From 86d5603cd79eda41539484c61203d0bc6cf8f5b6 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 27 Jun 2024 09:00:39 -0500
Subject: [PATCH 01/11] Remove RHEL7 profile stability tests
---
 .../data/profile_stability/rhel7/cis.profile | 479 ------------------
 .../rhel7/cis_server_l1.profile | 377 --------------
 .../rhel7/cis_workstation_l1.profile | 369 --------------
 .../rhel7/cis_workstation_l2.profile | 473 -----------------
 tests/data/profile_stability/rhel7/e8.profile | 113 -----
 .../profile_stability/rhel7/pci-dss.profile | 317 ------------
 .../data/profile_stability/rhel7/stig.profile | 365 -------------
 .../profile_stability/rhel7/stig_gui.profile | 375 --------------
 8 files changed, 2868 deletions(-)
 delete mode 100644 tests/data/profile_stability/rhel7/cis.profile
 delete mode 100644 tests/data/profile_stability/rhel7/cis_server_l1.profile
 delete mode 100644 tests/data/profile_stability/rhel7/cis_workstation_l1.profile
 delete mode 100644 tests/data/profile_stability/rhel7/cis_workstation_l2.profile
 delete mode 100644 tests/data/profile_stability/rhel7/e8.profile
 delete mode 100644 tests/data/profile_stability/rhel7/pci-dss.profile
 delete mode 100644 tests/data/profile_stability/rhel7/stig.profile
 delete mode 100644 tests/data/profile_stability/rhel7/stig_gui.profile
diff --git a/tests/data/profile_stability/rhel7/cis.profile b/tests/data/profile_stability/rhel7/cis.profile
deleted file mode 100644
index e06b6501cae..00000000000
--- a/tests/data/profile_stability/rhel7/cis.profile
+++ /dev/null
@@ -1,479 +0,0 @@ -description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration - from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, - v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed - Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." -extends: null -hidden: '' -metadata: - version: 4.0.0 - SMEs: - - vojtapolasek - - yuumasato -reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux -selections: -- mount_option_dev_shm_noexec -- file_permissions_etc_issue -- dconf_gnome_banner_enabled -- sudo_custom_logfile -- package_squid_removed -- accounts_root_gid_zero -- accounts_users_netrc_file_permissions -- sysctl_net_ipv4_conf_default_rp_filter -- file_ownership_var_log_audit_stig -- no_password_auth_for_systemaccounts -- package_ypbind_removed -- file_permissions_backup_etc_passwd -- package_avahi_removed -- file_owner_etc_shadow -- mount_option_dev_shm_nosuid -- sshd_set_loglevel_verbose -- accounts_passwords_pam_faillock_deny -- audit_rules_sysadmin_actions -- has_nonlocal_mta -- package_bind_removed -- kernel_module_udf_disabled -- audit_rules_file_deletion_events_unlink -- kernel_module_dccp_disabled -- package_ypserv_removed -- sshd_set_max_sessions -- mount_option_tmp_nodev -- file_groupowner_backup_etc_gshadow -- partition_for_tmp -- file_permissions_cron_allow -- kernel_module_hfsplus_disabled -- xwindows_runlevel_target -- rsyslog_files_groupownership -- mount_option_var_nosuid -- audit_rules_login_events_faillock -- group_unique_id -- audit_rules_dac_modification_fchown -- package_vsftpd_removed -- socket_systemd-journal-remote_disabled -- accounts_password_pam_difok -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- file_owner_backup_etc_group -- service_crond_enabled -- file_permissions_cron_monthly -- file_owner_backup_etc_passwd -- sudo_require_reauthentication -- file_groupowner_backup_etc_group -- 
auditd_data_retention_space_left_action -- file_ownership_home_directories -- file_at_deny_not_exist -- sysctl_net_ipv6_conf_all_accept_redirects -- sshd_set_idle_timeout -- file_owner_sshd_config -- dconf_gnome_screensaver_user_locks -- partition_for_var_tmp -- file_groupowner_backup_etc_passwd -- journald_storage -- file_group_ownership_var_log_audit -- package_sudo_installed -- service_autofs_disabled -- file_owner_cron_weekly -- file_owner_etc_issue -- kernel_module_freevxfs_disabled -- file_permissions_audit_binaries -- audit_rules_privileged_commands_kmod -- accounts_password_all_shadowed -- file_owner_etc_shells -- require_emergency_target_auth -- sysctl_kernel_randomize_va_space -- accounts_no_uid_except_zero -- file_permissions_etc_gshadow -- audit_rules_file_deletion_events_rename -- partition_for_var -- accounts_umask_etc_bashrc -- wireless_disable_interfaces -- audit_rules_mac_modification -- audit_rules_usergroup_modification_gshadow -- sshd_limit_user_access -- audit_rules_unsuccessful_file_modification_creat -- ensure_pam_wheel_group_empty -- package_setroubleshoot_removed -- service_rpcbind_disabled -- file_groupowner_user_cfg -- package_tftp-server_removed -- audit_rules_unsuccessful_file_modification_ftruncate -- file_permission_user_init_files -- audit_rules_kernel_module_loading_init -- file_owner_cron_d -- file_permissions_ungroupowned -- sysctl_net_ipv4_conf_default_log_martians -- package_telnet-server_removed -- partition_for_var_log_audit -- root_path_no_dot -- file_owner_backup_etc_shadow -- service_systemd-journald_enabled -- service_rsyslog_enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- file_permissions_etc_issue_net -- audit_rules_usergroup_modification_group -- file_groupowner_cron_weekly -- dconf_gnome_disable_automount -- file_permissions_sshd_pub_key -- package_xorg-x11-server-common_removed -- grub2_password -- account_unique_name -- chronyd_specify_remote_server -- accounts_password_warn_age_login_defs -- 
audit_rules_mac_modification_usr_share -- mount_option_tmp_nosuid -- sshd_enable_pam -- file_groupowner_grub2_cfg -- sysctl_net_ipv6_conf_default_accept_ra -- file_owner_etc_motd -- package_telnet_removed -- file_groupowner_etc_issue_net -- sshd_set_maxstartups -- file_permissions_var_log_audit -- audit_rules_dac_modification_chmod -- accounts_passwords_pam_faillock_deny_root -- rsyslog_filecreatemode -- audit_rules_dac_modification_lchown -- audit_rules_unsuccessful_file_modification_truncate -- file_owner_crontab -- file_permissions_cron_d -- file_permissions_user_cfg -- postfix_network_listening_disabled -- file_permissions_home_directories -- disable_host_auth -- audit_rules_usergroup_modification_shadow -- audit_sudo_log_events -- audit_rules_dac_modification_fremovexattr -- auditd_data_retention_admin_space_left_action -- accounts_maximum_age_login_defs -- audit_rules_file_deletion_events_renameat -- sshd_disable_rhosts -- auditd_data_retention_max_log_file_action -- file_owner_cron_allow -- file_permissions_sshd_config -- service_nfs_disabled -- sysctl_net_ipv4_conf_default_accept_redirects -- no_empty_passwords -- file_groupowner_etc_gshadow -- file_permissions_backup_etc_shadow -- selinux_policytype -- group_unique_name -- package_openldap-clients_removed -- kernel_module_squashfs_disabled -- mount_option_var_tmp_noexec -- audit_rules_dac_modification_chown -- dconf_gnome_screensaver_idle_delay -- rsyslog_nolisten -- mount_option_tmp_noexec -- file_groupowner_backup_etc_shadow -- grub2_audit_backlog_limit_argument -- aide_build_database -- file_groupowner_cron_hourly -- sudo_add_use_pty -- package_aide_installed -- audit_rules_execution_chacl -- package_rsyslog_installed -- file_owner_cron_monthly -- accounts_password_set_max_life_existing -- grub2_audit_argument -- file_groupowner_sshd_config -- package_httpd_removed -- accounts_umask_etc_login_defs -- grub2_uefi_password -- set_password_hashing_algorithm_logindefs -- file_permissions_sshd_private_key -- 
file_groupowner_etc_shells -- accounts_passwords_pam_faillock_unlock_time -- file_groupownership_audit_binaries -- mount_option_var_log_audit_noexec -- file_groupowner_etc_issue -- file_groupowner_efi_user_cfg -- audit_rules_dac_modification_removexattr -- dconf_db_up_to_date -- no_empty_passwords_etc_shadow -- grub2_enable_selinux -- ensure_gpgcheck_never_disabled -- coredump_disable_backtraces -- file_permissions_backup_etc_gshadow -- accounts_root_path_dirs_no_write -- dconf_gnome_disable_automount_open -- ensure_root_password_configured -- no_files_unowned_by_user -- no_rsh_trust_files -- audit_rules_usergroup_modification_opasswd -- accounts_user_dot_group_ownership -- dconf_gnome_disable_user_list -- accounts_password_pam_minclass -- mount_option_var_tmp_nodev -- file_cron_deny_not_exist -- sysctl_net_ipv4_conf_all_rp_filter -- accounts_user_dot_user_ownership -- rsyslog_files_ownership -- dconf_gnome_screensaver_lock_delay -- package_nginx_removed -- file_permissions_etc_passwd -- file_permissions_efi_user_cfg -- file_permissions_etc_group -- partition_for_dev_shm -- iptables_rules_for_open_ports -- partition_for_var_log -- auditd_data_retention_action_mail_acct -- audit_rules_dac_modification_fchownat -- dconf_gnome_disable_autorun -- dconf_gnome_login_banner_text -- directory_permissions_var_log_audit -- accounts_umask_etc_profile -- file_groupowner_cron_monthly -- audit_rules_dac_modification_fchmod -- set_firewalld_appropriate_zone -- selinux_confinement_of_daemons -- banner_etc_issue -- sysctl_net_ipv4_conf_all_accept_source_route -- set_password_hashing_algorithm_passwordauth -- file_owner_etc_gshadow -- sysctl_net_ipv4_conf_all_log_martians -- gnome_gdm_disable_xdmcp -- accounts_password_pam_pwhistory_remember_password_auth -- package_audit_installed -- mount_option_dev_shm_nodev -- audit_rules_dac_modification_fsetxattr -- no_forward_files -- package_dovecot_removed -- ensure_gpgcheck_globally_activated -- accounts_password_set_warn_age_existing -- 
audit_rules_networkconfig_modification -- audit_rules_networkconfig_modification_network_scripts -- gid_passwd_group_same -- file_groupownership_sshd_pub_key -- audit_rules_unsuccessful_file_modification_open -- audit_rules_dac_modification_setxattr -- audit_rules_login_events_lastlog -- audit_rules_suid_auid_privilege_function -- mount_option_var_nodev -- file_owner_grub2_cfg -- mount_option_var_log_audit_nodev -- partition_for_home -- package_cups_removed -- file_cron_allow_exists -- file_owner_etc_passwd -- mount_option_var_tmp_nosuid -- sysctl_net_ipv6_conf_default_accept_source_route -- file_ownership_sshd_private_key -- package_net-snmp_removed -- service_bluetooth_disabled -- file_groupowner_etc_motd -- dir_perms_world_writable_sticky_bits -- file_owner_etc_issue_net -- mount_option_var_log_audit_nosuid -- sshd_enable_warning_banner_net -- file_permissions_cron_weekly -- sshd_use_strong_kex -- package_gdm_removed -- chronyd_run_as_chrony_user -- sshd_disable_gssapi_auth -- file_owner_efi_user_cfg -- set_ip6tables_default_rule -- accounts_password_pam_pwhistory_remember_system_auth -- service_firewalld_enabled -- audit_rules_media_export -- service_auditd_enabled -- accounts_tmout -- package_mcstrans_removed -- audit_rules_time_watch_localtime -- file_ownership_audit_configuration -- file_owner_etc_group -- audit_rules_privileged_commands_usermod -- file_groupowner_etc_group -- file_permissions_grub2_cfg -- package_xinetd_removed -- accounts_password_pam_maxrepeat -- package_samba_removed -- audit_rules_file_deletion_events_unlinkat -- audit_rules_kernel_module_loading_finit -- file_permissions_etc_motd -- file_ownership_sshd_pub_key -- audit_rules_dac_modification_fchmodat -- file_groupowner_cron_allow -- audit_rules_time_stime -- audit_rules_time_adjtimex -- file_ownership_audit_binaries -- file_owner_user_cfg -- mount_option_var_log_nosuid -- package_rsync_removed -- sysctl_net_ipv4_tcp_syncookies -- file_permissions_etc_shells -- coredump_disable_storage 
-- package_cyrus-imapd_removed -- package_libselinux_installed -- package_dhcp_removed -- file_groupownership_audit_configuration -- banner_etc_motd -- sysctl_net_ipv4_conf_all_secure_redirects -- selinux_not_disabled -- package_audit-libs_installed -- kernel_module_sctp_disabled -- file_groupowner_etc_passwd -- accounts_password_pam_dictcheck -- auditd_data_disk_full_action -- file_groupowner_efi_grub2_cfg -- account_disable_post_pw_expiration -- audit_rules_dac_modification_lsetxattr -- journald_compress -- sysctl_net_ipv6_conf_all_accept_source_route -- account_unique_id -- package_pam_pwquality_installed -- sysctl_net_ipv6_conf_default_accept_redirects -- file_permissions_etc_shadow -- sshd_use_approved_ciphers -- journald_forward_to_syslog -- accounts_password_pam_minlen -- audit_rules_usergroup_modification_passwd -- package_chrony_installed -- dconf_gnome_session_idle_user_locks -- sysctl_net_ipv4_ip_forward -- audit_rules_execution_chcon -- audit_rules_immutable -- file_owner_backup_etc_gshadow -- kernel_module_cramfs_disabled -- kernel_module_hfs_disabled -- audit_rules_kernel_module_loading_query -- package_dnsmasq_removed -- sysctl_net_ipv4_conf_all_accept_redirects -- ip6tables_rules_for_open_ports -- file_owner_cron_daily -- mount_option_home_nodev -- audit_rules_kernel_module_loading_create -- sshd_use_strong_macs -- set_loopback_traffic -- audit_rules_time_clock_settime -- file_permissions_backup_etc_group -- audit_rules_dac_modification_lremovexattr -- mount_option_home_nosuid -- no_shelllogin_for_systemaccounts -- sshd_disable_empty_passwords -- audit_rules_unsuccessful_file_modification_openat -- accounts_password_last_change_is_in_past -- banner_etc_issue_net -- rsyslog_files_permissions -- sshd_do_not_permit_user_env -- accounts_user_interactive_home_directory_exists -- sysctl_net_ipv6_conf_all_forwarding -- sshd_disable_root_login -- selinux_state -- file_permissions_unauthorized_world_writable -- file_groupowner_crontab -- 
kernel_module_rds_disabled -- file_groupowner_etc_shadow -- package_tftp_removed -- sshd_set_keepalive -- kernel_module_tipc_disabled -- file_groupowner_cron_daily -- file_owner_cron_hourly -- set_password_hashing_algorithm_systemauth -- sysctl_net_ipv4_conf_all_send_redirects -- sysctl_kernel_yama_ptrace_scope -- file_owner_efi_grub2_cfg -- file_permissions_audit_configuration -- kernel_module_usb-storage_disabled -- sysctl_net_ipv4_conf_default_accept_source_route -- file_permissions_cron_daily -- file_permissions_efi_grub2_cfg -- auditd_data_disk_error_action -- accounts_set_post_pw_existing -- file_groupownership_sshd_private_key -- file_groupowner_cron_d -- sshd_set_max_auth_tries -- sysctl_net_ipv4_conf_default_secure_redirects -- file_etc_security_opasswd -- sysctl_net_ipv4_conf_default_send_redirects -- sysctl_net_ipv6_conf_all_accept_ra -- mount_option_var_log_noexec -- file_permissions_crontab -- audit_rules_privileged_commands -- auditd_data_retention_max_log_file -- audit_rules_kernel_module_loading_delete -- audit_rules_session_events -- require_singleuser_auth -- aide_periodic_cron_checking -- package_firewalld_installed -- package_iptables_installed -- mount_option_var_log_nodev -- use_pam_wheel_group_for_su -- kernel_module_jffs2_disabled -- sudo_require_authentication -- package_ftp_removed -- sshd_set_login_grace_time -- set_password_hashing_algorithm_libuserconf -- file_permissions_cron_hourly -- audit_rules_time_settimeofday -- var_user_initialization_files_regex=all_dotfiles -- var_accounts_user_umask=027 -- var_accounts_tmout=15_min -- var_account_disable_post_pw_expiration=30 -- var_accounts_password_warn_age_login_defs=7 -- var_accounts_maximum_age_login_defs=365 -- var_password_hashing_algorithm=SHA512 -- var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_remember=24 -- var_password_pam_dictcheck=1 -- var_password_pam_maxrepeat=3 -- var_password_pam_minclass=4 -- var_password_pam_minlen=14 -- 
var_password_pam_difok=2 -- var_accounts_passwords_pam_faillock_unlock_time=900 -- var_accounts_passwords_pam_faillock_deny=5 -- var_pam_wheel_group_for_su=cis -- var_sudo_timestamp_timeout=15_minutes -- var_sudo_logfile=var_log_sudo_log -- var_sshd_set_maxstartups=10:30:60 -- var_sshd_max_sessions=10 -- sshd_max_auth_tries_value=4 -- sshd_strong_macs=cis_rhel7 -- var_sshd_set_login_grace_time=60 -- sshd_strong_kex=cis_rhel7 -- sshd_idle_timeout_value=5_minutes -- var_sshd_set_keepalive=1 -- sshd_approved_ciphers=cis_rhel7 -- sysctl_net_ipv6_conf_all_accept_ra_value=disabled -- sysctl_net_ipv6_conf_default_accept_ra_value=disabled -- sysctl_net_ipv4_tcp_syncookies_value=enabled -- sysctl_net_ipv4_conf_all_log_martians_value=enabled -- sysctl_net_ipv4_conf_default_log_martians_value=enabled -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_all_rp_filter_value=enabled -- sysctl_net_ipv4_conf_default_rp_filter_value=enabled -- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled -- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled -- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -- sysctl_net_ipv6_conf_all_forwarding_value=disabled -- var_postfix_inet_interfaces=loopback-only -- var_multiple_time_servers=rhel -- inactivity_timeout_value=15_minutes -- var_screensaver_lock_delay=5_seconds -- remote_login_banner_text=cis_banners -- login_banner_text=cis_banners -- motd_banner_text=cis_banners -- 
var_selinux_policy_name=targeted -- var_auditd_space_left_action=cis_rhel7 -- var_auditd_action_mail_acct=root -- var_auditd_admin_space_left_action=cis_rhel7 -- var_auditd_disk_full_action=cis_rhel7 -- var_auditd_disk_error_action=cis_rhel7 -- var_auditd_max_log_file_action=keep_logs -- var_auditd_max_log_file=6 -- var_selinux_state=enforcing -unselected_groups: [] -platforms: !!set {} -cpe_names: !!set {} -platform: null -filter_rules: '' -policies: -- cis_rhel7 -title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server -definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis.profile -documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/cis_server_l1.profile b/tests/data/profile_stability/rhel7/cis_server_l1.profile deleted file mode 100644 index b90e3254f51..00000000000 --- a/tests/data/profile_stability/rhel7/cis_server_l1.profile +++ /dev/null 
@@ -1,377 +0,0 @@ -description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration - from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, - v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed - Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." -extends: null -hidden: '' -metadata: - version: 4.0.0 - SMEs: - - vojtapolasek - - yuumasato -reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux -selections: -- file_groupowner_etc_passwd -- file_permissions_etc_issue -- mount_option_dev_shm_noexec -- service_systemd-journald_enabled -- accounts_password_pam_dictcheck -- service_rsyslog_enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- file_groupowner_efi_grub2_cfg -- file_cron_deny_not_exist -- mount_option_var_tmp_nodev -- account_disable_post_pw_expiration -- sysctl_net_ipv4_conf_all_rp_filter -- accounts_user_dot_user_ownership -- dconf_gnome_banner_enabled -- rsyslog_files_ownership -- dconf_gnome_screensaver_lock_delay -- sudo_custom_logfile -- package_squid_removed -- file_permissions_etc_issue_net -- package_nginx_removed -- file_permissions_etc_passwd -- accounts_root_gid_zero -- file_permissions_efi_user_cfg -- journald_compress -- file_groupowner_cron_weekly -- file_permissions_etc_group -- accounts_users_netrc_file_permissions -- partition_for_dev_shm -- dconf_gnome_disable_automount -- iptables_rules_for_open_ports -- file_permissions_sshd_pub_key -- sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv6_conf_all_accept_source_route -- grub2_password -- account_unique_id -- dconf_gnome_disable_autorun -- dconf_gnome_login_banner_text -- package_pam_pwquality_installed -- sysctl_net_ipv6_conf_default_accept_redirects -- account_unique_name -- file_permissions_etc_shadow -- no_password_auth_for_systemaccounts -- sshd_use_approved_ciphers -- package_ypbind_removed -- accounts_umask_etc_profile -- 
file_permissions_backup_etc_passwd -- chronyd_specify_remote_server -- package_avahi_removed -- accounts_password_warn_age_login_defs -- accounts_password_pam_minlen -- file_groupowner_cron_monthly -- file_owner_etc_shadow -- journald_forward_to_syslog -- package_chrony_installed -- selinux_confinement_of_daemons -- dconf_gnome_session_idle_user_locks -- set_firewalld_appropriate_zone -- sysctl_net_ipv4_ip_forward -- mount_option_dev_shm_nosuid -- mount_option_tmp_nosuid -- banner_etc_issue -- sshd_enable_pam -- file_groupowner_grub2_cfg -- sshd_set_loglevel_verbose -- sysctl_net_ipv4_conf_all_accept_source_route -- sysctl_net_ipv6_conf_default_accept_ra -- accounts_passwords_pam_faillock_deny -- file_owner_etc_motd -- set_password_hashing_algorithm_passwordauth -- file_owner_etc_gshadow -- file_owner_backup_etc_gshadow -- sysctl_net_ipv4_conf_all_log_martians -- package_telnet_removed -- gnome_gdm_disable_xdmcp -- file_groupowner_etc_issue_net -- kernel_module_cramfs_disabled -- sshd_set_maxstartups -- kernel_module_hfs_disabled -- accounts_password_pam_pwhistory_remember_password_auth -- has_nonlocal_mta -- rsyslog_filecreatemode -- package_bind_removed -- mount_option_dev_shm_nodev -- package_dnsmasq_removed -- no_forward_files -- package_dovecot_removed -- ensure_gpgcheck_globally_activated -- file_owner_crontab -- file_permissions_cron_d -- file_permissions_user_cfg -- postfix_network_listening_disabled -- accounts_password_set_warn_age_existing -- sysctl_net_ipv4_conf_all_send_redirects -- gid_passwd_group_same -- sysctl_net_ipv4_conf_all_accept_redirects -- package_ypserv_removed -- file_permissions_home_directories -- ip6tables_rules_for_open_ports -- file_groupownership_sshd_pub_key -- mount_option_tmp_nodev -- file_groupowner_backup_etc_gshadow -- partition_for_tmp -- sshd_set_max_sessions -- file_permissions_cron_allow -- file_owner_cron_daily -- kernel_module_hfsplus_disabled -- mount_option_home_nodev -- rsyslog_files_groupownership -- 
sshd_use_strong_macs -- mount_option_var_nodev -- mount_option_var_nosuid -- set_loopback_traffic -- file_owner_grub2_cfg -- disable_host_auth -- mount_option_var_log_audit_nodev -- package_cups_removed -- file_cron_allow_exists -- file_owner_etc_passwd -- file_permissions_backup_etc_group -- group_unique_id -- mount_option_var_tmp_nosuid -- mount_option_home_nosuid -- no_shelllogin_for_systemaccounts -- sysctl_net_ipv6_conf_default_accept_source_route -- sshd_disable_empty_passwords -- accounts_password_last_change_is_in_past -- file_ownership_sshd_private_key -- package_vsftpd_removed -- socket_systemd-journal-remote_disabled -- accounts_password_pam_difok -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- file_owner_backup_etc_group -- banner_etc_issue_net -- rsyslog_files_permissions -- sshd_do_not_permit_user_env -- package_net-snmp_removed -- accounts_user_interactive_home_directory_exists -- service_bluetooth_disabled -- sysctl_net_ipv6_conf_all_forwarding -- accounts_maximum_age_login_defs -- file_groupowner_etc_motd -- sshd_disable_rhosts -- service_crond_enabled -- dir_perms_world_writable_sticky_bits -- file_permissions_cron_monthly -- file_owner_cron_allow -- sshd_disable_root_login -- file_owner_backup_etc_passwd -- file_permissions_sshd_config -- service_nfs_disabled -- file_owner_etc_issue_net -- sudo_require_reauthentication -- file_permissions_unauthorized_world_writable -- file_groupowner_crontab -- sysctl_net_ipv4_conf_default_accept_redirects -- file_groupowner_backup_etc_group -- mount_option_var_log_audit_nosuid -- no_empty_passwords -- sshd_enable_warning_banner_net -- file_groupowner_etc_shadow -- file_groupowner_etc_gshadow -- file_permissions_cron_weekly -- sshd_use_strong_kex -- file_permissions_backup_etc_shadow -- selinux_policytype -- file_ownership_home_directories -- file_at_deny_not_exist -- sysctl_net_ipv6_conf_all_accept_redirects -- sshd_set_idle_timeout -- package_tftp_removed -- sshd_set_keepalive -- chronyd_run_as_chrony_user 
-- file_groupowner_cron_daily -- dconf_gnome_screensaver_user_locks -- file_owner_cron_hourly -- file_owner_sshd_config -- group_unique_name -- mount_option_var_tmp_noexec -- set_password_hashing_algorithm_systemauth -- dconf_gnome_screensaver_idle_delay -- file_owner_efi_grub2_cfg -- rsyslog_nolisten -- sysctl_kernel_yama_ptrace_scope -- mount_option_tmp_noexec -- file_groupowner_backup_etc_shadow -- file_owner_efi_user_cfg -- set_ip6tables_default_rule -- accounts_password_pam_pwhistory_remember_system_auth -- aide_build_database -- kernel_module_usb-storage_disabled -- file_groupowner_cron_hourly -- sudo_add_use_pty -- package_aide_installed -- sysctl_net_ipv4_conf_default_accept_source_route -- service_firewalld_enabled -- file_groupowner_backup_etc_passwd -- journald_storage -- accounts_tmout -- package_rsyslog_installed -- file_owner_cron_monthly -- file_permissions_cron_daily -- accounts_password_set_max_life_existing -- package_sudo_installed -- file_permissions_efi_grub2_cfg -- service_autofs_disabled -- file_owner_cron_weekly -- accounts_set_post_pw_existing -- file_owner_etc_issue -- kernel_module_freevxfs_disabled -- file_groupowner_sshd_config -- file_groupownership_sshd_private_key -- package_mcstrans_removed -- file_groupowner_cron_d -- sshd_set_max_auth_tries -- sysctl_net_ipv4_conf_default_secure_redirects -- file_etc_security_opasswd -- package_httpd_removed -- file_owner_etc_group -- sysctl_net_ipv4_conf_default_send_redirects -- sysctl_net_ipv6_conf_all_accept_ra -- accounts_umask_etc_login_defs -- grub2_uefi_password -- mount_option_var_log_noexec -- accounts_password_all_shadowed -- file_groupowner_etc_group -- file_owner_etc_shells -- file_permissions_crontab -- file_permissions_grub2_cfg -- file_permissions_sshd_private_key -- require_emergency_target_auth -- set_password_hashing_algorithm_logindefs -- sysctl_kernel_randomize_va_space -- file_groupowner_etc_shells -- package_xinetd_removed -- accounts_password_pam_maxrepeat -- 
accounts_no_uid_except_zero -- file_permissions_etc_gshadow -- accounts_passwords_pam_faillock_unlock_time -- package_samba_removed -- mount_option_var_log_audit_noexec -- accounts_umask_etc_bashrc -- file_groupowner_etc_issue -- file_ownership_sshd_pub_key -- file_permissions_etc_motd -- file_groupowner_efi_user_cfg -- dconf_db_up_to_date -- wireless_disable_interfaces -- no_empty_passwords_etc_shadow -- file_groupowner_cron_allow -- require_singleuser_auth -- ensure_pam_wheel_group_empty -- aide_periodic_cron_checking -- package_setroubleshoot_removed -- service_rpcbind_disabled -- sshd_limit_user_access -- grub2_enable_selinux -- package_firewalld_installed -- ensure_gpgcheck_never_disabled -- file_groupowner_user_cfg -- package_tftp-server_removed -- coredump_disable_backtraces -- file_owner_user_cfg -- file_permission_user_init_files -- mount_option_var_log_nodev -- package_iptables_installed -- mount_option_var_log_nosuid -- package_rsync_removed -- sysctl_net_ipv4_tcp_syncookies -- use_pam_wheel_group_for_su -- kernel_module_jffs2_disabled -- file_permissions_etc_shells -- coredump_disable_storage -- file_permissions_backup_etc_gshadow -- package_cyrus-imapd_removed -- sudo_require_authentication -- file_owner_cron_d -- file_permissions_ungroupowned -- package_libselinux_installed -- sysctl_net_ipv4_conf_default_log_martians -- accounts_root_path_dirs_no_write -- dconf_gnome_disable_automount_open -- ensure_root_password_configured -- no_files_unowned_by_user -- no_rsh_trust_files -- package_dhcp_removed -- package_ftp_removed -- banner_etc_motd -- package_telnet-server_removed -- root_path_no_dot -- sshd_set_login_grace_time -- sysctl_net_ipv4_conf_all_secure_redirects -- accounts_user_dot_group_ownership -- dconf_gnome_disable_user_list -- set_password_hashing_algorithm_libuserconf -- file_permissions_cron_hourly -- file_owner_backup_etc_shadow -- accounts_password_pam_minclass -- selinux_not_disabled -- var_user_initialization_files_regex=all_dotfiles -- 
var_accounts_user_umask=027 -- var_accounts_tmout=15_min -- var_account_disable_post_pw_expiration=30 -- var_accounts_password_warn_age_login_defs=7 -- var_accounts_maximum_age_login_defs=365 -- var_password_hashing_algorithm=SHA512 -- var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_remember=24 -- var_password_pam_dictcheck=1 -- var_password_pam_maxrepeat=3 -- var_password_pam_minclass=4 -- var_password_pam_minlen=14 -- var_password_pam_difok=2 -- var_accounts_passwords_pam_faillock_unlock_time=900 -- var_accounts_passwords_pam_faillock_deny=5 -- var_pam_wheel_group_for_su=cis -- var_sudo_timestamp_timeout=15_minutes -- var_sudo_logfile=var_log_sudo_log -- var_sshd_set_maxstartups=10:30:60 -- var_sshd_max_sessions=10 -- sshd_max_auth_tries_value=4 -- sshd_strong_macs=cis_rhel7 -- var_sshd_set_login_grace_time=60 -- sshd_strong_kex=cis_rhel7 -- sshd_idle_timeout_value=5_minutes -- var_sshd_set_keepalive=1 -- sshd_approved_ciphers=cis_rhel7 -- sysctl_net_ipv6_conf_all_accept_ra_value=disabled -- sysctl_net_ipv6_conf_default_accept_ra_value=disabled -- sysctl_net_ipv4_tcp_syncookies_value=enabled -- sysctl_net_ipv4_conf_all_log_martians_value=enabled -- sysctl_net_ipv4_conf_default_log_martians_value=enabled -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_all_rp_filter_value=enabled -- sysctl_net_ipv4_conf_default_rp_filter_value=enabled -- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled -- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled -- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled 
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -- sysctl_net_ipv6_conf_all_forwarding_value=disabled -- var_postfix_inet_interfaces=loopback-only -- var_multiple_time_servers=rhel -- inactivity_timeout_value=15_minutes -- var_screensaver_lock_delay=5_seconds -- remote_login_banner_text=cis_banners -- login_banner_text=cis_banners -- motd_banner_text=cis_banners -- var_selinux_policy_name=targeted -unselected_groups: [] -platforms: !!set {} -cpe_names: !!set {} -platform: null -filter_rules: '' -policies: -- cis_rhel7 -title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server -definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_server_l1.profile -documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l1.profile b/tests/data/profile_stability/rhel7/cis_workstation_l1.profile deleted file mode 100644 index 1429dba784c..00000000000 --- a/tests/data/profile_stability/rhel7/cis_workstation_l1.profile +++ /dev/null 
@@ -1,369 +0,0 @@
-description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration - from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, - v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed - Hat Enterprise Linux 7 CIS Benchmarks\u2122 content."
-extends: null
-hidden: ''
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-selections:
-- file_groupowner_etc_passwd
-- file_permissions_etc_issue
-- mount_option_dev_shm_noexec
-- service_systemd-journald_enabled
-- accounts_password_pam_dictcheck
-- service_rsyslog_enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-- file_groupowner_efi_grub2_cfg
-- file_cron_deny_not_exist
-- mount_option_var_tmp_nodev
-- account_disable_post_pw_expiration
-- sysctl_net_ipv4_conf_all_rp_filter
-- accounts_user_dot_user_ownership
-- dconf_gnome_banner_enabled
-- rsyslog_files_ownership
-- dconf_gnome_screensaver_lock_delay
-- sudo_custom_logfile
-- package_squid_removed
-- file_permissions_etc_issue_net
-- package_nginx_removed
-- file_permissions_etc_passwd
-- accounts_root_gid_zero
-- file_permissions_efi_user_cfg
-- journald_compress
-- file_groupowner_cron_weekly
-- file_permissions_etc_group
-- accounts_users_netrc_file_permissions
-- partition_for_dev_shm
-- iptables_rules_for_open_ports
-- file_permissions_sshd_pub_key
-- sysctl_net_ipv4_conf_default_rp_filter
-- sysctl_net_ipv6_conf_all_accept_source_route
-- grub2_password
-- account_unique_id
-- dconf_gnome_disable_autorun
-- dconf_gnome_login_banner_text
-- package_pam_pwquality_installed
-- sysctl_net_ipv6_conf_default_accept_redirects
-- account_unique_name
-- file_permissions_etc_shadow
-- no_password_auth_for_systemaccounts
-- sshd_use_approved_ciphers
-- package_ypbind_removed
-- accounts_umask_etc_profile
-- file_permissions_backup_etc_passwd
-- 
chronyd_specify_remote_server
-- accounts_password_warn_age_login_defs
-- accounts_password_pam_minlen
-- file_groupowner_cron_monthly
-- file_owner_etc_shadow
-- journald_forward_to_syslog
-- package_chrony_installed
-- selinux_confinement_of_daemons
-- dconf_gnome_session_idle_user_locks
-- set_firewalld_appropriate_zone
-- sysctl_net_ipv4_ip_forward
-- mount_option_dev_shm_nosuid
-- mount_option_tmp_nosuid
-- banner_etc_issue
-- sshd_enable_pam
-- file_groupowner_grub2_cfg
-- sshd_set_loglevel_verbose
-- sysctl_net_ipv4_conf_all_accept_source_route
-- sysctl_net_ipv6_conf_default_accept_ra
-- accounts_passwords_pam_faillock_deny
-- file_owner_etc_motd
-- set_password_hashing_algorithm_passwordauth
-- file_owner_etc_gshadow
-- file_owner_backup_etc_gshadow
-- sysctl_net_ipv4_conf_all_log_martians
-- package_telnet_removed
-- gnome_gdm_disable_xdmcp
-- file_groupowner_etc_issue_net
-- kernel_module_cramfs_disabled
-- sshd_set_maxstartups
-- kernel_module_hfs_disabled
-- accounts_password_pam_pwhistory_remember_password_auth
-- has_nonlocal_mta
-- rsyslog_filecreatemode
-- package_bind_removed
-- mount_option_dev_shm_nodev
-- package_dnsmasq_removed
-- no_forward_files
-- package_dovecot_removed
-- ensure_gpgcheck_globally_activated
-- file_owner_crontab
-- file_permissions_cron_d
-- file_permissions_user_cfg
-- postfix_network_listening_disabled
-- accounts_password_set_warn_age_existing
-- sysctl_net_ipv4_conf_all_send_redirects
-- gid_passwd_group_same
-- sysctl_net_ipv4_conf_all_accept_redirects
-- package_ypserv_removed
-- file_permissions_home_directories
-- ip6tables_rules_for_open_ports
-- file_groupownership_sshd_pub_key
-- mount_option_tmp_nodev
-- file_groupowner_backup_etc_gshadow
-- partition_for_tmp
-- sshd_set_max_sessions
-- file_permissions_cron_allow
-- file_owner_cron_daily
-- kernel_module_hfsplus_disabled
-- mount_option_home_nodev
-- rsyslog_files_groupownership
-- sshd_use_strong_macs
-- mount_option_var_nodev
-- mount_option_var_nosuid
-- 
set_loopback_traffic
-- file_owner_grub2_cfg
-- disable_host_auth
-- mount_option_var_log_audit_nodev
-- file_cron_allow_exists
-- file_owner_etc_passwd
-- file_permissions_backup_etc_group
-- group_unique_id
-- mount_option_var_tmp_nosuid
-- mount_option_home_nosuid
-- no_shelllogin_for_systemaccounts
-- sysctl_net_ipv6_conf_default_accept_source_route
-- sshd_disable_empty_passwords
-- accounts_password_last_change_is_in_past
-- file_ownership_sshd_private_key
-- package_vsftpd_removed
-- socket_systemd-journal-remote_disabled
-- accounts_password_pam_difok
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- file_owner_backup_etc_group
-- banner_etc_issue_net
-- rsyslog_files_permissions
-- sshd_do_not_permit_user_env
-- package_net-snmp_removed
-- accounts_user_interactive_home_directory_exists
-- sysctl_net_ipv6_conf_all_forwarding
-- accounts_maximum_age_login_defs
-- file_groupowner_etc_motd
-- sshd_disable_rhosts
-- service_crond_enabled
-- dir_perms_world_writable_sticky_bits
-- file_permissions_cron_monthly
-- file_owner_cron_allow
-- sshd_disable_root_login
-- file_owner_backup_etc_passwd
-- file_permissions_sshd_config
-- service_nfs_disabled
-- file_owner_etc_issue_net
-- sudo_require_reauthentication
-- file_permissions_unauthorized_world_writable
-- file_groupowner_crontab
-- sysctl_net_ipv4_conf_default_accept_redirects
-- file_groupowner_backup_etc_group
-- mount_option_var_log_audit_nosuid
-- no_empty_passwords
-- sshd_enable_warning_banner_net
-- file_groupowner_etc_shadow
-- file_groupowner_etc_gshadow
-- file_permissions_cron_weekly
-- sshd_use_strong_kex
-- file_permissions_backup_etc_shadow
-- selinux_policytype
-- file_ownership_home_directories
-- file_at_deny_not_exist
-- sysctl_net_ipv6_conf_all_accept_redirects
-- sshd_set_idle_timeout
-- package_tftp_removed
-- sshd_set_keepalive
-- chronyd_run_as_chrony_user
-- file_groupowner_cron_daily
-- dconf_gnome_screensaver_user_locks
-- file_owner_cron_hourly
-- file_owner_sshd_config
-- 
group_unique_name
-- mount_option_var_tmp_noexec
-- set_password_hashing_algorithm_systemauth
-- dconf_gnome_screensaver_idle_delay
-- file_owner_efi_grub2_cfg
-- rsyslog_nolisten
-- sysctl_kernel_yama_ptrace_scope
-- mount_option_tmp_noexec
-- sshd_disable_gssapi_auth
-- file_groupowner_backup_etc_shadow
-- file_owner_efi_user_cfg
-- set_ip6tables_default_rule
-- accounts_password_pam_pwhistory_remember_system_auth
-- aide_build_database
-- file_groupowner_cron_hourly
-- sudo_add_use_pty
-- package_aide_installed
-- sysctl_net_ipv4_conf_default_accept_source_route
-- service_firewalld_enabled
-- file_groupowner_backup_etc_passwd
-- journald_storage
-- accounts_tmout
-- package_rsyslog_installed
-- file_owner_cron_monthly
-- file_permissions_cron_daily
-- accounts_password_set_max_life_existing
-- package_sudo_installed
-- file_permissions_efi_grub2_cfg
-- file_owner_cron_weekly
-- accounts_set_post_pw_existing
-- file_owner_etc_issue
-- kernel_module_freevxfs_disabled
-- file_groupowner_sshd_config
-- file_groupownership_sshd_private_key
-- package_mcstrans_removed
-- file_groupowner_cron_d
-- sshd_set_max_auth_tries
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_etc_security_opasswd
-- package_httpd_removed
-- file_owner_etc_group
-- sysctl_net_ipv4_conf_default_send_redirects
-- sysctl_net_ipv6_conf_all_accept_ra
-- accounts_umask_etc_login_defs
-- grub2_uefi_password
-- mount_option_var_log_noexec
-- accounts_password_all_shadowed
-- file_groupowner_etc_group
-- file_owner_etc_shells
-- file_permissions_crontab
-- file_permissions_grub2_cfg
-- file_permissions_sshd_private_key
-- require_emergency_target_auth
-- set_password_hashing_algorithm_logindefs
-- sysctl_kernel_randomize_va_space
-- file_groupowner_etc_shells
-- package_xinetd_removed
-- accounts_password_pam_maxrepeat
-- accounts_no_uid_except_zero
-- file_permissions_etc_gshadow
-- accounts_passwords_pam_faillock_unlock_time
-- package_samba_removed
-- mount_option_var_log_audit_noexec
-- 
accounts_umask_etc_bashrc
-- file_groupowner_etc_issue
-- file_ownership_sshd_pub_key
-- file_permissions_etc_motd
-- file_groupowner_efi_user_cfg
-- dconf_db_up_to_date
-- no_empty_passwords_etc_shadow
-- file_groupowner_cron_allow
-- require_singleuser_auth
-- ensure_pam_wheel_group_empty
-- aide_periodic_cron_checking
-- service_rpcbind_disabled
-- sshd_limit_user_access
-- grub2_enable_selinux
-- package_firewalld_installed
-- ensure_gpgcheck_never_disabled
-- file_groupowner_user_cfg
-- package_tftp-server_removed
-- coredump_disable_backtraces
-- file_owner_user_cfg
-- file_permission_user_init_files
-- mount_option_var_log_nodev
-- package_iptables_installed
-- mount_option_var_log_nosuid
-- package_rsync_removed
-- sysctl_net_ipv4_tcp_syncookies
-- use_pam_wheel_group_for_su
-- kernel_module_jffs2_disabled
-- file_permissions_etc_shells
-- coredump_disable_storage
-- file_permissions_backup_etc_gshadow
-- package_cyrus-imapd_removed
-- sudo_require_authentication
-- file_owner_cron_d
-- file_permissions_ungroupowned
-- package_libselinux_installed
-- sysctl_net_ipv4_conf_default_log_martians
-- accounts_root_path_dirs_no_write
-- ensure_root_password_configured
-- no_files_unowned_by_user
-- no_rsh_trust_files
-- package_dhcp_removed
-- package_ftp_removed
-- package_telnet-server_removed
-- banner_etc_motd
-- root_path_no_dot
-- sshd_set_login_grace_time
-- sysctl_net_ipv4_conf_all_secure_redirects
-- accounts_user_dot_group_ownership
-- dconf_gnome_disable_user_list
-- set_password_hashing_algorithm_libuserconf
-- file_permissions_cron_hourly
-- file_owner_backup_etc_shadow
-- accounts_password_pam_minclass
-- selinux_not_disabled
-- var_user_initialization_files_regex=all_dotfiles
-- var_accounts_user_umask=027
-- var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
-- var_accounts_password_warn_age_login_defs=7
-- var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
-- 
var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=24
-- var_password_pam_dictcheck=1
-- var_password_pam_maxrepeat=3
-- var_password_pam_minclass=4
-- var_password_pam_minlen=14
-- var_password_pam_difok=2
-- var_accounts_passwords_pam_faillock_unlock_time=900
-- var_accounts_passwords_pam_faillock_deny=5
-- var_pam_wheel_group_for_su=cis
-- var_sudo_timestamp_timeout=15_minutes
-- var_sudo_logfile=var_log_sudo_log
-- var_sshd_set_maxstartups=10:30:60
-- var_sshd_max_sessions=10
-- sshd_max_auth_tries_value=4
-- sshd_strong_macs=cis_rhel7
-- var_sshd_set_login_grace_time=60
-- sshd_strong_kex=cis_rhel7
-- sshd_idle_timeout_value=5_minutes
-- var_sshd_set_keepalive=1
-- sshd_approved_ciphers=cis_rhel7
-- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-- sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_log_martians_value=enabled
-- sysctl_net_ipv4_conf_default_log_martians_value=enabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
-- 
var_multiple_time_servers=rhel
-- inactivity_timeout_value=15_minutes
-- var_screensaver_lock_delay=5_seconds
-- remote_login_banner_text=cis_banners
-- login_banner_text=cis_banners
-- motd_banner_text=cis_banners
-- var_selinux_policy_name=targeted
-unselected_groups: []
-platforms: !!set {}
-cpe_names: !!set {}
-platform: null
-filter_rules: ''
-policies:
-- cis_rhel7
-title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
-definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_workstation_l1.profile
-documentation_complete: true
diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l2.profile b/tests/data/profile_stability/rhel7/cis_workstation_l2.profile
deleted file mode 100644
index 505f3287f00..00000000000
--- a/tests/data/profile_stability/rhel7/cis_workstation_l2.profile
+++ /dev/null
@@ -1,473 +0,0 @@
-description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration - from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, - v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed - Hat Enterprise Linux 7 CIS Benchmarks\u2122 content."
-extends: null
-hidden: ''
-metadata:
- version: 4.0.0
- SMEs:
- - vojtapolasek
- - yuumasato
-reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
-selections:
-- mount_option_dev_shm_noexec
-- file_permissions_etc_issue
-- dconf_gnome_banner_enabled
-- sudo_custom_logfile
-- package_squid_removed
-- accounts_root_gid_zero
-- accounts_users_netrc_file_permissions
-- sysctl_net_ipv4_conf_default_rp_filter
-- file_ownership_var_log_audit_stig
-- no_password_auth_for_systemaccounts
-- package_ypbind_removed
-- file_permissions_backup_etc_passwd
-- package_avahi_removed
-- file_owner_etc_shadow
-- mount_option_dev_shm_nosuid
-- sshd_set_loglevel_verbose
-- accounts_passwords_pam_faillock_deny
-- audit_rules_sysadmin_actions
-- has_nonlocal_mta
-- package_bind_removed
-- kernel_module_udf_disabled
-- audit_rules_file_deletion_events_unlink
-- kernel_module_dccp_disabled
-- package_ypserv_removed
-- sshd_set_max_sessions
-- mount_option_tmp_nodev
-- file_groupowner_backup_etc_gshadow
-- partition_for_tmp
-- file_permissions_cron_allow
-- kernel_module_hfsplus_disabled
-- rsyslog_files_groupownership
-- mount_option_var_nosuid
-- audit_rules_login_events_faillock
-- group_unique_id
-- audit_rules_dac_modification_fchown
-- package_vsftpd_removed
-- socket_systemd-journal-remote_disabled
-- accounts_password_pam_difok
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- file_owner_backup_etc_group
-- service_crond_enabled
-- file_permissions_cron_monthly
-- file_owner_backup_etc_passwd
-- sudo_require_reauthentication
-- file_groupowner_backup_etc_group
-- auditd_data_retention_space_left_action
-- 
file_ownership_home_directories
-- file_at_deny_not_exist
-- sysctl_net_ipv6_conf_all_accept_redirects
-- sshd_set_idle_timeout
-- file_owner_sshd_config
-- dconf_gnome_screensaver_user_locks
-- partition_for_var_tmp
-- file_groupowner_backup_etc_passwd
-- journald_storage
-- file_group_ownership_var_log_audit
-- package_sudo_installed
-- service_autofs_disabled
-- file_owner_cron_weekly
-- file_owner_etc_issue
-- kernel_module_freevxfs_disabled
-- file_permissions_audit_binaries
-- audit_rules_privileged_commands_kmod
-- accounts_password_all_shadowed
-- file_owner_etc_shells
-- require_emergency_target_auth
-- sysctl_kernel_randomize_va_space
-- accounts_no_uid_except_zero
-- file_permissions_etc_gshadow
-- audit_rules_file_deletion_events_rename
-- partition_for_var
-- accounts_umask_etc_bashrc
-- audit_rules_mac_modification
-- audit_rules_usergroup_modification_gshadow
-- sshd_limit_user_access
-- audit_rules_unsuccessful_file_modification_creat
-- ensure_pam_wheel_group_empty
-- service_rpcbind_disabled
-- file_groupowner_user_cfg
-- package_tftp-server_removed
-- audit_rules_unsuccessful_file_modification_ftruncate
-- file_permission_user_init_files
-- audit_rules_kernel_module_loading_init
-- file_owner_cron_d
-- file_permissions_ungroupowned
-- sysctl_net_ipv4_conf_default_log_martians
-- package_telnet-server_removed
-- partition_for_var_log_audit
-- root_path_no_dot
-- file_owner_backup_etc_shadow
-- service_systemd-journald_enabled
-- service_rsyslog_enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-- file_permissions_etc_issue_net
-- audit_rules_usergroup_modification_group
-- file_groupowner_cron_weekly
-- dconf_gnome_disable_automount
-- file_permissions_sshd_pub_key
-- grub2_password
-- account_unique_name
-- chronyd_specify_remote_server
-- accounts_password_warn_age_login_defs
-- audit_rules_mac_modification_usr_share
-- mount_option_tmp_nosuid
-- sshd_enable_pam
-- file_groupowner_grub2_cfg
-- sysctl_net_ipv6_conf_default_accept_ra
-- 
file_owner_etc_motd
-- package_telnet_removed
-- file_groupowner_etc_issue_net
-- sshd_set_maxstartups
-- file_permissions_var_log_audit
-- audit_rules_dac_modification_chmod
-- accounts_passwords_pam_faillock_deny_root
-- rsyslog_filecreatemode
-- audit_rules_dac_modification_lchown
-- audit_rules_unsuccessful_file_modification_truncate
-- file_owner_crontab
-- file_permissions_cron_d
-- file_permissions_user_cfg
-- postfix_network_listening_disabled
-- file_permissions_home_directories
-- disable_host_auth
-- audit_rules_usergroup_modification_shadow
-- audit_sudo_log_events
-- audit_rules_dac_modification_fremovexattr
-- auditd_data_retention_admin_space_left_action
-- accounts_maximum_age_login_defs
-- audit_rules_file_deletion_events_renameat
-- sshd_disable_rhosts
-- auditd_data_retention_max_log_file_action
-- file_owner_cron_allow
-- file_permissions_sshd_config
-- service_nfs_disabled
-- sysctl_net_ipv4_conf_default_accept_redirects
-- no_empty_passwords
-- file_groupowner_etc_gshadow
-- file_permissions_backup_etc_shadow
-- selinux_policytype
-- group_unique_name
-- package_openldap-clients_removed
-- kernel_module_squashfs_disabled
-- mount_option_var_tmp_noexec
-- audit_rules_dac_modification_chown
-- dconf_gnome_screensaver_idle_delay
-- rsyslog_nolisten
-- mount_option_tmp_noexec
-- file_groupowner_backup_etc_shadow
-- grub2_audit_backlog_limit_argument
-- aide_build_database
-- file_groupowner_cron_hourly
-- sudo_add_use_pty
-- package_aide_installed
-- audit_rules_execution_chacl
-- package_rsyslog_installed
-- file_owner_cron_monthly
-- accounts_password_set_max_life_existing
-- grub2_audit_argument
-- file_groupowner_sshd_config
-- package_httpd_removed
-- accounts_umask_etc_login_defs
-- grub2_uefi_password
-- set_password_hashing_algorithm_logindefs
-- file_permissions_sshd_private_key
-- file_groupowner_etc_shells
-- accounts_passwords_pam_faillock_unlock_time
-- file_groupownership_audit_binaries
-- mount_option_var_log_audit_noexec
-- 
file_groupowner_etc_issue
-- file_groupowner_efi_user_cfg
-- audit_rules_dac_modification_removexattr
-- dconf_db_up_to_date
-- no_empty_passwords_etc_shadow
-- grub2_enable_selinux
-- ensure_gpgcheck_never_disabled
-- coredump_disable_backtraces
-- file_permissions_backup_etc_gshadow
-- accounts_root_path_dirs_no_write
-- dconf_gnome_disable_automount_open
-- ensure_root_password_configured
-- no_files_unowned_by_user
-- no_rsh_trust_files
-- audit_rules_usergroup_modification_opasswd
-- accounts_user_dot_group_ownership
-- dconf_gnome_disable_user_list
-- accounts_password_pam_minclass
-- mount_option_var_tmp_nodev
-- file_cron_deny_not_exist
-- sysctl_net_ipv4_conf_all_rp_filter
-- accounts_user_dot_user_ownership
-- rsyslog_files_ownership
-- dconf_gnome_screensaver_lock_delay
-- package_nginx_removed
-- file_permissions_etc_passwd
-- file_permissions_efi_user_cfg
-- file_permissions_etc_group
-- partition_for_dev_shm
-- iptables_rules_for_open_ports
-- partition_for_var_log
-- auditd_data_retention_action_mail_acct
-- audit_rules_dac_modification_fchownat
-- dconf_gnome_disable_autorun
-- dconf_gnome_login_banner_text
-- directory_permissions_var_log_audit
-- accounts_umask_etc_profile
-- file_groupowner_cron_monthly
-- audit_rules_dac_modification_fchmod
-- set_firewalld_appropriate_zone
-- selinux_confinement_of_daemons
-- banner_etc_issue
-- sysctl_net_ipv4_conf_all_accept_source_route
-- set_password_hashing_algorithm_passwordauth
-- file_owner_etc_gshadow
-- sysctl_net_ipv4_conf_all_log_martians
-- gnome_gdm_disable_xdmcp
-- accounts_password_pam_pwhistory_remember_password_auth
-- package_audit_installed
-- mount_option_dev_shm_nodev
-- audit_rules_dac_modification_fsetxattr
-- no_forward_files
-- package_dovecot_removed
-- ensure_gpgcheck_globally_activated
-- accounts_password_set_warn_age_existing
-- audit_rules_networkconfig_modification
-- audit_rules_networkconfig_modification_network_scripts
-- gid_passwd_group_same
-- 
file_groupownership_sshd_pub_key
-- audit_rules_unsuccessful_file_modification_open
-- audit_rules_dac_modification_setxattr
-- audit_rules_login_events_lastlog
-- audit_rules_suid_auid_privilege_function
-- mount_option_var_nodev
-- file_owner_grub2_cfg
-- mount_option_var_log_audit_nodev
-- partition_for_home
-- file_cron_allow_exists
-- file_owner_etc_passwd
-- mount_option_var_tmp_nosuid
-- sysctl_net_ipv6_conf_default_accept_source_route
-- file_ownership_sshd_private_key
-- package_net-snmp_removed
-- service_bluetooth_disabled
-- file_groupowner_etc_motd
-- dir_perms_world_writable_sticky_bits
-- file_owner_etc_issue_net
-- mount_option_var_log_audit_nosuid
-- sshd_enable_warning_banner_net
-- file_permissions_cron_weekly
-- sshd_use_strong_kex
-- chronyd_run_as_chrony_user
-- sshd_disable_gssapi_auth
-- file_owner_efi_user_cfg
-- set_ip6tables_default_rule
-- accounts_password_pam_pwhistory_remember_system_auth
-- service_firewalld_enabled
-- audit_rules_media_export
-- service_auditd_enabled
-- accounts_tmout
-- package_mcstrans_removed
-- audit_rules_time_watch_localtime
-- file_ownership_audit_configuration
-- file_owner_etc_group
-- audit_rules_privileged_commands_usermod
-- file_groupowner_etc_group
-- file_permissions_grub2_cfg
-- package_xinetd_removed
-- accounts_password_pam_maxrepeat
-- package_samba_removed
-- audit_rules_file_deletion_events_unlinkat
-- audit_rules_kernel_module_loading_finit
-- file_permissions_etc_motd
-- file_ownership_sshd_pub_key
-- audit_rules_dac_modification_fchmodat
-- file_groupowner_cron_allow
-- audit_rules_time_stime
-- audit_rules_time_adjtimex
-- file_ownership_audit_binaries
-- file_owner_user_cfg
-- mount_option_var_log_nosuid
-- package_rsync_removed
-- sysctl_net_ipv4_tcp_syncookies
-- file_permissions_etc_shells
-- coredump_disable_storage
-- package_cyrus-imapd_removed
-- package_libselinux_installed
-- package_dhcp_removed
-- file_groupownership_audit_configuration
-- banner_etc_motd
-- 
sysctl_net_ipv4_conf_all_secure_redirects
-- selinux_not_disabled
-- package_audit-libs_installed
-- kernel_module_sctp_disabled
-- file_groupowner_etc_passwd
-- accounts_password_pam_dictcheck
-- auditd_data_disk_full_action
-- file_groupowner_efi_grub2_cfg
-- account_disable_post_pw_expiration
-- audit_rules_dac_modification_lsetxattr
-- journald_compress
-- sysctl_net_ipv6_conf_all_accept_source_route
-- account_unique_id
-- package_pam_pwquality_installed
-- sysctl_net_ipv6_conf_default_accept_redirects
-- file_permissions_etc_shadow
-- sshd_use_approved_ciphers
-- journald_forward_to_syslog
-- accounts_password_pam_minlen
-- audit_rules_usergroup_modification_passwd
-- package_chrony_installed
-- dconf_gnome_session_idle_user_locks
-- sysctl_net_ipv4_ip_forward
-- audit_rules_execution_chcon
-- audit_rules_immutable
-- file_owner_backup_etc_gshadow
-- kernel_module_cramfs_disabled
-- kernel_module_hfs_disabled
-- audit_rules_kernel_module_loading_query
-- package_dnsmasq_removed
-- sysctl_net_ipv4_conf_all_accept_redirects
-- ip6tables_rules_for_open_ports
-- file_owner_cron_daily
-- mount_option_home_nodev
-- audit_rules_kernel_module_loading_create
-- sshd_use_strong_macs
-- set_loopback_traffic
-- audit_rules_time_clock_settime
-- file_permissions_backup_etc_group
-- audit_rules_dac_modification_lremovexattr
-- mount_option_home_nosuid
-- no_shelllogin_for_systemaccounts
-- sshd_disable_empty_passwords
-- audit_rules_unsuccessful_file_modification_openat
-- accounts_password_last_change_is_in_past
-- banner_etc_issue_net
-- rsyslog_files_permissions
-- sshd_do_not_permit_user_env
-- accounts_user_interactive_home_directory_exists
-- sysctl_net_ipv6_conf_all_forwarding
-- sshd_disable_root_login
-- selinux_state
-- file_permissions_unauthorized_world_writable
-- file_groupowner_crontab
-- kernel_module_rds_disabled
-- file_groupowner_etc_shadow
-- package_tftp_removed
-- sshd_set_keepalive
-- kernel_module_tipc_disabled
-- file_groupowner_cron_daily
-- 
file_owner_cron_hourly
-- set_password_hashing_algorithm_systemauth
-- sysctl_net_ipv4_conf_all_send_redirects
-- sysctl_kernel_yama_ptrace_scope
-- file_owner_efi_grub2_cfg
-- file_permissions_audit_configuration
-- kernel_module_usb-storage_disabled
-- sysctl_net_ipv4_conf_default_accept_source_route
-- file_permissions_cron_daily
-- file_permissions_efi_grub2_cfg
-- auditd_data_disk_error_action
-- accounts_set_post_pw_existing
-- file_groupownership_sshd_private_key
-- file_groupowner_cron_d
-- sshd_set_max_auth_tries
-- sysctl_net_ipv4_conf_default_secure_redirects
-- file_etc_security_opasswd
-- sysctl_net_ipv4_conf_default_send_redirects
-- sysctl_net_ipv6_conf_all_accept_ra
-- mount_option_var_log_noexec
-- file_permissions_crontab
-- audit_rules_privileged_commands
-- auditd_data_retention_max_log_file
-- audit_rules_kernel_module_loading_delete
-- audit_rules_session_events
-- require_singleuser_auth
-- aide_periodic_cron_checking
-- package_firewalld_installed
-- package_iptables_installed
-- mount_option_var_log_nodev
-- use_pam_wheel_group_for_su
-- kernel_module_jffs2_disabled
-- sudo_require_authentication
-- package_ftp_removed
-- sshd_set_login_grace_time
-- set_password_hashing_algorithm_libuserconf
-- file_permissions_cron_hourly
-- audit_rules_time_settimeofday
-- var_user_initialization_files_regex=all_dotfiles
-- var_accounts_user_umask=027
-- var_accounts_tmout=15_min
-- var_account_disable_post_pw_expiration=30
-- var_accounts_password_warn_age_login_defs=7
-- var_accounts_maximum_age_login_defs=365
-- var_password_hashing_algorithm=SHA512
-- var_password_pam_remember_control_flag=requisite_or_required
-- var_password_pam_remember=24
-- var_password_pam_dictcheck=1
-- var_password_pam_maxrepeat=3
-- var_password_pam_minclass=4
-- var_password_pam_minlen=14
-- var_password_pam_difok=2
-- var_accounts_passwords_pam_faillock_unlock_time=900
-- var_accounts_passwords_pam_faillock_deny=5
-- var_pam_wheel_group_for_su=cis
-- 
var_sudo_timestamp_timeout=15_minutes
-- var_sudo_logfile=var_log_sudo_log
-- var_sshd_set_maxstartups=10:30:60
-- var_sshd_max_sessions=10
-- sshd_max_auth_tries_value=4
-- sshd_strong_macs=cis_rhel7
-- var_sshd_set_login_grace_time=60
-- sshd_strong_kex=cis_rhel7
-- sshd_idle_timeout_value=5_minutes
-- var_sshd_set_keepalive=1
-- sshd_approved_ciphers=cis_rhel7
-- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-- sysctl_net_ipv4_tcp_syncookies_value=enabled
-- sysctl_net_ipv4_conf_all_log_martians_value=enabled
-- sysctl_net_ipv4_conf_default_log_martians_value=enabled
-- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-- sysctl_net_ipv6_conf_all_forwarding_value=disabled
-- var_postfix_inet_interfaces=loopback-only
-- var_multiple_time_servers=rhel
-- inactivity_timeout_value=15_minutes
-- var_screensaver_lock_delay=5_seconds
-- remote_login_banner_text=cis_banners
-- login_banner_text=cis_banners
-- motd_banner_text=cis_banners
-- var_selinux_policy_name=targeted
-- var_auditd_space_left_action=cis_rhel7
-- var_auditd_action_mail_acct=root
-- var_auditd_admin_space_left_action=cis_rhel7
-- 
var_auditd_disk_full_action=cis_rhel7
-- var_auditd_disk_error_action=cis_rhel7
-- var_auditd_max_log_file_action=keep_logs
-- var_auditd_max_log_file=6
-- var_selinux_state=enforcing
-unselected_groups: []
-platforms: !!set {}
-cpe_names: !!set {}
-platform: null
-filter_rules: ''
-policies:
-- cis_rhel7
-title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
-definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_workstation_l2.profile
-documentation_complete: true
diff --git a/tests/data/profile_stability/rhel7/e8.profile b/tests/data/profile_stability/rhel7/e8.profile
deleted file mode 100644
index c2124c00b41..00000000000
--- a/tests/data/profile_stability/rhel7/e8.profile
+++ /dev/null
@@ -1,113 +0,0 @@
-description: 'This profile contains configuration checks for Red Hat Enterprise Linux - 7 - - that align to the Australian Cyber Security Centre (ACSC) Essential Eight. - - - A copy of the Essential Eight in Linux Environments guide can be found at the - - ACSC website: - - - https://www.cyber.gov.au/publications/essential-eight-in-linux-environments'
-documentation_complete: true
-selections:
-- accounts_no_uid_except_zero
-- audit_rules_dac_modification_chmod
-- audit_rules_dac_modification_chown
-- audit_rules_execution_chcon
-- audit_rules_execution_restorecon
-- audit_rules_execution_semanage
-- audit_rules_execution_setfiles
-- audit_rules_execution_setsebool
-- audit_rules_execution_seunshare
-- audit_rules_kernel_module_loading
-- audit_rules_login_events
-- audit_rules_login_events_faillock
-- audit_rules_login_events_lastlog
-- audit_rules_login_events_tallylog
-- audit_rules_networkconfig_modification
-- audit_rules_sysadmin_actions
-- audit_rules_time_adjtimex
-- audit_rules_time_clock_settime
-- audit_rules_time_settimeofday
-- audit_rules_time_stime
-- audit_rules_time_watch_localtime
-- audit_rules_usergroup_modification
-- auditd_data_retention_flush
-- auditd_freq
-- auditd_local_events
-- auditd_log_format
-- auditd_name_format
-- auditd_write_logs
-- dir_perms_world_writable_sticky_bits
-- ensure_gpgcheck_globally_activated
-- ensure_gpgcheck_local_packages
-- ensure_gpgcheck_never_disabled
-- ensure_redhat_gpgkey_installed
-- file_ownership_binary_dirs
-- file_ownership_library_dirs
-- file_permissions_binary_dirs
-- file_permissions_library_dirs
-- file_permissions_unauthorized_sgid
-- file_permissions_unauthorized_suid
-- file_permissions_unauthorized_world_writable
-- mount_option_dev_shm_nodev
-- mount_option_dev_shm_noexec
-- mount_option_dev_shm_nosuid
-- network_sniffer_disabled
-- no_empty_passwords
-- package_firewalld_installed
-- package_quagga_removed
-- package_rear_installed
-- package_rsh-server_removed
-- 
package_rsh_removed
-- package_rsyslog_installed
-- package_squid_removed
-- package_talk-server_removed
-- package_talk_removed
-- package_telnet-server_removed
-- package_telnet_removed
-- package_xinetd_removed
-- package_ypbind_removed
-- rpm_verify_hashes
-- rpm_verify_ownership
-- rpm_verify_permissions
-- security_patches_up_to_date
-- selinux_policytype
-- selinux_state
-- service_auditd_enabled
-- service_avahi-daemon_disabled
-- service_firewalld_enabled
-- service_rsyslog_enabled
-- service_squid_disabled
-- service_telnet_disabled
-- service_xinetd_disabled
-- service_zebra_disabled
-- sshd_allow_only_protocol2
-- sshd_disable_empty_passwords
-- sshd_disable_gssapi_auth
-- sshd_disable_rhosts
-- sshd_disable_rhosts_rsa
-- sshd_disable_root_login
-- sshd_disable_user_known_hosts
-- sshd_do_not_permit_user_env
-- sshd_enable_strictmodes
-- sshd_print_last_log
-- sshd_set_loglevel_info
-- sshd_use_strong_ciphers
-- sshd_use_strong_macs
-- sudo_remove_no_authenticate
-- sudo_remove_nopasswd
-- sudo_require_authentication
-- sysctl_kernel_dmesg_restrict
-- sysctl_kernel_exec_shield
-- sysctl_kernel_kexec_load_disabled
-- sysctl_kernel_kptr_restrict
-- sysctl_kernel_randomize_va_space
-- sysctl_kernel_yama_ptrace_scope
-- var_selinux_state=enforcing
-- var_selinux_policy_name=targeted
-- var_auditd_flush=incremental_async
-- var_accounts_passwords_pam_faillock_dir=run
-title: Australian Cyber Security Centre (ACSC) Essential Eight
diff --git a/tests/data/profile_stability/rhel7/pci-dss.profile b/tests/data/profile_stability/rhel7/pci-dss.profile
deleted file mode 100644
index 7bf1bc72d9f..00000000000
--- a/tests/data/profile_stability/rhel7/pci-dss.profile
+++ /dev/null
@@ -1,317 +0,0 @@ -description: 'Payment Card Industry - Data Security Standard (PCI-DSS) is a set of - - security standards designed to ensure the secure handling of payment card - - data, with the goal of preventing data breaches and protecting sensitive - - financial information. - - - This profile ensures Red Hat Enterprise Linux 7 is configured in alignment - - with PCI-DSS v4.0 requirements.' -extends: null -hidden: '' -metadata: - version: '4.0' - SMEs: - - marcusburghardt - - mab879 - - vojtapolasek -reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf -selections: -- accounts_password_set_max_life_existing -- audit_rules_file_deletion_events_rename -- audit_rules_file_deletion_events_unlink -- no_files_unowned_by_user -- dconf_gnome_screensaver_idle_delay -- file_owner_cron_d -- audit_rules_dac_modification_lchown -- file_permissions_cron_hourly -- accounts_root_gid_zero -- audit_rules_usergroup_modification_passwd -- audit_rules_dac_modification_chmod -- rpm_verify_ownership -- accounts_tmout -- file_groupowner_cron_allow -- file_owner_backup_etc_shadow -- nftables_ensure_default_deny_policy -- file_groupowner_crontab -- dconf_db_up_to_date -- sysctl_net_ipv4_conf_all_secure_redirects -- accounts_no_uid_except_zero -- file_groupowner_cron_d -- kernel_module_usb-storage_disabled -- file_groupowner_backup_etc_group -- audit_rules_dac_modification_removexattr -- file_groupowner_backup_etc_shadow -- package_telnet-server_removed -- package_rsh_removed -- service_auditd_enabled -- sshd_set_max_sessions -- sshd_use_strong_kex -- security_patches_up_to_date -- sysctl_net_ipv4_conf_default_accept_redirects -- file_groupowner_cron_monthly -- file_owner_grub2_cfg -- audit_rules_dac_modification_fchmod -- ensure_root_password_configured -- sshd_disable_rhosts -- sudo_custom_logfile -- no_empty_passwords -- package_tftp_removed -- file_owner_etc_shadow -- accounts_passwords_pam_faillock_unlock_time -- 
accounts_passwords_pam_faillock_deny -- rsyslog_files_ownership -- account_disable_post_pw_expiration -- sysctl_net_ipv6_conf_default_accept_source_route -- audit_rules_dac_modification_fremovexattr -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- wireless_disable_interfaces -- coredump_disable_backtraces -- service_chronyd_or_ntpd_enabled -- dconf_gnome_disable_automount_open -- chronyd_specify_remote_server -- dconf_gnome_screensaver_idle_activation_enabled -- file_groupowner_etc_group -- no_direct_root_logins -- sshd_set_idle_timeout -- accounts_password_all_shadowed -- audit_rules_dac_modification_setxattr -- auditd_data_retention_admin_space_left_action -- file_permissions_etc_passwd -- file_permissions_grub2_cfg -- package_cryptsetup-luks_installed -- rsyslog_files_permissions -- gid_passwd_group_same -- file_owner_cron_weekly -- chronyd_run_as_chrony_user -- file_permissions_backup_etc_shadow -- coredump_disable_storage -- audit_rules_sysadmin_actions -- grub2_audit_argument -- account_unique_id -- package_firewalld_installed -- file_groupowner_etc_issue_net -- file_permissions_user_cfg -- auditd_audispd_syslog_plugin_activated -- sudo_add_use_pty -- ensure_gpgcheck_never_disabled -- use_pam_wheel_group_for_su -- bios_enable_execution_restrictions -- audit_rules_session_events -- audit_rules_media_export -- no_password_auth_for_systemaccounts -- auditd_data_retention_space_left -- audit_rules_login_events_faillock -- rpm_verify_hashes -- accounts_set_post_pw_existing -- service_nftables_disabled -- accounts_password_set_warn_age_existing -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- audit_rules_mac_modification -- ntpd_specify_multiple_servers -- audit_rules_time_settimeofday -- sshd_use_approved_macs -- sysctl_fs_suid_dumpable -- sysctl_net_ipv4_ip_forward -- audit_rules_dac_modification_lsetxattr -- accounts_password_pam_dcredit -- accounts_password_pam_unix_remember -- file_permissions_sshd_config -- no_empty_passwords_etc_shadow -- 
audit_rules_file_deletion_events_unlinkat -- file_permissions_backup_etc_group -- file_groupowner_user_cfg -- sshd_use_approved_ciphers -- audit_rules_immutable -- audit_rules_file_deletion_events_renameat -- file_group_ownership_var_log_audit -- package_aide_installed -- file_permissions_etc_group -- ensure_shadow_group_empty -- accounts_password_pam_minlen -- configure_firewalld_ports -- file_groupowner_etc_passwd -- audit_rules_usergroup_modification_gshadow -- audit_rules_suid_privilege_function -- group_unique_id -- sshd_do_not_permit_user_env -- file_permissions_cron_weekly -- dconf_gnome_disable_automount -- audit_rules_time_clock_settime -- file_permissions_cron_d -- selinux_confinement_of_daemons -- ensure_pam_wheel_group_empty -- ensure_gpgcheck_globally_activated -- file_permissions_backup_etc_passwd -- no_shelllogin_for_systemaccounts -- sshd_disable_empty_passwords -- file_owner_etc_issue_net -- sshd_disable_x11_forwarding -- audit_rules_usergroup_modification_group -- audit_rules_dac_modification_fchownat -- auditd_data_retention_space_left_action -- group_unique_name -- dir_perms_world_writable_sticky_bits -- package_ypserv_removed -- set_ip6tables_default_rule -- sshd_set_login_grace_time -- file_owner_etc_passwd -- accounts_password_warn_age_login_defs -- network_nmcli_permissions -- package_sudo_installed -- file_groupowner_cron_weekly -- selinux_state -- file_permissions_var_log_audit -- file_owner_user_cfg -- file_groupowner_cron_daily -- sysctl_net_ipv4_tcp_syncookies -- file_owner_crontab -- package_talk_removed -- package_chrony_installed -- audit_rules_login_events_lastlog -- audit_rules_time_watch_localtime -- dconf_gnome_screensaver_mode_blank -- file_owner_cron_hourly -- package_libselinux_installed -- file_groupowner_backup_etc_passwd -- sshd_set_loglevel_verbose -- audit_rules_dac_modification_fchown -- file_permissions_etc_shadow -- kernel_module_dccp_disabled -- package_ftp_removed -- package_telnet_removed -- 
service_avahi-daemon_disabled -- package_audispd-plugins_installed -- file_permissions_cron_monthly -- file_permissions_cron_allow -- sudo_require_authentication -- audit_rules_dac_modification_fchmodat -- securetty_root_login_console_only -- audit_rules_dac_modification_fsetxattr -- set_password_hashing_algorithm_libuserconf -- service_rsyncd_disabled -- set_firewalld_default_zone -- audit_rules_networkconfig_modification -- file_permissions_sshd_private_key -- rsyslog_files_groupownership -- service_rpcbind_disabled -- sysctl_kernel_randomize_va_space -- package_tftp-server_removed -- file_owner_backup_etc_group -- file_ownership_var_log_audit -- file_permissions_ungroupowned -- audit_rules_time_adjtimex -- sysctl_net_ipv4_conf_all_send_redirects -- accounts_password_pam_lcredit -- audit_rules_login_events_tallylog -- install_PAE_kernel_on_x86-32 -- file_permissions_unauthorized_world_writable -- ensure_redhat_gpgkey_installed -- auditd_name_format -- grub2_enable_selinux -- accounts_maximum_age_login_defs -- kernel_module_sctp_disabled -- file_permissions_cron_daily -- set_password_hashing_algorithm_logindefs -- sudo_require_reauthentication -- directory_access_var_log_audit -- dconf_gnome_session_idle_user_locks -- ntpd_specify_remote_server -- aide_periodic_cron_checking -- gnome_gdm_disable_guest_login -- dconf_gnome_screensaver_lock_delay -- grub2_audit_backlog_limit_argument -- sysctl_net_ipv4_conf_default_send_redirects -- sshd_enable_pam -- sshd_disable_tcp_forwarding -- dconf_gnome_screensaver_lock_enabled -- package_nftables_installed -- disable_users_coredumps -- audit_rules_usergroup_modification_shadow -- file_permissions_sshd_pub_key -- accounts_password_pam_pwhistory_remember_password_auth -- display_login_attempts -- file_cron_deny_not_exist -- file_groupowner_grub2_cfg -- package_xinetd_removed -- audit_rules_time_stime -- selinux_policytype -- sysctl_net_ipv4_conf_all_rp_filter -- package_ypbind_removed -- package_audit_installed -- 
service_ntpd_enabled -- file_owner_cron_allow -- sshd_disable_root_login -- account_unique_name -- package_talk-server_removed -- audit_rules_dac_modification_lremovexattr -- audit_rules_file_deletion_events_rmdir -- file_owner_cron_monthly -- package_dhcp_removed -- sshd_set_keepalive -- file_groupowner_etc_shadow -- accounts_password_last_change_is_in_past -- file_permissions_etc_issue_net -- file_at_deny_not_exist -- aide_build_database -- set_password_hashing_algorithm_systemauth -- file_permissions_crontab -- disable_host_auth -- file_owner_cron_daily -- package_logrotate_installed -- postfix_network_listening_disabled -- gnome_gdm_disable_automatic_login -- file_owner_etc_group -- package_rsh-server_removed -- file_owner_backup_etc_passwd -- service_firewalld_enabled -- audit_rules_dac_modification_chown -- accounts_password_pam_pwhistory_remember_system_auth -- package_net-snmp_removed -- sshd_limit_user_access -- audit_sudo_log_events -- network_sniffer_disabled -- sshd_set_max_auth_tries -- sshd_set_maxstartups -- file_groupowner_cron_hourly -- audit_rules_usergroup_modification_opasswd -- var_multiple_time_servers=generic -- var_auditd_admin_space_left_action=single -- var_auditd_space_left=100MB -- var_auditd_space_left_action=email -- var_auditd_name_format=fqd -- var_accounts_maximum_age_login_defs=90 -- var_accounts_password_warn_age_login_defs=7 -- var_password_pam_unix_remember=4 -- var_password_pam_remember=4 -- var_password_pam_remember_control_flag=requisite_or_required -- var_password_pam_dcredit=1 -- var_password_pam_lcredit=1 -- var_password_pam_minlen=12 -- var_accounts_passwords_pam_faillock_deny=10 -- var_accounts_passwords_pam_faillock_unlock_time=1800 -- var_password_pam_tally2=10 -- var_accounts_passwords_pam_tally2_unlock_time=1800 -- var_password_hashing_algorithm=SHA512 -- inactivity_timeout_value=15_minutes -- var_screensaver_lock_delay=10_seconds -- sshd_idle_timeout_value=15_minutes -- var_sshd_set_keepalive=1 -- 
var_account_disable_post_pw_expiration=90 -- var_system_crypto_policy=default_policy -- var_sshd_set_login_grace_time=60 -- var_postfix_inet_interfaces=loopback-only -- var_selinux_policy_name=targeted -- var_selinux_state=enforcing -unselected_groups: [] -platforms: !!set {} -cpe_names: !!set {} -platform: null -filter_rules: '' -policies: -- pcidss_4 -title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7 -documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/stig.profile b/tests/data/profile_stability/rhel7/stig.profile deleted file mode 100644 index 14a42c37b1f..00000000000 --- a/tests/data/profile_stability/rhel7/stig.profile +++ /dev/null 
@@ -1,365 +0,0 @@ -description: 'This profile contains configuration checks that align to the - - DISA STIG for Red Hat Enterprise Linux V3R14. - - - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes - this - - configuration baseline as applicable to the operating system tier of - - Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: - - - - Red Hat Enterprise Linux Server - - - Red Hat Enterprise Linux Workstation and Desktop - - - Red Hat Enterprise Linux for HPC - - - Red Hat Storage - - - Red Hat Containers with a Red Hat Enterprise Linux 7 image' -extends: null -hidden: '' -metadata: - version: V3R14 - SMEs: - - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -selections: -- mount_option_dev_shm_noexec -- grub2_enable_fips_mode -- sshd_disable_rhosts_rsa -- auditd_audispd_remote_daemon_type -- mount_option_nosuid_remote_filesystems -- sudo_remove_nopasswd -- sssd_ldap_configure_tls_reqcert -- sssd_enable_pam_services -- account_disable_post_pw_expiration -- accounts_umask_interactive_users -- dconf_gnome_screensaver_lock_enabled -- sysctl_net_ipv4_conf_all_rp_filter -- accounts_user_dot_user_ownership -- audit_rules_system_shutdown -- dconf_gnome_banner_enabled -- service_sshd_enabled -- auditd_audispd_remote_daemon_activated -- dconf_gnome_screensaver_lock_delay -- installed_OS_is_vendor_supported -- audit_rules_dac_modification_lsetxattr -- audit_rules_suid_privilege_function -- package_rsh-server_removed -- audit_rules_execution_semanage -- account_temp_expire_date -- dconf_gnome_disable_ctrlaltdel_reboot -- accounts_user_home_paths_only -- audit_rules_usergroup_modification_group -- mount_option_nosuid_removable_partitions -- selinux_confine_to_least_privilege -- dconf_gnome_disable_automount -- auditd_data_retention_action_mail_acct -- clean_components_post_updating -- audit_rules_privileged_commands_pam_timestamp_check -- 
audit_rules_dac_modification_fchownat -- file_permissions_sshd_pub_key -- sysctl_net_ipv4_conf_default_rp_filter -- audit_rules_privileged_commands_mount -- grub2_password -- dconf_gnome_disable_autorun -- dconf_gnome_login_banner_text -- sysctl_net_ipv6_conf_all_accept_source_route -- accounts_passwords_pam_faillock_interval -- gnome_gdm_disable_guest_login -- audit_rules_privileged_commands_userhelper -- auditd_audispd_configure_remote_server -- dconf_gnome_screensaver_idle_activation_enabled -- sshd_enable_warning_banner -- sshd_disable_compression -- accounts_password_pam_minlen -- audit_rules_usergroup_modification_passwd -- audit_rules_dac_modification_fchmod -- audit_rules_unsuccessful_file_modification_open_by_handle_at -- ensure_redhat_gpgkey_installed -- dconf_gnome_session_idle_user_locks -- audit_rules_privileged_commands_unix_chkpwd -- grub2_admin_username -- audit_rules_execution_chcon -- mount_option_dev_shm_nosuid -- aide_use_fips_hashes -- banner_etc_issue -- package_screen_installed -- rsyslog_remote_loghost -- sshd_allow_only_protocol2 -- sysctl_net_ipv4_conf_all_accept_source_route -- accounts_passwords_pam_faillock_deny -- package_mailx_installed -- audit_rules_sysadmin_actions -- dconf_gnome_enable_smartcard_auth -- mount_option_noexec_remote_filesystems -- set_password_hashing_algorithm_passwordauth -- audit_rules_privileged_commands_umount -- accounts_users_home_files_ownership -- file_permissions_var_log_audit -- audit_rules_dac_modification_chmod -- accounts_password_pam_pwhistory_remember_password_auth -- accounts_passwords_pam_faillock_deny_root -- audit_rules_dac_modification_lchown -- audit_rules_unsuccessful_file_modification_truncate -- mount_option_dev_shm_nodev -- audit_rules_dac_modification_fsetxattr -- ensure_gpgcheck_globally_activated -- auditd_name_format -- file_groupownership_home_directories -- gid_passwd_group_same -- audit_rules_file_deletion_events_unlink -- sshd_set_keepalive_0 -- 
sysctl_net_ipv4_conf_all_accept_redirects -- kernel_module_dccp_disabled -- package_ypserv_removed -- accounts_password_pam_retry -- file_permissions_home_directories -- partition_for_tmp -- wireless_disable_interfaces -- agent_mfetpd_running -- audit_rules_dac_modification_setxattr -- audit_rules_unsuccessful_file_modification_open -- sshd_x11_use_localhost -- mount_option_krb_sec_remote_filesystems -- audit_rules_login_events_lastlog -- auditd_audispd_remote_daemon_path -- dir_perms_world_writable_system_owned_group -- audit_rules_kernel_module_loading_create -- accounts_minimum_age_login_defs -- audit_rules_file_deletion_events_rmdir -- audit_rules_login_events_faillock -- disable_host_auth -- partition_for_home -- rpm_verify_hashes -- rpm_verify_permissions -- libreswan_approved_tunnels -- sshd_disable_user_known_hosts -- audit_rules_usergroup_modification_shadow -- network_sniffer_disabled -- audit_rules_dac_modification_lremovexattr -- mount_option_home_nosuid -- display_login_attempts -- auditd_audispd_disk_full_action -- audit_rules_dac_modification_fchown -- accounts_have_homedir_login_defs -- audit_rules_unsuccessful_file_modification_openat -- package_vsftpd_removed -- sshd_disable_empty_passwords -- security_patches_up_to_date -- accounts_password_pam_difok -- smartcard_auth -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- sshd_do_not_permit_user_env -- rpm_verify_ownership -- audit_rules_privileged_commands_chage -- accounts_user_interactive_home_directory_exists -- audit_rules_dac_modification_fremovexattr -- smartcard_configure_cert_checking -- accounts_maximum_age_login_defs -- audit_rules_file_deletion_events_renameat -- sshd_disable_rhosts -- auditd_overflow_action -- file_owner_cron_allow -- selinux_all_devicefiles_labeled -- sudoers_validate_passwd -- sysctl_kernel_dmesg_restrict -- accounts_users_home_files_permissions -- snmpd_not_default_password -- sshd_disable_root_login -- accounts_authorized_local_users -- 
audit_rules_privileged_commands_newgrp -- dconf_gnome_screensaver_lock_locked -- disable_ctrlaltdel_reboot -- file_ownership_var_log_audit -- postfix_prevent_unrestricted_relay -- selinux_state -- sudo_require_reauthentication -- tftpd_uses_secure_mode -- aide_verify_ext_attributes -- sysctl_net_ipv4_conf_default_accept_redirects -- no_empty_passwords -- accounts_password_set_min_life_existing -- dconf_gnome_screensaver_idle_activation_locked -- sshd_use_approved_kex_ordered_stig -- sudoers_default_includedir -- auditd_data_retention_space_left_action -- no_host_based_files -- sudo_remove_no_authenticate -- configure_firewalld_ports -- selinux_policytype -- file_ownership_home_directories -- grub2_no_removeable_media -- sshd_set_idle_timeout -- sysctl_net_ipv4_conf_all_send_redirects -- set_password_hashing_algorithm_systemauth -- dconf_gnome_screensaver_user_locks -- accounts_password_pam_ucredit -- accounts_password_pam_maxclassrepeat -- audit_rules_dac_modification_chown -- dconf_gnome_screensaver_idle_delay -- rsyslog_cron_logging -- rsyslog_nolisten -- audit_rules_privileged_commands_passwd -- sshd_disable_gssapi_auth -- sshd_print_last_log -- aide_verify_acls -- audit_rules_privileged_commands_crontab -- dir_perms_world_writable_system_owned -- audit_rules_privileged_commands_gpasswd -- sudo_restrict_privilege_elevation_to_authorized -- accounts_password_pam_pwhistory_remember_system_auth -- accounts_max_concurrent_login_sessions -- aide_build_database -- kernel_module_usb-storage_disabled -- set_firewalld_default_zone -- auditd_data_retention_space_left_percentage -- package_aide_installed -- package_mcafeetp_installed -- audit_rules_media_export -- service_auditd_enabled -- service_firewalld_enabled -- sshd_use_approved_macs_ordered_stig -- sysctl_net_ipv4_conf_default_accept_source_route -- audit_rules_privileged_commands_chsh -- accounts_tmout -- install_smartcard_packages -- accounts_password_set_max_life_existing -- ensure_gpgcheck_local_packages -- 
sshd_disable_kerb_auth -- sshd_disable_x11_forwarding -- service_autofs_disabled -- no_user_host_based_files -- audit_rules_privileged_commands_su -- accounts_password_pam_ocredit -- accounts_password_pam_dcredit -- audit_rules_execution_setsebool -- sysctl_net_ipv4_conf_default_send_redirects -- audit_rules_privileged_commands_kmod -- accounts_umask_etc_login_defs -- network_configure_name_resolution -- grub2_uefi_password -- accounts_user_dot_no_world_writable_programs -- set_password_hashing_algorithm_logindefs -- file_permissions_sshd_private_key -- sshd_enable_strictmodes -- sysctl_kernel_randomize_va_space -- auditd_audispd_network_failure_action -- package_openssh-server_installed -- grub2_uefi_admin_username -- accounts_password_pam_maxrepeat -- authconfig_config_files_symlinks -- accounts_no_uid_except_zero -- accounts_password_pam_lcredit -- sssd_ldap_start_tls -- accounts_passwords_pam_faillock_unlock_time -- audit_rules_file_deletion_events_rename -- audit_rules_kernel_module_loading_delete -- audit_rules_file_deletion_events_unlinkat -- partition_for_var -- auditd_audispd_remote_daemon_direction -- sebool_ssh_sysadm_login -- audit_rules_kernel_module_loading_finit -- chronyd_or_ntpd_set_maxpoll -- sshd_use_approved_ciphers_ordered_stig -- audit_rules_dac_modification_removexattr -- audit_rules_privileged_commands_postqueue -- auditd_audispd_encrypt_sent_records -- audit_rules_usergroup_modification_gshadow -- dconf_db_up_to_date -- install_antivirus -- audit_rules_dac_modification_fchmodat -- file_groupowner_cron_allow -- audit_rules_unsuccessful_file_modification_creat -- no_empty_passwords_etc_shadow -- aide_periodic_cron_checking -- accounts_logon_fail_delay -- require_singleuser_auth -- disallow_bypass_password_sudo -- sssd_ldap_configure_tls_ca -- sysctl_net_ipv4_ip_forward -- audit_rules_execution_setfiles -- selinux_user_login_roles -- package_tftp-server_removed -- audit_rules_unsuccessful_file_modification_ftruncate -- 
audit_rules_privileged_commands_postdrop -- file_permission_user_init_files -- gnome_gdm_disable_automatic_login -- uefi_no_removeable_media -- audit_rules_kernel_module_loading_init -- accounts_users_home_files_groupownership -- aide_scan_notification -- file_permissions_ungroupowned -- dconf_gnome_disable_automount_open -- no_files_unowned_by_user -- package_telnet-server_removed -- xwindows_remove_packages -- partition_for_var_log_audit -- audit_rules_privileged_commands_ssh_keysign -- audit_rules_usergroup_modification_opasswd -- accounts_user_dot_group_ownership -- audit_rules_privileged_commands_sudo -- dconf_gnome_disable_user_list -- set_password_hashing_algorithm_libuserconf -- service_kdump_disabled -- accounts_password_pam_minclass -- selinux_context_elevation_for_sudo -- sshd_use_priv_separation -- login_banner_text=dod_banners -- inactivity_timeout_value=15_minutes -- var_screensaver_lock_delay=5_seconds -- sshd_idle_timeout_value=10_minutes -- var_accounts_fail_delay=4 -- var_selinux_state=enforcing -- var_selinux_policy_name=targeted -- var_password_pam_minlen=15 -- var_password_pam_ocredit=1 -- var_password_pam_lcredit=1 -- var_password_pam_ucredit=1 -- var_accounts_passwords_pam_faillock_unlock_time=never -- var_accounts_passwords_pam_faillock_fail_interval=900 -- var_accounts_passwords_pam_faillock_deny=3 -- var_password_pam_unix_remember=5 -- var_password_pam_maxclassrepeat=4 -- var_password_pam_difok=8 -- var_password_pam_dcredit=1 -- var_password_pam_minclass=4 -- var_accounts_minimum_age_login_defs=1 -- var_password_pam_maxrepeat=3 -- var_accounts_maximum_age_login_defs=60 -- var_account_disable_post_pw_expiration=35 -- var_removable_partition=dev_cdrom -- var_auditd_action_mail_acct=root -- var_auditd_space_left_action=email -- var_auditd_space_left_percentage=25pc -- var_accounts_user_umask=077 -- var_password_pam_retry=3 -- var_accounts_max_concurrent_login_sessions=10 -- var_accounts_tmout=15_min -- 
var_accounts_authorized_local_users_regex=rhel7 -- var_time_service_set_maxpoll=18_hours -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -- var_audit_failure_mode=panic -- var_accounts_passwords_pam_faillock_dir=run -- sshd_required=yes -- var_sshd_set_keepalive=0 -- var_auditd_name_format=stig -- sssd_ldap_start_tls.severity=medium -unselected_groups: [] -platforms: !!set {} -cpe_names: !!set {} -platform: null -filter_rules: '' -policies: [] -title: DISA STIG for Red Hat Enterprise Linux 7 -definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/stig.profile -documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/stig_gui.profile b/tests/data/profile_stability/rhel7/stig_gui.profile deleted file mode 100644 index 4487ba41258..00000000000 --- a/tests/data/profile_stability/rhel7/stig_gui.profile +++ /dev/null 
@@ -1,375 +0,0 @@ -description: 'This profile contains configuration checks that align to the - - DISA STIG with GUI for Red Hat Enterprise Linux V3R14. - - - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes - this - - configuration baseline as applicable to the operating system tier of - - Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: - - - - Red Hat Enterprise Linux Server - - - Red Hat Enterprise Linux Workstation and Desktop - - - Red Hat Enterprise Linux for HPC - - - Red Hat Storage - - - Red Hat Containers with a Red Hat Enterprise Linux 7 image - - - Warning: The installation and use of a Graphical User Interface (GUI) - - increases your attack vector and decreases your overall security posture. If - - your Information Systems Security Officer (ISSO) lacks a documented operational - - requirement for a graphical user interface, please consider using the - - standard DISA STIG for Red Hat Enterprise Linux 7 profile.' -extends: null -hidden: '' -metadata: - version: V3R14 - SMEs: - - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -selections: -- mount_option_dev_shm_noexec -- grub2_enable_fips_mode -- sshd_disable_rhosts_rsa -- auditd_audispd_remote_daemon_type -- mount_option_nosuid_remote_filesystems -- sudo_remove_nopasswd -- sssd_ldap_configure_tls_reqcert -- sssd_enable_pam_services -- account_disable_post_pw_expiration -- accounts_umask_interactive_users -- dconf_gnome_screensaver_lock_enabled -- sysctl_net_ipv4_conf_all_rp_filter -- accounts_user_dot_user_ownership -- audit_rules_system_shutdown -- dconf_gnome_banner_enabled -- service_sshd_enabled -- auditd_audispd_remote_daemon_activated -- dconf_gnome_screensaver_lock_delay -- installed_OS_is_vendor_supported -- audit_rules_dac_modification_lsetxattr -- audit_rules_suid_privilege_function -- package_rsh-server_removed -- audit_rules_execution_semanage -- account_temp_expire_date 
-- dconf_gnome_disable_ctrlaltdel_reboot -- accounts_user_home_paths_only -- audit_rules_usergroup_modification_group -- mount_option_nosuid_removable_partitions -- selinux_confine_to_least_privilege -- dconf_gnome_disable_automount -- auditd_data_retention_action_mail_acct -- clean_components_post_updating -- audit_rules_privileged_commands_pam_timestamp_check -- audit_rules_dac_modification_fchownat -- file_permissions_sshd_pub_key -- sysctl_net_ipv4_conf_default_rp_filter -- audit_rules_privileged_commands_mount -- grub2_password -- dconf_gnome_disable_autorun -- dconf_gnome_login_banner_text -- sysctl_net_ipv6_conf_all_accept_source_route -- accounts_passwords_pam_faillock_interval -- gnome_gdm_disable_guest_login -- audit_rules_privileged_commands_userhelper -- auditd_audispd_configure_remote_server -- dconf_gnome_screensaver_idle_activation_enabled -- sshd_enable_warning_banner -- sshd_disable_compression -- accounts_password_pam_minlen -- audit_rules_usergroup_modification_passwd -- audit_rules_dac_modification_fchmod -- audit_rules_unsuccessful_file_modification_open_by_handle_at -- ensure_redhat_gpgkey_installed -- dconf_gnome_session_idle_user_locks -- audit_rules_privileged_commands_unix_chkpwd -- grub2_admin_username -- audit_rules_execution_chcon -- mount_option_dev_shm_nosuid -- aide_use_fips_hashes -- banner_etc_issue -- package_screen_installed -- rsyslog_remote_loghost -- sshd_allow_only_protocol2 -- sysctl_net_ipv4_conf_all_accept_source_route -- accounts_passwords_pam_faillock_deny -- package_mailx_installed -- audit_rules_sysadmin_actions -- dconf_gnome_enable_smartcard_auth -- mount_option_noexec_remote_filesystems -- set_password_hashing_algorithm_passwordauth -- audit_rules_privileged_commands_umount -- accounts_users_home_files_ownership -- file_permissions_var_log_audit -- audit_rules_dac_modification_chmod -- accounts_password_pam_pwhistory_remember_password_auth -- accounts_passwords_pam_faillock_deny_root -- 
audit_rules_dac_modification_lchown -- audit_rules_unsuccessful_file_modification_truncate -- mount_option_dev_shm_nodev -- audit_rules_dac_modification_fsetxattr -- ensure_gpgcheck_globally_activated -- auditd_name_format -- file_groupownership_home_directories -- gid_passwd_group_same -- audit_rules_file_deletion_events_unlink -- sshd_set_keepalive_0 -- sysctl_net_ipv4_conf_all_accept_redirects -- kernel_module_dccp_disabled -- package_ypserv_removed -- accounts_password_pam_retry -- file_permissions_home_directories -- partition_for_tmp -- wireless_disable_interfaces -- agent_mfetpd_running -- audit_rules_dac_modification_setxattr -- audit_rules_unsuccessful_file_modification_open -- sshd_x11_use_localhost -- mount_option_krb_sec_remote_filesystems -- audit_rules_login_events_lastlog -- auditd_audispd_remote_daemon_path -- dir_perms_world_writable_system_owned_group -- audit_rules_kernel_module_loading_create -- accounts_minimum_age_login_defs -- audit_rules_file_deletion_events_rmdir -- audit_rules_login_events_faillock -- disable_host_auth -- partition_for_home -- rpm_verify_hashes -- rpm_verify_permissions -- libreswan_approved_tunnels -- sshd_disable_user_known_hosts -- audit_rules_usergroup_modification_shadow -- network_sniffer_disabled -- audit_rules_dac_modification_lremovexattr -- mount_option_home_nosuid -- display_login_attempts -- auditd_audispd_disk_full_action -- audit_rules_dac_modification_fchown -- accounts_have_homedir_login_defs -- audit_rules_unsuccessful_file_modification_openat -- package_vsftpd_removed -- sshd_disable_empty_passwords -- security_patches_up_to_date -- accounts_password_pam_difok -- smartcard_auth -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- sshd_do_not_permit_user_env -- rpm_verify_ownership -- audit_rules_privileged_commands_chage -- accounts_user_interactive_home_directory_exists -- audit_rules_dac_modification_fremovexattr -- smartcard_configure_cert_checking -- accounts_maximum_age_login_defs -- 
audit_rules_file_deletion_events_renameat -- sshd_disable_rhosts -- auditd_overflow_action -- file_owner_cron_allow -- selinux_all_devicefiles_labeled -- sudoers_validate_passwd -- sysctl_kernel_dmesg_restrict -- accounts_users_home_files_permissions -- snmpd_not_default_password -- sshd_disable_root_login -- accounts_authorized_local_users -- audit_rules_privileged_commands_newgrp -- dconf_gnome_screensaver_lock_locked -- disable_ctrlaltdel_reboot -- file_ownership_var_log_audit -- postfix_prevent_unrestricted_relay -- selinux_state -- sudo_require_reauthentication -- tftpd_uses_secure_mode -- aide_verify_ext_attributes -- sysctl_net_ipv4_conf_default_accept_redirects -- no_empty_passwords -- accounts_password_set_min_life_existing -- dconf_gnome_screensaver_idle_activation_locked -- sshd_use_approved_kex_ordered_stig -- sudoers_default_includedir -- auditd_data_retention_space_left_action -- no_host_based_files -- sudo_remove_no_authenticate -- configure_firewalld_ports -- selinux_policytype -- file_ownership_home_directories -- grub2_no_removeable_media -- sshd_set_idle_timeout -- sysctl_net_ipv4_conf_all_send_redirects -- set_password_hashing_algorithm_systemauth -- dconf_gnome_screensaver_user_locks -- accounts_password_pam_ucredit -- accounts_password_pam_maxclassrepeat -- audit_rules_dac_modification_chown -- dconf_gnome_screensaver_idle_delay -- rsyslog_cron_logging -- rsyslog_nolisten -- audit_rules_privileged_commands_passwd -- sshd_disable_gssapi_auth -- sshd_print_last_log -- aide_verify_acls -- audit_rules_privileged_commands_crontab -- dir_perms_world_writable_system_owned -- audit_rules_privileged_commands_gpasswd -- sudo_restrict_privilege_elevation_to_authorized -- accounts_password_pam_pwhistory_remember_system_auth -- accounts_max_concurrent_login_sessions -- aide_build_database -- kernel_module_usb-storage_disabled -- set_firewalld_default_zone -- auditd_data_retention_space_left_percentage -- package_aide_installed -- package_mcafeetp_installed 
-- audit_rules_media_export -- service_auditd_enabled -- service_firewalld_enabled -- sshd_use_approved_macs_ordered_stig -- sysctl_net_ipv4_conf_default_accept_source_route -- audit_rules_privileged_commands_chsh -- accounts_tmout -- install_smartcard_packages -- accounts_password_set_max_life_existing -- ensure_gpgcheck_local_packages -- sshd_disable_kerb_auth -- sshd_disable_x11_forwarding -- service_autofs_disabled -- no_user_host_based_files -- audit_rules_privileged_commands_su -- accounts_password_pam_ocredit -- accounts_password_pam_dcredit -- audit_rules_execution_setsebool -- sysctl_net_ipv4_conf_default_send_redirects -- audit_rules_privileged_commands_kmod -- accounts_umask_etc_login_defs -- network_configure_name_resolution -- grub2_uefi_password -- accounts_user_dot_no_world_writable_programs -- set_password_hashing_algorithm_logindefs -- file_permissions_sshd_private_key -- sshd_enable_strictmodes -- sysctl_kernel_randomize_va_space -- auditd_audispd_network_failure_action -- package_openssh-server_installed -- grub2_uefi_admin_username -- accounts_password_pam_maxrepeat -- authconfig_config_files_symlinks -- accounts_no_uid_except_zero -- accounts_password_pam_lcredit -- sssd_ldap_start_tls -- accounts_passwords_pam_faillock_unlock_time -- audit_rules_file_deletion_events_rename -- audit_rules_kernel_module_loading_delete -- audit_rules_file_deletion_events_unlinkat -- partition_for_var -- auditd_audispd_remote_daemon_direction -- sebool_ssh_sysadm_login -- audit_rules_kernel_module_loading_finit -- chronyd_or_ntpd_set_maxpoll -- sshd_use_approved_ciphers_ordered_stig -- audit_rules_dac_modification_removexattr -- audit_rules_privileged_commands_postqueue -- auditd_audispd_encrypt_sent_records -- audit_rules_usergroup_modification_gshadow -- dconf_db_up_to_date -- install_antivirus -- audit_rules_dac_modification_fchmodat -- file_groupowner_cron_allow -- audit_rules_unsuccessful_file_modification_creat -- no_empty_passwords_etc_shadow -- 
aide_periodic_cron_checking -- accounts_logon_fail_delay -- require_singleuser_auth -- disallow_bypass_password_sudo -- sssd_ldap_configure_tls_ca -- sysctl_net_ipv4_ip_forward -- audit_rules_execution_setfiles -- selinux_user_login_roles -- package_tftp-server_removed -- audit_rules_unsuccessful_file_modification_ftruncate -- audit_rules_privileged_commands_postdrop -- file_permission_user_init_files -- gnome_gdm_disable_automatic_login -- uefi_no_removeable_media -- audit_rules_kernel_module_loading_init -- accounts_users_home_files_groupownership -- aide_scan_notification -- file_permissions_ungroupowned -- dconf_gnome_disable_automount_open -- no_files_unowned_by_user -- package_telnet-server_removed -- partition_for_var_log_audit -- audit_rules_privileged_commands_ssh_keysign -- audit_rules_usergroup_modification_opasswd -- accounts_user_dot_group_ownership -- audit_rules_privileged_commands_sudo -- dconf_gnome_disable_user_list -- set_password_hashing_algorithm_libuserconf -- service_kdump_disabled -- accounts_password_pam_minclass -- selinux_context_elevation_for_sudo -- sshd_use_priv_separation -- login_banner_text=dod_banners -- inactivity_timeout_value=15_minutes -- var_screensaver_lock_delay=5_seconds -- sshd_idle_timeout_value=10_minutes -- var_accounts_fail_delay=4 -- var_selinux_state=enforcing -- var_selinux_policy_name=targeted -- var_password_pam_minlen=15 -- var_password_pam_ocredit=1 -- var_password_pam_lcredit=1 -- var_password_pam_ucredit=1 -- var_accounts_passwords_pam_faillock_unlock_time=never -- var_accounts_passwords_pam_faillock_fail_interval=900 -- var_accounts_passwords_pam_faillock_deny=3 -- var_password_pam_unix_remember=5 -- var_password_pam_maxclassrepeat=4 -- var_password_pam_difok=8 -- var_password_pam_dcredit=1 -- var_password_pam_minclass=4 -- var_accounts_minimum_age_login_defs=1 -- var_password_pam_maxrepeat=3 -- var_accounts_maximum_age_login_defs=60 -- var_account_disable_post_pw_expiration=35 -- 
var_removable_partition=dev_cdrom -- var_auditd_action_mail_acct=root -- var_auditd_space_left_action=email -- var_auditd_space_left_percentage=25pc -- var_accounts_user_umask=077 -- var_password_pam_retry=3 -- var_accounts_max_concurrent_login_sessions=10 -- var_accounts_tmout=15_min -- var_accounts_authorized_local_users_regex=rhel7 -- var_time_service_set_maxpoll=18_hours -- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -- var_audit_failure_mode=panic -- var_accounts_passwords_pam_faillock_dir=run -- sshd_required=yes -- var_sshd_set_keepalive=0 -- var_auditd_name_format=stig -- sssd_ldap_start_tls.severity=medium -unselected_groups: [] -platforms: !!set {} -cpe_names: !!set {} -platform: null -filter_rules: '' -policies: [] -title: DISA STIG with GUI for Red Hat Enterprise Linux 7 -definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/stig_gui.profile -documentation_complete: true From b11fff34da9e444254e83e24f08b1e7c49b3effc Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 27 Jun 2024 09:03:45 -0500 Subject: [PATCH 02/11] Clean up missed RHEL 7 conditionals --- .../audit_rules_privileged_commands_sudo/rule.yml | 2 +- .../accounts-physical/require_singleuser_auth/rule.yml | 2 -- .../tests/pam_faillock_disabled.fail.sh | 4 ---- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml index dd294fa80df..848a5673817 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml @@ -1,4 +1,4 @@ -{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] or 'rhel' in product %}} {{%- set perm_x="-F perm=x " %}} {{%- endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 582092ad081..bce5581559a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -85,8 +85,6 @@ fixtext: |- Add or update the following line in "/usr/lib/systemd/system/rescue.service": {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - {{%- elif product in ["rhel7"] -%}} - ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" {{%- else -%}} ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" {{%- endif %}} diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh index 579e5670ea1..67c1b593bdb 100644 --- a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh 
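Review bot: The replacement condition `or 'rhel' in product` on the first line of the `audit_rules_privileged_commands_sudo/rule.yml` hunk is a substring test, not a product-id match, so it will also fire for any future product id that merely contains `rhel`, whereas the list membership it replaces matched exact ids only. Because this expression decides whether `-F perm=x` is emitted into the generated sudo audit rule, the widening changes what auditd is told to watch on any such product. A tighter form such as `or product.startswith("rhel")` keeps the intent of "every RHEL major" without the substring ambiguity. If the project already exposes a "RHEL-family product" helper it would be the better choice here, but none is visible from this hunk.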
@@ -1,10 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle -{{%- if product in ["rhel7"] %}} -# packages = authconfig -{{%- else %}} # packages = authselect -{{%- endif %}} # variables = var_accounts_passwords_pam_faillock_deny=3 if [ -f /usr/sbin/authconfig ]; then From 0ca8c6391fc1db2907d0f43060a61e92826f8243 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 27 Jun 2024 09:04:37 -0500 Subject: [PATCH 03/11] Clean up tests/stable_profile_ids.py due to RHEL 7 removal --- tests/stable_profile_ids.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/stable_profile_ids.py b/tests/stable_profile_ids.py index b6822e33e04..c969f2a0141 100755 --- a/tests/stable_profile_ids.py +++ b/tests/stable_profile_ids.py @@ -19,16 +19,14 @@ STABLE_PROFILE_IDS = { "FEDORA": ["standard", "ospp", "pci-dss"], - "RHEL-7": ["C2S", "cjis", "hipaa", "cui", "rht-ccp", - "ospp", "ncp", "pci-dss", "stig"], "RHEL-8": ["ospp", "pci-dss"], } BENCHMARK_TO_FILE_STEM = { "FEDORA": "fedora", - "RHEL-7": "rhel7", "RHEL-8": "rhel8", + "RHEL-9": "rhel9" } From 4710dde135824bdb434c157a2088c46f69e06b6b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 27 Jun 2024 09:05:36 -0500 Subject: [PATCH 04/11] Automatus docs to use RHEL9 --- tests/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/README.md b/tests/README.md index c0a9b5ec056..0f731287704 100644 --- a/tests/README.md +++ b/tests/README.md 
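Review bot: In the `tests/stable_profile_ids.py` hunk, `BENCHMARK_TO_FILE_STEM` gains `"RHEL-9": "rhel9"` while `STABLE_PROFILE_IDS` gets no matching `"RHEL-9"` entry, so the two dicts no longer share a key set. The consuming code is outside this hunk, but whichever dict drives the iteration, the mismatch is either a dead mapping or a `KeyError` on lookup, and the addition is unrelated to the "RHEL 7 removal" the commit describes. Either add a companion `"RHEL-9": [...]` list of stable profile ids or move the RHEL-9 mapping into its own commit. Also write it as `"RHEL-9": "rhel9",` with the trailing comma, matching the surrounding entries.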
@@ -43,7 +43,7 @@ To use Libvirt backend, you need to have: - Package `qemu-guest-agent` installed - Package `openscap` version 1.2.15 or higher installed - `root` can login via ssh (it is recommended to setup key-based authentication) - - `root` can install packages (for RHEL7, it means subscription enabled). + - `root` can install packages (for RHEL, it means subscription enabled). - `CPE_NAME` is present in `/etc/os-release`. Currently, Ubuntu doesn't ship it in the stock image. See [this Ubuntu bug](https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1472288). @@ -397,12 +397,12 @@ If you would like to test the rule `sshd_disable_kerb_auth`: Using Libvirt: ``` -./automatus.py rule --libvirt qemu:///system ssg-test-suite-rhel7 --datastream ../build/ssg-rhel7-ds.xml sshd_disable_kerb_auth +./automatus.py rule --libvirt qemu:///system ssg-test-suite-rhel9 --datastream ../build/ssg-rhel9-ds.xml sshd_disable_kerb_auth ``` Using Podman: ``` -./automatus.py rule --container ssg_test_suite --datastream ../build/ssg-rhel7-ds.xml sshd_disable_kerb_auth +./automatus.py rule --container ssg_test_suite --datastream ../build/ssg-rhel9-ds.xml sshd_disable_kerb_auth ``` or just call the `test_rule_in_container.sh` script that passes the backend options for you @@ -411,7 +411,7 @@ that remove some testing limitations of the container backend. Using Docker: ``` -./automatus.py rule --docker ssg_test_suite --datastream ../build/ssg-rhel7-ds.xml sshd_disable_kerb_auth +./automatus.py rule --docker ssg_test_suite --datastream ../build/ssg-rhel9-ds.xml sshd_disable_kerb_auth ``` Notice we didn't use full rule name on the command line. The prefix `xccdf_org.ssgproject.content_rule_` is added if not provided. 
@@ -444,9 +444,9 @@ In this operation mode, you specify the `profile` command and you supply the profile ID as a positional argument. Automatus then runs scans over the target domain and remediates it based on particular profile. -To test RHEL7 STIG Profile on a VM: +To test RHEL9 STIG Profile on a VM: ``` -./automatus.py profile --libvirt qemu:///session ssg-test-suite-rhel7 --datastream ../build/ssg-rhel7-ds.xml stig +./automatus.py profile --libvirt qemu:///session ssg-test-suite-rhel9 --datastream ../build/ssg-rhel9-ds.xml stig ``` To test Fedora Standard Profile on a Podman container: From a364b3c17f576675793d109fa2283524bb310cbb Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 27 Jun 2024 09:06:49 -0500 Subject: [PATCH 05/11] Move product unit tests to RHEL 9 --- tests/unit/ssg-module/data/product.yml | 50 ++++++------------- .../ssg-module/data/properties/00-default.yml | 6 +-- tests/unit/ssg-module/test_build_cpe.py | 24 ++++----- .../ssg-module/test_build_remediations.py | 4 +- tests/unit/ssg-module/test_build_yaml.py | 18 +++---- tests/unit/ssg-module/test_products.py | 4 +- 6 files changed, 43 insertions(+), 63 deletions(-) diff --git a/tests/unit/ssg-module/data/product.yml b/tests/unit/ssg-module/data/product.yml index 1bdd4ce879d..540ab0181a9 100644 --- a/tests/unit/ssg-module/data/product.yml +++ b/tests/unit/ssg-module/data/product.yml @@ -1,13 +1,13 @@ -product: rhel7 -full_name: Red Hat Enterprise Linux 7 +product: rhel9 +full_name: Red Hat Enterprise Linux 9 type: platform -benchmark_id: RHEL-7 +benchmark_id: RHEL-9 benchmark_root: "../../linux_os/guide" profiles_root: "./profiles" -pkg_manager: "yum" +pkg_manager: "dnf" # in some product.ymls pkg_system is inferred from pkg_manager by # get_implied_properties, but it would be better to set it explicitly here, # because we will not need to involve get_implied_properties 
@@ -19,49 +19,29 @@ init_system: "systemd" # The fingerprints below are retrieved from https://access.redhat.com/security/team/key pkg_release: "4ae0493b" pkg_version: "fd431d51" -aux_pkg_release: "45700c69" -aux_pkg_version: "2fa658e0" +aux_pkg_release: "6229229e" +aux_pkg_version: "5a6340b3" release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" -auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0" -oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml" +auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3" grub2_uefi_boot_path: "/boot/efi/EFI/redhat" cpes_root: "./applicability" cpes: - - rhel7: - name: "cpe:/o:redhat:enterprise_linux:7" - title: "Red Hat Enterprise Linux 7" - check_id: installed_OS_is_rhel7 - - - rhel7-server: - name: "cpe:/o:redhat:enterprise_linux:7::server" - title: "Red Hat Enterprise Linux 7 Server" - check_id: installed_OS_is_rhel7 - - - rhel7-client: - name: "cpe:/o:redhat:enterprise_linux:7::client" - title: "Red Hat Enterprise Linux 7 Client" - check_id: installed_OS_is_rhel7 - - - rhel7-computenode: - name: "cpe:/o:redhat:enterprise_linux:7::computenode" - title: "Red Hat Enterprise Linux 7 ComputeNode" - check_id: installed_OS_is_rhel7 - - - rhel7-workstation: - name: "cpe:/o:redhat:enterprise_linux:7::workstation" - title: "red hat enterprise linux 7 workstation" - check_id: installed_OS_is_rhel7 + - rhel9: + name: "cpe:/o:redhat:enterprise_linux:9" + title: "Red Hat Enterprise Linux 9" + check_id: installed_OS_is_rhel9 # Mapping of CPE platform to package platform_package_overrides: login_defs: "shadow-utils" -centos_pkg_release: "53a7ff4b" -centos_pkg_version: "f4a80eb5" -centos_major_version: "7" +centos_pkg_release: "5ccc5b19" +centos_pkg_version: "8483c65d" +centos_major_version: "9" reference_uris: cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/' + ccn: 
'https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html' diff --git a/tests/unit/ssg-module/data/properties/00-default.yml b/tests/unit/ssg-module/data/properties/00-default.yml index 74ce8f670cd..2b063060394 100644 --- a/tests/unit/ssg-module/data/properties/00-default.yml +++ b/tests/unit/ssg-module/data/properties/00-default.yml @@ -2,8 +2,8 @@ default: property_one: one -{{%- if product == "rhel7" %}} - rhel_version: "seven" +{{%- if product == "rhel9" %}} + rhel_version: "nine" {{%- else %}} - rhel_version: "not_seven" + rhel_version: "not_nine" {{% endif %}} diff --git a/tests/unit/ssg-module/test_build_cpe.py b/tests/unit/ssg-module/test_build_cpe.py index 4275b00c256..4e60c3908b9 100644 --- a/tests/unit/ssg-module/test_build_cpe.py +++ b/tests/unit/ssg-module/test_build_cpe.py 
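Review bot: In the `tests/unit/ssg-module/data/product.yml` hunk the `oval_feed_url` line is deleted outright, while every other RHEL 7 value (auxiliary key ids and fingerprint, CPE entries, CentOS key ids and major version) is translated to a RHEL 9 counterpart. If any unit test or `ssg` code path reads `oval_feed_url` from this fixture it will now see a missing key instead of a URL; no consumer is visible in this series, so this may be deliberate, but a one-line comment such as `# oval_feed_url intentionally omitted: not exercised by the unit tests` would record that. For what can be checked from the hunk itself, the new `auxiliary_key_fingerprint` ends in `5A6340B3`, matching `aux_pkg_version`, and the unchanged `release_key_fingerprint` ends in `FD431D51`, matching `pkg_version`.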
@@ -120,21 +120,21 @@ def test_product_cpes(): # get a product CPE by name and verify it's loaded # this CPE is defined in `DATADIR/product.yml` - rhel7_cpe = product_cpes.get_cpe("rhel7") - assert(rhel7_cpe.name == "cpe:/o:redhat:enterprise_linux:7") - assert(rhel7_cpe.title == "Red Hat Enterprise Linux 7") - assert(rhel7_cpe.check_id == "installed_OS_is_rhel7") - assert(rhel7_cpe.bash_conditional == "") - assert(rhel7_cpe.ansible_conditional == "") + rhel9_cpe = product_cpes.get_cpe("rhel9") + assert(rhel9_cpe.name == "cpe:/o:redhat:enterprise_linux:9") + assert(rhel9_cpe.title == "Red Hat Enterprise Linux 9") + assert(rhel9_cpe.check_id == "installed_OS_is_rhel9") + assert(rhel9_cpe.bash_conditional == "") + assert(rhel9_cpe.ansible_conditional == "") # get CPE by ID and verify it's loaded, the get_cpe method should return # the same object as when CPE name was used above - rhel7_cpe_2 = product_cpes.get_cpe("cpe:/o:redhat:enterprise_linux:7") - assert(rhel7_cpe_2.name == rhel7_cpe.name) - assert(rhel7_cpe_2.title == rhel7_cpe.title) - assert(rhel7_cpe_2.check_id == rhel7_cpe.check_id) - assert(rhel7_cpe_2.bash_conditional == rhel7_cpe.bash_conditional) - assert(rhel7_cpe_2.ansible_conditional == rhel7_cpe.ansible_conditional) + rhel9_cpe_2 = product_cpes.get_cpe("cpe:/o:redhat:enterprise_linux:9") + assert(rhel9_cpe_2.name == rhel9_cpe.name) + assert(rhel9_cpe_2.title == rhel9_cpe.title) + assert(rhel9_cpe_2.check_id == rhel9_cpe.check_id) + assert(rhel9_cpe_2.bash_conditional == rhel9_cpe.bash_conditional) + assert(rhel9_cpe_2.ansible_conditional == rhel9_cpe.ansible_conditional) # get a content CPE by name and verify it's loaded # this CPE is defined in `DATADIR/applicability/virtualization.yml` diff --git a/tests/unit/ssg-module/test_build_remediations.py b/tests/unit/ssg-module/test_build_remediations.py index 2140ea8b5e2..091c6c57f32 100644 --- a/tests/unit/ssg-module/test_build_remediations.py +++ b/tests/unit/ssg-module/test_build_remediations.py 
@@ -13,7 +13,7 @@ @pytest.fixture def env_yaml(): - env_yaml = dict(product="rhel7") + env_yaml = dict(product="rhel9") return env_yaml @@ -49,7 +49,7 @@ def do_test_contents(remediation, config): assert 'strategy' in config assert 'disruption' in config - assert ssg.utils.is_applicable_for_product(config['platform'], 'rhel7') + assert ssg.utils.is_applicable_for_product(config['platform'], 'rhel9') assert ssg.utils.is_applicable_for_product(config['platform'], 'fedora') assert not ssg.utils.is_applicable_for_product(config['platform'], 'rhel8') assert not ssg.utils.is_applicable_for_product(config['platform'], 'ol7') diff --git a/tests/unit/ssg-module/test_build_yaml.py b/tests/unit/ssg-module/test_build_yaml.py index ed0d7b69a1f..7df91e7d4df 100644 --- a/tests/unit/ssg-module/test_build_yaml.py +++ b/tests/unit/ssg-module/test_build_yaml.py @@ -277,17 +277,17 @@ def test_platform_from_text_simple(product_cpes): "{%s}check-fact-ref" % cpe_language_namespace) assert len(check_fact_refs) == 1 assert check_fact_refs[0].get("system") == "http://oval.mitre.org/XMLSchema/oval-definitions-5" - assert check_fact_refs[0].get("href") == "ssg-rhel7-cpe-oval.xml" + assert check_fact_refs[0].get("href") == "ssg-rhel9-cpe-oval.xml" assert check_fact_refs[0].get("id-ref") == "oval:ssg-installed_env_is_a_machine:def:1" def test_platform_from_text_simple_product_cpe(product_cpes): - platform = ssg.build_yaml.Platform.from_text("rhel7-workstation", product_cpes) + platform = ssg.build_yaml.Platform.from_text("rhel9", product_cpes) assert platform.get_remediation_conditional("bash") == "" assert platform.get_remediation_conditional("ansible") == "" platform_el = platform.to_xml_element() assert platform_el.tag == "{%s}platform" % cpe_language_namespace - assert platform_el.get("id") == "rhel7-workstation" + assert platform_el.get("id") == "rhel9" logical_tests = platform_el.findall( "{%s}logical-test" % cpe_language_namespace) assert len(logical_tests) == 1 
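Review bot: Changing `test_platform_from_text_simple_product_cpe` from `"rhel7-workstation"` to `"rhel9"` removes the only case in which the platform id differed from the product id and the CPE name carried an edition component (`::workstation`); the reworked fixture defines a single `rhel9` CPE, so that variant is no longer exercised anywhere in these tests. If `Platform.from_text` or the CPE lookup has any logic specific to edition-qualified names, it is now untested. Consider keeping one fixture-only entry such as `rhel9-workstation` and a second test case for it, or add a short comment in the test stating that edition-qualified product CPEs are intentionally out of scope.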
@@ -297,8 +297,8 @@ def test_platform_from_text_simple_product_cpe(product_cpes): "{%s}check-fact-ref" % cpe_language_namespace) assert len(check_fact_refs) == 1 assert check_fact_refs[0].get("system") == "http://oval.mitre.org/XMLSchema/oval-definitions-5" - assert check_fact_refs[0].get("href") == "ssg-rhel7-cpe-oval.xml" - assert check_fact_refs[0].get("id-ref") == "oval:ssg-installed_OS_is_rhel7:def:1" + assert check_fact_refs[0].get("href") == "ssg-rhel9-cpe-oval.xml" + assert check_fact_refs[0].get("id-ref") == "oval:ssg-installed_OS_is_rhel9:def:1" def test_platform_from_text_or(product_cpes): @@ -318,10 +318,10 @@ def test_platform_from_text_or(product_cpes): "{%s}check-fact-ref" % cpe_language_namespace) assert len(check_fact_refs) == 2 assert check_fact_refs[0].get("system") == "http://oval.mitre.org/XMLSchema/oval-definitions-5" - assert check_fact_refs[0].get("href") == "ssg-rhel7-cpe-oval.xml" + assert check_fact_refs[0].get("href") == "ssg-rhel9-cpe-oval.xml" assert check_fact_refs[0].get("id-ref") == "oval:ssg-installed_env_has_chrony_package:def:1" assert check_fact_refs[1].get("system") == "http://oval.mitre.org/XMLSchema/oval-definitions-5" - assert check_fact_refs[1].get("href") == "ssg-rhel7-cpe-oval.xml" + assert check_fact_refs[1].get("href") == "ssg-rhel9-cpe-oval.xml" assert check_fact_refs[1].get("id-ref") == "oval:ssg-installed_env_has_ntp_package:def:1" @@ -375,10 +375,10 @@ def test_platform_equality(product_cpes): def test_platform_as_dict(product_cpes): - pl = ssg.build_yaml.Platform.from_text("chrony and rhel7", product_cpes) + pl = ssg.build_yaml.Platform.from_text("chrony and rhel9", product_cpes) # represent_as_dict is used during dump_yaml d = pl.represent_as_dict() - assert d["name"] == "chrony_and_rhel7" + assert d["name"] == "chrony_and_rhel9" # the "rhel7" platform doesn't have any conditionals # therefore the final conditional doesn't use it assert d["ansible_conditional"] == "( \"chrony\" in ansible_facts.packages )" 
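Review bot: In `test_platform_as_dict` the comment `# the "rhel7" platform doesn't have any conditionals` is left as is while the platform text on the line above becomes `"chrony and rhel9"`, so the comment now names a CPE the fixture no longer defines. Change it to `# the "rhel9" platform doesn't have any conditionals` so the explanation of why `ansible_conditional` only mentions chrony stays accurate.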
diff --git a/tests/unit/ssg-module/test_products.py b/tests/unit/ssg-module/test_products.py index 5594c45e70b..b44add6b5b4 100644 --- a/tests/unit/ssg-module/test_products.py +++ b/tests/unit/ssg-module/test_products.py @@ -94,8 +94,8 @@ def test_product_updates_with_dict(testing_product): def test_product_updates_with_files(product_with_updated_properties): product = product_with_updated_properties assert product["property_one"] == "one" - assert product["product"] == "rhel7" - assert product["rhel_version"] == "seven" + assert product["product"] == "rhel9" + assert product["rhel_version"] == "nine" def test_updates_have_access_to_previously_defined_properties(product_with_updated_properties): From d6498c3c6c064ef5f115d07c0772daedd068afb6 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 27 Jun 2024 11:40:32 -0500 Subject: [PATCH 06/11] Clean up testing rules metadata --- .../test_playbook_builder_data/guide/selinux_state/rule.yml | 2 -- .../test_playbook_builder_data/rules/selinux_state.yml | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/rule.yml b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/rule.yml index a938c98ed19..f016b27a46c 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/rule.yml +++ b/tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/rule.yml @@ -22,7 +22,6 @@ severity: medium references: anssi: R4,R66 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 - cis@rhel7: 1.6.1.4,1.6.1.5 cis@rhel8: 1.6.1.5 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 cui: 3.1.2,3.7.2 @@ -37,7 +36,6 @@ references: pcidss4: '1.2.6' srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585 stigid@ol7: OL07-00-020210 - stigid@rhel7: RHEL-07-020210 stigid@rhel8: RHEL-08-010170 ocil_clause: 'SELINUX is not set to enforcing' 
diff --git a/tests/unit/ssg-module/test_playbook_builder_data/rules/selinux_state.yml b/tests/unit/ssg-module/test_playbook_builder_data/rules/selinux_state.yml index ec3b0d2024a..664e339183c 100644 --- a/tests/unit/ssg-module/test_playbook_builder_data/rules/selinux_state.yml +++ b/tests/unit/ssg-module/test_playbook_builder_data/rules/selinux_state.yml @@ -29,8 +29,7 @@ references: {cis: 1.6.1.2, cis-csc: '1,11,12,13,14,15,16,18,3,4,5,6,8,9', cobit5 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6', iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5', nist: 'AC-3,AC-3(3),AC-3(4),AC-4,AC-6,AU-9,SI-6(a)', nist-csf: 'DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4', - srg: SRG-OS-000445-GPOS-00199, - stigid@rhel7: 'RHEL-07-020210'} + srg: SRG-OS-000445-GPOS-00199} severity: high title: Ensure SELinux State is Enforcing warnings: [] From ede5b4ab70843ce27b693098064cc3b3c372d51e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jun 2024 07:31:48 -0500 Subject: [PATCH 07/11] RHEL7 -> RHEL9 in testing bash fix --- tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh b/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh index 8887eae1106..7ea036bf01e 100644 --- a/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh +++ b/tests/unit/ssg-module/data/group_dir/rule_dir/bash/rhel.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # reboot = false # complexity = low # strategy = configure 
From 13a9e638ca017e8c7087d464c2b3af5a5cdc49a2 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jun 2024 07:42:52 -0500 Subject: [PATCH 08/11] Remove RHEL7 OVAL files --- .../docker_selinux_enabled/oval/rhel7.xml | 41 ----------- .../docker_storage_configured/oval/rhel7.xml | 69 ------------------- 2 files changed, 110 deletions(-) delete mode 100644 linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml delete mode 100644 linux_os/guide/services/docker/docker_storage_configured/oval/rhel7.xml diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml b/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml deleted file mode 100644 index 0bb2cfbe00b..00000000000 --- a/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml +++ /dev/null @@ -1,41 +0,0 @@ - - - - Ensure SELinux support is enabled in Docker - - Red Hat Enterprise Linux 7 - - The Docker daemon should be configured to start with --selinux-enabled option to enable SELinux for the daemon. - - - - - - - - - - - - - - - - - - - /etc/sysconfig/docker - ^(?!#)\s*OPTIONS\s*=.*[\s'](--selinux-enabled)[\s'].*$ - 1 - - - - - - - - /etc/docker/daemon.json - ^(?!#)\s*"selinux-enabled":[\s]+true(|,)[\s]*$ - 1 - - diff --git a/linux_os/guide/services/docker/docker_storage_configured/oval/rhel7.xml b/linux_os/guide/services/docker/docker_storage_configured/oval/rhel7.xml deleted file mode 100644 index cc380b4daf8..00000000000 --- a/linux_os/guide/services/docker/docker_storage_configured/oval/rhel7.xml +++ /dev/null 
@@ -1,69 +0,0 @@ - - - - - Use direct-lvm with device mapper storage driver - - Red Hat Enterprise Linux 7 - - To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of loopback device as a storage. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^(?!#).*(?:--storage-opt[\s=]dm\.thinpooldev=([^\s]*)).*$ - 1 - - - - - ^(?!#)\s*STORAGE_DRIVER\s*=\s*"?([a-z]*)"?\s*$ - 1 - - - - - - - - devicemapper - - - - /etc/sysconfig/docker-storage - /usr/lib/docker-storage-setup/docker-storage-setup - - - - - - - From ebf39733f51477845742634914b81f356fc70c03 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jun 2024 08:03:07 -0500 Subject: [PATCH 09/11] Update kickstarts for Automatus since RHEL 7 is gone --- tests/kickstarts/test_suite.cfg | 3 +- tests/kickstarts/test_suite_rhel7.cfg | 155 -------------------------- 2 files changed, 1 insertion(+), 157 deletions(-) delete mode 100644 tests/kickstarts/test_suite_rhel7.cfg diff --git a/tests/kickstarts/test_suite.cfg b/tests/kickstarts/test_suite.cfg index 505bf8478fe..eb91151d5ae 100644 --- a/tests/kickstarts/test_suite.cfg +++ b/tests/kickstarts/test_suite.cfg @@ -1,8 +1,7 @@ # SCAP Security Guide SCAP Test Suite node # This kickstart is known to apply for: -# - Red Hat Enterprise Linux 7 Server # - Red Hat Enterprise Linux 8 - when using additional repository AppStream -# - CentOS 7 +# - Red Hat Enterprise Linux 9 - when using additional repository AppStream # - Fedora # # Based on: diff --git a/tests/kickstarts/test_suite_rhel7.cfg b/tests/kickstarts/test_suite_rhel7.cfg deleted file mode 100644 index 44f21a23214..00000000000 --- a/tests/kickstarts/test_suite_rhel7.cfg +++ /dev/null 
@@ -1,155 +0,0 @@ -# SCAP Security Guide SCAP Test Suite node -# This kickstart is known to apply for: -# - Red Hat Enterprise Linux 7 Server -# - Red Hat Enterprise Linux 8 - when using additional repository AppStream -# - CentOS 7 -# - Fedora -# -# Based on: -# https://pykickstart.readthedocs.io/en/latest/ -# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg - -# To enable custom repositories for the machine after installation use: -#repo --name=myrepo --baseurl=http://... -&&YUM_EXTRA_REPO&& - -# Set language to use during installation and the default language to use on the installed system (required) -lang en_US.UTF-8 - -# Set system keyboard type / layout (required) -keyboard us - -# Configure network information for target system and activate network devices in the installer environment (optional) -# --onboot enable device at a boot time -# --device device to be activated and / or configured with the network command -# --bootproto method to obtain networking configuration for device (default dhcp) -# --noipv6 disable IPv6 on this device -network --onboot yes --device eth0 --bootproto dhcp --noipv6 - -# Set the system's root password (required) -# Plaintext password is: server -# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create -# encrypted password form for different plaintext password -rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 - -# The selected profile will restrict root login -# Add a user that can login and escalate privileges -# Plaintext password is: admin123 -user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted - -# Configure firewall settings for the system (optional) -# --enabled reject incoming connections that are not in response to outbound requests -# --ssh allow sshd service through the firewall -firewall --enabled --ssh - -# Set up the authentication options for the system (required) -# --enableshadow enable shadowed passwords by default -# --passalgo hash / crypt algorithm for new passwords -# See the manual page for authconfig for a complete list of possible options. -authconfig --enableshadow --passalgo=sha512 - -# State of SELinux on the installed system (optional) -# Defaults to enforcing -selinux --enforcing - -# Set the system time zone (required) -timezone --utc America/New_York - -# Specify how the bootloader should be installed (required) -# Refer to e.g. 
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -# to see how to create encrypted password form for different plaintext password -bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" - -# Initialize (format) all disks (optional) -zerombr - -# The following partition layout scheme assumes disk of size 20GB or larger -# Modify size of partitions appropriately to reflect actual machine's hardware -# -# Remove Linux partitions from the system prior to creating new ones (optional) -# --linux erase all Linux partitions -# --initlabel initialize the disk label to the default based on the underlying architecture -clearpart --linux --initlabel - -# Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 --fsoptions="nosuid,noexec" -part pv.01 --grow --size=1 - -# Create a Logical Volume Management (LVM) group (optional) -volgroup VolGroup --pesize=4096 pv.01 - -# Create particular logical volumes (optional) -logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow -# Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5512 --fsoptions="nodev" -# Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" -# Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" -# Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -# Ensure /tmp Located On Separate Partition -logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -# Ensure /var/tmp Located On Separate Partition -logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -# Ensure /var Located On 
Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" -# Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -# Ensure /var/log/audit Located On Separate Partition -logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" -logvol swap --name=swap --vgname=VolGroup --size=2016 - -# Packages selection (%packages section is required) -%packages -openscap-scanner -tar -qemu-guest-agent -openssh-clients -openssh-server -%end # End of %packages section - -%post --log /root/post-install.log --interpreter /bin/bash - -# initialize guest agent for Automatus -systemctl enable qemu-guest-agent.service - -mkdir -p /root/.ssh -printf "%s\n" "&&HOST_PUBLIC_KEY&&" >> /root/.ssh/authorized_keys -chmod og-rw /root/.ssh /root/.ssh/authorized_keys -systemctl enable sshd - -# This is needed to add entries about password change into /etc/shadow -# so the remediation of the rule accounts_password_set_max_life_existing -# won't request a password change in our automated tests. -echo "admin123" | passwd --stdin admin -echo "server" | passwd --stdin root - -# create yum/dnf repository from URL if replaced by install_vm.py -if ! [[ '&&YUM_REPO_URL&&' =~ YUM_REPO_URL ]]; then - cat > /etc/yum.repos.d/inst-ks.repo <> /etc/yum.repos.d/inst-ks.repo < Date: Fri, 28 Jun 2024 08:03:42 -0500 Subject: [PATCH 10/11] Clean up testing OVAL since RHEL7 is gone --- tests/unit/ssg-module/data/group_dir/rule_dir/oval/rhel.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/ssg-module/data/group_dir/rule_dir/oval/rhel.xml b/tests/unit/ssg-module/data/group_dir/rule_dir/oval/rhel.xml index ac2888a91bf..066675595ba 100644 --- a/tests/unit/ssg-module/data/group_dir/rule_dir/oval/rhel.xml +++ b/tests/unit/ssg-module/data/group_dir/rule_dir/oval/rhel.xml 
@@ -3,7 +3,7 @@ Service chronyd Or Service ntpd Enabled - Red Hat Enterprise Linux 7 + Red Hat Enterprise Linux 9 At least one of the chronyd or ntpd services should be enabled if possible. From f508ec66eb32fd9a1f06d130b884aab6f31c52a8 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jun 2024 13:49:07 -0500 Subject: [PATCH 11/11] Fix test_oval.py due to RHEL 7 removal --- tests/unit/ssg-module/test_oval.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/ssg-module/test_oval.py b/tests/unit/ssg-module/test_oval.py index e041c585eb6..fe4d31b4e13 100644 --- a/tests/unit/ssg-module/test_oval.py +++ b/tests/unit/ssg-module/test_oval.py @@ -11,7 +11,7 @@ def test_applicable_platforms(): rap = ssg.oval.applicable_platforms(rhel_oval) assert len(rap) == 1 - assert 'Red Hat Enterprise Linux 7' in rap + assert 'Red Hat Enterprise Linux 9' in rap sap = ssg.oval.applicable_platforms(shared_oval) assert len(sap) == 4