }} 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_3/cis_3.2/cis_3.2.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_3_2_1 }} 5 | command: 6 | modprobe_dccp: 7 | title: 3.2.1 | Ensure dccp kernel module is not available | DCCP config 8 | exit-status: 0 9 | exec: 'modprobe -n -v dccp' 10 | stdout: 11 | - '/install /bin/(true|false)/' 12 | meta: 13 | server: 2 14 | workstation: 2 15 | CIS_ID: 16 | - 3.2.1 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | - SI-4 25 | lsmod_dccp: 26 | title: 3.2.1 | Ensure dccp kernel module is not available | running dccp 27 | exit-status: 1 28 | exec: lsmod | grep -i dccp 29 | stdout: 30 | - '!/^.*/' 31 | meta: 32 | server: 2 33 | workstation: 2 34 | CIS_ID: 35 | - 3.2.1 36 | CISv8: 37 | - 4.8 38 | CISv8_IG1: false 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - SI-4 44 | {{ end }} 45 | {{ end }} 46 | -------------------------------------------------------------------------------- /section_3/cis_3.2/cis_3.2.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_3_2_2 }} 5 | command: 6 | modprobe_TIPC: 7 | title: 3.2.2 | Ensure tipc kernel module is not available | tipc config 8 | exit-status: 9 | or: 10 | - 0 11 | - 1 12 | exec: 'modprobe -n -v tipc' 13 | stdout: 14 | - '/install /bin/(true|false)/' 15 | meta: 16 | server: 2 17 | workstation: 2 18 | CIS_ID: 19 | - 3.2.2 20 | CISv8: 21 | - 4.8 22 | CISv8_IG1: false 23 | CISv8_IG2: true 24 | 
CISv8_IG3: true 25 | NIST800-53R5: 26 | - CM-7 27 | - SI-4 28 | lsmod_TIPC: 29 | title: 3.2.2 | Ensure tipc kernel module is not available | running tipc 30 | exit-status: 1 31 | exec: lsmod | grep -i tipc 32 | stdout: 33 | - '!/^.*/' 34 | meta: 35 | server: 2 36 | workstation: 2 37 | CIS_ID: 38 | - 3.2.2 39 | CISv8: 40 | - 4.8 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - CM-7 46 | - SI-4 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_3/cis_3.2/cis_3.2.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_3_2_3 }} 5 | command: 6 | modprobe_RDS: 7 | title: 3.2.3 | Ensure rds kernel module is not available | rds config 8 | exit-status: 9 | or: 10 | - 0 11 | - 1 12 | exec: 'modprobe -n -v rds' 13 | stdout: 14 | - '/install /bin/(true|false)/' 15 | meta: 16 | server: 2 17 | workstation: 2 18 | CIS_ID: 19 | - 3.2.3 20 | CISv8: 21 | - 4.8 22 | CISv8_IG1: false 23 | CISv8_IG2: true 24 | CISv8_IG3: true 25 | NIST800-53R5: 26 | - CM-7 27 | - SI-4 28 | lsmod_RDS: 29 | title: 3.2.3 | Ensure rds kernel module is not available | running rds 30 | exit-status: 1 31 | exec: lsmod | grep -i rds 32 | stdout: 33 | - '!/^.*/' 34 | meta: 35 | server: 2 36 | workstation: 2 37 | CIS_ID: 38 | - 3.2.3 39 | CISv8: 40 | - 4.8 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - CM-7 46 | - SI-4 47 | {{ end }} 48 | {{ end }} 49 | -------------------------------------------------------------------------------- /section_3/cis_3.2/cis_3.2.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_2 }} 4 | {{ if .Vars.rhel9cis_rule_3_2_4 }} 5 | command: 6 | modprobe_sctp: 7 | title: 3.2.4 | Ensure sctp kernel module is not available | sctp config 8 | 
exit-status: 0 9 | exec: 'modprobe -n -v sctp' 10 | stdout: 11 | - '/install /bin/(true|false)/' 12 | meta: 13 | server: 2 14 | workstation: 2 15 | CIS_ID: 16 | - 3.2.4 17 | CISv8: 18 | - 4.8 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-7 24 | - SI-4 25 | lsmod_sctp: 26 | title: 3.2.4 | Ensure sctp kernel module is not available | running sctp 27 | exit-status: 1 28 | exec: lsmod | grep -i sctp 29 | stdout: 30 | - '!/^.*/' 31 | meta: 32 | server: 2 33 | workstation: 2 34 | CIS_ID: 35 | - 3.2.4 36 | CISv8: 37 | - 4.8 38 | CISv8_IG1: false 39 | CISv8_IG2: true 40 | CISv8_IG3: true 41 | NIST800-53R5: 42 | - CM-7 43 | - SI-4 44 | {{ end }} 45 | {{ end }} 46 | -------------------------------------------------------------------------------- /section_4/cis_4.1/cis_4.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_1_1 }} 5 | package: 6 | nftables: 7 | title: 4.1.1 | Ensure nftables is installed 8 | installed: true 9 | meta: 10 | server: 1 11 | workstation: 1 12 | CIS_ID: 13 | - 4.1.1 14 | CISv8: 4.4 15 | CISv8_IG1: true 16 | CISv8_IG2: true 17 | CISv8_IG3: true 18 | NIST800-53R5: 19 | - CA-9 20 | {{ end }} 21 | {{ end }} 22 | -------------------------------------------------------------------------------- /section_4/cis_4.2/cis_4.2.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_2_1 }} 5 | command: 6 | firewall_drop_unncessary_ports_manual: 7 | title: 4.2.1 | Ensure firewalld drops unnecessary services and ports | Manual Check Required 8 | exec: echo "Manual test" 9 | exit-status: 0 10 | stdout: 11 | - '!/Manual test/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.2.1 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | 
NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_4/cis_4.2/cis_4.2.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_2_2 }} 5 | command: 6 | firewalld_loopback_manual: 7 | title: 4.2.2 | Ensure firewalld loopback traffic is configured | Manual Check Required 8 | exec: echo "Manual test" 9 | exit-status: 0 10 | stdout: 11 | - '!/Manual test/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.2.2 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_4/cis_4.3/cis_4.3.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_3_1 }} 5 | command: 6 | nftables_base_chain_manual: 7 | title: 4.3.1 | Ensure nftables base chains exist | Manual Check Required 8 | exec: echo "Manual test" 9 | exit-status: 0 10 | stdout: 11 | - '!/Manual test/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.3.1 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_4/cis_4.3/cis_4.3.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_3_2 }} 5 | command: 6 | firewall_established_conns_manual: 7 | title: 4.3.2 | Ensure nftables established connections are configured | Manual Check Required 8 | exec: echo "Manual test" 9 | exit-status: 0 10 | stdout: 11 
| - '!/Manual test/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.3.2 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_4/cis_4.3/cis_4.3.3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_3_3 }} 5 | command: 6 | nftables_default_deny_input: 7 | title: 4.3.3 | Ensure nftables default deny firewall policy | nftables 8 | exec: systemctl --quiet is-enabled nftables.service && nft list ruleset | grep -E 'hook (input|forward)' | grep -v 'policy drop' 9 | exit-status: 0 10 | stdout: 11 | - '!/^.*/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.3.3 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_4/cis_4.3/cis_4.3.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_4_3_4 }} 5 | command: 6 | firewall_loopback_manual: 7 | title: 4.3.4 | Ensure host based firewall loopback traffic is configured | Manual Check Required 8 | exec: echo "Manual test" 9 | exit-status: 0 10 | stdout: 11 | - '!/Manual test/' 12 | meta: 13 | server: 1 14 | workstation: 1 15 | CIS_ID: 16 | - 4.3.4 17 | CISv8: 18 | - 4.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CA-9 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_1 }}
file:
  sshd_config_perms:
    title: 5.1.1 | Ensure permissions on /etc/ssh/sshd_config are configured
    path: /etc/ssh/sshd_config
    exists: true
    # goss compares the mode exactly: 0600 root:root is the only passing state.
    mode: "0600"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.1]
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [AC-3, MP-2]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.10.yml ----
---

# 5.1.10: DisableForwarding must be `yes` both in sshd_config and in the
# effective configuration reported by `sshd -T`.
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_5_1_10 }}
file:
  sshd_disable_forward:
    title: 5.1.10 | Ensure sshd DisableForwarding is enabled | config
    path: /etc/ssh/sshd_config
    exists: true
    # (?i): sshd keywords are case-insensitive, so match any spelling.
    contents:
      - '/^(?i)disableforwarding yes/'
      - '!/^(?i)disableforwarding no/'
    meta:
      server: 2
      workstation: 1
      CIS_ID: [5.1.10]
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-7]
command:
  ssh_disable_forward_live:
    title: 5.1.10 | Ensure sshd DisableForwarding is enabled | live
    # `sshd -T` prints keywords in lower case; exit 1 (no grep hit) is tolerated
    # so that the stdout patterns decide.
    exec: sshd -T | grep disableforwarding
    exit-status:
      or: [0, 1]
    stdout:
      - '/^disableforwarding yes/'
      - '!/^disableforwarding no/'
    meta:
      server: 2
      workstation: 1
      CIS_ID: [5.1.10]
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-7]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.11.yml ----
---

# 5.1.11: GSSAPIAuthentication must be `no` in sshd_config and in `sshd -T`.
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_5_1_11 }}
file:
  sshd_gssapi:
    title: 5.1.11 | Ensure sshd GSSAPIAuthentication is disabled | config
    path: /etc/ssh/sshd_config
    exists: true
    contents:
      - '/^(?i)gssapiauthentication no/'
      - '!/^(?i)gssapiauthentication yes/'
    meta:
      server: 2
      workstation: 1
      CIS_ID: [5.1.11]
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-1, CM-2, CM-6, CM-7, IA-5]
command:
  ssh_gssapi_live:
    title: 5.1.11 | Ensure sshd GSSAPIAuthentication is disabled | live
    exec: sshd -T | grep -i gssapiauthentication
    exit-status:
      or: [0, 1]
    stdout:
      - '/^gssapiauthentication no/'
      - '!/^gssapiauthentication yes/'
    meta:
      server: 2
      workstation: 1
      CIS_ID: [5.1.11]
      CISv8: 4.8
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-1, CM-2, CM-6, CM-7, IA-5]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.13.yml ----
---

# 5.1.13: IgnoreRhosts must be `yes` in sshd_config and in `sshd -T`.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_13 }}
file:
  ssh_rhosts:
    title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | config
    path: /etc/ssh/sshd_config
    exists: true
    # NOTE(review): unlike 5.1.10/5.1.11 these patterns are case-sensitive, so
    # a differently-cased keyword in the file is not recognised.
    contents:
      - '/^IgnoreRhosts yes/'
      - '!/^IgnoreRhosts no/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.13]
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-1, CM-2, CM-6, CM-7, IA-5]
command:
  ssh_rhosts_live:
    title: 5.1.13 | Ensure SSH IgnoreRhosts is enabled | live
    exec: sshd -T | grep ignorerhosts
    exit-status:
      or: [0, 1]
    stdout:
      - '/^ignorerhosts yes/'
      - '!/^ignorerhosts no/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.13]
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-1, CM-2, CM-6, CM-7, IA-5]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.14.yml ----
---

# 5.1.14: LoginGraceTime must be between 1 and 60 seconds.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_14 }}
file:
  sshd_logingrace:
    title: 5.1.14 | Ensure sshd LoginGraceTime is configured
    path: /etc/ssh/sshd_config
    exists: true
    # The first pattern accepts 1-60; the second rejects 61 and above (on its
    # own the first would also accept e.g. 600 through its leading "60").
    contents:
      - '/^LoginGraceTime ([1-9]|[1-5][0-9]|60)/'
      - '!/^LoginGraceTime (6[1-9]|[7-9][0-9]|[1-9][0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.14]
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-6]
command:
  ssh_logingrace_live:
    title: 5.1.14 | Ensure sshd LoginGraceTime is configured | live
    exec: sshd -T | grep logingracetime
    exit-status:
      or: [0, 1]
    stdout:
      - '/^logingracetime ([1-9]|[1-5][0-9]|60)/'
      - '!/^logingracetime (6[1-9]|[7-9][0-9]|[1-9][0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.14]
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-6]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.15.yml ----
---

# 5.1.15: LogLevel must be VERBOSE or INFO in sshd_config and in `sshd -T`.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_15 }}
file:
  sshd_loglevel:
    title: 5.1.15 | Ensure SSH LogLevel is appropriate | config
    path: /etc/ssh/sshd_config
9 | exists: true 10 | contents: 11 | - '/^LogLevel\s(VERBOSE|INFO)/' 12 | - '!/^LogLevel DEBUG/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.1.15 18 | CISv8: 8.2 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - AU-3 24 | - AU-12 25 | - SI-5 26 | command: 27 | ssh_loglevel_live: 28 | title: 5.1.15 | Ensure SSH LogLevel is appropriate | live 29 | exec: sshd -T | grep loglevel 30 | exit-status: 31 | or: 32 | - 0 33 | - 1 34 | stdout: 35 | - '/^loglevel\s(VERBOSE|INFO)/' 36 | - '!/^loglevel DEBUG/' 37 | meta: 38 | server: 1 39 | workstation: 1 40 | CIS_ID: 41 | - 5.1.15 42 | CISv8: 8.2 43 | CISv8_IG1: true 44 | CISv8_IG2: true 45 | CISv8_IG3: true 46 | NIST800-53R5: 47 | - AU-3 48 | - AU-12 49 | - SI-5 50 | {{ end }} 51 | {{ end }} 52 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.16.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_16 }} 5 | path: 6 | sshd_authtries: 7 | title: 5.1.16 | Ensure sshd MaxAuthTries is configured 8 | path: /etc/ssh/sshd_config 9 | exists: true 10 | contents: 11 | - "/^MaxAuthTries [1-4]/" 12 | - "!/^MaxAuthTries [5-9]/" 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.1.16 18 | CISv8: 8.5 19 | CISv8_IG1: false 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - AU-3 24 | command: 25 | sshd_authtries_live: 26 | title: 5.1.16 | Ensure sshd MaxAuthTries is configured | live 27 | exec: sshd -T | grep maxauthtries 28 | exit-status: 29 | or: 30 | - 0 31 | - 1 32 | stdout: 33 | - "/maxauthtries [1-4]/" 34 | - "!/^maxauthtries [5-9]/" 35 | meta: 36 | server: 1 37 | workstation: 1 38 | CIS_ID: 39 | - 5.1.16 40 | CISv8: 8.5 41 | CISv8_IG1: false 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - AU-3 46 | {{ end }} 47 | {{ end }} 48 | 
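# ---- /section_5/cis_5.1/cis_5.1.17.yml ----
---

# 5.1.17: MaxStartups must be set to 10:30:60, in sshd_config and in `sshd -T`.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_17 }}
file:
  sshd_maxstartups:
    title: 5.1.17 | Ensure SSH MaxStartups is configured
    path: /etc/ssh/sshd_config
    exists: true
    # Plain substring (not a regex), so only this exact triple passes.
    # NOTE(review): a commented-out `#MaxStartups 10:30:60` line also matches,
    # and more restrictive values are rejected -- confirm that is intended.
    contents:
      - "MaxStartups 10:30:60"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.1.17
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
command:
  ssh_maxstartups_live:
    title: 5.1.17 | Ensure SSH MaxStartups is configured | live
    exec: sshd -T | grep maxstartups
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - "maxstartups 10:30:60"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.1.17
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.18.yml ----
---

# 5.1.18: MaxSessions must be between 1 and 10, in sshd_config and in `sshd -T`.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_18 }}
file:
  sshd_maxsessions:
    title: 5.1.18 | Ensure SSH MaxSessions is limited
    path: /etc/ssh/sshd_config
    exists: true
    # `\b` keeps "10" from also accepting 100, 1000, ...; the negative pattern
    # covers 11-99 and every value of three or more digits (the earlier
    # `[1-9]{3,}` missed any such value containing a zero, e.g. 100).
    contents:
      - '/^MaxSessions ([1-9]|10)\b/'
      - '!/^MaxSessions (1[1-9]|[2-9][0-9]|[1-9][0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.1.18
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
command:
  ssh_maxsessions_live: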
title: 5.1.18 | Ensure SSH MaxSessions is limited | live 31 | exec: sshd -T | grep maxsessions 32 | exit-status: 33 | or: 34 | - 0 35 | - 1 36 | stdout: 37 | - '/^maxsessions ([1-9]|10)/' 38 | - '!/^maxsessions (1[1-9]|[2-9][0-9]|[1-9]{3,})/' 39 | meta: 40 | server: 1 41 | workstation: 1 42 | CIS_ID: 43 | - 5.1.18 44 | CISv8: 4.1 45 | CISv8_IG1: true 46 | CISv8_IG2: true 47 | CISv8_IG3: true 48 | NIST800-53R5: 49 | - CM-1 50 | - CM-2 51 | - CM-6 52 | - CM-7 53 | - IA-5 54 | {{ end }} 55 | {{ end }} 56 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.20.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_20 }} 5 | file: 6 | sshd_permit_root: 7 | title: 5.1.20 | Ensure SSH root login is disabled | config 8 | path: /etc/ssh/sshd_config 9 | exists: true 10 | contents: 11 | - '/^PermitRootLogin no/' 12 | - '!/^PermitRootLogin yes/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.1.20 18 | CISv8: 5.4 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - AC-6 24 | command: 25 | ssh_permit_root_live: 26 | title: 5.1.20 | Ensure SSH root login is disabled | live 27 | exec: sshd -T | grep permitrootlogin 28 | exit-status: 29 | or: 30 | - 0 31 | - 1 32 | stdout: 33 | - '/^permitrootlogin no/' 34 | - '!/^permitrootlogin yes/' 35 | meta: 36 | server: 1 37 | workstation: 1 38 | CIS_ID: 39 | - 5.1.20 40 | CISv8: 5.4 41 | CISv8_IG1: true 42 | CISv8_IG2: true 43 | CISv8_IG3: true 44 | NIST800-53R5: 45 | - AC-6 46 | {{ end }} 47 | {{ end }} 48 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.21.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_21 }} 5 | file: 6 | sshd_userenv: 7 
| title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | config 8 | path: /etc/ssh/sshd_config 9 | exists: true 10 | contents: 11 | - '/^PermitUserEnvironment no/' 12 | - '!/^PermitUserEnvironment yes/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.1.21 18 | CISv8: 4.1 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-1 24 | - CM-2 25 | - CM-6 26 | - CM-7 27 | - IA-5 28 | command: 29 | ssh_userenv_live: 30 | title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled | live 31 | exec: sshd -T | grep permituserenvironment 32 | exit-status: 33 | or: 34 | - 0 35 | - 1 36 | stdout: 37 | - '/^permituserenvironment no/' 38 | - '!/^permituserenvironment yes/' 39 | meta: 40 | server: 1 41 | workstation: 1 42 | CIS_ID: 43 | - 5.1.21 44 | CISv8: 4.1 45 | CISv8_IG1: true 46 | CISv8_IG2: true 47 | CISv8_IG3: true 48 | NIST800-53R5: 49 | - CM-1 50 | - CM-2 51 | - CM-6 52 | - CM-7 53 | - IA-5 54 | {{ end }} 55 | {{ end }} 56 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.22.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_22 }} 5 | file: 6 | sshd_usepam: 7 | title: 5.1.22 | Ensure sshd UsePAM is enabled | config 8 | path: /etc/ssh/sshd_config 9 | exists: true 10 | contents: 11 | - '/^UsePAM yes/' 12 | - '!/^UsePAM no/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.1.22 18 | CISv8: 4.1 19 | CISv8_IG1: true 20 | CISv8_IG2: true 21 | CISv8_IG3: true 22 | NIST800-53R5: 23 | - CM-1 24 | - CM-2 25 | - CM-6 26 | - CM-7 27 | - IA-5 28 | command: 29 | ssh_usepam_live: 30 | title: 5.1.22 | Ensure sshd UsePAM is enabled | live 31 | exec: sshd -T | grep usepam 32 | exit-status: 33 | or: 34 | - 0 35 | - 1 36 | stdout: 37 | - '/^usepam yes/' 38 | - '!/^usepam no/' 39 | meta: 40 | server: 1 41 | workstation: 1 42 | 
CIS_ID: 43 | - 5.1.22 44 | CISv8: 4.1 45 | CISv8_IG1: true 46 | CISv8_IG2: true 47 | CISv8_IG3: true 48 | NIST800-53R5: 49 | - CM-1 50 | - CM-2 51 | - CM-6 52 | - CM-7 53 | - IA-5 54 | {{ end }} 55 | {{ end }} 56 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_4 }} 5 | command: 6 | no_weak_ssh_ciphers: 7 | title: 5.1.4 | Ensure sshd Ciphers are configured | weak cipher check 8 | exec: sshd -T | grep -Pi --'^ciphers\h+\"?([^#\n\r]+,)?((3des|blowfish|cast128|aes(128|192|256))-cbc|arcfour(128|256)?|rijndael-cbc@lysator\.liu\.se|chacha20-poly1305@openssh\.com)\b' 9 | exit-status: 10 | or: 11 | - 0 12 | - 2 13 | stdout: ['!/./'] 14 | meta: 15 | server: 1 16 | workstation: 1 17 | CIS_ID: 18 | - 5.1.4 19 | CISv8: 3.3 20 | CISv8_IG1: true 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: 24 | - SC-8 25 | {{ end }} 26 | {{ end }} 27 | -------------------------------------------------------------------------------- /section_5/cis_5.1/cis_5.1.5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_1_5 }} 5 | command: 6 | no_weak_ssh_kex: 7 | title: 5.1.5 | Ensure sshd KexAlgorithms is configured| weak kex check 8 | exec: sshd -T | grep -Pi -- 'kexalgorithms\h+([^#\n\r]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b' 9 | exit-status: 10 | or: 11 | - 0 12 | - 1 13 | stdout: ['!/./'] 14 | meta: 15 | server: 1 16 | workstation: 1 17 | CIS_ID: 18 | - 5.1.5 19 | CISv8: 3.3 20 | CISv8_IG1: true 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: 24 | - SC-8 25 | {{ end }} 26 | {{ end }} 27 | -------------------------------------------------------------------------------- 
# ---- /section_5/cis_5.1/cis_5.1.6.yml ----
---

# 5.1.6: the effective MACs list must contain none of the listed weak MACs.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_6 }}
command:
  no_weak_ssh_macs:
    title: 5.1.6 | Ensure sshd MACs are configured | weak mac check
    exec: sshd -T | grep -Pi -- 'macs\h+([^#\n\r]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b'
    # Exit 1 (no match) is the compliant case; a match prints the line and
    # fails the stdout pattern.
    exit-status:
      or: [0, 1]
    stdout: ['!/./']
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.6]
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [CM-1, CM-2, CM-6, CM-7, IA-5]
{{ end }}
{{ end }}
# ---- /section_5/cis_5.1/cis_5.1.7.yml ----
---

# 5.1.7: Allow/Deny Users/Groups directives must match the configured values.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_7 }}
command:
  sshd_access_limited:
    title: 5.1.7 | Ensure SSH access is limited | config
    # NOTE(review): with no *.conf in sshd_config.d the glob stays literal and
    # grep exits 2, which is not in the accepted list -- confirm.
    exec: grep -Ei "^(Allow|Deny)(Users|Groups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
    exit-status:
      or: [0, 1]
    # NOTE(review): each entry below is a YAML mapping, not a string/regex,
    # while grep prints lines of the form `<file>:AllowUsers <names>`; it is
    # doubtful this matches as intended -- verify against a goss run.
    stdout:
      - allowusers: {{ .Vars.rhel9cis_sshd_allowusers }}
      - allowgroups: {{ .Vars.rhel9cis_sshd_allowgroups }}
      - denyusers: {{ .Vars.rhel9cis_sshd_denyusers }}
      - denygroups: {{ .Vars.rhel9cis_sshd_denygroups }}
    meta:
      server: 1
      workstation: 1
      CIS_ID: [5.1.7]
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: [AC-3, MP-2]
{{ end }}
{{ end }}
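# ---- /section_5/cis_5.1/cis_5.1.8.yml ----
---

# 5.1.8: the banner must point at /etc/issue.net and no drop-in may reset it.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_1_8 }}
file:
  sshd_banner:
    title: 5.1.8 | Ensure SSH warning banner configured | sshd_default
    path: /etc/ssh/sshd_config
    exists: true
    contents:
      - '/^Banner /etc/issue.net/'
      - '!/^Banner none/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.1.8
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
command:
  ssh_configd_banner:
    title: 5.1.8 | Ensure SSH warning banner configured | conf.d banner settings
    # The space between the pattern and the path is required: without it the
    # shell glues the glob onto the pattern and grep reads stdin instead of
    # the drop-in files, passing the check vacuously.  -s silences the error
    # when no *.conf exists (exit 2, accepted below).
    exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf
    exit-status:
      or:
        - 0
        - 1
        - 2
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.1.8
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
# ---- /section_5/cis_5.2/cis_5.2.1.yml ----
---

# 5.2.1: the resource key is the package name goss looks up.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_1}}
package:
  sudo:
    title: 5.2.1 | Ensure sudo is installed
    installed: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.2.1
      CISv8: 5.4
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-6
{{ end }}
{{ end }}
# ---- /section_5/cis_5.2/cis_5.2.2.yml ----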
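---

# 5.2.2: a `Defaults use_pty` line must exist in sudoers or a sudoers.d drop-in.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_2 }}
command:
  pty_sudoers_d:
    title: 5.2.2 | Ensure sudo commands use pty
    # The optional group `([^#]+,\s*)?` lets use_pty follow other comma-separated
    # Defaults options (same shape as 5.2.3); the earlier `\[^#]` escaped the
    # bracket and so never matched that form.  grep -q's status is captured and
    # turned into "OK" so only a hit counts.
    exec: export PTY=`grep -q -Ei '^\s*Defaults\s+([^#]+,\s*)?use_pty' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi
    exit-status: 0
    stdout:
      - 'OK'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.2.2
      CISv8:
        - 5.4
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-6
{{ end }}
{{ end }}
# ---- /section_5/cis_5.2/cis_5.2.3.yml ----
---

# 5.2.3: a `Defaults logfile=` line must exist in sudoers or a sudoers.d drop-in.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_3 }}
command:
  log_sudoers_d:
    title: 5.2.3 | Ensure sudo log file exists | sudoers.d
    # Same capture-and-echo shape as 5.2.2; -s hides errors for an empty sudoers.d.
    exec: export LOG=`grep -q -Esi '^\s*Defaults\s+([^#]+,\s*)?logfile=' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $LOG == 0 ]];then echo OK ;fi
    exit-status: 0
    stdout:
      - 'OK'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.2.3
      CISv8:
        - 8.5
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
        - AU-12
{{ end }}
{{ end }}
# ---- /section_5/cis_5.2/cis_5.2.4.yml ----
---

# 5.2.4: no active NOPASSWD entry may exist in sudoers or sudoers.d.
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_5_2_4 }}
command:
  nopasswd_sudoers_d:
    title: 5.2.4 | Ensure users must provide password for escalation
    # The second grep drops lines that are commented out right after the
    # `<file>:` prefix; a comment with leading whitespace is still reported.
    exec: grep -R NOPASSWD /etc/sudoers /etc/sudoers.d/* | grep -v '.*\:#'
    exit-status:
      or:
        - 0
        - 1
    stdout: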
- '!/.*/' 15 | meta: 16 | server: 2 17 | workstation: 2 18 | CIS_ID: 19 | - 5.2.4 20 | CISv8: 21 | - 5.4 22 | CISv8_IG1: true 23 | CISv8_IG2: true 24 | CISv8_IG3: true 25 | NIST800-53R5: 26 | - AC-6 27 | {{ end }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /section_5/cis_5.2/cis_5.2.5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_2_5 }} 5 | command: 6 | authenticate_sudoers: 7 | title: 5.2.5 | Ensure re-authentication for privilege escalation is not disabled globally 8 | exec: 'grep -r "^[^#].*\!authenticate" /etc/sudoers*' 9 | exit-status: 10 | or: 11 | - 0 12 | - 1 13 | stdout: 14 | - '!/.*/' 15 | meta: 16 | server: 1 17 | workstation: 1 18 | CIS_ID: 19 | - 5.2.5 20 | CISv8: 21 | - 5.4 22 | CISv8_IG1: true 23 | CISv8_IG2: true 24 | CISv8_IG3: true 25 | NIST800-53R5: 26 | - AC-6 27 | {{ end }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /section_5/cis_5.2/cis_5.2.6.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_5_2_6 }} 5 | command: 6 | sudo_timeout: 7 | title: 5.2.6 | Ensure sudo authentication timeout is configured correctly 8 | exec: grep -rP "timestamp_timeout=\K[0-9]*" /etc/sudoers* 9 | exit-status: 0 10 | stdout: 11 | - '!/timestamp_timeout=(-1|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})/' 12 | - '/timestamp_timeout=([5-9]|1[0-5])/' 13 | meta: 14 | server: 1 15 | workstation: 1 16 | CIS_ID: 17 | - 5.2.6 18 | CISv8: 19 | - 5.4 20 | CISv8_IG1: true 21 | CISv8_IG2: true 22 | CISv8_IG3: true 23 | NIST800-53R5: NA 24 | {{ end }} 25 | {{ end }} 26 | -------------------------------------------------------------------------------- /section_5/cis_5.2/cis_5.2.7.yml: 
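# continuation: /section_5/cis_5.2/cis_5.2.7.yml (path header on the previous chunk line)
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_2_7 }}
file:
  restrict_su:
    title: 5.2.7 | Ensure access to the su command is restricted
    path: /etc/pam.d/su
    exists: true
    contents:
      # pam_wheel must be "required" and tied to the configured su group
      - '/^auth.*required.*pam_wheel.so\suse_uid\sgroup={{ .Vars.rhel9cis_sugroup }}/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.2.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
command:
  sugroup_etc_group:
    title: 5.2.7 | Ensure access to the su command is restricted
    # Anchored on the group name so a group that merely contains the name as a substring is
    # not picked up (the original grep was unanchored).
    exec: grep -E '^{{ .Vars.rhel9cis_sugroup }}:' /etc/group
    exit-status: 0
    stdout:
      # the su group must exist and have an empty member list
      - '/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:$/'
      # the original negative pattern required a fourth ":" - which a group line never has -
      # so it tested nothing; this one fails when the member field is non-empty
      - '!/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:.+/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.2.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.1/cis_5.3.1.1.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_1_1 }}
command:
  pam_version:
    title: 5.3.1.1 | Ensure latest version of pam is installed
    exit-status: 0
    # Pins a point-in-time build. The original "pam-1.5.1-(19|2)" left the dots unescaped and
    # also accepted release 2 (older than 19); this accepts release 19 or 20+. A newer upstream
    # version (1.5.2, 1.6, ...) still requires this pattern to be updated.
    exec: 'rpm -q pam | grep -E "^pam-1\.5\.1-(19|[2-9][0-9]|[1-9][0-9]{2,})\."'
    stdout:
      - '/^pam-1\.5\.1-(19|[2-9][0-9]|[1-9][0-9]{2,})\./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.1.1
      CISv8:
        - 5.4
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.1/cis_5.3.1.2.yml (body on the next chunk line) =====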
# continuation: /section_5/cis_5.3.1/cis_5.3.1.2.yml (path header on the previous chunk line)
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_1_2 }}
package:
  authselect_version:
    title: 5.3.1.2 | Ensure latest version of authselect is installed
    installed: true
    name: authselect
    versions:
      # version floor at the time the check was written
      semver-constraint: ">1.2.6-1"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.1.2
      CISv8:
        - 5.4
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.1/cis_5.3.1.3.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_1_3 }}
package:
  libpwquality:
    title: 5.3.1.3 | Ensure latest version of libpwquality is installed
    installed: true
    name: libpwquality
    versions:
      # version floor at the time the check was written
      semver-constraint: ">1.4.4-7"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.1.3
      CISv8:
        - 5.4
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.2/cis_5.3.2.2.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_2_2 }}
file:
  passwd_auth_faillock:
    title: 5.3.2.2 | Ensure pam_faillock module is enabled
    path: /etc/pam.d/password-auth
    exists: true
    # pam_faillock must be wired into both the auth (preauth + authfail) and account stacks
    contents:
      - '/auth\s+required\s+pam_faillock.so preauth silent/'
      - '/auth\s+required\s+pam_faillock.so authfail/'
      - '/account\s+required\s+pam_faillock.so/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.2
      CISv8: 4.1
# continuation of /section_5/cis_5.3.2/cis_5.3.2.2.yml (meta of file.passwd_auth_faillock onward)
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
  system_auth_faillock:
    title: 5.3.2.2 | Ensure pam_faillock module is enabled
    path: /etc/pam.d/system-auth
    exists: true
    # same three stack entries as the password-auth check
    contents:
      - '/auth\s+required\s+pam_faillock.so preauth silent/'
      - '/auth\s+required\s+pam_faillock.so authfail/'
      - '/account\s+required\s+pam_faillock.so/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.2
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.2/cis_5.3.2.3.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_2_3 }}
file:
  passwd_auth_pwquality:
    title: 5.3.2.3 | Ensure pam_pwquality module is enabled
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # NOTE(review): this also insists on the local_users_only argument, which is stricter
      # than "module present"; confirm that is intended for the targeted benchmark version
      - '/password\s+requisite\s+pam_pwquality.so local_users_only/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.3
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  system_auth_pwquality:
    title: 5.3.2.3 | Ensure pam_pwquality module is enabled
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '/password\s+requisite\s+pam_pwquality.so local_users_only/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.3
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.2/cis_5.3.2.4.yml (the rule guard is split across chunk lines) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if
.Vars.rhel9cis_rule_5_3_2_4 }}
# (above: tail of the rule guard opened on the previous chunk line; /section_5/cis_5.3.2/cis_5.3.2.4.yml)
file:
  passwd_auth_pwhistory:
    title: 5.3.2.4 | Ensure pam_pwhistory module is enabled
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # pwhistory in the password stack, carrying the already-entered token
      - '/password\s+(required|requisite)\s+pam_pwhistory.so use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.4
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  system_auth_pwhistory:
    title: 5.3.2.4 | Ensure pam_pwhistory module is enabled
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '/password\s+(required|requisite)\s+pam_pwhistory.so use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.4
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml =====
---

# NOTE(review): the rhel9cis_level_1 guard is duplicated below (and closed by three {{ end }}
# on the next chunk line); harmless, but one {{ if }}/{{ end }} pair is redundant.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_1_1 }}
file:
  faillock_attempts_deny:
    title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
    path: /etc/security/faillock.conf
    exists: true
    contents:
      # deny must be 1..5; a second, looser deny line fails the check
      - '/^deny\s*=\s*[1-5]$/'
      - '!/^deny\s*=\s*([6-9]|[0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.1.1
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
command:
  faillock_attempts_deny_removed:
    title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
    # a deny= argument on the pam_faillock.so line would override faillock.conf; expect none
    exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?deny\b' /etc/pam.d/system-auth /etc/pam.d/password-auth
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - '!/.*/'
    meta:
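# continuation of /section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml (meta of command.faillock_attempts_deny_removed onward)
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.1.1
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml =====
---

# NOTE(review): the rhel9cis_level_1 guard is duplicated; harmless, one pair is redundant.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_1_2 }}
file:
  faillock_unlock_time:
    title: 5.3.3.1.2 | Ensure password unlock time is configured
    path: /etc/security/faillock.conf
    exists: true
    contents:
      # NOTE(review): this accepts 1..900 and rejects 901+; the benchmark text reads as
      # "0 (never) or 900 seconds or more", which would invert the threshold - confirm
      # against the pinned benchmark version before relying on this check.
      - '/^unlock_time\s*=\s*([1-9]|[1-9][0-9]|[1-8][0-9]{1,2}|900)$/'
      - '!/^unlock_time\s*=\s*(90[1-9]|9[1-9][0-9]|[1-9][0-9][0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.1.2
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
command:
  faillock_unlock_time_removed:
    title: 5.3.3.1.2 | Ensure password unlock time is configured
    # an unlock_time= argument on the pam_faillock.so line would override faillock.conf;
    # grep -l exits 1 when neither file carries one (a missing file would exit 2 and fail)
    exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?unlock_time\b' /etc/pam.d/system-auth /etc/pam.d/password-auth
    exit-status: 1
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.1.2
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml =====
---

# NOTE(review): wrapped in both level_1 and level_2, so it is skipped when only
# rhel9cis_level_2 is set; sibling L2 rules (5.2.4, 5.4.3.1) use level_2 alone.
# The three matching {{ end }} are on the next chunk line.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_5_3_3_1_3 }}
file:
  faillock_even_root:
    # title corrected: it was copy-pasted from 5.3.3.1.2 ("unlock time"), while the test key
    # and the even_deny_root / root_unlock_time pattern it carries are about root lockout
    title: 5.3.3.1.3 | Ensure password failed attempts lockout includes root account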
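# continuation of /section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml (file.faillock_even_root, path onward)
    path: /etc/security/faillock.conf
    exists: true
    contents:
      # either even_deny_root, or root_unlock_time of 60 seconds or more; the original upper
      # bound "[1-3][0-9]{2,2}" capped it at 399 and so failed common values such as 900
      - '/^(even_deny_root|root_unlock_time\s*=\s*([6-9][0-9]|[1-9][0-9]{2,}))/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 5.3.3.1.3
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
command:
  faillock_even_root_removed:
    title: 5.3.3.1.3 | Ensure password failed attempts lockout includes root account
    # these arguments on the pam_faillock.so line would override faillock.conf; expect none
    exec: grep -Pl -- '\bpam_faillock\.so\s+([^#\n\r]+\s+)?(even_deny_root|root_unlock_time)' /etc/pam.d/system-auth /etc/pam.d/password-auth
    exit-status: 1
    stdout:
      - '!/.*/'
    meta:
      # level 2, matching the file check above (the original said 1 here)
      server: 2
      workstation: 2
      CIS_ID:
        - 5.3.3.1.3
      CISv8:
        - 6.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_2_7 }}
command:
  password_quality_enforce_root:
    title: 5.3.3.2.7 | Ensure password quality checking is enforced
    # enforce_for_root must appear uncommented in pwquality.conf or a .conf drop-in;
    # exit 1 (no match) is tolerated only so the stdout check produces the failure
    exec: grep -Psi -- '^\s*enforce_for_root\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - '/.*\:enforce_for_root/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.2.7
      CISv8:
        - 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml (the rule guard is split across chunk lines) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_3_1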
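}}
# (above: tail of the rule guard opened on the previous chunk line; /section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml)
file:
  pwhistory_remember:
    title: 5.3.3.3.1 | Ensure password history remember is configured
    path: /etc/security/pwhistory.conf
    exists: true
    contents:
      # remember must be 24 or more; the original "(2[4-9]|[3-9][0-9])" stopped at 99
      - '/^remember\s*=\s*(2[4-9]|[3-9][0-9]|[1-9][0-9]{2,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.3.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
command:
  pwhistory_remember_pam_configs:
    title: 5.3.3.3.1 | Ensure password history remember is configured | pam_configs
    # a remember= below 24 on the pam_pwhistory.so line would override pwhistory.conf
    exec: grep -Pi -- '^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=(2[0-3]|1[0-9]|[0-9])\b' /etc/pam.d/system-auth /etc/pam.d/password-auth
    exit-status:
      or:
        - 0
        - 1
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.3.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_3_2 }}
file:
  pwhistory_enforce_for_root:
    title: 5.3.3.3.2 | Ensure password history is enforced for the root user
    path: /etc/security/pwhistory.conf
    exists: true
    contents:
      - '/^enforce_for_root/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.3.2
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml (continues on the next chunk line) =====
---

{{ if .Vars.rhel9cis_level_1 }}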
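# continuation of /section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml (rule guard onward)
{{ if .Vars.rhel9cis_rule_5_3_3_3_3 }}
file:
  pwhistory_use_authtok_password-auth:
    title: 5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok | password-auth
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.3.3
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  pwhistory_use_authtok_system-auth:
    title: 5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok | system-auth
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.3.3
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_4_1 }}
file:
  pam_unix_nullok_password-auth:
    title: 5.3.3.4.1 | Ensure pam_unix does not include nullok | password-auth
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # no active pam_unix.so line may carry nullok; "^\s*[^#\s]" skips commented-out lines,
      # which the original ".*pam_unix.so.*nullok" wrongly counted as findings
      - '!/^\s*[^#\s].*pam_unix\.so.*nullok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  pam_unix_nullok_system-auth:
    title: 5.3.3.4.1 | Ensure pam_unix does not include nullok | system-auth
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '!/^\s*[^#\s].*pam_unix\.so.*nullok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.1
      CISv8: 5.2
      CISv8_IG1: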
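# continuation of /section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml (value of CISv8_IG1 in file.pam_unix_nullok_system-auth.meta onward)
        true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_4_2 }}
file:
  pam_unix_remember_password-auth:
    title: 5.3.3.4.2 | Ensure pam_unix does not include remember | password-auth
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # no active pam_unix.so line may carry remember (history belongs to pam_pwhistory);
      # "^\s*[^#\s]" skips commented-out lines, which the original pattern counted as findings
      - '!/^\s*[^#\s].*pam_unix\.so.*remember/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.2
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  pam_unix_remember_system-auth:
    title: 5.3.3.4.2 | Ensure pam_unix does not include remember | system-auth
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '!/^\s*[^#\s].*pam_unix\.so.*remember/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.2
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_4_3 }}
file:
  pam_unix_strong_password_password-auth:
    title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm | password-auth
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # the password-stack pam_unix line must select yescrypt or sha512
      - '/password\s+.*\s+pam_unix.so.*(yescrypt|sha512)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.3
      CISv8: 3.11
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA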
# continuation of /section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml (second file test onward)
  pam_unix_strong_password_system-auth:
    title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm | system-auth
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      # the password-stack pam_unix line must select yescrypt or sha512
      - '/password\s+.*\s+pam_unix.so.*(yescrypt|sha512)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.3
      CISv8: 3.11
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_3_4_4 }}
file:
  pam_unix_use_authtok_password-auth:
    title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok | password-auth
    path: /etc/pam.d/password-auth
    exists: true
    contents:
      # pam_unix in the password stack must reuse the token already validated by pwquality
      - '/password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.4
      CISv8: 3.11
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  pam_unix_use_authtok_system-auth:
    title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok | system-auth
    path: /etc/pam.d/system-auth
    exists: true
    contents:
      - '/password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.3.4.4
      CISv8: 3.11
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.1/cis_5.4.1.2.yml (continues on the next chunk line) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_1_2 }}
file:
  login_defs_min_days:
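# continuation of /section_5/cis_5.4.1/cis_5.4.1.2.yml (file.login_defs_min_days, title onward)
    title: 5.4.1.2 | Ensure minimum password days is configured
    path: /etc/login.defs
    exists: true
    contents:
      # PASS_MIN_DAYS must be 1 or more
      - '/^PASS_MIN_DAYS\s[1-9]/'
      - '!/^PASS_MIN_DAYS\s0/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.2
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
command:
  check_users_MIN_DAYS:
    title: 5.4.1.2 | Ensure minimum password days is configured | check users
    # user:min_days for every account that has a password (field 2 not "!"/"*").
    # The pipeline's status is cut's, so exit 0 even when grep finds nothing.
    exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,4"
    exit-status: 0
    stdout:
      # fail any account whose min-days field is empty or 0. The original used "!/.*/"
      # (no output at all), which fails on every host that has even one password-bearing
      # account, including root.
      - '!/^[^:]+:0?$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.2
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.1/cis_5.4.1.3.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_1_3 }}
file:
  login_defs_warn_age:
    title: 5.4.1.3 | Ensure password expiration warning days is configured
    path: /etc/login.defs
    exists: true
    contents:
      # must equal the configured value, which itself must be 7 or more
      - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass_warn_age }}$/'
      - '/^PASS_WARN_AGE\s+(7|[1-9][0-9]{1,3})$/'
      - '!/^PASS_WARN_AGE\s+[1-6]$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.3
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
command:
  # key kept for report continuity; despite the name this reads shadow field 6 (warn days)
  check_users_MAX_DAYS:
    title: 5.4.1.3 | Ensure password expiration warning days is configured | check_users
    exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,6"
    exit-status: 0
    stdout:
      # fail any account whose warn-days field is empty or below 7; the original negative
      # pattern "[1-6]$" let an unset or 0 field pass
      - '!/^[^:]+:[0-6]?$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.3
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: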
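# continuation of /section_5/cis_5.4.1/cis_5.4.1.3.yml (value of CISv8_IG2 in command.check_users_MAX_DAYS.meta onward)
        true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.1/cis_5.4.1.4.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_1_4 }}
file:
  login_defs_hashing:
    # title corrected: it was copy-pasted from 5.4.1.3 ("expiration warning days") while
    # the check is the ENCRYPT_METHOD hashing algorithm
    title: 5.4.1.4 | Ensure strong password hashing algorithm is configured
    path: /etc/login.defs
    exists: true
    contents:
      - '/^ENCRYPT_METHOD (SHA512|YESCRYPT)/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.4
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.1/cis_5.4.1.5.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_1_5 }}
command:
  inactive_passwd:
    title: 5.4.1.5 | Ensure inactive password lock is configured
    # default for new accounts, 1..45 days
    exec: useradd -D | grep INACTIVE
    exit-status: 0
    stdout:
      # anchored at both ends - the original had no "$", so INACTIVE=100 passed via its "1"
      - '/^INACTIVE=([1-9]|[1-3][0-9]|4[0-5])$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.5
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
  inactive_users:
    title: 5.4.1.5 | Ensure inactive password lock is configured
    # user:inactive for every password-bearing account; an unset field prints as "user:"
    exec: "grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1,7"
    exit-status: 0
    stdout:
      # fail on unset, 0, negative, or anything above 45 days; the original patterns were
      # unanchored substring matches that let 50-499 through
      - '!/^[^:]+:(0|-[0-9]+|4[6-9]|[5-9][0-9]|[1-9][0-9]{2,})?$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.5
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}
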
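# ===== /section_5/cis_5.4.1/cis_5.4.1.6.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_1_6 }}
command:
  passwd_chg_past:
    title: 5.4.1.6 | Ensure all users last password change date is in the past
    # shadow field 3 is the last-change day count since the epoch; compare it with today's
    # count. The original ran chage per user and compared its text date with $(date) using
    # the string operator ">", which is a lexical comparison and not a date comparison.
    # An empty field (never changed) or 0 (change at next login) never compares greater.
    exec: "awk -F: -v today=\"$(( $(date +%s) / 86400 ))\" '$3 > today { print \"Failed \" $1 }' /etc/shadow"
    exit-status: 0
    stdout:
      - '!/Failed/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.1.6
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.1.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_1 }}
command:
  uid_0_check:
    title: 5.4.2.1 | Ensure root is the only UID 0 account
    # prints "root" for root and a tagged line for any other UID-0 account, so the stdout
    # checks can demand the former and forbid the latter. The original "!/[^root]/" was a
    # character class (not r/o/t), which let names such as "toor" pass.
    exec: "awk -F: '($3 == 0) { print ($1 == \"root\" ? \"root\" : \"OTHER_UID0:\" $1) }' /etc/passwd"
    exit-status: 0
    stdout:
      - '/^root$/'
      - '!/OTHER_UID0/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.1
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.2.yml (the exec string continues on the next chunk line) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_2 }}
command:
  gid_0_check:
    title: 5.4.2.2 | Ensure root is the only GID 0 account
    exec: "awk -F: '($1 !~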
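/^(sync|shutdown|halt|operator)/ && $4 == 0) {print ($1 == \"root\" ? \"root:0\" : \"OTHER_GID0:\" $1 \":\" $4)}' /etc/passwd"
    # (above: tail of the exec opened on the previous chunk line; /section_5/cis_5.4.2/cis_5.4.2.2.yml)
    # sync/shutdown/halt/operator legitimately carry GID 0 and are excluded. Other GID-0
    # accounts print a tagged line. The original "'/[^root]/'" was a *positive* class match
    # that every "root:0" line satisfied, so nothing was ever rejected.
    exit-status: 0
    stdout:
      - '/^root:0$/'
      - '!/OTHER_GID0/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.2
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.3.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_3 }}
command:
  group_root_only_0:
    title: 5.4.2.3 | Ensure group root is the only GID 0 group
    # a second GID-0 group prints a tagged line; the original only asked that "root:0" be
    # present, which a second group did not disturb
    exec: "awk -F: '$3 == 0 {print ($1 == \"root\" ? \"root:0\" : \"OTHER_GID0:\" $1 \":\" $3)}' /etc/group"
    exit-status: 0
    stdout:
      - '/^root:0$/'
      - '!/OTHER_GID0/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.3
      CISv8: NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.4.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_4 }}
command:
  root_passwd_set:
    title: 5.4.2.4 | Ensure root account access is controlled
    # passwd -S status: P* = password set, L* = locked; both control access. The original
    # accepted only P, failing hosts that deliberately lock root.
    exec: "passwd -S root | awk '$2 ~ /^(P|L)/ {print \"OK Password\"}'"
    exit-status: 0
    stdout: ['OK Password']
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.5.yml (body on the next chunk line) =====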
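# continuation: /section_5/cis_5.4.2/cis_5.4.2.5.yml (path header on the previous chunk line)
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_5 }}
command:
  root_path_check:
    title: 5.4.2.5 | Ensure root PATH Integrity
    # Splits root's login PATH on ":" and tags every empty or relative entry (".", "", a
    # trailing ":"). The original sed pass rewrote "::" and a trailing ":" away before
    # checking, i.e. it removed exactly the findings it was meant to detect, and its
    # "!/\\./" pattern matched a literal backslash rather than a dot. Ownership and
    # write permission of each directory are not covered here.
    exec: "/bin/bash --login -c 'echo \"$PATH\"' | awk -F: '{ for (i = 1; i <= NF; i++) if ($i == \"\" || $i !~ /^\\//) print \"BAD_ENTRY:\" i \":\" $i }'"
    exit-status: 0
    stdout:
      - '!/BAD_ENTRY/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.5
      CISv8: NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.6.yml =====
---


{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_6 }}
command:
  root_umask_bash_profile:
    title: 5.4.2.6 | Ensure root user umask is configured
    # grep exits non-zero (failing the test) if either file is missing or has no umask line
    exec: grep -i umask /root/.bash_profile /root/.bashrc
    exit-status: 0
    stdout:
      # 027 or more restrictive: group digit >= 2, other digit 7, with or without the leading
      # digit. The original "00(2|7)7" required four digits and rejected "umask 027".
      - '/(?i):\s*umask\s+[0-7]?[0-7][2-7]7\b/'
      # any less restrictive setting alongside it fails the check
      - '!/(?i):\s*umask\s+([0-7][0-7][01][0-7]|[0-7][0-7][0-7][0-6]|[0-7][01][0-7]|[0-7][0-7][0-6])\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.6
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.2/cis_5.4.2.7.yml (continues on the next chunk line) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_2_7 }}
command:
  secure_system_accts:
    title: 5.4.2.7 | Ensure system accounts do not have a valid login shell
    # system accounts (UID below 1000) other than the listed exemptions must use nologin or
    # false. Exemptions are anchored to the user-name field and shells to line end; the
    # original "grep -Ev 'root|sync|...'" excluded any line containing those substrings
    # anywhere. NOTE(review): 1000 is assumed to equal UID_MIN in /etc/login.defs.
    exec: "awk -F: '$3 < 1000' /etc/passwd | grep -Ev '^(root|sync|halt|shutdown|nfsnobody):|(/usr)?/sbin/nologin$|/bin/false$'"
    exit-status: 1
    stdout:
      - '!/./'
    meta: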
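# continuation of /section_5/cis_5.4.2/cis_5.4.2.7.yml (meta of command.secure_system_accts onward)
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.2.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-2(5)
        - AC-3
        - AC-11
        - MP-2
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.3/cis_5.4.3.1.yml =====
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_5_4_3_1 }}
file:
  nologin_not_in_shells:
    title: 5.4.3.1 | Ensure nologin is not listed in /etc/shells
    exists: true
    path: /etc/shells
    contents:
      - '!/.*nologin/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 5.4.3.1
      CISv8: NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.3/cis_5.4.3.2.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_3_2 }}
command:
  check_timeout:
    title: 5.4.3.2 | Ensure default user shell timeout is configured
    # TMOUT lines from the profile files, file-name prefix stripped. The original listed
    # /etc/profile.d/*.sh twice, which merely duplicated every line.
    exec: 'grep TMOUT /etc/profile /etc/profile.d/*.sh | cut -d ":" -f2'
    exit-status: 0
    stdout:
      - '/^(readonly |)TMOUT/'
      # 1..900 seconds; the original "[1-8][0-9]{0,2}|900" left out 9 and 90-99
      - '/TMOUT=([1-8][0-9]{0,2}|9[0-9]?|900)$/'
      - '/export TMOUT/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.3.2
      CISv8: 4.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}

# ===== /section_5/cis_5.4.3/cis_5.4.3.3.yml (continues on the next chunk line) =====
---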
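# continuation of /section_5/cis_5.4.3/cis_5.4.3.3.yml (after the document marker)

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_4_3_3 }}
command:
  umask_profile_scripts:
    title: 5.4.3.3 | Ensure default user umask is configured
    # every uncommented umask line from the profile files and login.defs, prefix stripped
    exec: 'grep -i "^\s*umask" /etc/profile /etc/profile.d/*.sh /etc/login.defs | cut -d ":" -f 2'
    exit-status: 0
    stdout:
      # 027 or more restrictive (group digit >= 2, other digit 7), 3- or 4-digit form;
      # the original "00[2-7][7]" rejected the 3-digit "umask 027"
      - '/(?i)^\s*umask\s+[0-7]?[0-7][2-7]7\b/'
      # no less restrictive umask may remain in any of the files; the original negative
      # pattern "[7][0-1][0-6]" matched none of the real-world values (022, 002, ...)
      - '!/(?i)^\s*umask\s+([0-7][0-7][01][0-7]|[0-7][0-7][0-7][0-6]|[0-7][01][0-7]|[0-7][0-7][0-6])\b/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.4.3.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}

# ===== /section_6/cis_6.1/cis_6.1.1.yml =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_1_1 }}
package:
  aide_installed:
    title: 6.1.1 | Ensure AIDE is installed
    installed: true
    name: aide
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.1.1
      CISv8:
        - 3.14
      CISv8_IG1: false
      CISv8_IG2: false
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
{{ end }}
{{ end }}

# ===== /section_6/cis_6.1/cis_6.1.3.yml (the last stdout entry continues on the next chunk line) =====
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_1_3 }}
command:
  audit_bins_crypto_aide:
    title: 6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools
    # each audit binary must be listed in aide.conf with the full attribute set incl. sha512.
    # Exit 2 (grep error, e.g. no /etc/aide.conf) is tolerated only so the failure is
    # reported by the stdout checks rather than the exit status.
    exec: grep /sbin/au /etc/aide.conf
    exit-status:
      or:
        - 0
        - 2
    stdout:
      - '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512'
      - '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512'
      - '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512'
      - '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512'
      - '/sbin/autrace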
p+i+n+u+g+s+b+acl+xattrs+sha512' 19 | - '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512' 20 | meta: 21 | server: 1 22 | workstation: 1 23 | CIS_ID: 24 | - 6.1.3 25 | CISv8: 26 | - 3.14 27 | CISv8_IG1: false 28 | CISv8_IG2: false 29 | CISv8_IG3: true 30 | {{ end }} 31 | {{ end }} 32 | 33 | -------------------------------------------------------------------------------- /section_6/cis_6.2.2.x/cis_6.2.2.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_6_2_2_1_1 }} 5 | package: 6 | systemd-journal-remote: 7 | title: 6.2.2.1.1 | Ensure systemd-journal-remote is installed 8 | installed: true 9 | meta: 10 | server: 1 11 | workstation: 1 12 | CIS_ID: 13 | - 6.2.2.1.1 14 | CISv8: 8.2 15 | CISv8_IG1: true 16 | CISv8_IG2: true 17 | CISv8_IG3: true 18 | NIST800-53R5: 19 | - AU-2 20 | - AU-7 21 | - AU-12 22 | {{ end }} 23 | {{ end }} 24 | -------------------------------------------------------------------------------- /section_6/cis_6.2.2.x/cis_6.2.2.1.2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | {{ if .Vars.rhel9cis_level_1 }} 4 | {{ if .Vars.rhel9cis_rule_6_2_2_1_2 }} 5 | file: 6 | journald_remote_config: 7 | title: 6.2.2.1.2 | Ensure systemd-journal-upload authentication is configured 8 | path: /etc/systemd/journal-upload.conf 9 | exists: true 10 | contents: 11 | - '/^URL=/' 12 | - '/ServerKeyFile=.*.pem' 13 | - '/ServerCertificateFile=.*.pem' 14 | - '/TrustedCertificateFile=.*.pem' 15 | meta: 16 | server: 1 17 | workstation: 1 18 | CIS_ID: 19 | - 6.2.2.1.2 20 | CISv8: 8.2 21 | CISv8_IG1: true 22 | CISv8_IG2: true 23 | CISv8_IG3: true 24 | NIST800-53R5: 25 | - AU-2 26 | - AU-12 27 | {{ end }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /section_6/cis_6.2.2.x/cis_6.2.2.1.3.yml: 
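--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_2_1_3 }}
service:
  systemd-journal-upload.service:
    title: 6.2.2.1.3 | Ensure systemd-journal-upload is enabled and active
    running: true
    enabled: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.1.3
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.2.x/cis_6.2.2.1.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_2_1_4 }}
service:
  systemd-journal-remote.socket:
    title: 6.2.2.1.4 | Ensure systemd-journal-remote service is not in use
    running: false
    enabled: false
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.1.4
      CISv8:
        - 4.8
        - 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-7
        - AU-12
command:
  journald_socket_masked:
    title: 6.2.2.1.4 | Ensure systemd-journal-remote service is not in use
    # "systemctl is-enabled" exits non-zero and prints "masked" for a masked unit,
    # hence the expected exit status of 1 alongside the stdout pattern
    exec: systemctl is-enabled systemd-journal-remote.socket
    exit-status: 1
    stdout:
      - '/^masked/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.1.4
      CISv8:
        - 4.8
        - 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-7
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.2.x/cis_6.2.2.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_2_2 }}
command:
  journald_syslog:
    title: 6.2.2.2 | Ensure journald ForwardToSyslog is disabled
    exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*
    exit-status: 0
    stdout:
      # accepts either an explicit "ForwardToSyslog=no" or the commented-out
      # "#ForwardToSyslog=no" form; the leading ".*:" is the grep file-name prefix
      - '/^.*:(?i)(|#)ForwardToSyslog\s*=\s*no/'
      # no file may set it to yes (a commented "#ForwardToSyslog=yes" does not match,
      # because ".*:" has to end right before the keyword)
      - '!/.*:(?i)ForwardToSyslog\s*=\s*yes/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.2
      CISv8:
        - 8.2
        - 8.9
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-6
        - AU-7
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.2.x/cis_6.2.2.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_2_3 }}
command:
  compress_journald_conf:
    title: 6.2.2.3 | Ensure journald Compress is configured
    exec: grep -i compress /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*
    exit-status: 0
    stdout:
      - '/^.*:(?i)Compress\s*=\s*yes/'
      - '!/^.*:(?i)Compress\s*=\s*no/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.3
      CISv8:
        - 8.2
        - 8.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-4
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.2.x/cis_6.2.2.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_2_4 }}
command:
  storage_journald_conf:
    title: 6.2.2.4 | Ensure journald Storage is configured
    exec: grep -i storage /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*
    exit-status: 0
    stdout:
      # whitespace around "=" is tolerated, as in the sibling journald checks; the
      # leading ".*:" keeps a commented-out "#Storage=..." line from matching
      - '/^.*:Storage\s*=\s*persistent/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.2.4
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_1 }}
package:
  rsyslog:
    title: 6.2.3.1 | Ensure rsyslog is installed
    installed: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.1
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-3
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_2 }}
service:
  rsyslog:
    title: 6.2.3.2 | Ensure rsyslog service is enabled and active
    running: true
    enabled: true
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.2
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-3
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_3 }}
command:
  forward_journald_conf:
    title: 6.2.3.3 | Ensure journald is not configured to send logs to rsyslog
    # the drop-in directory needs a glob (as in 6.2.2.2): grep does not descend into
    # a bare directory argument, it just reports an error for it
    exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*
    exit-status: 0
    stdout:
      # The previous pattern '!/^\.*:ForwardToSyslog/' anchored on a run of literal
      # dots followed by ":", which a "path:setting" line from grep never starts
      # with, so the negation was always satisfied and the check could not fail.
      # Fail on any uncommented ForwardToSyslog=yes; (?i) mirrors grep -i.
      - '!/^.*:(?i)ForwardToSyslog\s*=\s*yes/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.3
      CISv8:
        - 8.2
        - 8.9
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - AU-2
        - AU-4
        - AU-12
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_4 }}
command:
  perms_rsyslog_d:
    title: 6.2.3.4 | Ensure rsyslog default file permissions configured
    exec: 'grep -s ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:'
    exit-status: 0
    stdout:
      # at least one 06x0 setting (0640 or more restrictive) must be present ...
      - '/\$FileCreateMode 06[0-4]0/'
      # ... and no file may widen it: group write/exec, or any "other" bits
      - '!/\$FileCreateMode 06[6-7][0-7]/'
      - '!/\$FileCreateMode 06[0-7][1-7]/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.4
      CISv8:
        - 3.3
        - 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - AC-6
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.5.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_5 }}
file:
  /etc/rsyslog.conf:
    title: 6.2.3.5 | Ensure logging is configured
    exists: true
    contents:
      - '/^\*.emerg\s+:omusrmsg:\*/'
      - '/auth,authpriv.\*\s+/var/log/secure/'
      - '/^mail.\*\s+-/var/log/mail/'
      - '/^mail.info\s+-/var/log/mail.info/'
      - '/^mail.err\s+/var/log/mail.err/'
      - '/^cron.\*\s+/var/log/cron/'
      # The next three lines used "^*": an unescaped "*" applied to the "^" anchor,
      # which leaves the pattern unanchored instead of matching a literal asterisk.
      # Escaped as "\*" like the other selector lines so commented-out entries no
      # longer satisfy the check.
      - '/^\*.=warning;\*.=err\s+-/var/log/warn/'
      - '/^\*.crit\s+/var/log/warn/'
      - '/^\*\.\*;mail.none;news.none\s+/var/log/messages/'
      - '/^local0,local1.\*\s+-/var/log/localmessages/'
      - '/^local2,local3.\*\s+-/var/log/localmessages/'
      - '/^local4,local5.\*\s+-/var/log/localmessages/'
      - '/^local6,local7.\*\s+-/var/log/localmessages/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.5
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-7
        - AU-12
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_6 }}
# not evaluated on the host that is itself the remote log server
{{ if not .Vars.rhel9cis_remote_log_server }}
command:
  remote_syslog:
    title: 6.2.3.6 | Ensure rsyslog is configured to send logs to a remote host
    exec: 'grep -E "action.*omfwd.*target" /etc/rsyslog.conf /etc/rsyslog.d/*.conf'
    exit-status:
      or:
        - 0
        - 2
    stdout:
      # substring matches; the expected host/port/protocol come from the goss vars
      - '*.* action(type="omfwd" target="{{ .Vars.rhel9cis_remote_log_host }}" port="{{ .Vars.rhel9cis_remote_log_port }}"'
      - protocol="{{ .Vars.rhel9cis_remote_log_protocol }}"
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.6
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-6
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.2.3.x/cis_6.2.3.8.yml:
--------------------------------------------------------------------------------

---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_6_2_3_8 }}
command:
  rsyslog_logrotate:
    title: 6.2.3.8 | Ensure rsyslog logrotate is configured
    exec: grep -A9 "rsyslog/*.log" /etc/logrotate.conf /etc/logrotate.d/*
    exit-status:
      or:
        - 0
        - 1
        - 2
    stdout:
      # grep prefixes -A context lines with "file-" rather than "file:", so a
      # "rotate" directive following the matched stanza header only ever appears
      # behind "-"; the old '/.*: rotate/' could only match a rotate directive that
      # sat on the matched line itself
      - '/.*[-:]\s*rotate/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 6.2.3.8
      CISv8:
        - 4.8
        - 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-8
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.1.x/cis_6.3.1.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_1_1 }}
package:
  audit:
    title: 6.3.1.1 | Ensure auditd is installed | auditd
    installed: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.1
      CISv8:
        - 8.2
        - 8.5
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-3
        - AU-12
        - SI-5
  audit-libs:
    title: 6.3.1.1 | Ensure auditd is installed | audit-libs
    installed: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.1
      CISv8:
        - 8.2
        - 8.5
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-3
        - AU-12
        - SI-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.1.x/cis_6.3.1.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_1_2 }}
command:
  audit_default_grub:
    title: 6.3.1.2 | Ensure auditing for processes that start prior to auditd is enabled | config
    exec: grep audit= /etc/default/grub
    exit-status: 0
    stdout:
      # "audit=1" may be the first token inside the quotes, so accept a preceding
      # quote as well as whitespace; "\b" keeps e.g. audit=10 from matching
      - '/^GRUB_CMDLINE_LINUX=.*[\s"]audit=1\b.*/'
    meta:
      server: 2
      CIS_ID:
        - 6.3.1.2
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
  grubby_audit_1:
    title: 6.3.1.2 | Ensure auditing for processes that start prior to auditd is enabled | live
    # passes as soon as one installed boot entry carries audit=1 (goss stdout
    # patterns are satisfied by any single matching line)
    exec: grubby --info=ALL | grep -Po 'audit=1'
    exit-status: 0
    stdout:
      - '/^audit=1/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.2
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.1.x/cis_6.3.1.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_1_3 }}
command:
  audit_backlog_default_grub:
    title: 6.3.1.3 | Ensure audit_backlog_limit is sufficient | default
    exec: grep audit_backlog /etc/default/grub
    exit-status: 0
    stdout:
      # Accept any integer >= 8192.  The previous alternation contained
      # "8[2-9]{,2}" (Go's regexp engine does not parse "{,n}" as a repeat and
      # treats it as literal text) and "[1-9]{5,9}" (rejects any value with a 0
      # digit, e.g. 10000 or 20480), so several valid settings failed the check.
      - '/^GRUB_CMDLINE_LINUX=.*[\s"]audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,})\b.*/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.3
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-12
        - SI-5
  audit_backlog_live:
    title: 6.3.1.3 | Ensure audit_backlog_limit is sufficient | live
    # same threshold applied to the installed boot entries, mirroring the
    # config/live pair used by 6.3.1.2
    exec: grubby --info=ALL | grep -Po 'audit_backlog_limit=\d+'
    exit-status: 0
    stdout:
      - '/^audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,})$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.3
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-12
        - SI-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.1.x/cis_6.3.1.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_1_4 }}
service:
  auditd:
    title: 6.3.1.4 | Ensure auditd service is enabled and active
    enabled: true
    running: true
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.1.4
      CISv8: 8.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-12
        - SI-5
{{ end }}
{{ end }}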
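--------------------------------------------------------------------------------
/section_6/cis_6.3.2.x/cis_6.3.2.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_2_1 }}
command:
  max_log_auditd_conf:
    title: 6.3.2.1 | Ensure audit log storage size is configured
    # the grep also returns max_log_file_action; the anchored pattern below only
    # accepts the size line, and requires at least two digits (>= 10)
    exec: grep max_log_file /etc/audit/auditd.conf
    exit-status: 0
    stdout:
      - '/^max_log_file = \d\d+/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.2.1
      CISv8: 8.3
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-8
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.2.x/cis_6.3.2.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_2_2 }}
command:
  max_log_action_auditd_conf:
    title: 6.3.2.2 | Ensure audit logs are not automatically deleted
    exec: grep max_log_file_action /etc/audit/auditd.conf
    exit-status: 0
    stdout:
      - 'max_log_file_action = keep_logs'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.2.2
      CISv8: 8.3
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-8
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.2.x/cis_6.3.2.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_2_3 }}
command:
  logs_full_auditd_conf:
    title: 6.3.2.3 | Ensure system is disabled when audit logs are full
    exec: grep -E "disk.*action" /etc/audit/auditd.conf
    exit-status: 0
    stdout:
      - '/disk_full_action\s*=\s*(halt|single)/'
      - '/disk_error_action\s*=\s*(syslog|halt|single)/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.2.3
      CISv8:
        - 8.2
        - 8.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-8
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.2.x/cis_6.3.2.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_2_4 }}
command:
  logs_low_space_auditd_conf:
    title: 6.3.2.4 | Ensure system warns when audit logs are low on space
    # matches both space_left_action and admin_space_left_action
    exec: grep space_left_action /etc/audit/auditd.conf
    exit-status: 0
    stdout:
      - '/space_left_action\s*=\s*(email|exec|single|halt)/'
      - '/admin_space_left_action\s*=\s*(halt|single)/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.2.4
      CISv8:
        - 8.2
        - 8.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-2
        - AU-8
        - AU-12
        - SI-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_1 }}
command:
  auditd_admin_scope_cnf:
    title: 6.3.3.1 | Ensure changes to system administration scope (sudoers) is collected | conf_check
    exec: grep scope /etc/audit/rules.d/*.rules
    exit-status: 0
    stdout:
      # anchored just after grep's "file:" prefix so that a commented-out rule
      # ("#-w /etc/sudoers ...") no longer satisfies the on-disk check
      - '/^[^:]*:-w /etc/sudoers -p wa -k scope\s*$/'
      - '/^[^:]*:-w /etc/sudoers.d -p wa -k scope\s*$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.1
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
  auditd_admin_scope_live:
    title: 6.3.3.1 | Ensure changes to system administration scope (sudoers) is collected | running
    exec: auditctl -l | grep scope
    exit-status: 0
    stdout:
      - '-w /etc/sudoers -p wa -k scope'
      - '-w /etc/sudoers.d -p wa -k scope'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.1
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.11.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_11 }}
command:
  auditd_sessions_cnf:
    title: 6.3.3.11 | Ensure session initiation information is collected | conf check
    exec: grep session /etc/audit/rules.d/*.rules
    exit-status: 0
    stdout:
      # anchored just after grep's "file:" prefix so that a commented-out rule
      # no longer satisfies the on-disk check
      - '/^[^:]*:-w /var/run/utmp -p wa -k session\s*$/'
      - '/^[^:]*:-w /var/log/wtmp -p wa -k session\s*$/'
      - '/^[^:]*:-w /var/log/btmp -p wa -k session\s*$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.11
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
  auditd_session_live:
    title: 6.3.3.11 | Ensure session initiation information is collected | running
    exec: auditctl -l | grep session
    exit-status: 0
    stdout:
      - '-w /var/run/utmp -p wa -k session'
      - '-w /var/log/wtmp -p wa -k session'
      - '-w /var/log/btmp -p wa -k session'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.11
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.12.yml: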
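--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_12 }}
command:
  auditd_logins_cnf:
    title: 6.3.3.12 | Ensure login and logout events are collected | conf check
    exec: grep logins /etc/audit/rules.d/*.rules
    exit-status: 0
    stdout:
      # anchored just after grep's "file:" prefix so that a commented-out rule
      # no longer satisfies the on-disk check
      - '/^[^:]*:-w /var/run/faillock -p wa -k logins\s*$/'
      - '/^[^:]*:-w /var/log/lastlog -p wa -k logins\s*$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.12
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
  auditd_logins_live:
    title: 6.3.3.12 | Ensure login and logout events are collected | running
    exec: auditctl -l | grep logins
    exit-status: 0
    stdout:
      - '-w /var/run/faillock -p wa -k logins'
      - '-w /var/log/lastlog -p wa -k logins'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.12
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.20.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_20 }}
command:
  auditd_immutable:
    title: 6.3.3.20 | Ensure the audit configuration is immutable
    # "--" stops grep from parsing "-e 2" as its own -e option, which turned the
    # search pattern into " 2" and matched unrelated rule lines.  The stdout
    # pattern is anchored after grep's "file:" prefix so a commented-out "#-e 2"
    # does not count.
    exec: 'grep -- "-e 2" /etc/audit/rules.d/*.rules | tail -1'
    exit-status: 0
    stdout:
      - '/^[^:]*:-e 2\s*$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.20
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - AU-3
        - MP-2
  auditd_immutable_live:
    title: 6.3.3.20 | Ensure the audit configuration is immutable | running
    # the kernel reports "enabled 2" once the immutable flag has been applied;
    # on-disk "-e 2" alone does not prove the running configuration is locked
    exec: auditctl -s | grep enabled
    exit-status: 0
    stdout:
      - '/^enabled 2$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.20
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - AU-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.21.yml: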
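--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_21 }}
command:
  auditd_conf_vs_live:
    title: 6.3.3.21 | Ensure the running and on disk configuration is the same
    exec: /usr/sbin/augenrules --check
    exit-status: 0
    stdout:
      - '/^\/usr\/sbin\/augenrules: No change/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.21
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_3 }}
command:
  auditd_sudolog_cnf:
    title: 6.3.3.3 | Ensure events that modify the sudo log file are collected | conf_check
    exec: grep sudo_log /etc/audit/rules.d/*.rules
    exit-status: 0
    stdout:
      # anchored just after grep's "file:" prefix so that a commented-out rule
      # no longer satisfies the on-disk check
      - '/^[^:]*:-w /var/log/sudo.log -p wa -k sudo_log_file\s*$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.3
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
  auditd_sudolog_live:
    title: 6.3.3.3 | Ensure events that modify the sudo log file are collected | running
    exec: auditctl -l | grep sudo_log
    exit-status: 0
    stdout:
      - '-w /var/log/sudo.log -p wa -k sudo_log_file'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.3
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.3.x/cis_6.3.3.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_3_6 }}
command:
  auditd_priv_cmds_cnf:
    title: 6.3.3.6 | Ensure use of privileged commands is collected | Manual Check Required
    # deliberately always fails: the echoed text contains "Manual", which the
    # negated pattern forbids, so the item is surfaced for manual review
    exec: echo "Manual - Please investigate privilege commands are collected as per documentation"
    exit-status: 0
    stdout:
      - '!/Manual/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.3.6
      CISv8: 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_1 }}
command:
  audit_logfile_dir_perms:
    title: 6.3.4.1 | Ensure the audit log file directory mode is configured
    # directory of the log_file path from auditd.conf; mode must be 750 or 700
    exec: for dir in `dirname \`grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'\``; do stat -Lc " %n_%a" $dir; done
    exit-status: 0
    stdout:
      - '/.*_7(0|5)0$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.1
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.10.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_10 }}
command:
  audit_tools_group:
    title: 6.3.4.10 | Ensure audit tools group owner is configured
    # Every tool must be group-owned by root.  A goss stdout pattern is satisfied
    # as soon as ONE output line matches, so the previous '/.*_root$/' passed while
    # five of the six tools had the wrong group.  Each line is tagged OK/FAIL and
    # any FAIL line fails the check; stderr is folded in so a missing tool shows
    # up as a FAIL line instead of silently disappearing.
    exec: stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules 2>&1 | awk '{ print ($1 == "root" ? "OK":"FAIL"), $0 }'
    exit-status: 0
    stdout:
      - '/^OK /'
      - '!/^FAIL /'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.10
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_2 }}
command:
  audit_logfile_perms:
    title: 6.3.4.2 | Ensure audit log files mode is configured
    # only the log_file path named in auditd.conf is inspected
    exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%a" $file; done
    exit-status: 0
    stdout:
      - '/.*_6(0|4)0$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.2
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_3 }}
command:
  audit_logfile_owner:
    title: 6.3.4.3 | Ensure only authorized users own audit log files
    exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%U" $file; done
    exit-status: 0
    stdout:
      - '/.*_root$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.3
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_4 }}
command:
  audit_logfile_group_setting:
    title: 6.3.4.4 | Ensure audit log files group owner is configured
    # the configured log_group value (last field of the matching line)
    exec: grep log_group /etc/audit/audit* | awk '{ print $NF}'
    exit-status: 0
    stdout:
      - '/^(adm|root)$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.4
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
  audit_logfile_group:
    title: 6.3.4.4 | Ensure audit log files group owner is configured
    # the actual group of the log_file path
    exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n_%G" $file; done
    exit-status: 0
    stdout:
      - '/.*_(adm|root)$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.4
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.5.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_5 }}
command:
  audit_conf_perms:
    title: 6.3.4.5 | Ensure audit configuration files mode is configured
    # A goss stdout pattern is satisfied as soon as ONE line matches, so the
    # previous single '/.*_6(0|4)0$/' passed when any one file was correct.  The
    # negated patterns below fail the check if ANY file is wider than 0640:
    # other bits set, group bits other than r, owner execute, or setuid/setgid/
    # sticky.  The positive pattern only confirms that something was listed.
    exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec stat -Lc "%n_%a" {} +
    exit-status: 0
    stdout:
      - '/_[0-7]+$/'
      - '!/_[0-7]*[1-7]$/'
      - '!/_[0-7]*[1235-7][0-7]$/'
      - '!/_[0-7]*[1357][0-7]{2}$/'
      - '!/_[1-7][0-7]{3}$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.5
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_6 }}
command:
  audit_conf_owner:
    title: 6.3.4.6 | Ensure audit configuration files owner is configured
    # Each file is tagged OK/FAIL on its owner; a single '/.*_root$/' pattern would
    # pass as soon as one file was root-owned (goss matches any one line), so any
    # FAIL line is forbidden instead.
    exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -printf '%u %p\n' | awk '{ print ($1 == "root" ? "OK":"FAIL"), $0 }'
    exit-status: 0
    stdout:
      - '/^OK /'
      - '!/^FAIL /'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.6
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.7.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_7 }}
command:
  audit_conf_group:
    title: 6.3.4.7 | Ensure audit configuration files group owner is configured
    # This check previously printed "%U" (the owner), duplicating 6.3.4.6, so the
    # group owner was never actually examined; it now reports the group (%g).
    # Tagged OK/FAIL per file for the same reason as 6.3.4.6.
    exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -printf '%g %p\n' | awk '{ print ($1 == "root" ? "OK":"FAIL"), $0 }'
    exit-status: 0
    stdout:
      - '/^OK /'
      - '!/^FAIL /'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.7
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.8.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_8 }}
command:
  audit_tools_perms:
    title: 6.3.4.8 | Ensure audit tools mode is configured
    # 755 or more restrictive for EVERY tool.  The previous single
    # '/.*_7(0|5)(0|5)$/' passed as soon as one tool matched; the negated patterns
    # fail the check if any tool grants group or other write, or carries a
    # setuid/setgid/sticky bit.  A missing tool makes stat exit non-zero.
    exec: stat -c "%n_%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules
    exit-status: 0
    stdout:
      - '/_[0-7]+$/'
      - '!/_[0-7]*[2367]$/'
      - '!/_[0-7]*[2367][0-7]$/'
      - '!/_[1-7][0-7]{3}$/'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.8
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AU-3
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_6/cis_6.3.4/cis_6.3.4.9.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_6_3_4_9 }}
command:
  audit_tools_owner:
    title: 6.3.4.9 | Ensure audit tools owner is configured
    # Every tool must be owned by root; see 6.3.4.10 for why each line is tagged
    # OK/FAIL rather than relying on a single '/.*_root$/' pattern.  stderr is
    # folded in so a missing tool becomes a FAIL line.
    exec: stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules 2>&1 | awk '{ print ($1 == "root" ? "OK":"FAIL"), $0 }'
    exit-status: 0
    stdout:
      - '/^OK /'
      - '!/^FAIL /'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
        - 6.3.4.9
      CISv8:
        - 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - NA
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_1 }}
file:
  etc_passwd_perms:
    title: 7.1.1 | Ensure permissions on /etc/passwd are configured
    path: /etc/passwd
    exists: true
    mode:
      or:
        - '0644'
        - '0640'
        - '0600'
        - '0400'
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.1
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.10.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_10 }}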
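file:
  etc_security_opasswd_perms:
    title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured
    path: /etc/security/opasswd
    # Aligned with the opasswd.old entry below: the file may not exist yet on a
    # host whose password history has never been written, so absence is
    # acceptable and ownership/mode are only checked when it is present.
    exists:
      or:
        - true
        - false
    mode: "0600"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.10
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
  etc_security_opasswd__old_perms:
    title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured | old passwd
    path: /etc/security/opasswd.old
    # Absent file is fine; remaining attributes only apply when it exists.
    exists:
      or:
        - true
        - false
    mode: "0600"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.10
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.11.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.rhel9cis_rule_7_1_11 }}
command:
  sticky_bit:
    title: 7.1.11 | Ensure world writable files and directories are secured
    # Walks every local mount point. 'df -P' data rows have six fields and the
    # mount point is $6; the previous '$7' printed an empty string for every
    # row, so find never received a real path and the check passed vacuously.
    # Reports world-writable files, and world-writable directories that lack
    # the sticky bit (the title covers both; only directories were checked before).
    # Errors are discarded and exit 1 tolerated because find may hit paths it
    # cannot traverse.
    exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev \\( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \\) 2>/dev/null"
    exit-status:
      or:
        - 0
        - 1
    timeout: {{ .Vars.timeout_ms }}
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.11
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.12.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.rhel9cis_rule_7_1_12 }}
command:
  unowned_ungrouped_dirs:
    title: 7.1.12 | Ensure no files or directories without an owner and a group exist
    # Mount point is field $6 of 'df -P' output (the old '$7' was always empty,
    # so nothing was ever searched). The find tests and any path exclusions are
    # supplied entirely by rhel9cis_exclude_unowned_search_path - presumably the
    # -nouser / -nogroup predicates live there; verify against the vars file.
    exec: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev {{ .Vars.rhel9cis_exclude_unowned_search_path }}
    exit-status: 0
    timeout: {{ .Vars.timeout_ms }}
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.12
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.13.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.rhel9cis_rule_7_1_13 }}
command:
  audit_sgid_suid:
    title: 7.1.13 | Ensure SUID and SGID files are reviewed
    # Mount point is field $6 of 'df -P' output; with the old '$7' the search
    # path was empty and this always passed without listing anything.
    # NOTE(review): this is a *review* item. The negative stdout match fails as
    # soon as any SUID/SGID file exists, which is expected on a typical system
    # (passwd, sudo, ...), so the failure output is the list to review rather
    # than a defect by itself. Disable via rhel9cis_rule_7_1_13 once reviewed.
    exec: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f \( -perm -2000 -o -perm -4000 \)
    timeout: {{ .Vars.timeout_ms }}
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.13
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
        - AC-3
        - MP-2
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_2 }}
file:
  passwd-_perms:
    title: 7.1.2 | Ensure permissions on /etc/passwd- are configured
    path: /etc/passwd-
    exists: true
    # Explicit allow-list of modes (a 0444/0440 file would be reported).
    mode:
      or:
        - '0644'
        - '0640'
        - '0600'
        - '0400'
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.2
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_3 }}
file:
  etcgroup_perms:
    title: 7.1.3 | Ensure permissions on /etc/group are configured
    # Rule toggle, title and CIS_ID carried the old 6.1.3 numbering while every
    # sibling here uses rhel9cis_rule_7_1_N; with a toggle name that the vars
    # file does not define the template renders false and the check is silently
    # skipped. Keep rhel9cis_rule_7_1_3 defined in the vars file.
    path: /etc/group
    exists: true
    mode:
      or:
        - '0644'
        - '0640'
        - '0600'
        - '0400'
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.3
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_4 }}
file:
  etcgroup-_perms:
    title: 7.1.4 | Ensure permissions on /etc/group- are configured
    path: /etc/group-
    exists: true
    mode:
      or:
        - '0644'
        - '0640'
        - '0600'
        - '0400'
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.5.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_5 }}
file:
  etc_shadow_perms:
    title: 7.1.5 | Ensure permissions on /etc/shadow are configured
    path: /etc/shadow
    exists: true
    # Exact match: only mode 0000 is accepted for the shadow file.
    mode: "0000"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.5
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_6 }}
file:
  etc_shadow-_perms:
    title: 7.1.6 | Ensure permissions on /etc/shadow- are configured
    # Rule id corrected to 7.1.6: the file previously used 7.1.7, which is the
    # /etc/gshadow rule (cis_7.1.7.yml), so both checks shared one toggle and
    # this one could not be enabled or disabled on its own. Keep
    # rhel9cis_rule_7_1_6 defined in the vars file.
    path: /etc/shadow-
    exists: true
    mode: "0000"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.6
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------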
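/section_7/cis_7.1/cis_7.1.7.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_7 }}
file:
  etc_gshadow_perms:
    title: 7.1.7 | Ensure permissions on /etc/gshadow are configured
    path: /etc/gshadow
    exists: true
    # Exact match: only mode 0000 is accepted.
    mode: "0000"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.7
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.8.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_8 }}
file:
  etc_gshadow-_perms:
    title: 7.1.8 | Ensure permissions on /etc/gshadow- are configured
    path: /etc/gshadow-
    exists: true
    # Exact match: only mode 0000 is accepted.
    mode: "0000"
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.8
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.1/cis_7.1.9.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_1_9 }}
file:
  etc_shells_perms:
    title: 7.1.9 | Ensure permissions on /etc/shells are configured
    path: /etc/shells
    exists: true
    # Explicit allow-list of modes (a 0444/0440 file would be reported).
    mode:
      or:
        - '0644'
        - '0640'
        - '0600'
        - '0400'
    owner: root
    group: root
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.1.9
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - AC-3
        - MP-2
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.1.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_1 }}
command:
  accts_use_shadowed:
    title: 7.2.1 | Ensure accounts in /etc/passwd use shadowed passwords
    # Prints every account whose passwd field is not the shadow marker 'x';
    # any output fails the check.
    exec: "awk -F: '($2 != \"x\" ) { print $1 \" is not set to shadowed passwords \"}' /etc/passwd"
    exit-status: 0
    stdout:
      - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.1
      CISv8: NA
      CISv8_IG1: NA
      CISv8_IG2: NA
      CISv8_IG3: NA
      NIST800-53R5:
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.2.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_2 }}
command:
  nopasswd_shadow:
    title: 7.2.2 | Ensure /etc/shadow password fields are not empty
    # Names the accounts whose shadow password field is empty; any output
    # fails the check. The old form dumped every password field and also
    # required some line to start with '*', '!' or '$', which is unrelated to
    # the control and could fail on an otherwise compliant host.
    exec: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.2
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.3.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_3 }}
command:
  passwd_group_exist:
    title: 7.2.3 | Ensure all groups in /etc/passwd exist in /etc/group
    # Prints GIDs referenced in /etc/passwd ($4) that have no entry in
    # /etc/group ($3); both sides are sorted because comm requires it.
    # NOTE(review): '<( )' process substitution needs a bash-compatible shell;
    # this relies on the shell goss hands the command to being one.
    exec: "comm -23 <(awk -F: '{print $4}' /etc/passwd | sort -u) <(awk -F: '{print $3}' /etc/group | sort -u)"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.3
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.4.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_4 }}
command:
  no_dup_uid:
    title: 7.2.4 | Ensure no duplicate UIDs exist
    # 'uniq -d' only reports ADJACENT duplicates, and /etc/passwd is not sorted
    # by UID, so the previous pipeline missed any duplicate that was not on
    # consecutive lines. Sorting first makes every duplicate visible.
    exec: "cut -d: -f3 /etc/passwd | sort | uniq -d"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.4
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.5.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_5 }}
command:
  no_dup_gid:
    title: 7.2.5 | Ensure no duplicate GIDs exist
    # Sorted before 'uniq -d' so non-adjacent duplicate GIDs are reported too.
    # The level-1 guard and NIST mapping were missing here; both are now in
    # line with the sibling duplicate checks (7.2.4, 7.2.6, 7.2.7).
    exec: "cut -d: -f3 /etc/group | sort | uniq -d"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.5
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.6.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_6 }}
command:
  no_dup_username:
    title: 7.2.6 | Ensure no duplicate user names exist
    # Sorted before 'uniq -d' so non-adjacent duplicate names are reported too.
    exec: "cut -d: -f1 /etc/passwd | sort | uniq -d"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.6
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.7.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_7_2_7 }}
command:
  no_dup_groupname:
    title: 7.2.7 | Ensure no duplicate group names exist
    # Sorted before 'uniq -d' so non-adjacent duplicate names are reported too.
    exec: "cut -d: -f1 /etc/group | sort | uniq -d"
    exit-status: 0
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.7
      CISv8: 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/section_7/cis_7.2/cis_7.2.9.yml:
--------------------------------------------------------------------------------
---

{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.rhel9cis_rule_7_2_9 }}
command:
  dot_netrc_perms:
    title: 7.2.9 | Ensure local interactive user dot files access is configured
    # Flags rlogin/rsh, mail-forwarding and credential dot files under /home.
    # '.rhosts' is the name rsh/rlogin actually honour and was not matched at
    # all before; '.rhost' is kept as previously spelled so nothing is lost.
    # NOTE(review): only /home is searched - interactive users whose home
    # directory lives elsewhere are not covered by this check.
    exec: 'find /home/ \( -name .netrc -o -name .rhosts -o -name .rhost -o -name .forward \)'
    exit-status: 0
    timeout: {{ .Vars.timeout_ms }}
    stdout:
      - '!/./'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 7.2.9
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
        - CM-1
        - CM-2
        - CM-6
        - CM-7
        - IA-5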
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/standalone.yml:
--------------------------------------------------------------------------------
# Stand-alone entry point: includes the per-section goss files, each gated by
# its rhel9cis_sectionN variable (an unset variable is presumably falsy in the
# template, so that section is simply skipped - verify if a section goes missing).
# NOTE(review): there is no section_7 include here although section_7 files
# (7.1.x, 7.2.x) exist in this tree; confirm another entry point picks them up
# or add a gated include for them.
gossfile:
  {{ if .Vars.rhel9cis_section1 }}
  section_1/*/*.yml: {}
  {{ end }}
  {{ if .Vars.rhel9cis_section2 }}
  section_2/*/*.yml: {}
  {{ end }}
  {{ if .Vars.rhel9cis_section3 }}
  section_3/cis_3.1/*.yml: {}
  section_3/cis_3.2/*.yml: {}
  section_3/cis_3.3/*.yml: {}
  ## firewall configurations
  # Exactly one firewall section is included, chosen by rhel9cis_firewall.
  {{ if eq .Vars.rhel9cis_firewall "firewalld" }}
  section_3/cis_3.4.1/*.yml: {}
  {{ end }}
  {{ if eq .Vars.rhel9cis_firewall "nftables" }}
  section_3/cis_3.4.2/*.yml: {}
  {{ end }}
  {{ end }}
  {{ if .Vars.rhel9cis_section4 }}
  # Auditd and level 2
  # NOTE(review): the audit rules in this tree live under section_6/cis_6.3.4,
  # not section_4 - verify these cis_4.x globs still match existing
  # directories, and how goss treats a glob that matches nothing.
  {{ if .Vars.rhel9cis_level_2 }}
  section_4/cis_4.1/*.yml: {}
  {{ end }}
  section_4/cis_4.2.1/*.yml: {}
  section_4/cis_4.2.2/*.yml: {}
  section_4/cis_4.2.3/*.yml: {}
  section_4/cis_4.3/*.yml: {}
  {{ end }}
  {{ if .Vars.rhel9cis_section5 }}
  section_5/*/*.yml: {}
  {{ end }}
  {{ if .Vars.rhel9cis_section6 }}
  section_6/*/*.yml: {}
  {{ end }}
--------------------------------------------------------------------------------