
Commit dc73388

authored
Merge pull request #14321 from vojtapolasek/fix_ccn
Update RHEL 9 CCN profile
2 parents c22d324 + 5b3ef8a commit dc73388

5 files changed

Lines changed: 67 additions & 23 deletions


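--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var
@@ -21,5 +21,6 @@ options:
 7: 7
 8: 8
 9: 9
+20: 20
 24: 24
 default: 5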

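--- a/products/rhel9/controls/ccn_rhel9.yml
+++ b/products/rhel9/controls/ccn_rhel9.yml
@@ -118,7 +118,7 @@ controls:
 status: automated
 rules:
 - auditd_data_retention_max_log_file_action
-- var_auditd_max_log_file_action=keep_logs
+- var_auditd_max_log_file_action=rotate
 
 - id: A.3.SEC-RHEL7
 title: Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups,
@@ -242,9 +242,16 @@ controls:
 - basic
 - intermediate
 - advanced
-status: pending
-notes: |-
-Related to nosuid, noexec and nodev options but in /boot. More context is needed.
+status: partial
+notes: Remaining rules for /boot/efi are not implemented yet.
+rules:
+- mount_option_boot_efi_nosuid
+- mount_option_boot_nodev
+- mount_option_boot_noexec
+- mount_option_boot_nosuid
+# the noauto option could block proper evaluation of other mount options on /boot
+related_rules:
+- mount_option_boot_noauto
 
 - id: A.5.SEC-RHEL1
 title: Login and Impersonation Permissions Are Controlled
@@ -311,6 +318,9 @@ controls:
 - var_accounts_maximum_age_login_defs=45
 - var_accounts_minimum_age_login_defs=2
 - var_accounts_password_warn_age_login_defs=10
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- var_password_pam_remember=20
 
 - id: A.5.SEC-RHEL6
 title: Secure Protocols Are Used For the Network Authentication Processes
@@ -601,11 +611,15 @@ controls:
 - advanced
 status: automated
 rules:
-- accounts_password_pam_minclass
+- accounts_password_pam_lcredit
+- accounts_password_pam_ocredit
+- accounts_password_pam_ucredit
+- accounts_password_pam_dcredit
 - accounts_password_pam_minlen
+- accounts_password_minlen_login_defs
 - accounts_password_pam_retry
-- var_password_pam_minclass=4
-- var_password_pam_minlen=14
+- var_password_pam_minlen=12
+- var_accounts_password_minlen_login_defs=12
 
 - id: A.11.SEC-RHEL4
 title: During Login, the System Displays a Text in Compliance With the Organization's Standards
@@ -625,7 +639,6 @@ controls:
 - dconf_gnome_login_banner_text
 - sshd_enable_warning_banner_net
 - login_banner_text=cis_banners
-- motd_banner_text=cis_banners
 - remote_login_banner_text=cis_banners
 
 - id: A.11.SEC-RHEL5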
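Review bot: In the password-complexity hunk (`@@ -601,11 +611,15 @@`) the four credit rules are selected without pinning their variables, so the per-class requirement actually enforced will be whatever `var_password_pam_lcredit`, `var_password_pam_ucredit`, `var_password_pam_dcredit` and `var_password_pam_ocredit` default to in this build — presumably not the "one character from each class" that the removed `var_password_pam_minclass=4` expressed. If that is still the intent, add the four variable selections next to the rules, e.g. `- var_password_pam_lcredit=-1` and likewise for the other three, so the control is self-contained. The drop of `var_password_pam_minlen` from 14 to 12 also relaxes the previous setting; a one-line `notes:` entry naming the CCN requirement it now tracks would let a reader see this was deliberate rather than a regression. The control's `id`/`title` header for this hunk is outside the visible lines.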

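--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -85,7 +91,10 @@ kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 no_empty_passwords_etc_shadow
 no_password_auth_for_systemaccounts
 no_shelllogin_for_systemaccounts
@@ -147,18 +156,19 @@ usbguard_generate_policy
 use_pam_wheel_for_su
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
 var_accounts_passwords_pam_faillock_deny=8
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_tmout=5_min
 var_accounts_user_umask=027
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_multiple_time_servers=rhel
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_screensaver_lock_delay=immediate
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing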

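--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -51,7 +57,10 @@ firewalld_loopback_traffic_restricted
 firewalld_loopback_traffic_trusted
 grub2_password
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 package_firewalld_installed
 package_usbguard_installed
 remote_login_banner_text=cis_banners
@@ -95,12 +104,13 @@ sysctl_net_ipv6_conf_default_accept_source_route
 usbguard_generate_policy
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_sshd_set_keepalive=1
 var_system_crypto_policy=default_policy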

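--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -73,7 +79,10 @@ kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 no_empty_passwords_etc_shadow
 no_password_auth_for_systemaccounts
 no_shelllogin_for_systemaccounts
@@ -134,14 +143,15 @@ usbguard_generate_policy
 use_pam_wheel_for_su
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_multiple_time_servers=rhel
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_screensaver_lock_delay=immediate
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing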
