From 1ad69513720ef892efd1820c8370e680bc4d1eb5 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 10:37:46 +0100
Subject: [PATCH 01/16] Update ubuntu2404 CIS control 2.1.2 and add var overrides
---
 controls/cis_ubuntu2404.yml | 5 ++---
 .../avahi/disable_avahi_group/package_avahi_removed/rule.yml | 1 +
 .../service_avahi-daemon_disabled/rule.yml | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 07869e17a53..ef9f1a8bf63 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -651,11 +651,10 @@ controls:
 levels:
 - l1_server
 - l2_workstation
- related_rules:
+ rules:
 - package_avahi_removed
 - service_avahi-daemon_disabled
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.2.
+ status: automated
 - id: 2.1.3
 title: Ensure dhcp server services are not in use (Automated)
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
index a2b28ba2d2c..979c97eb5f8 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
@@ -45,3 +45,4 @@ template:
 pkgname: avahi
 pkgname@ubuntu2004: avahi-daemon
 pkgname@ubuntu2204: avahi-daemon
+ pkgname@ubuntu2404: avahi-daemon
diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
index b36cb03d01a..4902245f45c 100644
--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -52,3 +52,4 @@ template:
 packagename@ubuntu1804: avahi-daemon
 packagename@ubuntu2004: avahi-daemon
 packagename@ubuntu2204: avahi-daemon
+ packagename@ubuntu2404: avahi-daemon
From a16dd1037041e044fd49a3ee4ae112cc9ca22168 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 10:39:43 +0100
Subject: [PATCH 02/16] Update ubuntu2404 CIS control 2.1.10
---
 controls/cis_ubuntu2404.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index ef9f1a8bf63..421926ace40 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -730,10 +730,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
- - package_nis_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.14.
+ rules:
+ - package_ypserv_removed
+ - service_ypserv_disabled
+ status: automated
 - id: 2.1.11
 title: Ensure print server services are not in use (Automated)
From e2ad1a94cc812cfb7d681c378b24cc96168a9c9e Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 10:54:45 +0100
Subject: [PATCH 03/16] Update ubuntu2404 CIS control 2.1.11
---
 controls/cis_ubuntu2404.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 421926ace40..b1ded751944 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -740,11 +740,10 @@ controls:
 levels:
 - l1_server
 - l2_workstation
- related_rules:
+ rules:
 - package_cups_removed
 - service_cups_disabled
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.3.
+ status: automated
 - id: 2.1.12
 title: Ensure rpcbind services are not in use (Automated)
From 9c41647b897da024324929f852705a18b4499c8e Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 11:02:56 +0100
Subject: [PATCH 04/16] Update ubuntu2404 CIS control 2.1.12
---
 controls/cis_ubuntu2404.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index b1ded751944..6e7fa872225 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -750,10 +750,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_rpcbind_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.3.6.
+ - service_rpcbind_disabled
+ status: automated
 - id: 2.1.13
 title: Ensure rsync services are not in use (Automated)
From a720438d929a3bc017fce3ec707af31dea75c5db Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 11:10:43 +0100
Subject: [PATCH 05/16] Update ubuntu2404 CIS control 2.1.13
---
 controls/cis_ubuntu2404.yml | 6 +++---
 .../services/obsolete/service_rsyncd_disabled/rule.yml | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 6e7fa872225..199acd5f87a 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -760,10 +760,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_rsync_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.16.
+ - service_rsyncd_disabled
+ status: automated
 - id: 2.1.14
 title: Ensure samba file server services are not in use (Automated)
diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
index 8947f935e85..0c6da6e7674 100644
--- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml
@@ -40,4 +40,5 @@ template:
 packagename@sle12: rsync
 packagename@sle15: rsync
 packagename@openeuler2203: rsync
- packagename@kylinserver10: rsync
+ servicename@ubuntu2404: rsync
+ packagename@ubuntu2404: rsync
From ba23d6cd5260e28025d8a341207bd38e12d71098 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 11:15:04 +0100
Subject: [PATCH 06/16] Update ubuntu2404 CIS control 2.1.14
---
 controls/cis_ubuntu2404.yml | 6 +++---
 .../smb/disabling_samba/service_smb_disabled/rule.yml | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 199acd5f87a..d541513cfb0 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -770,10 +770,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_samba_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.11.
+ - service_smb_disabled
+ status: automated
 - id: 2.1.15
 title: Ensure snmp services are not in use (Automated)
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
index d59ebcd4654..07fd14eb39f 100644
--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml
@@ -35,4 +35,5 @@ template:
 name: service_disabled
 vars:
 servicename: smb
+ servicename@ubuntu2404: smbd
 packagename: samba
From e0f579995f5915e79480b03e88256fe1eb87a10a Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 12:35:23 +0100
Subject: [PATCH 07/16] Update ubuntu2404 CIS control 2.1.15
---
 controls/cis_ubuntu2404.yml | 6 +++---
 .../package_net-snmp_removed/rule.yml | 1 +
 .../disabling_snmp_service/service_snmpd_disabled/rule.yml | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
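Review bot: The hunk deletes `packagename@kylinserver10: rsync` while adding the ubuntu2404 overrides, which has nothing to do with the commit's stated scope (CIS 2.1.13 for ubuntu2404) and looks accidental. On kylinserver10 the rule then falls back to the template's default `packagename`, which sits above this hunk and is not visible here; if that default is not `rsync`, the package check quietly stops matching on that product. Keep the line, `packagename@kylinserver10: rsync`, next to the two new entries, or state the removal in the commit message. The ubuntu2404 `servicename` is `rsync` although the rule is named `service_rsyncd_disabled`; that appears to match the unit name on 24.04 (confirm), and a short comment such as `# Ubuntu ships the daemon as rsync.service, not rsyncd` would keep it from being reverted later.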
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index d541513cfb0..b6c2439ca0e 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -780,10 +780,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_net-snmp_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.13.
+ - service_snmpd_disabled
+ status: automated
 - id: 2.1.16
 title: Ensure tftp server services are not in use (Automated)
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index 560c867f267..f414aaa7ebf 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -47,3 +47,4 @@ template:
 pkgname@ubuntu1804: snmp
 pkgname@ubuntu2004: snmp
 pkgname@ubuntu2204: snmp
+ pkgname@ubuntu2404: snmpd
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index 026c0766871..8b790591547 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -38,4 +38,5 @@ template:
 servicename: snmpd
 packagename@debian11: snmpd
 packagename@debian12: snmpd
+ packagename@ubuntu2404: snmpd
 packagename: net-snmp
From bf6e06d3062a2c173d1daaf0df47559f343efedf Mon Sep 17 00:00:00 2001
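Review bot: The new `pkgname@ubuntu2404: snmpd` in package_net-snmp_removed diverges from the 18.04–22.04 overrides directly above it, which check `snmp`, and nothing in the hunk records why. If `snmp` is the client-utilities package and `snmpd` the agent on Debian-derived systems, as the names suggest (confirm against the package metadata), then `snmpd` is the right target for a control about the SNMP server service and the older overrides only verify that client tools are absent; that older gap is outside this commit but worth a follow-up. A one-line comment above the new entry, `# snmpd is the agent package on Ubuntu; snmp holds only the client tools`, would stop the next maintainer from aligning it back to `snmp`.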
From: Miha Purg
Date: Wed, 20 Nov 2024 13:37:43 +0100
Subject: [PATCH 08/16] Update ubuntu2404 CIS control 2.1.16 and add var overrides
---
 controls/cis_ubuntu2404.yml | 6 +++--
 .../tftp/package_tftp-server_removed/rule.yml | 17 +++++++++-----
 .../tftp/service_tftp_disabled/rule.yml | 23 ++++++++++++-------
 3 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index b6c2439ca0e..75ded9f2f35 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -790,8 +790,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - package_tftp-server_removed
+ - service_tftp_disabled
+ status: automated
 - id: 2.1.17
 title: Ensure web proxy server services are not in use (Automated)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 72e6a5780de..3f6b4f8cb4e 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,12 +1,17 @@
 documentation_complete: true
+{{% if product in ['ubuntu2404'] %}}
+{{% set package_name = "tftpd-hpa" %}}
+{{% else %}}
+{{% set package_name = "tftp-server" %}}
+{{% endif %}}
-title: 'Uninstall tftp-server Package'
+title: 'Uninstall {{{ package_name }}} Package'
-description: '{{{ describe_package_remove(package="tftp-server") }}}'
+description: '{{{ describe_package_remove(package=package_name) }}}'
 rationale: |-
- Removing the tftp-server package decreases the risk of the accidental
+ Removing the {{{ package_name }}} package decreases the risk of the accidental
 (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router
@@ -37,13 +42,13 @@ references:
 stigid@ol8: OL08-00-040190
 stigid@rhel8: RHEL-08-040190
-{{{ complete_ocil_entry_package(package="tftp-server") }}}
+{{{ complete_ocil_entry_package(package=package_name) }}}
-fixtext: '{{{ fixtext_package_removed("tftp-server") }}}'
+fixtext: '{{{ fixtext_package_removed(package_name) }}}'
 srg_requirement: 'The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for {{{ full_name }}} operational support.'
 template:
 name: package_removed
 vars:
- pkgname: tftp-server
+ pkgname: {{{ package_name }}}
diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
index e3817bb1dfc..aaf30dd354f 100644
--- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml
@@ -1,14 +1,21 @@
 documentation_complete: true
+{{% if product in ['ubuntu2404'] %}}
+{{% set service_name = "tftpd-hpa" %}}
+{{% set package_name = "tftpd-hpa" %}}
+{{% else %}}
+{{% set service_name = "tftp" %}}
+{{% set package_name = "tftp-server" %}}
+{{% endif %}}
-title: 'Disable tftp Service'
+title: 'Disable {{{ service_name }}} Service'
 description: |-
- The tftp service should be disabled.
- {{{ describe_service_disable(service="tftp") }}}
+ The {{{ service_name }}} service should be disabled.
+ {{{ describe_service_disable(service=service_name) }}}
 rationale: |-
- Disabling the tftp service ensures the system is not acting
+ Disabling the {{{ service_name }}} service ensures the system is not acting
 as a TFTP server, which does not provide encryption or authentication.
 severity: high
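Review bot: The `{{% if product in ['ubuntu2404'] %}}` branch in package_tftp-server_removed hard-codes a single product, so every other product, including any that also package the server as `tftpd-hpa` (other Debian derivatives come to mind; confirm), keeps checking `tftp-server`; a `package_removed` check against a name the distribution never uses passes trivially, which turns this control into a false "compliant" result instead of a failure. Everywhere else in this series the product-specific name goes into a `pkgname@ubuntu2404:` override; the Jinja branch is needed here only because the title and description embed the name, which is worth stating in a comment such as `# package_name is also used in title/description, hence Jinja instead of a pkgname@ override` so the two mechanisms are not mixed without reason. The same product list is duplicated in service_tftp_disabled (the hunk ending this line), so both files must be kept in step whenever a product is added. The `rationale` block edited by the first hunk continues past the hunk boundary.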
@@ -28,15 +35,15 @@ references:
 nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
 ocil_clause: |-
- {{{ ocil_clause_service_disabled(service="tftp") }}}
+ {{{ ocil_clause_service_disabled(service=service_name) }}}
 ocil: |-
- {{{ ocil_service_disabled(service="tftp") }}}
+ {{{ ocil_service_disabled(service=service_name) }}}
 platform: system_with_kernel
 template:
 name: service_disabled
 vars:
- servicename: tftp
- packagename: tftp-server
+ servicename: {{{ service_name }}}
+ packagename: {{{ package_name }}}
From 6ce24076b795b5b7ec0a67f3f70473f3561dc66a Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 13:41:37 +0100
Subject: [PATCH 09/16] Update ubuntu2404 CIS control 2.1.17
---
 controls/cis_ubuntu2404.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 75ded9f2f35..7e068792e83 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -800,10 +800,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_squid_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.12.
+ - service_squid_disabled
+ status: automated
 - id: 2.1.18
 title: Ensure web server services are not in use (Automated)
From 228c14506969598b75ce5a3ee5b6d2f2afa2627d Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 14:24:13 +0100
Subject: [PATCH 10/16] Update ubuntu2404 CIS control 2.1.19
---
 controls/cis_ubuntu2404.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 7e068792e83..77f54f03c28 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -821,8 +821,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ status: automated
 - id: 2.1.20
 title: Ensure X window server services are not in use (Automated)
From 0b9d7928bec2a676ed86c2ae9531f70214e55533 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 14:36:49 +0100
Subject: [PATCH 11/16] Update ubuntu2404 CIS control 2.1.20 and add var overrides
---
 controls/cis_ubuntu2404.yml | 5 ++---
 .../package_xorg-x11-server-common_removed/rule.yml | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 77f54f03c28..bbabf733a19 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -830,10 +830,9 @@ controls:
 title: Ensure X window server services are not in use (Automated)
 levels:
 - l2_server
- related_rules:
+ rules:
 - package_xorg-x11-server-common_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.1.
+ status: automated
 - id: 2.1.21
 title: Ensure mail transfer agent is configured for local-only mode (Automated)
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 5a1c5485f3f..b5326194207 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -67,3 +67,4 @@ template:
 pkgname@ubuntu1804: xserver-xorg
 pkgname@ubuntu2004: xserver-xorg
 pkgname@ubuntu2204: xserver-xorg
+ pkgname@ubuntu2404: xserver-common
From 4f920d5f49bc344b807e8079f0fe50717bc10973 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 15:16:29 +0100
Subject: [PATCH 12/16] Update ubuntu2404 CIS control 2.1.4 and add var overrides
---
 controls/cis_ubuntu2404.yml | 6 +++---
 .../dns/disabling_dns_server/package_bind_removed/rule.yml | 2 +-
 .../disabling_dns_server/service_named_disabled/rule.yml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index bbabf733a19..9a2213f1c2c 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -671,10 +671,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_bind_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.7.
+ - service_named_disabled
+ status: automated
 - id: 2.1.5
 title: Ensure dnsmasq services are not in use (Automated)
diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
index 335319ddfaa..767aab8ff31 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Uninstall bind Package'
 description: |-
@@ -44,3 +43,4 @@ template:
 pkgname@ubuntu1804: bind9
 pkgname@ubuntu2004: bind9
 pkgname@ubuntu2204: bind9
+ pkgname@ubuntu2404: bind9
diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
index 121e82a444f..03b229f7f32 100644
--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Disable named Service'
 description: |-
@@ -43,3 +42,4 @@ template:
 vars:
 servicename: named
 packagename: bind
+ packagename@ubuntu2404: bind9
From 885cee956298c04e65215ea2929f929ca2f2ed13 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 15:18:35 +0100
Subject: [PATCH 13/16] Update ubuntu2404 CIS control 2.1.6
---
 controls/cis_ubuntu2404.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 9a2213f1c2c..c1c9268ee1a 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -689,10 +689,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_vsftpd_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.8.
+ - service_vsftpd_disabled
+ status: automated
 - id: 2.1.7
 title: Ensure ldap server services are not in use (Automated)
From 61d40011313222f4bf7786206f9268471b9ca0f3 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 15:22:21 +0100
Subject: [PATCH 14/16] Update ubuntu2404 CIS control 2.1.7 and add var overrides
---
 controls/cis_ubuntu2404.yml | 6 +++---
 .../package_openldap-servers_removed/rule.yml | 2 +-
 .../ldap/openldap_server/service_slapd_disabled/rule.yml | 9 +++++----
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index c1c9268ee1a..a13977bca90 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -699,10 +699,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - package_openldap-servers_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.5.
+ - service_slapd_disabled
+ status: automated
 - id: 2.1.8
 title: Ensure message access server services are not in use (Automated)
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
index 0d8f310e4f9..91491b27a12 100644
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
@@ -11,7 +11,6 @@ documentation_complete: true
-
 title: 'Uninstall openldap-servers Package'
 description: |-
@@ -65,3 +64,4 @@ template:
 pkgname@ubuntu1804: slapd
 pkgname@ubuntu2004: slapd
 pkgname@ubuntu2204: slapd
+ pkgname@ubuntu2404: slapd
diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
index cc659d113e5..08810048959 100644
--- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml
@@ -1,14 +1,14 @@
 documentation_complete: true
-
 title: 'Disable LDAP Server (slapd)'
 description: |-
- The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
+ The Lightweight Directory Access Protocol (LDAP) is a service that
+ provides a method for looking up information from a central database.
 rationale: |-
- If the system will not need to act as an LDAP server, it is recommended that the software be
- disabled to reduce the potential attack surface.
+ If the system will not need to act as an LDAP server, it is recommended
+ that the software be disabled to reduce the potential attack surface.
 severity: medium
@@ -29,3 +29,4 @@ template:
 vars:
 servicename: slapd
 packagename: openldap-servers
+ packagename@ubuntu2404: slapd
From 050734d71140e820b40ba7feab2451985f2927f7 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 15:29:50 +0100
Subject: [PATCH 15/16] Update ubuntu2404 CIS control 2.1.8 and add var overrides
---
 controls/cis_ubuntu2404.yml | 7 +++----
 .../disabling_dovecot/package_dovecot_removed/rule.yml | 2 +-
 .../disabling_dovecot/service_dovecot_disabled/rule.yml | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a13977bca90..3e45d5de814 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -709,11 +709,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
- - package_cyrus-imapd_removed
+ rules:
 - package_dovecot_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.10.
+ - service_dovecot_disabled
+ status: automated
 - id: 2.1.9
 title: Ensure network file system services are not in use (Automated)
diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
index 96620a629df..6ba8754a144 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Uninstall dovecot Package'
 description: |-
@@ -43,3 +42,4 @@ template:
 pkgname@ubuntu1804: dovecot-core
 pkgname@ubuntu2004: dovecot-core
 pkgname@ubuntu2204: dovecot-core
+ pkgname@ubuntu2404: dovecot-core
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
index 3be805fe79a..ca913c7e776 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Disable Dovecot Service'
 description: |-
@@ -34,3 +33,4 @@ template:
 name: service_disabled
 vars:
 servicename: dovecot
+ packagename@ubuntu2404: dovecot-core
From f9d3661a7b0953712d331895e7bc85ae1a9b6468 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 20 Nov 2024 15:37:57 +0100
Subject: [PATCH 16/16] Update ubuntu2404 CIS control 2.1.9 and add var overrides
---
 controls/cis_ubuntu2404.yml | 4 ++--
 .../disabling_nfsd/service_nfs_disabled/rule.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 3e45d5de814..05d5c7c1b9a 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -721,8 +721,8 @@ controls:
 - l1_workstation
 related_rules:
 - package_nfs-kernel-server_removed
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/2.2.6.
+ - service_nfs_disabled
+ status: automated
 - id: 2.1.10
 title: Ensure nis server services are not in use (Automated)
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
index b775c79eb07..b6f6248f90c 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml
@@ -1,6 +1,5 @@
 documentation_complete: true
-
 title: 'Disable Network File System (nfs)'
 description: |-
@@ -44,3 +43,4 @@ template:
 vars:
 servicename: nfs-server
 packagename: nfs-utils
+ packagename@ubuntu2404: nfs-kernel-server
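Review bot: The control 2.1.9 hunk in controls/cis_ubuntu2404.yml keeps `related_rules:` as an unchanged context line and adds `service_nfs_disabled` beneath it, while every other control touched by this series replaces `related_rules:` with `rules:`. The result is a control flipped to `status: automated` whose rules still sit under the key the rest of the series treats as non-selecting, so unless the control loader treats the two keys identically (it is not visible here), neither `package_nfs-kernel-server_removed` nor `service_nfs_disabled` is selected into the profile and the NFS server check is silently absent while the control reports as automated. Change the context line in the same hunk so the block reads `rules:` / `- package_nfs-kernel-server_removed` / `- service_nfs_disabled` / `status: automated`, matching the sibling controls.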