From 04545db01d0b57dbc4b9b7e617e985e8f4f14bd4 Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:24:38 -0600
Subject: [PATCH 1/7] Refined CIS-1.2.3 Moved to blacklist and corrected to properly detect if gpgcheck=0 on all *.repo files. Renamed CIS-1.2.2 to CIS-1.2.3 to match V2.2.0
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index 505ddfe..1542c80 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -62,6 +62,20 @@ grep:
 pattern: "^vfat "
 tag: CIS-1.1.1.8
 description: Ensure mounting of FAT filesystems is disabled
+ activate_gpg_check:
+ data:
+ CentOS Linux-7:
+ - /etc/yum.conf:
+ pattern: '^\s*gpgcheck\s*=\s*0'
+ tag: CIS-1.2.3
+ - /etc/yum.repos.d/:
+ pattern: '^\s*gpgcheck\s*=\s*0'
+ grep_args:
+ - '-r'
+ - '-h'
+ - '--include=*.repo'
+ tag: CIS-1.2.3
+ description: Ensure gpgcheck is globally activated
 legacy_passwd_entries_group:
 data:
 CentOS Linux-7:
@@ -171,18 +185,6 @@ grep:
 pattern: ^SINGLE
 tag: CIS-1.4.3
 description: Ensure authentication required for single user mode
- activate_gpg_check:
- data:
- CentOS Linux-7:
- - /etc/yum.conf:
- pattern: '^\s*gpgcheck\s*=\s*1'
- tag: CIS-1.2.2
- - /etc/yum.repos.d:
- pattern: '^\s*gpgcheck\s*=\s*1'
- grep_args:
- - '-r'
- tag: CIS-1.2.2
- description: Ensure gpgcheck is globally activated
 aide_filesystem_scans:
 data:
 CentOS Linux-7:
From 1699cd925fa3fafbd615c6ead48076c3240ea9a3 Mon Sep 17 00:00:00 2001 
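Review bot: Moving CIS-1.2.3 to a blacklist of `gpgcheck\s*=\s*0` means a `/etc/yum.conf` with no `gpgcheck` line at all now passes, yet yum.conf(5) documents the `[main]` default as 0 (as I read it) and the v2.2.0 audit expects `gpgcheck=1` to be present in that file, so the removed whitelist entry was the stronger check for the global file. Keep the new blacklist for `/etc/yum.repos.d/` (inheriting from `[main]` is fine there) but retain a whitelist entry for the global file — `- /etc/yum.conf:` / `pattern: '^\s*gpgcheck\s*=\s*1'` / `tag: CIS-1.2.3` — so that both an explicit 0 and a missing line fail. The `-h` in grep_args strips file names from the output, which makes the offending `.repo` file harder to identify in the report; consider dropping it unless the output format depends on it. The enclosing `grep:` section starts outside the hunk.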
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:30:49 -0600
Subject: [PATCH 2/7] Correct CIS-4.2.1.3 Update CIS-4.2.1.3 to properly search all possible *.conf files for $FileCreateMode 0640
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index 1542c80..f63cc23 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -372,9 +372,13 @@ grep:
 rsyslog_file_perms:
 data:
 CentOS Linux-7:
- - /etc/rsyslog.conf:
+ - /etc/rsyslog.conf /etc/rsyslog.d/:
 pattern: '^\$FileCreateMode'
 match_output: '0640'
+ grep_args:
+ - '-h'
+ - '-r'
+ - '--include=*.conf'
 tag: CIS-4.2.1.3
 description: Ensure rsyslog default file permissions configured
 rsyslog_remote_logging:
From 64e4a2d3410539ce02df38d1c933a47ee4d5008e Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:35:32 -0600
Subject: [PATCH 3/7] Pass CIS-5.1.8 if file is missing. CIS-5.1.8 wants to verify both cron.deny and at.deny don't exist. Need to add `match_on_file_missing: True` so the check will pass if the files don't exist.
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index f63cc23..ccafa61 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -715,6 +715,7 @@ stat:
 tag: CIS-5.1.8
 uid: null
 user: null
+ match_on_file_missing: True
 - /etc/at.deny:
 gid: null
 group: null 
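Review bot: With `-r` over `/etc/rsyslog.d/` and `match_output: '0640'`, the rsyslog_file_perms entry passes as soon as any single `$FileCreateMode` line contains 0640, so a drop-in that later sets `$FileCreateMode 0644` — which rsyslog applies in file order, overriding the earlier value — still passes, assuming match_output is a substring test on the combined output as it appears to be. Add a blacklist counterpart with the same grep_args and tag that fails on any group-write/exec or world bit, e.g. `pattern: '^\$FileCreateMode\s+0[0-7][1-35-7][0-7]'` and `pattern: '^\$FileCreateMode\s+0[0-7][0-7][1-7]'`. Conversely a host hardened to `$FileCreateMode 0600` (stricter than the benchmark) fails this whitelist, the same false-failure class PATCH 4/7 fixes for stat checks, so if match_output accepts a regex or list, allow 0600 too. Hosts that set the mode via RainerScript `fileCreateMode="0640"` on omfile would also fail, since the pattern only recognises the legacy directive — worth a note in the description.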
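Review bot: `match_on_file_missing: True` makes the absent-file case pass for the first CIS-5.1.8 entry (presumably `/etc/cron.deny`, per the commit message), but every attribute of that entry is `null`, so if the stat module treats null as "do not compare" an existing file will also pass and the check can never fail — which defeats a control whose requirement is that the file not exist. Please confirm the stat module's handling of null fields; if an existing file passes, the entry needs an attribute an existing file cannot satisfy, or a dedicated absence check, rather than only the new flag. The `stat:` block and the start of this entry are outside the hunk.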
@@ -722,6 +723,7 @@ stat:
 tag: CIS-5.1.8
 uid: null
 user: null
+ match_on_file_missing: True
 - /etc/cron.allow:
 gid: 0
 group: root
From 1dc6bfb87113680f4b138cf561b006279531c6cf Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:43:41 -0600
Subject: [PATCH 4/7] CIS-5.1.4 allow more restrictive mode. CIS-5.1.4 mode can be more restrictive than 700 or example 600. Modifying to allow for that.
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index ccafa61..849c7c2 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -758,6 +758,7 @@ stat:
 gid: 0
 group: root
 mode: 700
+ allow_more_strict: true
 tag: CIS-5.1.4
 uid: 0
 user: root
From 3134f4c146a06e07a10107a80d27be249f620929 Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:49:34 -0600
Subject: [PATCH 5/7] Correct CIS-2.2.1.2 The service can be defined to run as ntp:ntp in /usr/lib/systemd/system/ntpd.d.service or /etc/sysconf/ntpd. Corrected to look for ntp:ntp in ether file.
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index 505ddfe..8255e33 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -212,7 +212,7 @@ grep:
 - /etc/ntp.conf:
 tag: CIS-2.2.1.2
 pattern: '^server'
- - /etc/sysconfig/ntpd:
+ - /usr/lib/systemd/system/ntpd.service /etc/sysconf/ntpd:
 tag: CIS-2.2.1.2
 pattern: 'ntp:ntp'
 description: Ensure ntp is configured 
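Review bot: The added `match_on_file_missing: True` on the `/etc/at.deny` entry uses a capitalised boolean while the same series writes `allow_more_strict: true` in PATCH 4/7; write `match_on_file_missing: true` here (and in the cron.deny entry of the first hunk) so the file uses one truthy form and does not depend on YAML 1.1-style boolean parsing. The same concern as for the first hunk applies: with every attribute `null`, an existing `/etc/at.deny` may still pass, so verify the stat module fails the check when the file is present. The enclosing `stat:` block starts outside the hunk.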
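Review bot: `allow_more_strict: true` is added only to the CIS-5.1.4 entry, but the sibling cron directory controls in v2.2.0 (5.1.3, 5.1.5–5.1.7) carry the same "700 or more restrictive" wording, so if their entries also read `mode: 700` they will keep producing the false failures this commit fixes for one directory; those entries are outside the hunk and should get the same flag in this change. Note also that `mode: 700` is an unquoted scalar that a YAML loader reads as the integer 700, so the "more strict" comparison only works if the stat module normalises it to octal before comparing bits — worth confirming, and `mode: '700'` would make the intent unambiguous. The path line for this entry is above the hunk.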
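Review bot: The new path `/etc/sysconf/ntpd` on the `+` line is a typo — the removed line and the CIS 2.2.1.2 audit use `/etc/sysconfig/ntpd` — so the second file this commit means to inspect is never read; change the line to `- /usr/lib/systemd/system/ntpd.service /etc/sysconfig/ntpd:`. Because `pattern: 'ntp:ntp'` is unanchored, a commented-out `#OPTIONS="-u ntp:ntp"` in the sysconfig file would still satisfy the check; `pattern: '^[^#]*-u ntp:ntp'` keeps it to uncommented lines. Whether grep's exit status 2 for the missing file masks a match in the other file depends on how the grep module evaluates the result, so that is worth a quick test once the path is fixed. The commit message's `ntpd.d.service` and `ether` are also typos.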
From da7de94c424a23f07adf306a2e7542bea23d400d Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 17:55:53 -0600
Subject: [PATCH 6/7] Fix spacing Lint
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index 089d902..f428363 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -65,7 +65,7 @@ grep:
 activate_gpg_check:
 data:
 CentOS Linux-7:
- - /etc/yum.conf:
+ /etc/rsyslog.conf /etc/rsyslog.d/:/yum.conf:
 pattern: '^\s*gpgcheck\s*=\s*0'
 tag: CIS-1.2.3
 - /etc/yum.repos.d/:
@@ -372,7 +372,7 @@ grep:
 rsyslog_file_perms:
 data:
 CentOS Linux-7:
- - /etc/rsyslog.conf /etc/rsyslog.d/:
+ - /etc/rsyslog.conf /etc/rsyslog.d/:
 pattern: '^\$FileCreateMode'
 match_output: '0640'
 grep_args:
From 0f2c9ea58bfb78550ec383e9d142c1d8efb7472c Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Wed, 14 Aug 2019 18:00:40 -0600
Subject: [PATCH 7/7] Fix typo Fix typo
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index f428363..e80868b 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -65,7 +65,7 @@ grep:
 activate_gpg_check:
 data:
 CentOS Linux-7:
- /etc/rsyslog.conf /etc/rsyslog.d/:/yum.conf:
+ - /etc/yum.conf:
 pattern: '^\s*gpgcheck\s*=\s*0'
 tag: CIS-1.2.3
 - /etc/yum.repos.d/:
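Review bot: The `+` line of the first hunk replaces the `- /etc/yum.conf:` list item with `/etc/rsyslog.conf /etc/rsyslog.d/:/yum.conf:`, which drops the sequence dash and pastes in an unrelated path, leaving `CentOS Linux-7:` with a mapping entry followed by the `- /etc/yum.repos.d/:` sequence item — almost certainly a parse failure for the whole profile at this commit. PATCH 7/7 restores the line, but the series then contains a commit at which the profile does not load, which breaks bisecting; squash 6/7 and 7/7 into 1/7 (and the rsyslog whitespace hunk into 2/7) before merging. The `index` lines also show the series is not linear — 5/7 is based on `505ddfe`, the pre-series blob, and 6/7 on `089d902`, which no earlier patch produces — so it applies only via 3-way merge; rebasing the branch would give a clean chain. The commit message "Fix spacing Lint" could say which linter and rule it addresses.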