From 1d717c90cc4393983feb73b53bf4831052c60882 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Jan 2025 12:17:55 -0600
Subject: [PATCH 1/6] Add CCI to package_gdm_removed
---
 .../guide/system/software/gnome/package_gdm_removed/rule.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
index e98cba89309..e02db77b6b0 100644
--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
@@ -37,6 +37,7 @@ references:
 cis@sle15: '1.10'
 cis@ubuntu2004: '1.10'
 cis@ubuntu2204: 1.8.1
+ disa: CCI-000366
 nist: CM-7(a),CM-7(b),CM-6(a)
 srg: SRG-OS-000480-GPOS-00227
From e00baa52aaa51ddd6e87ef137993eac8f7130f8e Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Jan 2025 13:19:18 -0600
Subject: [PATCH 2/6] Add references to chrony_set_nts
---
 linux_os/guide/services/ntp/chrony_set_nts/rule.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/services/ntp/chrony_set_nts/rule.yml b/linux_os/guide/services/ntp/chrony_set_nts/rule.yml
index 6d1f505980e..70da0e3ea28 100644
--- a/linux_os/guide/services/ntp/chrony_set_nts/rule.yml
+++ b/linux_os/guide/services/ntp/chrony_set_nts/rule.yml
@@ -17,6 +17,11 @@ rationale: |-
 identifiers:
 cce@rhel10: CCE-86471-0
+references:
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+
+
 severity: medium
 platforms:
From 59836c5b3da6e0c26fa4699edc6a173f5b37a43e Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Jan 2025 13:33:15 -0600
Subject: [PATCH 3/6] Add cci to file_permissions_cron_allow fix file_permissions_cron_allow
---
 .../restrict_at_cron_users/file_permissions_cron_allow/rule.yml | 1 +
 1 file changed, 1 insertion(+)
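Review bot: In linux_os/guide/services/ntp/chrony_set_nts/rule.yml the new `references:` block ends with two added blank lines (the two bare `+` lines) before `severity:`, which leaves a double blank line between top-level keys; keep a single blank `+` line after `srg: SRG-OS-000480-GPOS-00227`. The same pair of trailing blank lines is added after the `references:` block in package_tftp_removed/rule.yml (patch 6/6), before `ocil:`. The mapping itself is the generic configuration pair (`CCI-000366` / `SRG-OS-000480-GPOS-00227`); if the target SRG carries a time-source requirement that this rule is meant to satisfy, that would be the more traceable reference, which is worth confirming.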
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index 0a1cf6b72fb..9810c67cb37 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -35,6 +35,7 @@ references:
 cis@sle15: 5.1.8
 cis@ubuntu2004: 5.1.8
 cis@ubuntu2204: 5.1.8
+ disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.allow", perms=target_perms) }}}'
From a3d71f12c1b7c2715b857b06e1146c4611367bd6 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Jan 2025 13:41:24 -0600
Subject: [PATCH 4/6] Add SRG GPOS and CCI to audit_rules_privileged_commands_pkexec
---
 .../audit_rules_privileged_commands_pkexec/rule.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
index 915eaeafd3c..910b3c8162e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pkexec/rule.yml
@@ -38,7 +38,8 @@ identifiers:
 cce@rhel10: CCE-89134-1
 references:
- srg: SRG-APP-000029-CTR-000085
+ disa: CCI-000130
+ srg: SRG-APP-000029-CTR-000085,SRG-OS-000037-GPOS-00015
 {{{ ocil_fix_srg_privileged_command("pkexec") }}}
From f996d6db42456999db62d79df4c7947921ac8b01 Mon Sep 17 00:00:00 2001
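Review bot: In audit_rules_privileged_commands_pkexec/rule.yml the added `disa: CCI-000130` and `SRG-OS-000037-GPOS-00015` tie the rule only to the audit-record-content requirement (what type of event occurred). Because the rule audits use of a privilege-elevation binary, it seems worth confirming whether the GPOS requirement on auditing the execution of privileged functions should be listed in `srg:` and `disa:` as well, so that anything selecting rules by reference picks pkexec up alongside the other privileged-command rules. The sibling audit_rules_privileged_commands_* rule files are not part of this patch, so this is a consistency check to run against them rather than a confirmed gap.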
From: Matthew Burket
Date: Thu, 30 Jan 2025 13:53:01 -0600
Subject: [PATCH 5/6] Add SRG GPOS and CCI to tftp_uses_secure_mode_systemd
---
 .../obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
index 7b490bd123b..6c581419102 100644
--- a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
@@ -39,6 +39,9 @@ warnings:
 An OVAL check is not currently available since ExecStart cannot be checked with OVAL since it is not exposed via dbus. Currently, a remedation is not available for this rule.
-
 identifiers:
 cce@rhel10: CCE-86495-9
+
+references:
+ disa: CCI-000197
+ srg: SRG-OS-000074-GPOS-00042
From 38709659bd254eca7f4220e8e47a42707c7ce893 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Jan 2025 13:53:31 -0600
Subject: [PATCH 6/6] Add SRG GPOS and CCI to package_tftp_removed
---
 .../services/obsolete/tftp/package_tftp_removed/rule.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 54ec1b2611b..45a3c44b2c1 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -23,6 +23,11 @@ identifiers:
 cce@sle12: CCE-91465-5
 cce@sle15: CCE-91158-6
+references:
+ disa: CCI-000197
+ srg: SRG-OS-000074-GPOS-00042
+
+
 ocil: '{{{ describe_package_remove(package="tftp") }}}'
 template:
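Review bot: The pair added to tftp_uses_secure_mode_systemd/rule.yml, `CCI-000197` / `SRG-OS-000074-GPOS-00042`, is to my knowledge the requirement that passwords are only transmitted in encrypted form, while this rule checks how the TFTP daemon is started (the warning text in the hunk refers to `ExecStart`). TFTP has no password authentication, so the mapping looks like a loose fit here; the general configuration pair used in patches 1–3 of this series (`disa: CCI-000366`, `srg: SRG-OS-000480-GPOS-00227`) may be what was intended, and is worth confirming against the SRG. The same pair is added to package_tftp_removed/rule.yml in patch 6/6, where removing a cleartext protocol makes the mapping easier to defend. Since the warning states that neither an OVAL check nor a remediation exists for the secure-mode rule, the referenced requirement will be assessed by hand, which makes an accurate mapping matter more.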