From 138fbf4b021481856033c25d635435c021482f99 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 22 Feb 2024 11:30:52 +0100 Subject: [PATCH] Extend the stable-profiles test We will add the following profiles to the stable-profiles test: - RHEL 7: CIS, PCI-DSS, STIG - RHEL 8: CIS - RHEL 9: CIS, PCI-DSS, STIG The test will fail the CI if a rule is added or removed from a profile. That is especially useful for the profiles that are generated from control files that are shared among multiple profiles or products. The test becomes more relevant after the prodtype removal, because now the inclusion of rules in a data stream is driven only by profiles. --- .../data/profile_stability/rhel7/cis.profile | 478 ++++++++++++++ .../rhel7/cis_server_l1.profile | 377 +++++++++++ .../rhel7/cis_workstation_l1.profile | 369 +++++++++++ .../rhel7/cis_workstation_l2.profile | 472 ++++++++++++++ .../profile_stability/rhel7/pci-dss.profile | 317 ++++++++++ .../data/profile_stability/rhel7/stig.profile | 365 +++++++++++ .../profile_stability/rhel7/stig_gui.profile | 375 +++++++++++ .../data/profile_stability/rhel8/cis.profile | 483 ++++++++++++++ .../rhel8/cis_server_l1.profile | 377 +++++++++++ .../rhel8/cis_workstation_l1.profile | 371 +++++++++++ .../rhel8/cis_workstation_l2.profile | 477 ++++++++++++++ .../data/profile_stability/rhel9/cis.profile | 442 +++++++++++++ .../rhel9/cis_server_l1.profile | 350 +++++++++++ .../rhel9/cis_workstation_l1.profile | 346 ++++++++++ .../rhel9/cis_workstation_l2.profile | 436 +++++++++++++ .../profile_stability/rhel9/pci-dss.profile | 307 +++++++++ .../data/profile_stability/rhel9/stig.profile | 587 +++++++++++++++++ .../profile_stability/rhel9/stig_gui.profile | 595 ++++++++++++++++++ 18 files changed, 7524 insertions(+) create mode 100644 tests/data/profile_stability/rhel7/cis.profile create mode 100644 tests/data/profile_stability/rhel7/cis_server_l1.profile create mode 100644 tests/data/profile_stability/rhel7/cis_workstation_l1.profile create mode 100644 
tests/data/profile_stability/rhel7/cis_workstation_l2.profile create mode 100644 tests/data/profile_stability/rhel7/pci-dss.profile create mode 100644 tests/data/profile_stability/rhel7/stig.profile create mode 100644 tests/data/profile_stability/rhel7/stig_gui.profile create mode 100644 tests/data/profile_stability/rhel8/cis.profile create mode 100644 tests/data/profile_stability/rhel8/cis_server_l1.profile create mode 100644 tests/data/profile_stability/rhel8/cis_workstation_l1.profile create mode 100644 tests/data/profile_stability/rhel8/cis_workstation_l2.profile create mode 100644 tests/data/profile_stability/rhel9/cis.profile create mode 100644 tests/data/profile_stability/rhel9/cis_server_l1.profile create mode 100644 tests/data/profile_stability/rhel9/cis_workstation_l1.profile create mode 100644 tests/data/profile_stability/rhel9/cis_workstation_l2.profile create mode 100644 tests/data/profile_stability/rhel9/pci-dss.profile create mode 100644 tests/data/profile_stability/rhel9/stig.profile create mode 100644 tests/data/profile_stability/rhel9/stig_gui.profile diff --git a/tests/data/profile_stability/rhel7/cis.profile b/tests/data/profile_stability/rhel7/cis.profile new file mode 100644 index 00000000000..71b62c10b64 --- /dev/null +++ b/tests/data/profile_stability/rhel7/cis.profile 
@@ -0,0 +1,478 @@ +description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, + v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 4.0.0 + SMEs: + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux +selections: +- mount_option_dev_shm_noexec +- file_permissions_etc_issue +- dconf_gnome_banner_enabled +- sudo_custom_logfile +- package_squid_removed +- accounts_root_gid_zero +- accounts_users_netrc_file_permissions +- sysctl_net_ipv4_conf_default_rp_filter +- file_ownership_var_log_audit_stig +- no_password_auth_for_systemaccounts +- package_ypbind_removed +- file_permissions_backup_etc_passwd +- package_avahi_removed +- file_owner_etc_shadow +- mount_option_dev_shm_nosuid +- sshd_set_loglevel_verbose +- accounts_passwords_pam_faillock_deny +- audit_rules_sysadmin_actions +- has_nonlocal_mta +- package_bind_removed +- kernel_module_udf_disabled +- audit_rules_file_deletion_events_unlink +- kernel_module_dccp_disabled +- package_ypserv_removed +- sshd_set_max_sessions +- mount_option_tmp_nodev +- file_groupowner_backup_etc_gshadow +- partition_for_tmp +- file_permissions_cron_allow +- kernel_module_hfsplus_disabled +- xwindows_runlevel_target +- rsyslog_files_groupownership +- mount_option_var_nosuid +- audit_rules_login_events_faillock +- group_unique_id +- audit_rules_dac_modification_fchown +- package_vsftpd_removed +- socket_systemd-journal-remote_disabled +- accounts_password_pam_difok +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- file_owner_backup_etc_group +- service_crond_enabled +- file_permissions_cron_monthly +- file_owner_backup_etc_passwd +- sudo_require_reauthentication +- file_groupowner_backup_etc_group +- 
auditd_data_retention_space_left_action +- file_ownership_home_directories +- file_at_deny_not_exist +- sysctl_net_ipv6_conf_all_accept_redirects +- sshd_set_idle_timeout +- file_owner_sshd_config +- dconf_gnome_screensaver_user_locks +- partition_for_var_tmp +- file_groupowner_backup_etc_passwd +- journald_storage +- file_group_ownership_var_log_audit +- package_sudo_installed +- service_autofs_disabled +- file_owner_cron_weekly +- file_owner_etc_issue +- kernel_module_freevxfs_disabled +- file_permissions_audit_binaries +- audit_rules_privileged_commands_kmod +- accounts_password_all_shadowed +- file_owner_etc_shells +- require_emergency_target_auth +- sysctl_kernel_randomize_va_space +- accounts_no_uid_except_zero +- file_permissions_etc_gshadow +- audit_rules_file_deletion_events_rename +- partition_for_var +- accounts_umask_etc_bashrc +- wireless_disable_interfaces +- audit_rules_mac_modification +- audit_rules_usergroup_modification_gshadow +- sshd_limit_user_access +- audit_rules_unsuccessful_file_modification_creat +- ensure_pam_wheel_group_empty +- package_setroubleshoot_removed +- service_rpcbind_disabled +- file_groupowner_user_cfg +- package_tftp-server_removed +- audit_rules_unsuccessful_file_modification_ftruncate +- file_permission_user_init_files +- audit_rules_kernel_module_loading_init +- file_owner_cron_d +- file_permissions_ungroupowned +- sysctl_net_ipv4_conf_default_log_martians +- package_telnet-server_removed +- partition_for_var_log_audit +- root_path_no_dot +- file_owner_backup_etc_shadow +- service_systemd-journald_enabled +- service_rsyslog_enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- file_permissions_etc_issue_net +- audit_rules_usergroup_modification_group +- file_groupowner_cron_weekly +- dconf_gnome_disable_automount +- file_permissions_sshd_pub_key +- package_xorg-x11-server-common_removed +- grub2_password +- account_unique_name +- chronyd_specify_remote_server +- accounts_password_warn_age_login_defs +- 
audit_rules_mac_modification_usr_share +- mount_option_tmp_nosuid +- sshd_enable_pam +- file_groupowner_grub2_cfg +- sysctl_net_ipv6_conf_default_accept_ra +- file_owner_etc_motd +- package_telnet_removed +- file_groupowner_etc_issue_net +- sshd_set_maxstartups +- file_permissions_var_log_audit +- audit_rules_dac_modification_chmod +- accounts_passwords_pam_faillock_deny_root +- rsyslog_filecreatemode +- audit_rules_dac_modification_lchown +- audit_rules_unsuccessful_file_modification_truncate +- file_owner_crontab +- file_permissions_cron_d +- file_permissions_user_cfg +- postfix_network_listening_disabled +- file_permissions_home_directories +- disable_host_auth +- audit_rules_usergroup_modification_shadow +- audit_sudo_log_events +- audit_rules_dac_modification_fremovexattr +- auditd_data_retention_admin_space_left_action +- accounts_maximum_age_login_defs +- audit_rules_file_deletion_events_renameat +- sshd_disable_rhosts +- auditd_data_retention_max_log_file_action +- file_owner_cron_allow +- file_permissions_sshd_config +- service_nfs_disabled +- sysctl_net_ipv4_conf_default_accept_redirects +- no_empty_passwords +- file_groupowner_etc_gshadow +- file_permissions_backup_etc_shadow +- selinux_policytype +- group_unique_name +- package_openldap-clients_removed +- kernel_module_squashfs_disabled +- mount_option_var_tmp_noexec +- audit_rules_dac_modification_chown +- dconf_gnome_screensaver_idle_delay +- rsyslog_nolisten +- mount_option_tmp_noexec +- file_groupowner_backup_etc_shadow +- grub2_audit_backlog_limit_argument +- aide_build_database +- file_groupowner_cron_hourly +- sudo_add_use_pty +- package_aide_installed +- audit_rules_execution_chacl +- package_rsyslog_installed +- file_owner_cron_monthly +- accounts_password_set_max_life_existing +- grub2_audit_argument +- file_groupowner_sshd_config +- package_httpd_removed +- accounts_umask_etc_login_defs +- grub2_uefi_password +- set_password_hashing_algorithm_logindefs +- file_permissions_sshd_private_key +- 
file_groupowner_etc_shells +- accounts_passwords_pam_faillock_unlock_time +- file_groupownership_audit_binaries +- mount_option_var_log_audit_noexec +- file_groupowner_etc_issue +- file_groupowner_efi_user_cfg +- audit_rules_dac_modification_removexattr +- dconf_db_up_to_date +- no_empty_passwords_etc_shadow +- grub2_enable_selinux +- ensure_gpgcheck_never_disabled +- coredump_disable_backtraces +- file_permissions_backup_etc_gshadow +- accounts_root_path_dirs_no_write +- dconf_gnome_disable_automount_open +- ensure_root_password_configured +- no_files_unowned_by_user +- no_rsh_trust_files +- audit_rules_usergroup_modification_opasswd +- accounts_user_dot_group_ownership +- dconf_gnome_disable_user_list +- accounts_password_pam_minclass +- mount_option_var_tmp_nodev +- file_cron_deny_not_exist +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- rsyslog_files_ownership +- dconf_gnome_screensaver_lock_delay +- package_nginx_removed +- file_permissions_etc_passwd +- file_permissions_efi_user_cfg +- file_permissions_etc_group +- partition_for_dev_shm +- iptables_rules_for_open_ports +- partition_for_var_log +- auditd_data_retention_action_mail_acct +- audit_rules_dac_modification_fchownat +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- directory_permissions_var_log_audit +- accounts_umask_etc_profile +- file_groupowner_cron_monthly +- audit_rules_dac_modification_fchmod +- set_firewalld_appropriate_zone +- selinux_confinement_of_daemons +- banner_etc_issue +- sysctl_net_ipv4_conf_all_accept_source_route +- set_password_hashing_algorithm_passwordauth +- file_owner_etc_gshadow +- sysctl_net_ipv4_conf_all_log_martians +- gnome_gdm_disable_xdmcp +- accounts_password_pam_pwhistory_remember_password_auth +- package_audit_installed +- mount_option_dev_shm_nodev +- audit_rules_dac_modification_fsetxattr +- no_forward_files +- package_dovecot_removed +- ensure_gpgcheck_globally_activated +- accounts_password_set_warn_age_existing +- 
audit_rules_networkconfig_modification +- gid_passwd_group_same +- file_groupownership_sshd_pub_key +- audit_rules_unsuccessful_file_modification_open +- audit_rules_dac_modification_setxattr +- audit_rules_login_events_lastlog +- audit_rules_suid_auid_privilege_function +- mount_option_var_nodev +- file_owner_grub2_cfg +- mount_option_var_log_audit_nodev +- partition_for_home +- package_cups_removed +- file_cron_allow_exists +- file_owner_etc_passwd +- mount_option_var_tmp_nosuid +- sysctl_net_ipv6_conf_default_accept_source_route +- file_ownership_sshd_private_key +- package_net-snmp_removed +- service_bluetooth_disabled +- file_groupowner_etc_motd +- dir_perms_world_writable_sticky_bits +- file_owner_etc_issue_net +- mount_option_var_log_audit_nosuid +- sshd_enable_warning_banner_net +- file_permissions_cron_weekly +- sshd_use_strong_kex +- package_gdm_removed +- chronyd_run_as_chrony_user +- sshd_disable_gssapi_auth +- file_owner_efi_user_cfg +- set_ip6tables_default_rule +- accounts_password_pam_pwhistory_remember_system_auth +- service_firewalld_enabled +- audit_rules_media_export +- service_auditd_enabled +- accounts_tmout +- package_mcstrans_removed +- audit_rules_time_watch_localtime +- file_ownership_audit_configuration +- file_owner_etc_group +- audit_rules_privileged_commands_usermod +- file_groupowner_etc_group +- file_permissions_grub2_cfg +- package_xinetd_removed +- accounts_password_pam_maxrepeat +- package_samba_removed +- audit_rules_file_deletion_events_unlinkat +- audit_rules_kernel_module_loading_finit +- file_permissions_etc_motd +- file_ownership_sshd_pub_key +- audit_rules_dac_modification_fchmodat +- file_groupowner_cron_allow +- audit_rules_time_stime +- audit_rules_time_adjtimex +- file_ownership_audit_binaries +- file_owner_user_cfg +- mount_option_var_log_nosuid +- package_rsync_removed +- sysctl_net_ipv4_tcp_syncookies +- file_permissions_etc_shells +- coredump_disable_storage +- package_cyrus-imapd_removed +- 
package_libselinux_installed +- package_dhcp_removed +- file_groupownership_audit_configuration +- banner_etc_motd +- sysctl_net_ipv4_conf_all_secure_redirects +- selinux_not_disabled +- package_audit-libs_installed +- kernel_module_sctp_disabled +- file_groupowner_etc_passwd +- accounts_password_pam_dictcheck +- auditd_data_disk_full_action +- file_groupowner_efi_grub2_cfg +- account_disable_post_pw_expiration +- audit_rules_dac_modification_lsetxattr +- journald_compress +- sysctl_net_ipv6_conf_all_accept_source_route +- account_unique_id +- package_pam_pwquality_installed +- sysctl_net_ipv6_conf_default_accept_redirects +- file_permissions_etc_shadow +- sshd_use_approved_ciphers +- journald_forward_to_syslog +- accounts_password_pam_minlen +- audit_rules_usergroup_modification_passwd +- package_chrony_installed +- dconf_gnome_session_idle_user_locks +- sysctl_net_ipv4_ip_forward +- audit_rules_execution_chcon +- audit_rules_immutable +- file_owner_backup_etc_gshadow +- kernel_module_cramfs_disabled +- kernel_module_hfs_disabled +- audit_rules_kernel_module_loading_query +- package_dnsmasq_removed +- sysctl_net_ipv4_conf_all_accept_redirects +- ip6tables_rules_for_open_ports +- file_owner_cron_daily +- mount_option_home_nodev +- audit_rules_kernel_module_loading_create +- sshd_use_strong_macs +- set_loopback_traffic +- audit_rules_time_clock_settime +- file_permissions_backup_etc_group +- audit_rules_dac_modification_lremovexattr +- mount_option_home_nosuid +- no_shelllogin_for_systemaccounts +- sshd_disable_empty_passwords +- audit_rules_unsuccessful_file_modification_openat +- accounts_password_last_change_is_in_past +- banner_etc_issue_net +- rsyslog_files_permissions +- sshd_do_not_permit_user_env +- accounts_user_interactive_home_directory_exists +- sysctl_net_ipv6_conf_all_forwarding +- sshd_disable_root_login +- selinux_state +- file_permissions_unauthorized_world_writable +- file_groupowner_crontab +- kernel_module_rds_disabled +- 
file_groupowner_etc_shadow +- package_tftp_removed +- sshd_set_keepalive +- kernel_module_tipc_disabled +- file_groupowner_cron_daily +- file_owner_cron_hourly +- set_password_hashing_algorithm_systemauth +- sysctl_net_ipv4_conf_all_send_redirects +- sysctl_kernel_yama_ptrace_scope +- file_owner_efi_grub2_cfg +- file_permissions_audit_configuration +- kernel_module_usb-storage_disabled +- sysctl_net_ipv4_conf_default_accept_source_route +- file_permissions_cron_daily +- file_permissions_efi_grub2_cfg +- auditd_data_disk_error_action +- accounts_set_post_pw_existing +- file_groupownership_sshd_private_key +- file_groupowner_cron_d +- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_default_secure_redirects +- file_etc_security_opasswd +- sysctl_net_ipv4_conf_default_send_redirects +- sysctl_net_ipv6_conf_all_accept_ra +- mount_option_var_log_noexec +- file_permissions_crontab +- audit_rules_privileged_commands +- auditd_data_retention_max_log_file +- audit_rules_kernel_module_loading_delete +- audit_rules_session_events +- require_singleuser_auth +- aide_periodic_cron_checking +- package_firewalld_installed +- package_iptables_installed +- mount_option_var_log_nodev +- use_pam_wheel_group_for_su +- kernel_module_jffs2_disabled +- sudo_require_authentication +- package_ftp_removed +- sshd_set_login_grace_time +- set_password_hashing_algorithm_libuserconf +- file_permissions_cron_hourly +- audit_rules_time_settimeofday +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- 
var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sudo_timestamp_timeout=15_minutes +- var_sudo_logfile=var_log_sudo_log +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel7 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel7 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel7 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +- 
var_auditd_space_left_action=cis_rhel7 +- var_auditd_action_mail_acct=root +- var_auditd_admin_space_left_action=cis_rhel7 +- var_auditd_disk_full_action=cis_rhel7 +- var_auditd_disk_error_action=cis_rhel7 +- var_auditd_max_log_file_action=keep_logs +- var_auditd_max_log_file=6 +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel7 +title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/cis_server_l1.profile b/tests/data/profile_stability/rhel7/cis_server_l1.profile new file mode 100644 index 00000000000..b90e3254f51 --- /dev/null +++ b/tests/data/profile_stability/rhel7/cis_server_l1.profile 
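Review bot: The fixture pins the author's workstation path, `definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis.profile`, at the end of this hunk; a profile regenerated on CI or in another checkout will carry a different value, so the stability test either has to drop this key before comparing or the stored value should be normalized to a repository-relative path (the `products/rhel7/profiles/cis.profile` suffix). The same key appears in the rhel7/cis_server_l1.profile hunk below and presumably in all 18 added files, since they look like dumps of the same loader. I cannot tell from the hunk whether the comparison already ignores this key; if it does, a one-line note in the test or a fixture with the key stripped would make that explicit. Separately, the `selections` list is not sorted, so a future single-rule addition would likely reorder the whole regenerated list and bury the real change in a large diff; emitting the fixtures with sorted selections would keep CI failures readable.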
@@ -0,0 +1,377 @@ +description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, + v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 4.0.0 + SMEs: + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux +selections: +- file_groupowner_etc_passwd +- file_permissions_etc_issue +- mount_option_dev_shm_noexec +- service_systemd-journald_enabled +- accounts_password_pam_dictcheck +- service_rsyslog_enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- file_groupowner_efi_grub2_cfg +- file_cron_deny_not_exist +- mount_option_var_tmp_nodev +- account_disable_post_pw_expiration +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- dconf_gnome_banner_enabled +- rsyslog_files_ownership +- dconf_gnome_screensaver_lock_delay +- sudo_custom_logfile +- package_squid_removed +- file_permissions_etc_issue_net +- package_nginx_removed +- file_permissions_etc_passwd +- accounts_root_gid_zero +- file_permissions_efi_user_cfg +- journald_compress +- file_groupowner_cron_weekly +- file_permissions_etc_group +- accounts_users_netrc_file_permissions +- partition_for_dev_shm +- dconf_gnome_disable_automount +- iptables_rules_for_open_ports +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv6_conf_all_accept_source_route +- grub2_password +- account_unique_id +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- package_pam_pwquality_installed +- sysctl_net_ipv6_conf_default_accept_redirects +- account_unique_name +- file_permissions_etc_shadow +- no_password_auth_for_systemaccounts +- sshd_use_approved_ciphers +- package_ypbind_removed +- accounts_umask_etc_profile +- 
file_permissions_backup_etc_passwd +- chronyd_specify_remote_server +- package_avahi_removed +- accounts_password_warn_age_login_defs +- accounts_password_pam_minlen +- file_groupowner_cron_monthly +- file_owner_etc_shadow +- journald_forward_to_syslog +- package_chrony_installed +- selinux_confinement_of_daemons +- dconf_gnome_session_idle_user_locks +- set_firewalld_appropriate_zone +- sysctl_net_ipv4_ip_forward +- mount_option_dev_shm_nosuid +- mount_option_tmp_nosuid +- banner_etc_issue +- sshd_enable_pam +- file_groupowner_grub2_cfg +- sshd_set_loglevel_verbose +- sysctl_net_ipv4_conf_all_accept_source_route +- sysctl_net_ipv6_conf_default_accept_ra +- accounts_passwords_pam_faillock_deny +- file_owner_etc_motd +- set_password_hashing_algorithm_passwordauth +- file_owner_etc_gshadow +- file_owner_backup_etc_gshadow +- sysctl_net_ipv4_conf_all_log_martians +- package_telnet_removed +- gnome_gdm_disable_xdmcp +- file_groupowner_etc_issue_net +- kernel_module_cramfs_disabled +- sshd_set_maxstartups +- kernel_module_hfs_disabled +- accounts_password_pam_pwhistory_remember_password_auth +- has_nonlocal_mta +- rsyslog_filecreatemode +- package_bind_removed +- mount_option_dev_shm_nodev +- package_dnsmasq_removed +- no_forward_files +- package_dovecot_removed +- ensure_gpgcheck_globally_activated +- file_owner_crontab +- file_permissions_cron_d +- file_permissions_user_cfg +- postfix_network_listening_disabled +- accounts_password_set_warn_age_existing +- sysctl_net_ipv4_conf_all_send_redirects +- gid_passwd_group_same +- sysctl_net_ipv4_conf_all_accept_redirects +- package_ypserv_removed +- file_permissions_home_directories +- ip6tables_rules_for_open_ports +- file_groupownership_sshd_pub_key +- mount_option_tmp_nodev +- file_groupowner_backup_etc_gshadow +- partition_for_tmp +- sshd_set_max_sessions +- file_permissions_cron_allow +- file_owner_cron_daily +- kernel_module_hfsplus_disabled +- mount_option_home_nodev +- rsyslog_files_groupownership +- 
sshd_use_strong_macs +- mount_option_var_nodev +- mount_option_var_nosuid +- set_loopback_traffic +- file_owner_grub2_cfg +- disable_host_auth +- mount_option_var_log_audit_nodev +- package_cups_removed +- file_cron_allow_exists +- file_owner_etc_passwd +- file_permissions_backup_etc_group +- group_unique_id +- mount_option_var_tmp_nosuid +- mount_option_home_nosuid +- no_shelllogin_for_systemaccounts +- sysctl_net_ipv6_conf_default_accept_source_route +- sshd_disable_empty_passwords +- accounts_password_last_change_is_in_past +- file_ownership_sshd_private_key +- package_vsftpd_removed +- socket_systemd-journal-remote_disabled +- accounts_password_pam_difok +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- file_owner_backup_etc_group +- banner_etc_issue_net +- rsyslog_files_permissions +- sshd_do_not_permit_user_env +- package_net-snmp_removed +- accounts_user_interactive_home_directory_exists +- service_bluetooth_disabled +- sysctl_net_ipv6_conf_all_forwarding +- accounts_maximum_age_login_defs +- file_groupowner_etc_motd +- sshd_disable_rhosts +- service_crond_enabled +- dir_perms_world_writable_sticky_bits +- file_permissions_cron_monthly +- file_owner_cron_allow +- sshd_disable_root_login +- file_owner_backup_etc_passwd +- file_permissions_sshd_config +- service_nfs_disabled +- file_owner_etc_issue_net +- sudo_require_reauthentication +- file_permissions_unauthorized_world_writable +- file_groupowner_crontab +- sysctl_net_ipv4_conf_default_accept_redirects +- file_groupowner_backup_etc_group +- mount_option_var_log_audit_nosuid +- no_empty_passwords +- sshd_enable_warning_banner_net +- file_groupowner_etc_shadow +- file_groupowner_etc_gshadow +- file_permissions_cron_weekly +- sshd_use_strong_kex +- file_permissions_backup_etc_shadow +- selinux_policytype +- file_ownership_home_directories +- file_at_deny_not_exist +- sysctl_net_ipv6_conf_all_accept_redirects +- sshd_set_idle_timeout +- package_tftp_removed +- sshd_set_keepalive +- chronyd_run_as_chrony_user 
+- file_groupowner_cron_daily +- dconf_gnome_screensaver_user_locks +- file_owner_cron_hourly +- file_owner_sshd_config +- group_unique_name +- mount_option_var_tmp_noexec +- set_password_hashing_algorithm_systemauth +- dconf_gnome_screensaver_idle_delay +- file_owner_efi_grub2_cfg +- rsyslog_nolisten +- sysctl_kernel_yama_ptrace_scope +- mount_option_tmp_noexec +- file_groupowner_backup_etc_shadow +- file_owner_efi_user_cfg +- set_ip6tables_default_rule +- accounts_password_pam_pwhistory_remember_system_auth +- aide_build_database +- kernel_module_usb-storage_disabled +- file_groupowner_cron_hourly +- sudo_add_use_pty +- package_aide_installed +- sysctl_net_ipv4_conf_default_accept_source_route +- service_firewalld_enabled +- file_groupowner_backup_etc_passwd +- journald_storage +- accounts_tmout +- package_rsyslog_installed +- file_owner_cron_monthly +- file_permissions_cron_daily +- accounts_password_set_max_life_existing +- package_sudo_installed +- file_permissions_efi_grub2_cfg +- service_autofs_disabled +- file_owner_cron_weekly +- accounts_set_post_pw_existing +- file_owner_etc_issue +- kernel_module_freevxfs_disabled +- file_groupowner_sshd_config +- file_groupownership_sshd_private_key +- package_mcstrans_removed +- file_groupowner_cron_d +- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_default_secure_redirects +- file_etc_security_opasswd +- package_httpd_removed +- file_owner_etc_group +- sysctl_net_ipv4_conf_default_send_redirects +- sysctl_net_ipv6_conf_all_accept_ra +- accounts_umask_etc_login_defs +- grub2_uefi_password +- mount_option_var_log_noexec +- accounts_password_all_shadowed +- file_groupowner_etc_group +- file_owner_etc_shells +- file_permissions_crontab +- file_permissions_grub2_cfg +- file_permissions_sshd_private_key +- require_emergency_target_auth +- set_password_hashing_algorithm_logindefs +- sysctl_kernel_randomize_va_space +- file_groupowner_etc_shells +- package_xinetd_removed +- accounts_password_pam_maxrepeat +- 
accounts_no_uid_except_zero +- file_permissions_etc_gshadow +- accounts_passwords_pam_faillock_unlock_time +- package_samba_removed +- mount_option_var_log_audit_noexec +- accounts_umask_etc_bashrc +- file_groupowner_etc_issue +- file_ownership_sshd_pub_key +- file_permissions_etc_motd +- file_groupowner_efi_user_cfg +- dconf_db_up_to_date +- wireless_disable_interfaces +- no_empty_passwords_etc_shadow +- file_groupowner_cron_allow +- require_singleuser_auth +- ensure_pam_wheel_group_empty +- aide_periodic_cron_checking +- package_setroubleshoot_removed +- service_rpcbind_disabled +- sshd_limit_user_access +- grub2_enable_selinux +- package_firewalld_installed +- ensure_gpgcheck_never_disabled +- file_groupowner_user_cfg +- package_tftp-server_removed +- coredump_disable_backtraces +- file_owner_user_cfg +- file_permission_user_init_files +- mount_option_var_log_nodev +- package_iptables_installed +- mount_option_var_log_nosuid +- package_rsync_removed +- sysctl_net_ipv4_tcp_syncookies +- use_pam_wheel_group_for_su +- kernel_module_jffs2_disabled +- file_permissions_etc_shells +- coredump_disable_storage +- file_permissions_backup_etc_gshadow +- package_cyrus-imapd_removed +- sudo_require_authentication +- file_owner_cron_d +- file_permissions_ungroupowned +- package_libselinux_installed +- sysctl_net_ipv4_conf_default_log_martians +- accounts_root_path_dirs_no_write +- dconf_gnome_disable_automount_open +- ensure_root_password_configured +- no_files_unowned_by_user +- no_rsh_trust_files +- package_dhcp_removed +- package_ftp_removed +- banner_etc_motd +- package_telnet-server_removed +- root_path_no_dot +- sshd_set_login_grace_time +- sysctl_net_ipv4_conf_all_secure_redirects +- accounts_user_dot_group_ownership +- dconf_gnome_disable_user_list +- set_password_hashing_algorithm_libuserconf +- file_permissions_cron_hourly +- file_owner_backup_etc_shadow +- accounts_password_pam_minclass +- selinux_not_disabled +- var_user_initialization_files_regex=all_dotfiles +- 
var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sudo_timestamp_timeout=15_minutes +- var_sudo_logfile=var_log_sudo_log +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel7 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel7 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel7 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled 
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel7 +title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_server_l1.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l1.profile b/tests/data/profile_stability/rhel7/cis_workstation_l1.profile new file mode 100644 index 00000000000..1429dba784c --- /dev/null +++ b/tests/data/profile_stability/rhel7/cis_workstation_l1.profile 
@@ -0,0 +1,369 @@ +description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, + v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 4.0.0 + SMEs: + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux +selections: +- file_groupowner_etc_passwd +- file_permissions_etc_issue +- mount_option_dev_shm_noexec +- service_systemd-journald_enabled +- accounts_password_pam_dictcheck +- service_rsyslog_enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- file_groupowner_efi_grub2_cfg +- file_cron_deny_not_exist +- mount_option_var_tmp_nodev +- account_disable_post_pw_expiration +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- dconf_gnome_banner_enabled +- rsyslog_files_ownership +- dconf_gnome_screensaver_lock_delay +- sudo_custom_logfile +- package_squid_removed +- file_permissions_etc_issue_net +- package_nginx_removed +- file_permissions_etc_passwd +- accounts_root_gid_zero +- file_permissions_efi_user_cfg +- journald_compress +- file_groupowner_cron_weekly +- file_permissions_etc_group +- accounts_users_netrc_file_permissions +- partition_for_dev_shm +- iptables_rules_for_open_ports +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv6_conf_all_accept_source_route +- grub2_password +- account_unique_id +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- package_pam_pwquality_installed +- sysctl_net_ipv6_conf_default_accept_redirects +- account_unique_name +- file_permissions_etc_shadow +- no_password_auth_for_systemaccounts +- sshd_use_approved_ciphers +- package_ypbind_removed +- accounts_umask_etc_profile +- file_permissions_backup_etc_passwd +- 
chronyd_specify_remote_server +- accounts_password_warn_age_login_defs +- accounts_password_pam_minlen +- file_groupowner_cron_monthly +- file_owner_etc_shadow +- journald_forward_to_syslog +- package_chrony_installed +- selinux_confinement_of_daemons +- dconf_gnome_session_idle_user_locks +- set_firewalld_appropriate_zone +- sysctl_net_ipv4_ip_forward +- mount_option_dev_shm_nosuid +- mount_option_tmp_nosuid +- banner_etc_issue +- sshd_enable_pam +- file_groupowner_grub2_cfg +- sshd_set_loglevel_verbose +- sysctl_net_ipv4_conf_all_accept_source_route +- sysctl_net_ipv6_conf_default_accept_ra +- accounts_passwords_pam_faillock_deny +- file_owner_etc_motd +- set_password_hashing_algorithm_passwordauth +- file_owner_etc_gshadow +- file_owner_backup_etc_gshadow +- sysctl_net_ipv4_conf_all_log_martians +- package_telnet_removed +- gnome_gdm_disable_xdmcp +- file_groupowner_etc_issue_net +- kernel_module_cramfs_disabled +- sshd_set_maxstartups +- kernel_module_hfs_disabled +- accounts_password_pam_pwhistory_remember_password_auth +- has_nonlocal_mta +- rsyslog_filecreatemode +- package_bind_removed +- mount_option_dev_shm_nodev +- package_dnsmasq_removed +- no_forward_files +- package_dovecot_removed +- ensure_gpgcheck_globally_activated +- file_owner_crontab +- file_permissions_cron_d +- file_permissions_user_cfg +- postfix_network_listening_disabled +- accounts_password_set_warn_age_existing +- sysctl_net_ipv4_conf_all_send_redirects +- gid_passwd_group_same +- sysctl_net_ipv4_conf_all_accept_redirects +- package_ypserv_removed +- file_permissions_home_directories +- ip6tables_rules_for_open_ports +- file_groupownership_sshd_pub_key +- mount_option_tmp_nodev +- file_groupowner_backup_etc_gshadow +- partition_for_tmp +- sshd_set_max_sessions +- file_permissions_cron_allow +- file_owner_cron_daily +- kernel_module_hfsplus_disabled +- mount_option_home_nodev +- rsyslog_files_groupownership +- sshd_use_strong_macs +- mount_option_var_nodev +- mount_option_var_nosuid +- 
set_loopback_traffic +- file_owner_grub2_cfg +- disable_host_auth +- mount_option_var_log_audit_nodev +- file_cron_allow_exists +- file_owner_etc_passwd +- file_permissions_backup_etc_group +- group_unique_id +- mount_option_var_tmp_nosuid +- mount_option_home_nosuid +- no_shelllogin_for_systemaccounts +- sysctl_net_ipv6_conf_default_accept_source_route +- sshd_disable_empty_passwords +- accounts_password_last_change_is_in_past +- file_ownership_sshd_private_key +- package_vsftpd_removed +- socket_systemd-journal-remote_disabled +- accounts_password_pam_difok +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- file_owner_backup_etc_group +- banner_etc_issue_net +- rsyslog_files_permissions +- sshd_do_not_permit_user_env +- package_net-snmp_removed +- accounts_user_interactive_home_directory_exists +- sysctl_net_ipv6_conf_all_forwarding +- accounts_maximum_age_login_defs +- file_groupowner_etc_motd +- sshd_disable_rhosts +- service_crond_enabled +- dir_perms_world_writable_sticky_bits +- file_permissions_cron_monthly +- file_owner_cron_allow +- sshd_disable_root_login +- file_owner_backup_etc_passwd +- file_permissions_sshd_config +- service_nfs_disabled +- file_owner_etc_issue_net +- sudo_require_reauthentication +- file_permissions_unauthorized_world_writable +- file_groupowner_crontab +- sysctl_net_ipv4_conf_default_accept_redirects +- file_groupowner_backup_etc_group +- mount_option_var_log_audit_nosuid +- no_empty_passwords +- sshd_enable_warning_banner_net +- file_groupowner_etc_shadow +- file_groupowner_etc_gshadow +- file_permissions_cron_weekly +- sshd_use_strong_kex +- file_permissions_backup_etc_shadow +- selinux_policytype +- file_ownership_home_directories +- file_at_deny_not_exist +- sysctl_net_ipv6_conf_all_accept_redirects +- sshd_set_idle_timeout +- package_tftp_removed +- sshd_set_keepalive +- chronyd_run_as_chrony_user +- file_groupowner_cron_daily +- dconf_gnome_screensaver_user_locks +- file_owner_cron_hourly +- file_owner_sshd_config +- 
group_unique_name +- mount_option_var_tmp_noexec +- set_password_hashing_algorithm_systemauth +- dconf_gnome_screensaver_idle_delay +- file_owner_efi_grub2_cfg +- rsyslog_nolisten +- sysctl_kernel_yama_ptrace_scope +- mount_option_tmp_noexec +- sshd_disable_gssapi_auth +- file_groupowner_backup_etc_shadow +- file_owner_efi_user_cfg +- set_ip6tables_default_rule +- accounts_password_pam_pwhistory_remember_system_auth +- aide_build_database +- file_groupowner_cron_hourly +- sudo_add_use_pty +- package_aide_installed +- sysctl_net_ipv4_conf_default_accept_source_route +- service_firewalld_enabled +- file_groupowner_backup_etc_passwd +- journald_storage +- accounts_tmout +- package_rsyslog_installed +- file_owner_cron_monthly +- file_permissions_cron_daily +- accounts_password_set_max_life_existing +- package_sudo_installed +- file_permissions_efi_grub2_cfg +- file_owner_cron_weekly +- accounts_set_post_pw_existing +- file_owner_etc_issue +- kernel_module_freevxfs_disabled +- file_groupowner_sshd_config +- file_groupownership_sshd_private_key +- package_mcstrans_removed +- file_groupowner_cron_d +- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_default_secure_redirects +- file_etc_security_opasswd +- package_httpd_removed +- file_owner_etc_group +- sysctl_net_ipv4_conf_default_send_redirects +- sysctl_net_ipv6_conf_all_accept_ra +- accounts_umask_etc_login_defs +- grub2_uefi_password +- mount_option_var_log_noexec +- accounts_password_all_shadowed +- file_groupowner_etc_group +- file_owner_etc_shells +- file_permissions_crontab +- file_permissions_grub2_cfg +- file_permissions_sshd_private_key +- require_emergency_target_auth +- set_password_hashing_algorithm_logindefs +- sysctl_kernel_randomize_va_space +- file_groupowner_etc_shells +- package_xinetd_removed +- accounts_password_pam_maxrepeat +- accounts_no_uid_except_zero +- file_permissions_etc_gshadow +- accounts_passwords_pam_faillock_unlock_time +- package_samba_removed +- mount_option_var_log_audit_noexec +- 
accounts_umask_etc_bashrc +- file_groupowner_etc_issue +- file_ownership_sshd_pub_key +- file_permissions_etc_motd +- file_groupowner_efi_user_cfg +- dconf_db_up_to_date +- no_empty_passwords_etc_shadow +- file_groupowner_cron_allow +- require_singleuser_auth +- ensure_pam_wheel_group_empty +- aide_periodic_cron_checking +- service_rpcbind_disabled +- sshd_limit_user_access +- grub2_enable_selinux +- package_firewalld_installed +- ensure_gpgcheck_never_disabled +- file_groupowner_user_cfg +- package_tftp-server_removed +- coredump_disable_backtraces +- file_owner_user_cfg +- file_permission_user_init_files +- mount_option_var_log_nodev +- package_iptables_installed +- mount_option_var_log_nosuid +- package_rsync_removed +- sysctl_net_ipv4_tcp_syncookies +- use_pam_wheel_group_for_su +- kernel_module_jffs2_disabled +- file_permissions_etc_shells +- coredump_disable_storage +- file_permissions_backup_etc_gshadow +- package_cyrus-imapd_removed +- sudo_require_authentication +- file_owner_cron_d +- file_permissions_ungroupowned +- package_libselinux_installed +- sysctl_net_ipv4_conf_default_log_martians +- accounts_root_path_dirs_no_write +- ensure_root_password_configured +- no_files_unowned_by_user +- no_rsh_trust_files +- package_dhcp_removed +- package_ftp_removed +- package_telnet-server_removed +- banner_etc_motd +- root_path_no_dot +- sshd_set_login_grace_time +- sysctl_net_ipv4_conf_all_secure_redirects +- accounts_user_dot_group_ownership +- dconf_gnome_disable_user_list +- set_password_hashing_algorithm_libuserconf +- file_permissions_cron_hourly +- file_owner_backup_etc_shadow +- accounts_password_pam_minclass +- selinux_not_disabled +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- 
var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sudo_timestamp_timeout=15_minutes +- var_sudo_logfile=var_log_sudo_log +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel7 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel7 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel7 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- 
var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel7 +title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_workstation_l1.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/cis_workstation_l2.profile b/tests/data/profile_stability/rhel7/cis_workstation_l2.profile new file mode 100644 index 00000000000..28a95d72218 --- /dev/null +++ b/tests/data/profile_stability/rhel7/cis_workstation_l2.profile 
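Review bot: The `definition_location` value near the end of this hunk is an absolute path into the author's checkout (`/home/jcerny/work/git/content/...`), so if the stability test compares the serialized profile as a whole it will mismatch for any other checkout location, including CI; if the comparison already drops this key, the fixture still carries a machine-specific path that should be normalized to the repository-relative form, e.g. `definition_location: products/rhel7/profiles/cis_workstation_l1.profile`, or omitted from the dump. The same field appears in the cis_workstation_l2 hunk that follows and, as far as is visible here, in the other added profile files, so the normalization belongs in the tool that writes these fixtures rather than in each file. The `selections` list is also emitted in an apparently arbitrary order, which will make future diffs of rule additions and removals harder to review than a sorted list would; whether the comparator is order-insensitive cannot be confirmed from this patch.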
@@ -0,0 +1,472 @@ +description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 7 Benchmark\u2122, + v4.0.0, released 2023-12-21.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 7 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 4.0.0 + SMEs: + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux +selections: +- mount_option_dev_shm_noexec +- file_permissions_etc_issue +- dconf_gnome_banner_enabled +- sudo_custom_logfile +- package_squid_removed +- accounts_root_gid_zero +- accounts_users_netrc_file_permissions +- sysctl_net_ipv4_conf_default_rp_filter +- file_ownership_var_log_audit_stig +- no_password_auth_for_systemaccounts +- package_ypbind_removed +- file_permissions_backup_etc_passwd +- package_avahi_removed +- file_owner_etc_shadow +- mount_option_dev_shm_nosuid +- sshd_set_loglevel_verbose +- accounts_passwords_pam_faillock_deny +- audit_rules_sysadmin_actions +- has_nonlocal_mta +- package_bind_removed +- kernel_module_udf_disabled +- audit_rules_file_deletion_events_unlink +- kernel_module_dccp_disabled +- package_ypserv_removed +- sshd_set_max_sessions +- mount_option_tmp_nodev +- file_groupowner_backup_etc_gshadow +- partition_for_tmp +- file_permissions_cron_allow +- kernel_module_hfsplus_disabled +- rsyslog_files_groupownership +- mount_option_var_nosuid +- audit_rules_login_events_faillock +- group_unique_id +- audit_rules_dac_modification_fchown +- package_vsftpd_removed +- socket_systemd-journal-remote_disabled +- accounts_password_pam_difok +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- file_owner_backup_etc_group +- service_crond_enabled +- file_permissions_cron_monthly +- file_owner_backup_etc_passwd +- sudo_require_reauthentication +- file_groupowner_backup_etc_group +- auditd_data_retention_space_left_action +- 
file_ownership_home_directories +- file_at_deny_not_exist +- sysctl_net_ipv6_conf_all_accept_redirects +- sshd_set_idle_timeout +- file_owner_sshd_config +- dconf_gnome_screensaver_user_locks +- partition_for_var_tmp +- file_groupowner_backup_etc_passwd +- journald_storage +- file_group_ownership_var_log_audit +- package_sudo_installed +- service_autofs_disabled +- file_owner_cron_weekly +- file_owner_etc_issue +- kernel_module_freevxfs_disabled +- file_permissions_audit_binaries +- audit_rules_privileged_commands_kmod +- accounts_password_all_shadowed +- file_owner_etc_shells +- require_emergency_target_auth +- sysctl_kernel_randomize_va_space +- accounts_no_uid_except_zero +- file_permissions_etc_gshadow +- audit_rules_file_deletion_events_rename +- partition_for_var +- accounts_umask_etc_bashrc +- audit_rules_mac_modification +- audit_rules_usergroup_modification_gshadow +- sshd_limit_user_access +- audit_rules_unsuccessful_file_modification_creat +- ensure_pam_wheel_group_empty +- service_rpcbind_disabled +- file_groupowner_user_cfg +- package_tftp-server_removed +- audit_rules_unsuccessful_file_modification_ftruncate +- file_permission_user_init_files +- audit_rules_kernel_module_loading_init +- file_owner_cron_d +- file_permissions_ungroupowned +- sysctl_net_ipv4_conf_default_log_martians +- package_telnet-server_removed +- partition_for_var_log_audit +- root_path_no_dot +- file_owner_backup_etc_shadow +- service_systemd-journald_enabled +- service_rsyslog_enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- file_permissions_etc_issue_net +- audit_rules_usergroup_modification_group +- file_groupowner_cron_weekly +- dconf_gnome_disable_automount +- file_permissions_sshd_pub_key +- grub2_password +- account_unique_name +- chronyd_specify_remote_server +- accounts_password_warn_age_login_defs +- audit_rules_mac_modification_usr_share +- mount_option_tmp_nosuid +- sshd_enable_pam +- file_groupowner_grub2_cfg +- sysctl_net_ipv6_conf_default_accept_ra +- 
file_owner_etc_motd +- package_telnet_removed +- file_groupowner_etc_issue_net +- sshd_set_maxstartups +- file_permissions_var_log_audit +- audit_rules_dac_modification_chmod +- accounts_passwords_pam_faillock_deny_root +- rsyslog_filecreatemode +- audit_rules_dac_modification_lchown +- audit_rules_unsuccessful_file_modification_truncate +- file_owner_crontab +- file_permissions_cron_d +- file_permissions_user_cfg +- postfix_network_listening_disabled +- file_permissions_home_directories +- disable_host_auth +- audit_rules_usergroup_modification_shadow +- audit_sudo_log_events +- audit_rules_dac_modification_fremovexattr +- auditd_data_retention_admin_space_left_action +- accounts_maximum_age_login_defs +- audit_rules_file_deletion_events_renameat +- sshd_disable_rhosts +- auditd_data_retention_max_log_file_action +- file_owner_cron_allow +- file_permissions_sshd_config +- service_nfs_disabled +- sysctl_net_ipv4_conf_default_accept_redirects +- no_empty_passwords +- file_groupowner_etc_gshadow +- file_permissions_backup_etc_shadow +- selinux_policytype +- group_unique_name +- package_openldap-clients_removed +- kernel_module_squashfs_disabled +- mount_option_var_tmp_noexec +- audit_rules_dac_modification_chown +- dconf_gnome_screensaver_idle_delay +- rsyslog_nolisten +- mount_option_tmp_noexec +- file_groupowner_backup_etc_shadow +- grub2_audit_backlog_limit_argument +- aide_build_database +- file_groupowner_cron_hourly +- sudo_add_use_pty +- package_aide_installed +- audit_rules_execution_chacl +- package_rsyslog_installed +- file_owner_cron_monthly +- accounts_password_set_max_life_existing +- grub2_audit_argument +- file_groupowner_sshd_config +- package_httpd_removed +- accounts_umask_etc_login_defs +- grub2_uefi_password +- set_password_hashing_algorithm_logindefs +- file_permissions_sshd_private_key +- file_groupowner_etc_shells +- accounts_passwords_pam_faillock_unlock_time +- file_groupownership_audit_binaries +- mount_option_var_log_audit_noexec +- 
file_groupowner_etc_issue +- file_groupowner_efi_user_cfg +- audit_rules_dac_modification_removexattr +- dconf_db_up_to_date +- no_empty_passwords_etc_shadow +- grub2_enable_selinux +- ensure_gpgcheck_never_disabled +- coredump_disable_backtraces +- file_permissions_backup_etc_gshadow +- accounts_root_path_dirs_no_write +- dconf_gnome_disable_automount_open +- ensure_root_password_configured +- no_files_unowned_by_user +- no_rsh_trust_files +- audit_rules_usergroup_modification_opasswd +- accounts_user_dot_group_ownership +- dconf_gnome_disable_user_list +- accounts_password_pam_minclass +- mount_option_var_tmp_nodev +- file_cron_deny_not_exist +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- rsyslog_files_ownership +- dconf_gnome_screensaver_lock_delay +- package_nginx_removed +- file_permissions_etc_passwd +- file_permissions_efi_user_cfg +- file_permissions_etc_group +- partition_for_dev_shm +- iptables_rules_for_open_ports +- partition_for_var_log +- auditd_data_retention_action_mail_acct +- audit_rules_dac_modification_fchownat +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- directory_permissions_var_log_audit +- accounts_umask_etc_profile +- file_groupowner_cron_monthly +- audit_rules_dac_modification_fchmod +- set_firewalld_appropriate_zone +- selinux_confinement_of_daemons +- banner_etc_issue +- sysctl_net_ipv4_conf_all_accept_source_route +- set_password_hashing_algorithm_passwordauth +- file_owner_etc_gshadow +- sysctl_net_ipv4_conf_all_log_martians +- gnome_gdm_disable_xdmcp +- accounts_password_pam_pwhistory_remember_password_auth +- package_audit_installed +- mount_option_dev_shm_nodev +- audit_rules_dac_modification_fsetxattr +- no_forward_files +- package_dovecot_removed +- ensure_gpgcheck_globally_activated +- accounts_password_set_warn_age_existing +- audit_rules_networkconfig_modification +- gid_passwd_group_same +- file_groupownership_sshd_pub_key +- audit_rules_unsuccessful_file_modification_open +- 
audit_rules_dac_modification_setxattr +- audit_rules_login_events_lastlog +- audit_rules_suid_auid_privilege_function +- mount_option_var_nodev +- file_owner_grub2_cfg +- mount_option_var_log_audit_nodev +- partition_for_home +- file_cron_allow_exists +- file_owner_etc_passwd +- mount_option_var_tmp_nosuid +- sysctl_net_ipv6_conf_default_accept_source_route +- file_ownership_sshd_private_key +- package_net-snmp_removed +- service_bluetooth_disabled +- file_groupowner_etc_motd +- dir_perms_world_writable_sticky_bits +- file_owner_etc_issue_net +- mount_option_var_log_audit_nosuid +- sshd_enable_warning_banner_net +- file_permissions_cron_weekly +- sshd_use_strong_kex +- chronyd_run_as_chrony_user +- sshd_disable_gssapi_auth +- file_owner_efi_user_cfg +- set_ip6tables_default_rule +- accounts_password_pam_pwhistory_remember_system_auth +- service_firewalld_enabled +- audit_rules_media_export +- service_auditd_enabled +- accounts_tmout +- package_mcstrans_removed +- audit_rules_time_watch_localtime +- file_ownership_audit_configuration +- file_owner_etc_group +- audit_rules_privileged_commands_usermod +- file_groupowner_etc_group +- file_permissions_grub2_cfg +- package_xinetd_removed +- accounts_password_pam_maxrepeat +- package_samba_removed +- audit_rules_file_deletion_events_unlinkat +- audit_rules_kernel_module_loading_finit +- file_permissions_etc_motd +- file_ownership_sshd_pub_key +- audit_rules_dac_modification_fchmodat +- file_groupowner_cron_allow +- audit_rules_time_stime +- audit_rules_time_adjtimex +- file_ownership_audit_binaries +- file_owner_user_cfg +- mount_option_var_log_nosuid +- package_rsync_removed +- sysctl_net_ipv4_tcp_syncookies +- file_permissions_etc_shells +- coredump_disable_storage +- package_cyrus-imapd_removed +- package_libselinux_installed +- package_dhcp_removed +- file_groupownership_audit_configuration +- banner_etc_motd +- sysctl_net_ipv4_conf_all_secure_redirects +- selinux_not_disabled +- package_audit-libs_installed +- 
kernel_module_sctp_disabled +- file_groupowner_etc_passwd +- accounts_password_pam_dictcheck +- auditd_data_disk_full_action +- file_groupowner_efi_grub2_cfg +- account_disable_post_pw_expiration +- audit_rules_dac_modification_lsetxattr +- journald_compress +- sysctl_net_ipv6_conf_all_accept_source_route +- account_unique_id +- package_pam_pwquality_installed +- sysctl_net_ipv6_conf_default_accept_redirects +- file_permissions_etc_shadow +- sshd_use_approved_ciphers +- journald_forward_to_syslog +- accounts_password_pam_minlen +- audit_rules_usergroup_modification_passwd +- package_chrony_installed +- dconf_gnome_session_idle_user_locks +- sysctl_net_ipv4_ip_forward +- audit_rules_execution_chcon +- audit_rules_immutable +- file_owner_backup_etc_gshadow +- kernel_module_cramfs_disabled +- kernel_module_hfs_disabled +- audit_rules_kernel_module_loading_query +- package_dnsmasq_removed +- sysctl_net_ipv4_conf_all_accept_redirects +- ip6tables_rules_for_open_ports +- file_owner_cron_daily +- mount_option_home_nodev +- audit_rules_kernel_module_loading_create +- sshd_use_strong_macs +- set_loopback_traffic +- audit_rules_time_clock_settime +- file_permissions_backup_etc_group +- audit_rules_dac_modification_lremovexattr +- mount_option_home_nosuid +- no_shelllogin_for_systemaccounts +- sshd_disable_empty_passwords +- audit_rules_unsuccessful_file_modification_openat +- accounts_password_last_change_is_in_past +- banner_etc_issue_net +- rsyslog_files_permissions +- sshd_do_not_permit_user_env +- accounts_user_interactive_home_directory_exists +- sysctl_net_ipv6_conf_all_forwarding +- sshd_disable_root_login +- selinux_state +- file_permissions_unauthorized_world_writable +- file_groupowner_crontab +- kernel_module_rds_disabled +- file_groupowner_etc_shadow +- package_tftp_removed +- sshd_set_keepalive +- kernel_module_tipc_disabled +- file_groupowner_cron_daily +- file_owner_cron_hourly +- set_password_hashing_algorithm_systemauth +- 
sysctl_net_ipv4_conf_all_send_redirects +- sysctl_kernel_yama_ptrace_scope +- file_owner_efi_grub2_cfg +- file_permissions_audit_configuration +- kernel_module_usb-storage_disabled +- sysctl_net_ipv4_conf_default_accept_source_route +- file_permissions_cron_daily +- file_permissions_efi_grub2_cfg +- auditd_data_disk_error_action +- accounts_set_post_pw_existing +- file_groupownership_sshd_private_key +- file_groupowner_cron_d +- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_default_secure_redirects +- file_etc_security_opasswd +- sysctl_net_ipv4_conf_default_send_redirects +- sysctl_net_ipv6_conf_all_accept_ra +- mount_option_var_log_noexec +- file_permissions_crontab +- audit_rules_privileged_commands +- auditd_data_retention_max_log_file +- audit_rules_kernel_module_loading_delete +- audit_rules_session_events +- require_singleuser_auth +- aide_periodic_cron_checking +- package_firewalld_installed +- package_iptables_installed +- mount_option_var_log_nodev +- use_pam_wheel_group_for_su +- kernel_module_jffs2_disabled +- sudo_require_authentication +- package_ftp_removed +- sshd_set_login_grace_time +- set_password_hashing_algorithm_libuserconf +- file_permissions_cron_hourly +- audit_rules_time_settimeofday +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sudo_timestamp_timeout=15_minutes +- var_sudo_logfile=var_log_sudo_log +- 
var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel7 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel7 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel7 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +- var_auditd_space_left_action=cis_rhel7 +- var_auditd_action_mail_acct=root +- var_auditd_admin_space_left_action=cis_rhel7 +- var_auditd_disk_full_action=cis_rhel7 +- var_auditd_disk_error_action=cis_rhel7 +- 
var_auditd_max_log_file_action=keep_logs +- var_auditd_max_log_file=6 +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel7 +title: CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/cis_workstation_l2.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/pci-dss.profile b/tests/data/profile_stability/rhel7/pci-dss.profile new file mode 100644 index 00000000000..2f0368f9f69 --- /dev/null +++ b/tests/data/profile_stability/rhel7/pci-dss.profile 
@@ -0,0 +1,317 @@ +description: 'Payment Card Industry - Data Security Standard (PCI-DSS) is a set of + + security standards designed to ensure the secure handling of payment card + + data, with the goal of preventing data breaches and protecting sensitive + + financial information. + + + This profile ensures Red Hat Enterprise Linux 7 is configured in alignment + + with PCI-DSS v4.0 requirements.' +extends: null +hidden: '' +metadata: + version: '4.0' + SMEs: + - marcusburghardt + - mab879 + - vojtapolasek +reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf +selections: +- file_groupowner_etc_passwd +- ensure_shadow_group_empty +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- file_cron_deny_not_exist +- disable_users_coredumps +- account_disable_post_pw_expiration +- dconf_gnome_screensaver_lock_enabled +- sysctl_net_ipv4_conf_all_rp_filter +- rsyslog_files_ownership +- service_nftables_disabled +- dconf_gnome_screensaver_lock_delay +- sudo_custom_logfile +- file_permissions_etc_issue_net +- no_direct_root_logins +- file_permissions_etc_passwd +- audit_rules_dac_modification_lsetxattr +- audit_rules_suid_privilege_function +- package_rsh-server_removed +- accounts_root_gid_zero +- audit_rules_usergroup_modification_group +- file_groupowner_cron_weekly +- file_permissions_etc_group +- dconf_gnome_disable_automount +- file_permissions_sshd_pub_key +- audit_rules_dac_modification_fchownat +- account_unique_id +- gnome_gdm_disable_guest_login +- account_unique_name +- file_permissions_etc_shadow +- no_password_auth_for_systemaccounts +- sshd_use_approved_ciphers +- dconf_gnome_screensaver_idle_activation_enabled +- package_ypbind_removed +- file_permissions_backup_etc_passwd +- chronyd_specify_remote_server +- accounts_password_warn_age_login_defs +- accounts_password_pam_minlen +- audit_rules_usergroup_modification_passwd +- audit_rules_dac_modification_fchmod +- file_groupowner_cron_monthly +- file_owner_etc_shadow +- 
ensure_redhat_gpgkey_installed +- dconf_gnome_session_idle_user_locks +- package_chrony_installed +- selinux_confinement_of_daemons +- sysctl_net_ipv4_ip_forward +- sshd_enable_pam +- file_groupowner_grub2_cfg +- sshd_set_loglevel_verbose +- accounts_passwords_pam_faillock_deny +- directory_access_var_log_audit +- audit_rules_sysadmin_actions +- audit_rules_immutable +- package_telnet_removed +- file_groupowner_etc_issue_net +- sshd_set_maxstartups +- file_permissions_var_log_audit +- audit_rules_dac_modification_chmod +- dconf_gnome_screensaver_mode_blank +- accounts_password_pam_pwhistory_remember_password_auth +- package_audit_installed +- audit_rules_dac_modification_lchown +- audit_rules_dac_modification_fsetxattr +- ensure_gpgcheck_globally_activated +- file_owner_crontab +- file_permissions_cron_d +- file_permissions_user_cfg +- postfix_network_listening_disabled +- accounts_password_set_warn_age_existing +- auditd_name_format +- audit_rules_networkconfig_modification +- gid_passwd_group_same +- audit_rules_file_deletion_events_unlink +- kernel_module_dccp_disabled +- package_ypserv_removed +- sshd_set_max_sessions +- wireless_disable_interfaces +- file_permissions_cron_allow +- audit_rules_dac_modification_setxattr +- file_owner_cron_daily +- audit_rules_login_events_lastlog +- rsyslog_files_groupownership +- audit_rules_file_deletion_events_rmdir +- audit_rules_login_events_faillock +- file_owner_grub2_cfg +- disable_host_auth +- rpm_verify_hashes +- ntpd_specify_remote_server +- audit_rules_usergroup_modification_shadow +- audit_rules_time_clock_settime +- file_owner_etc_passwd +- audit_rules_dac_modification_lremovexattr +- file_permissions_backup_etc_group +- group_unique_id +- display_login_attempts +- network_sniffer_disabled +- no_shelllogin_for_systemaccounts +- audit_rules_dac_modification_fchown +- sshd_disable_empty_passwords +- accounts_password_last_change_is_in_past +- sysctl_net_ipv6_conf_default_accept_source_route +- 
security_patches_up_to_date +- ntpd_specify_multiple_servers +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- file_owner_backup_etc_group +- rsyslog_files_permissions +- audit_sudo_log_events +- rpm_verify_ownership +- sshd_do_not_permit_user_env +- package_net-snmp_removed +- network_nmcli_permissions +- audit_rules_dac_modification_fremovexattr +- auditd_data_retention_admin_space_left_action +- accounts_maximum_age_login_defs +- audit_rules_file_deletion_events_renameat +- sshd_disable_rhosts +- dir_perms_world_writable_sticky_bits +- file_permissions_cron_monthly +- file_owner_cron_allow +- sshd_use_approved_macs +- sshd_disable_root_login +- file_owner_backup_etc_passwd +- file_permissions_sshd_config +- file_owner_etc_issue_net +- file_ownership_var_log_audit +- package_talk_removed +- file_permissions_unauthorized_world_writable +- selinux_state +- service_avahi-daemon_disabled +- file_groupowner_crontab +- sudo_require_reauthentication +- sysctl_net_ipv4_conf_default_accept_redirects +- file_groupowner_backup_etc_group +- no_empty_passwords +- sysctl_fs_suid_dumpable +- file_groupowner_etc_shadow +- auditd_data_retention_space_left_action +- file_permissions_cron_weekly +- sshd_use_strong_kex +- service_ntpd_enabled +- configure_firewalld_ports +- file_permissions_backup_etc_shadow +- auditd_data_retention_space_left +- selinux_policytype +- accounts_password_pam_unix_remember +- file_at_deny_not_exist +- sshd_set_idle_timeout +- package_tftp_removed +- sshd_set_keepalive +- chronyd_run_as_chrony_user +- file_groupowner_cron_daily +- file_owner_cron_hourly +- group_unique_name +- securetty_root_login_console_only +- set_password_hashing_algorithm_systemauth +- sysctl_net_ipv4_conf_all_send_redirects +- audit_rules_dac_modification_chown +- dconf_gnome_screensaver_idle_delay +- install_PAE_kernel_on_x86-32 +- file_groupowner_backup_etc_shadow +- sshd_disable_tcp_forwarding +- grub2_audit_backlog_limit_argument +- set_ip6tables_default_rule +- 
accounts_password_pam_pwhistory_remember_system_auth +- aide_build_database +- kernel_module_usb-storage_disabled +- file_groupowner_cron_hourly +- set_firewalld_default_zone +- package_aide_installed +- sudo_add_use_pty +- service_firewalld_enabled +- audit_rules_media_export +- service_auditd_enabled +- file_groupowner_backup_etc_passwd +- package_cryptsetup-luks_installed +- accounts_tmout +- file_group_ownership_var_log_audit +- file_owner_cron_monthly +- file_permissions_cron_daily +- accounts_password_set_max_life_existing +- auditd_audispd_syslog_plugin_activated +- package_sudo_installed +- sshd_disable_x11_forwarding +- file_owner_cron_weekly +- accounts_set_post_pw_existing +- grub2_audit_argument +- service_rsyncd_disabled +- file_groupowner_cron_d +- sshd_set_max_auth_tries +- audit_rules_time_watch_localtime +- accounts_password_pam_dcredit +- sysctl_net_ipv4_conf_default_send_redirects +- file_owner_etc_group +- bios_enable_execution_restrictions +- nftables_ensure_default_deny_policy +- package_logrotate_installed +- package_talk-server_removed +- accounts_password_all_shadowed +- file_groupowner_etc_group +- file_permissions_crontab +- file_permissions_grub2_cfg +- file_permissions_sshd_private_key +- set_password_hashing_algorithm_logindefs +- sysctl_kernel_randomize_va_space +- package_xinetd_removed +- accounts_no_uid_except_zero +- accounts_password_pam_lcredit +- accounts_passwords_pam_faillock_unlock_time +- audit_rules_file_deletion_events_rename +- audit_rules_session_events +- audit_rules_file_deletion_events_unlinkat +- package_rsh_removed +- package_audispd-plugins_installed +- service_chronyd_or_ntpd_enabled +- audit_rules_dac_modification_removexattr +- dconf_db_up_to_date +- audit_rules_mac_modification +- audit_rules_usergroup_modification_gshadow +- no_empty_passwords_etc_shadow +- audit_rules_dac_modification_fchmodat +- file_groupowner_cron_allow +- service_rpcbind_disabled +- ensure_pam_wheel_group_empty +- 
aide_periodic_cron_checking +- audit_rules_time_adjtimex +- audit_rules_time_stime +- sshd_limit_user_access +- grub2_enable_selinux +- package_nftables_installed +- ensure_gpgcheck_never_disabled +- file_groupowner_user_cfg +- package_tftp-server_removed +- coredump_disable_backtraces +- file_owner_user_cfg +- gnome_gdm_disable_automatic_login +- sysctl_net_ipv4_tcp_syncookies +- use_pam_wheel_group_for_su +- coredump_disable_storage +- sudo_require_authentication +- file_owner_cron_d +- file_permissions_ungroupowned +- package_libselinux_installed +- audit_rules_login_events_tallylog +- package_dhcp_removed +- dconf_gnome_disable_automount_open +- ensure_root_password_configured +- no_files_unowned_by_user +- package_ftp_removed +- package_telnet-server_removed +- sshd_set_login_grace_time +- audit_rules_usergroup_modification_opasswd +- sysctl_net_ipv4_conf_all_secure_redirects +- set_password_hashing_algorithm_libuserconf +- file_permissions_cron_hourly +- file_owner_backup_etc_shadow +- audit_rules_time_settimeofday +- kernel_module_sctp_disabled +- var_multiple_time_servers=generic +- var_auditd_admin_space_left_action=single +- var_auditd_space_left=100MB +- var_auditd_space_left_action=email +- var_auditd_name_format=fqd +- var_accounts_maximum_age_login_defs=90 +- var_accounts_password_warn_age_login_defs=7 +- var_password_pam_unix_remember=4 +- var_password_pam_remember=4 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_dcredit=1 +- var_password_pam_lcredit=1 +- var_password_pam_minlen=12 +- var_accounts_passwords_pam_faillock_deny=10 +- var_accounts_passwords_pam_faillock_unlock_time=1800 +- var_password_pam_tally2=10 +- var_accounts_passwords_pam_tally2_unlock_time=1800 +- var_password_hashing_algorithm=SHA512 +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=10_seconds +- sshd_idle_timeout_value=15_minutes +- var_sshd_set_keepalive=0 +- var_account_disable_post_pw_expiration=90 +- 
var_system_crypto_policy=default_policy +- var_sshd_set_login_grace_time=60 +- var_postfix_inet_interfaces=loopback-only +- var_selinux_policy_name=targeted +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- pcidss_4 +title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 7 +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/pci-dss.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/stig.profile b/tests/data/profile_stability/rhel7/stig.profile new file mode 100644 index 00000000000..14a42c37b1f --- /dev/null +++ b/tests/data/profile_stability/rhel7/stig.profile 
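Review bot: `definition_location` in the new pci-dss.profile fixture is an absolute path under one developer's home directory (`/home/jcerny/work/git/content/products/rhel7/profiles/pci-dss.profile`), so the value can only match on that machine; unless the stability test drops or masks this key before comparing, the fixture should store a repository-relative path such as `definition_location: products/rhel7/profiles/pci-dss.profile`, or the key should be omitted from the dump altogether. The same absolute path appears in the stig.profile and stig_gui.profile hunks below. The selections lists are also in no evident order, so if the test compares them line by line rather than as sets, a dump emitted in a different order would fail CI even though no rule was added or removed; the commit message suggests a set-based comparison, but that is worth confirming in the test itself.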
@@ -0,0 +1,365 @@ +description: 'This profile contains configuration checks that align to the + + DISA STIG for Red Hat Enterprise Linux V3R14. + + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes + this + + configuration baseline as applicable to the operating system tier of + + Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: + + + - Red Hat Enterprise Linux Server + + - Red Hat Enterprise Linux Workstation and Desktop + + - Red Hat Enterprise Linux for HPC + + - Red Hat Storage + + - Red Hat Containers with a Red Hat Enterprise Linux 7 image' +extends: null +hidden: '' +metadata: + version: V3R14 + SMEs: + - ggbecker +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +selections: +- mount_option_dev_shm_noexec +- grub2_enable_fips_mode +- sshd_disable_rhosts_rsa +- auditd_audispd_remote_daemon_type +- mount_option_nosuid_remote_filesystems +- sudo_remove_nopasswd +- sssd_ldap_configure_tls_reqcert +- sssd_enable_pam_services +- account_disable_post_pw_expiration +- accounts_umask_interactive_users +- dconf_gnome_screensaver_lock_enabled +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- audit_rules_system_shutdown +- dconf_gnome_banner_enabled +- service_sshd_enabled +- auditd_audispd_remote_daemon_activated +- dconf_gnome_screensaver_lock_delay +- installed_OS_is_vendor_supported +- audit_rules_dac_modification_lsetxattr +- audit_rules_suid_privilege_function +- package_rsh-server_removed +- audit_rules_execution_semanage +- account_temp_expire_date +- dconf_gnome_disable_ctrlaltdel_reboot +- accounts_user_home_paths_only +- audit_rules_usergroup_modification_group +- mount_option_nosuid_removable_partitions +- selinux_confine_to_least_privilege +- dconf_gnome_disable_automount +- auditd_data_retention_action_mail_acct +- clean_components_post_updating +- audit_rules_privileged_commands_pam_timestamp_check +- 
audit_rules_dac_modification_fchownat +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_conf_default_rp_filter +- audit_rules_privileged_commands_mount +- grub2_password +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- sysctl_net_ipv6_conf_all_accept_source_route +- accounts_passwords_pam_faillock_interval +- gnome_gdm_disable_guest_login +- audit_rules_privileged_commands_userhelper +- auditd_audispd_configure_remote_server +- dconf_gnome_screensaver_idle_activation_enabled +- sshd_enable_warning_banner +- sshd_disable_compression +- accounts_password_pam_minlen +- audit_rules_usergroup_modification_passwd +- audit_rules_dac_modification_fchmod +- audit_rules_unsuccessful_file_modification_open_by_handle_at +- ensure_redhat_gpgkey_installed +- dconf_gnome_session_idle_user_locks +- audit_rules_privileged_commands_unix_chkpwd +- grub2_admin_username +- audit_rules_execution_chcon +- mount_option_dev_shm_nosuid +- aide_use_fips_hashes +- banner_etc_issue +- package_screen_installed +- rsyslog_remote_loghost +- sshd_allow_only_protocol2 +- sysctl_net_ipv4_conf_all_accept_source_route +- accounts_passwords_pam_faillock_deny +- package_mailx_installed +- audit_rules_sysadmin_actions +- dconf_gnome_enable_smartcard_auth +- mount_option_noexec_remote_filesystems +- set_password_hashing_algorithm_passwordauth +- audit_rules_privileged_commands_umount +- accounts_users_home_files_ownership +- file_permissions_var_log_audit +- audit_rules_dac_modification_chmod +- accounts_password_pam_pwhistory_remember_password_auth +- accounts_passwords_pam_faillock_deny_root +- audit_rules_dac_modification_lchown +- audit_rules_unsuccessful_file_modification_truncate +- mount_option_dev_shm_nodev +- audit_rules_dac_modification_fsetxattr +- ensure_gpgcheck_globally_activated +- auditd_name_format +- file_groupownership_home_directories +- gid_passwd_group_same +- audit_rules_file_deletion_events_unlink +- sshd_set_keepalive_0 +- 
sysctl_net_ipv4_conf_all_accept_redirects +- kernel_module_dccp_disabled +- package_ypserv_removed +- accounts_password_pam_retry +- file_permissions_home_directories +- partition_for_tmp +- wireless_disable_interfaces +- agent_mfetpd_running +- audit_rules_dac_modification_setxattr +- audit_rules_unsuccessful_file_modification_open +- sshd_x11_use_localhost +- mount_option_krb_sec_remote_filesystems +- audit_rules_login_events_lastlog +- auditd_audispd_remote_daemon_path +- dir_perms_world_writable_system_owned_group +- audit_rules_kernel_module_loading_create +- accounts_minimum_age_login_defs +- audit_rules_file_deletion_events_rmdir +- audit_rules_login_events_faillock +- disable_host_auth +- partition_for_home +- rpm_verify_hashes +- rpm_verify_permissions +- libreswan_approved_tunnels +- sshd_disable_user_known_hosts +- audit_rules_usergroup_modification_shadow +- network_sniffer_disabled +- audit_rules_dac_modification_lremovexattr +- mount_option_home_nosuid +- display_login_attempts +- auditd_audispd_disk_full_action +- audit_rules_dac_modification_fchown +- accounts_have_homedir_login_defs +- audit_rules_unsuccessful_file_modification_openat +- package_vsftpd_removed +- sshd_disable_empty_passwords +- security_patches_up_to_date +- accounts_password_pam_difok +- smartcard_auth +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- sshd_do_not_permit_user_env +- rpm_verify_ownership +- audit_rules_privileged_commands_chage +- accounts_user_interactive_home_directory_exists +- audit_rules_dac_modification_fremovexattr +- smartcard_configure_cert_checking +- accounts_maximum_age_login_defs +- audit_rules_file_deletion_events_renameat +- sshd_disable_rhosts +- auditd_overflow_action +- file_owner_cron_allow +- selinux_all_devicefiles_labeled +- sudoers_validate_passwd +- sysctl_kernel_dmesg_restrict +- accounts_users_home_files_permissions +- snmpd_not_default_password +- sshd_disable_root_login +- accounts_authorized_local_users +- 
audit_rules_privileged_commands_newgrp +- dconf_gnome_screensaver_lock_locked +- disable_ctrlaltdel_reboot +- file_ownership_var_log_audit +- postfix_prevent_unrestricted_relay +- selinux_state +- sudo_require_reauthentication +- tftpd_uses_secure_mode +- aide_verify_ext_attributes +- sysctl_net_ipv4_conf_default_accept_redirects +- no_empty_passwords +- accounts_password_set_min_life_existing +- dconf_gnome_screensaver_idle_activation_locked +- sshd_use_approved_kex_ordered_stig +- sudoers_default_includedir +- auditd_data_retention_space_left_action +- no_host_based_files +- sudo_remove_no_authenticate +- configure_firewalld_ports +- selinux_policytype +- file_ownership_home_directories +- grub2_no_removeable_media +- sshd_set_idle_timeout +- sysctl_net_ipv4_conf_all_send_redirects +- set_password_hashing_algorithm_systemauth +- dconf_gnome_screensaver_user_locks +- accounts_password_pam_ucredit +- accounts_password_pam_maxclassrepeat +- audit_rules_dac_modification_chown +- dconf_gnome_screensaver_idle_delay +- rsyslog_cron_logging +- rsyslog_nolisten +- audit_rules_privileged_commands_passwd +- sshd_disable_gssapi_auth +- sshd_print_last_log +- aide_verify_acls +- audit_rules_privileged_commands_crontab +- dir_perms_world_writable_system_owned +- audit_rules_privileged_commands_gpasswd +- sudo_restrict_privilege_elevation_to_authorized +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_max_concurrent_login_sessions +- aide_build_database +- kernel_module_usb-storage_disabled +- set_firewalld_default_zone +- auditd_data_retention_space_left_percentage +- package_aide_installed +- package_mcafeetp_installed +- audit_rules_media_export +- service_auditd_enabled +- service_firewalld_enabled +- sshd_use_approved_macs_ordered_stig +- sysctl_net_ipv4_conf_default_accept_source_route +- audit_rules_privileged_commands_chsh +- accounts_tmout +- install_smartcard_packages +- accounts_password_set_max_life_existing +- ensure_gpgcheck_local_packages +- 
sshd_disable_kerb_auth +- sshd_disable_x11_forwarding +- service_autofs_disabled +- no_user_host_based_files +- audit_rules_privileged_commands_su +- accounts_password_pam_ocredit +- accounts_password_pam_dcredit +- audit_rules_execution_setsebool +- sysctl_net_ipv4_conf_default_send_redirects +- audit_rules_privileged_commands_kmod +- accounts_umask_etc_login_defs +- network_configure_name_resolution +- grub2_uefi_password +- accounts_user_dot_no_world_writable_programs +- set_password_hashing_algorithm_logindefs +- file_permissions_sshd_private_key +- sshd_enable_strictmodes +- sysctl_kernel_randomize_va_space +- auditd_audispd_network_failure_action +- package_openssh-server_installed +- grub2_uefi_admin_username +- accounts_password_pam_maxrepeat +- authconfig_config_files_symlinks +- accounts_no_uid_except_zero +- accounts_password_pam_lcredit +- sssd_ldap_start_tls +- accounts_passwords_pam_faillock_unlock_time +- audit_rules_file_deletion_events_rename +- audit_rules_kernel_module_loading_delete +- audit_rules_file_deletion_events_unlinkat +- partition_for_var +- auditd_audispd_remote_daemon_direction +- sebool_ssh_sysadm_login +- audit_rules_kernel_module_loading_finit +- chronyd_or_ntpd_set_maxpoll +- sshd_use_approved_ciphers_ordered_stig +- audit_rules_dac_modification_removexattr +- audit_rules_privileged_commands_postqueue +- auditd_audispd_encrypt_sent_records +- audit_rules_usergroup_modification_gshadow +- dconf_db_up_to_date +- install_antivirus +- audit_rules_dac_modification_fchmodat +- file_groupowner_cron_allow +- audit_rules_unsuccessful_file_modification_creat +- no_empty_passwords_etc_shadow +- aide_periodic_cron_checking +- accounts_logon_fail_delay +- require_singleuser_auth +- disallow_bypass_password_sudo +- sssd_ldap_configure_tls_ca +- sysctl_net_ipv4_ip_forward +- audit_rules_execution_setfiles +- selinux_user_login_roles +- package_tftp-server_removed +- audit_rules_unsuccessful_file_modification_ftruncate +- 
audit_rules_privileged_commands_postdrop +- file_permission_user_init_files +- gnome_gdm_disable_automatic_login +- uefi_no_removeable_media +- audit_rules_kernel_module_loading_init +- accounts_users_home_files_groupownership +- aide_scan_notification +- file_permissions_ungroupowned +- dconf_gnome_disable_automount_open +- no_files_unowned_by_user +- package_telnet-server_removed +- xwindows_remove_packages +- partition_for_var_log_audit +- audit_rules_privileged_commands_ssh_keysign +- audit_rules_usergroup_modification_opasswd +- accounts_user_dot_group_ownership +- audit_rules_privileged_commands_sudo +- dconf_gnome_disable_user_list +- set_password_hashing_algorithm_libuserconf +- service_kdump_disabled +- accounts_password_pam_minclass +- selinux_context_elevation_for_sudo +- sshd_use_priv_separation +- login_banner_text=dod_banners +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- sshd_idle_timeout_value=10_minutes +- var_accounts_fail_delay=4 +- var_selinux_state=enforcing +- var_selinux_policy_name=targeted +- var_password_pam_minlen=15 +- var_password_pam_ocredit=1 +- var_password_pam_lcredit=1 +- var_password_pam_ucredit=1 +- var_accounts_passwords_pam_faillock_unlock_time=never +- var_accounts_passwords_pam_faillock_fail_interval=900 +- var_accounts_passwords_pam_faillock_deny=3 +- var_password_pam_unix_remember=5 +- var_password_pam_maxclassrepeat=4 +- var_password_pam_difok=8 +- var_password_pam_dcredit=1 +- var_password_pam_minclass=4 +- var_accounts_minimum_age_login_defs=1 +- var_password_pam_maxrepeat=3 +- var_accounts_maximum_age_login_defs=60 +- var_account_disable_post_pw_expiration=35 +- var_removable_partition=dev_cdrom +- var_auditd_action_mail_acct=root +- var_auditd_space_left_action=email +- var_auditd_space_left_percentage=25pc +- var_accounts_user_umask=077 +- var_password_pam_retry=3 +- var_accounts_max_concurrent_login_sessions=10 +- var_accounts_tmout=15_min +- 
var_accounts_authorized_local_users_regex=rhel7 +- var_time_service_set_maxpoll=18_hours +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- var_audit_failure_mode=panic +- var_accounts_passwords_pam_faillock_dir=run +- sshd_required=yes +- var_sshd_set_keepalive=0 +- var_auditd_name_format=stig +- sssd_ldap_start_tls.severity=medium +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: [] +title: DISA STIG for Red Hat Enterprise Linux 7 +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/stig.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel7/stig_gui.profile b/tests/data/profile_stability/rhel7/stig_gui.profile new file mode 100644 index 00000000000..4487ba41258 --- /dev/null +++ b/tests/data/profile_stability/rhel7/stig_gui.profile 
@@ -0,0 +1,375 @@ +description: 'This profile contains configuration checks that align to the + + DISA STIG with GUI for Red Hat Enterprise Linux V3R14. + + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes + this + + configuration baseline as applicable to the operating system tier of + + Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: + + + - Red Hat Enterprise Linux Server + + - Red Hat Enterprise Linux Workstation and Desktop + + - Red Hat Enterprise Linux for HPC + + - Red Hat Storage + + - Red Hat Containers with a Red Hat Enterprise Linux 7 image + + + Warning: The installation and use of a Graphical User Interface (GUI) + + increases your attack vector and decreases your overall security posture. If + + your Information Systems Security Officer (ISSO) lacks a documented operational + + requirement for a graphical user interface, please consider using the + + standard DISA STIG for Red Hat Enterprise Linux 7 profile.' +extends: null +hidden: '' +metadata: + version: V3R14 + SMEs: + - ggbecker +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +selections: +- mount_option_dev_shm_noexec +- grub2_enable_fips_mode +- sshd_disable_rhosts_rsa +- auditd_audispd_remote_daemon_type +- mount_option_nosuid_remote_filesystems +- sudo_remove_nopasswd +- sssd_ldap_configure_tls_reqcert +- sssd_enable_pam_services +- account_disable_post_pw_expiration +- accounts_umask_interactive_users +- dconf_gnome_screensaver_lock_enabled +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_user_dot_user_ownership +- audit_rules_system_shutdown +- dconf_gnome_banner_enabled +- service_sshd_enabled +- auditd_audispd_remote_daemon_activated +- dconf_gnome_screensaver_lock_delay +- installed_OS_is_vendor_supported +- audit_rules_dac_modification_lsetxattr +- audit_rules_suid_privilege_function +- package_rsh-server_removed +- audit_rules_execution_semanage +- account_temp_expire_date 
+- dconf_gnome_disable_ctrlaltdel_reboot +- accounts_user_home_paths_only +- audit_rules_usergroup_modification_group +- mount_option_nosuid_removable_partitions +- selinux_confine_to_least_privilege +- dconf_gnome_disable_automount +- auditd_data_retention_action_mail_acct +- clean_components_post_updating +- audit_rules_privileged_commands_pam_timestamp_check +- audit_rules_dac_modification_fchownat +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_conf_default_rp_filter +- audit_rules_privileged_commands_mount +- grub2_password +- dconf_gnome_disable_autorun +- dconf_gnome_login_banner_text +- sysctl_net_ipv6_conf_all_accept_source_route +- accounts_passwords_pam_faillock_interval +- gnome_gdm_disable_guest_login +- audit_rules_privileged_commands_userhelper +- auditd_audispd_configure_remote_server +- dconf_gnome_screensaver_idle_activation_enabled +- sshd_enable_warning_banner +- sshd_disable_compression +- accounts_password_pam_minlen +- audit_rules_usergroup_modification_passwd +- audit_rules_dac_modification_fchmod +- audit_rules_unsuccessful_file_modification_open_by_handle_at +- ensure_redhat_gpgkey_installed +- dconf_gnome_session_idle_user_locks +- audit_rules_privileged_commands_unix_chkpwd +- grub2_admin_username +- audit_rules_execution_chcon +- mount_option_dev_shm_nosuid +- aide_use_fips_hashes +- banner_etc_issue +- package_screen_installed +- rsyslog_remote_loghost +- sshd_allow_only_protocol2 +- sysctl_net_ipv4_conf_all_accept_source_route +- accounts_passwords_pam_faillock_deny +- package_mailx_installed +- audit_rules_sysadmin_actions +- dconf_gnome_enable_smartcard_auth +- mount_option_noexec_remote_filesystems +- set_password_hashing_algorithm_passwordauth +- audit_rules_privileged_commands_umount +- accounts_users_home_files_ownership +- file_permissions_var_log_audit +- audit_rules_dac_modification_chmod +- accounts_password_pam_pwhistory_remember_password_auth +- accounts_passwords_pam_faillock_deny_root +- 
audit_rules_dac_modification_lchown +- audit_rules_unsuccessful_file_modification_truncate +- mount_option_dev_shm_nodev +- audit_rules_dac_modification_fsetxattr +- ensure_gpgcheck_globally_activated +- auditd_name_format +- file_groupownership_home_directories +- gid_passwd_group_same +- audit_rules_file_deletion_events_unlink +- sshd_set_keepalive_0 +- sysctl_net_ipv4_conf_all_accept_redirects +- kernel_module_dccp_disabled +- package_ypserv_removed +- accounts_password_pam_retry +- file_permissions_home_directories +- partition_for_tmp +- wireless_disable_interfaces +- agent_mfetpd_running +- audit_rules_dac_modification_setxattr +- audit_rules_unsuccessful_file_modification_open +- sshd_x11_use_localhost +- mount_option_krb_sec_remote_filesystems +- audit_rules_login_events_lastlog +- auditd_audispd_remote_daemon_path +- dir_perms_world_writable_system_owned_group +- audit_rules_kernel_module_loading_create +- accounts_minimum_age_login_defs +- audit_rules_file_deletion_events_rmdir +- audit_rules_login_events_faillock +- disable_host_auth +- partition_for_home +- rpm_verify_hashes +- rpm_verify_permissions +- libreswan_approved_tunnels +- sshd_disable_user_known_hosts +- audit_rules_usergroup_modification_shadow +- network_sniffer_disabled +- audit_rules_dac_modification_lremovexattr +- mount_option_home_nosuid +- display_login_attempts +- auditd_audispd_disk_full_action +- audit_rules_dac_modification_fchown +- accounts_have_homedir_login_defs +- audit_rules_unsuccessful_file_modification_openat +- package_vsftpd_removed +- sshd_disable_empty_passwords +- security_patches_up_to_date +- accounts_password_pam_difok +- smartcard_auth +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- sshd_do_not_permit_user_env +- rpm_verify_ownership +- audit_rules_privileged_commands_chage +- accounts_user_interactive_home_directory_exists +- audit_rules_dac_modification_fremovexattr +- smartcard_configure_cert_checking +- accounts_maximum_age_login_defs +- 
audit_rules_file_deletion_events_renameat +- sshd_disable_rhosts +- auditd_overflow_action +- file_owner_cron_allow +- selinux_all_devicefiles_labeled +- sudoers_validate_passwd +- sysctl_kernel_dmesg_restrict +- accounts_users_home_files_permissions +- snmpd_not_default_password +- sshd_disable_root_login +- accounts_authorized_local_users +- audit_rules_privileged_commands_newgrp +- dconf_gnome_screensaver_lock_locked +- disable_ctrlaltdel_reboot +- file_ownership_var_log_audit +- postfix_prevent_unrestricted_relay +- selinux_state +- sudo_require_reauthentication +- tftpd_uses_secure_mode +- aide_verify_ext_attributes +- sysctl_net_ipv4_conf_default_accept_redirects +- no_empty_passwords +- accounts_password_set_min_life_existing +- dconf_gnome_screensaver_idle_activation_locked +- sshd_use_approved_kex_ordered_stig +- sudoers_default_includedir +- auditd_data_retention_space_left_action +- no_host_based_files +- sudo_remove_no_authenticate +- configure_firewalld_ports +- selinux_policytype +- file_ownership_home_directories +- grub2_no_removeable_media +- sshd_set_idle_timeout +- sysctl_net_ipv4_conf_all_send_redirects +- set_password_hashing_algorithm_systemauth +- dconf_gnome_screensaver_user_locks +- accounts_password_pam_ucredit +- accounts_password_pam_maxclassrepeat +- audit_rules_dac_modification_chown +- dconf_gnome_screensaver_idle_delay +- rsyslog_cron_logging +- rsyslog_nolisten +- audit_rules_privileged_commands_passwd +- sshd_disable_gssapi_auth +- sshd_print_last_log +- aide_verify_acls +- audit_rules_privileged_commands_crontab +- dir_perms_world_writable_system_owned +- audit_rules_privileged_commands_gpasswd +- sudo_restrict_privilege_elevation_to_authorized +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_max_concurrent_login_sessions +- aide_build_database +- kernel_module_usb-storage_disabled +- set_firewalld_default_zone +- auditd_data_retention_space_left_percentage +- package_aide_installed +- package_mcafeetp_installed 
+- audit_rules_media_export +- service_auditd_enabled +- service_firewalld_enabled +- sshd_use_approved_macs_ordered_stig +- sysctl_net_ipv4_conf_default_accept_source_route +- audit_rules_privileged_commands_chsh +- accounts_tmout +- install_smartcard_packages +- accounts_password_set_max_life_existing +- ensure_gpgcheck_local_packages +- sshd_disable_kerb_auth +- sshd_disable_x11_forwarding +- service_autofs_disabled +- no_user_host_based_files +- audit_rules_privileged_commands_su +- accounts_password_pam_ocredit +- accounts_password_pam_dcredit +- audit_rules_execution_setsebool +- sysctl_net_ipv4_conf_default_send_redirects +- audit_rules_privileged_commands_kmod +- accounts_umask_etc_login_defs +- network_configure_name_resolution +- grub2_uefi_password +- accounts_user_dot_no_world_writable_programs +- set_password_hashing_algorithm_logindefs +- file_permissions_sshd_private_key +- sshd_enable_strictmodes +- sysctl_kernel_randomize_va_space +- auditd_audispd_network_failure_action +- package_openssh-server_installed +- grub2_uefi_admin_username +- accounts_password_pam_maxrepeat +- authconfig_config_files_symlinks +- accounts_no_uid_except_zero +- accounts_password_pam_lcredit +- sssd_ldap_start_tls +- accounts_passwords_pam_faillock_unlock_time +- audit_rules_file_deletion_events_rename +- audit_rules_kernel_module_loading_delete +- audit_rules_file_deletion_events_unlinkat +- partition_for_var +- auditd_audispd_remote_daemon_direction +- sebool_ssh_sysadm_login +- audit_rules_kernel_module_loading_finit +- chronyd_or_ntpd_set_maxpoll +- sshd_use_approved_ciphers_ordered_stig +- audit_rules_dac_modification_removexattr +- audit_rules_privileged_commands_postqueue +- auditd_audispd_encrypt_sent_records +- audit_rules_usergroup_modification_gshadow +- dconf_db_up_to_date +- install_antivirus +- audit_rules_dac_modification_fchmodat +- file_groupowner_cron_allow +- audit_rules_unsuccessful_file_modification_creat +- no_empty_passwords_etc_shadow +- 
aide_periodic_cron_checking +- accounts_logon_fail_delay +- require_singleuser_auth +- disallow_bypass_password_sudo +- sssd_ldap_configure_tls_ca +- sysctl_net_ipv4_ip_forward +- audit_rules_execution_setfiles +- selinux_user_login_roles +- package_tftp-server_removed +- audit_rules_unsuccessful_file_modification_ftruncate +- audit_rules_privileged_commands_postdrop +- file_permission_user_init_files +- gnome_gdm_disable_automatic_login +- uefi_no_removeable_media +- audit_rules_kernel_module_loading_init +- accounts_users_home_files_groupownership +- aide_scan_notification +- file_permissions_ungroupowned +- dconf_gnome_disable_automount_open +- no_files_unowned_by_user +- package_telnet-server_removed +- partition_for_var_log_audit +- audit_rules_privileged_commands_ssh_keysign +- audit_rules_usergroup_modification_opasswd +- accounts_user_dot_group_ownership +- audit_rules_privileged_commands_sudo +- dconf_gnome_disable_user_list +- set_password_hashing_algorithm_libuserconf +- service_kdump_disabled +- accounts_password_pam_minclass +- selinux_context_elevation_for_sudo +- sshd_use_priv_separation +- login_banner_text=dod_banners +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- sshd_idle_timeout_value=10_minutes +- var_accounts_fail_delay=4 +- var_selinux_state=enforcing +- var_selinux_policy_name=targeted +- var_password_pam_minlen=15 +- var_password_pam_ocredit=1 +- var_password_pam_lcredit=1 +- var_password_pam_ucredit=1 +- var_accounts_passwords_pam_faillock_unlock_time=never +- var_accounts_passwords_pam_faillock_fail_interval=900 +- var_accounts_passwords_pam_faillock_deny=3 +- var_password_pam_unix_remember=5 +- var_password_pam_maxclassrepeat=4 +- var_password_pam_difok=8 +- var_password_pam_dcredit=1 +- var_password_pam_minclass=4 +- var_accounts_minimum_age_login_defs=1 +- var_password_pam_maxrepeat=3 +- var_accounts_maximum_age_login_defs=60 +- var_account_disable_post_pw_expiration=35 +- 
var_removable_partition=dev_cdrom +- var_auditd_action_mail_acct=root +- var_auditd_space_left_action=email +- var_auditd_space_left_percentage=25pc +- var_accounts_user_umask=077 +- var_password_pam_retry=3 +- var_accounts_max_concurrent_login_sessions=10 +- var_accounts_tmout=15_min +- var_accounts_authorized_local_users_regex=rhel7 +- var_time_service_set_maxpoll=18_hours +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- var_audit_failure_mode=panic +- var_accounts_passwords_pam_faillock_dir=run +- sshd_required=yes +- var_sshd_set_keepalive=0 +- var_auditd_name_format=stig +- sssd_ldap_start_tls.severity=medium +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: [] +title: DISA STIG with GUI for Red Hat Enterprise Linux 7 +definition_location: /home/jcerny/work/git/content/products/rhel7/profiles/stig_gui.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile new file mode 100644 index 00000000000..3be751e113b --- /dev/null +++ b/tests/data/profile_stability/rhel8/cis.profile 
@@ -0,0 +1,483 @@ +description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 8 Benchmark\u2122, + v3.0.0, released 2023-10-30.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 8 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 3.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- file_groupowner_backup_etc_gshadow +- package_tftp-server_removed +- banner_etc_issue +- file_owner_etc_gshadow +- audit_rules_time_adjtimex +- sshd_enable_pam +- audit_rules_privileged_commands_usermod +- file_permissions_var_log_audit +- audit_rules_mac_modification_usr_share +- audit_rules_usergroup_modification_gshadow +- accounts_umask_etc_profile +- accounts_password_pam_pwhistory_remember_password_auth +- service_systemd-journald_enabled +- service_bluetooth_disabled +- kernel_module_hfsplus_disabled +- dconf_gnome_login_banner_text +- file_permissions_cron_daily +- selinux_confinement_of_daemons +- kernel_module_sctp_disabled +- no_empty_passwords_etc_shadow +- file_permissions_audit_configuration +- audit_sudo_log_events +- file_owner_efi_grub2_cfg +- audit_rules_mac_modification +- audit_rules_kernel_module_loading_delete +- file_owner_crontab +- auditd_data_retention_max_log_file_action +- sysctl_net_ipv6_conf_all_accept_source_route +- audit_rules_execution_chcon +- journald_forward_to_syslog +- file_groupowner_etc_issue +- sshd_set_maxstartups +- package_nftables_installed +- audit_rules_time_clock_settime +- dconf_db_up_to_date +- accounts_users_netrc_file_permissions +- set_password_hashing_algorithm_passwordauth +- accounts_password_set_max_life_existing +- file_ownership_audit_configuration +- file_cron_deny_not_exist +- file_owner_cron_allow +- kernel_module_usb-storage_disabled +- 
package_cyrus-imapd_removed +- file_ownership_var_log_audit_stig +- file_at_deny_not_exist +- file_owner_cron_daily +- accounts_umask_etc_bashrc +- configure_ssh_crypto_policy +- file_groupowner_cron_monthly +- dconf_gnome_session_idle_user_locks +- accounts_user_dot_group_ownership +- auditd_data_retention_action_mail_acct +- audit_rules_time_watch_localtime +- accounts_set_post_pw_existing +- package_openldap-clients_removed +- accounts_password_all_shadowed +- file_groupowner_efi_grub2_cfg +- set_password_hashing_algorithm_systemauth +- group_unique_id +- file_groupowner_cron_weekly +- file_owner_sshd_config +- audit_rules_execution_setfacl +- file_owner_cron_d +- rsyslog_nolisten +- file_groupowner_etc_issue_net +- ensure_gpgcheck_globally_activated +- sysctl_net_ipv6_conf_default_accept_redirects +- sudo_add_use_pty +- service_autofs_disabled +- audit_rules_kernel_module_loading_query +- file_owner_cron_hourly +- auditd_data_disk_error_action +- rsyslog_files_ownership +- xwindows_runlevel_target +- mount_option_var_tmp_nodev +- dconf_gnome_disable_user_list +- journald_storage +- audit_rules_file_deletion_events_rename +- package_xorg-x11-server-common_removed +- mount_option_dev_shm_nosuid +- mount_option_var_log_audit_nosuid +- file_owner_cron_weekly +- firewalld_loopback_traffic_trusted +- package_ypserv_removed +- file_owner_etc_motd +- accounts_root_path_dirs_no_write +- sysctl_net_ipv4_conf_all_secure_redirects +- package_telnet-server_removed +- package_net-snmp_removed +- file_permissions_home_directories +- package_dhcp_removed +- file_groupowner_etc_motd +- service_rpcbind_disabled +- journald_compress +- chronyd_run_as_chrony_user +- service_firewalld_enabled +- package_mcstrans_removed +- rsyslog_filecreatemode +- audit_rules_dac_modification_fremovexattr +- service_nfs_disabled +- accounts_password_last_change_is_in_past +- kernel_module_hfs_disabled +- file_permissions_backup_etc_shadow +- directory_permissions_var_log_audit +- 
ensure_pam_wheel_group_empty +- accounts_password_pam_pwhistory_remember_system_auth +- package_bind_removed +- package_firewalld_installed +- service_crond_enabled +- file_groupowner_backup_etc_group +- file_groupowner_grub2_cfg +- sshd_set_idle_timeout +- audit_rules_session_events +- audit_rules_time_stime +- use_pam_wheel_group_for_su +- kernel_module_cramfs_disabled +- dir_perms_world_writable_sticky_bits +- partition_for_var_log +- file_permissions_sshd_pub_key +- file_permissions_etc_issue +- accounts_password_pam_minlen +- file_permissions_cron_d +- package_ypbind_removed +- auditd_data_retention_space_left_action +- service_rsyslog_enabled +- kernel_module_tipc_disabled +- sshd_do_not_permit_user_env +- file_etc_security_opasswd +- selinux_policytype +- audit_rules_dac_modification_lsetxattr +- file_groupowner_at_allow +- rsyslog_files_groupownership +- mount_option_tmp_noexec +- file_owner_backup_etc_gshadow +- audit_rules_sysadmin_actions +- file_permissions_sshd_config +- partition_for_var_tmp +- sudo_custom_logfile +- file_group_ownership_var_log_audit +- file_permissions_crontab +- package_gdm_removed +- sysctl_net_ipv4_conf_default_log_martians +- file_groupownership_sshd_pub_key +- file_permissions_cron_monthly +- file_permission_user_init_files +- partition_for_tmp +- ensure_gpgcheck_never_disabled +- sshd_set_loglevel_verbose +- kernel_module_dccp_disabled +- audit_rules_privileged_commands_kmod +- file_owner_grub2_cfg +- file_permissions_etc_gshadow +- grub2_enable_selinux +- selinux_state +- audit_rules_file_deletion_events_unlinkat +- file_permissions_audit_binaries +- audit_rules_time_settimeofday +- mount_option_var_nosuid +- mount_option_dev_shm_nodev +- auditd_data_retention_admin_space_left_action +- package_ftp_removed +- file_owner_backup_etc_group +- sshd_set_login_grace_time +- accounts_no_uid_except_zero +- mount_option_dev_shm_noexec +- grub2_audit_backlog_limit_argument +- set_password_hashing_algorithm_logindefs +- 
file_permissions_etc_issue_net +- audit_rules_kernel_module_loading_init +- file_groupowner_efi_user_cfg +- audit_rules_dac_modification_setxattr +- file_groupowner_etc_shadow +- sshd_use_strong_macs +- sshd_set_keepalive +- mount_option_var_log_nodev +- sysctl_net_ipv4_conf_default_secure_redirects +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_password_set_warn_age_existing +- dconf_gnome_banner_enabled +- accounts_password_pam_minclass +- file_permissions_backup_etc_gshadow +- package_avahi_removed +- sysctl_net_ipv4_conf_default_accept_source_route +- sysctl_net_ipv6_conf_all_forwarding +- audit_rules_dac_modification_lremovexattr +- accounts_passwords_pam_faillock_deny_root +- audit_rules_dac_modification_removexattr +- partition_for_home +- auditd_data_disk_full_action +- file_owner_backup_etc_passwd +- file_ownership_sshd_pub_key +- has_nonlocal_mta +- partition_for_var +- audit_rules_execution_chacl +- audit_rules_dac_modification_fchownat +- package_aide_installed +- kernel_module_jffs2_disabled +- banner_etc_issue_net +- file_ownership_home_directories +- audit_rules_login_events_lastlog +- audit_rules_usergroup_modification_group +- file_permissions_cron_hourly +- account_unique_id +- no_password_auth_for_systemaccounts +- accounts_password_pam_dictcheck +- accounts_user_interactive_home_directory_exists +- sshd_limit_user_access +- audit_rules_media_export +- file_groupownership_sshd_private_key +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- accounts_password_pam_enforce_root +- root_path_no_dot +- package_pam_pwquality_installed +- banner_etc_motd +- package_vsftpd_removed +- sysctl_net_ipv4_conf_default_send_redirects +- aide_check_audit_tools +- package_squid_removed +- group_unique_name +- postfix_network_listening_disabled +- audit_rules_unsuccessful_file_modification_open +- file_permissions_etc_shadow +- file_owner_backup_etc_shadow +- sysctl_net_ipv6_conf_default_accept_ra +- auditd_data_retention_max_log_file +- 
socket_systemd-journal-remote_disabled +- set_password_hashing_algorithm_libuserconf +- kernel_module_rds_disabled +- audit_rules_dac_modification_fchown +- rsyslog_files_permissions +- file_groupowner_etc_group +- file_permissions_etc_passwd +- sysctl_net_ipv4_conf_all_log_martians +- audit_rules_kernel_module_loading_create +- file_permissions_etc_group +- file_permissions_backup_etc_group +- sysctl_net_ipv4_ip_forward +- selinux_not_disabled +- audit_rules_dac_modification_chown +- sysctl_net_ipv4_conf_default_rp_filter +- kernel_module_freevxfs_disabled +- partition_for_dev_shm +- sysctl_kernel_yama_ptrace_scope +- dconf_gnome_disable_automount_open +- file_permissions_user_cfg +- file_permissions_unauthorized_world_writable +- accounts_password_pam_maxrepeat +- disable_host_auth +- kernel_module_udf_disabled +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_suid_auid_privilege_function +- audit_rules_usergroup_modification_opasswd +- service_nftables_disabled +- package_sudo_installed +- file_permissions_ungroupowned +- file_permissions_etc_motd +- file_groupowner_etc_passwd +- no_forward_files +- no_empty_passwords +- accounts_user_dot_user_ownership +- file_groupowner_etc_gshadow +- sshd_set_max_auth_tries +- file_groupowner_cron_d +- file_owner_etc_group +- audit_rules_privileged_commands +- sysctl_net_ipv6_conf_all_accept_redirects +- file_owner_user_cfg +- file_owner_etc_issue +- sudo_require_reauthentication +- sysctl_net_ipv4_conf_all_send_redirects +- package_samba_removed +- aide_periodic_cron_checking +- audit_rules_file_deletion_events_unlink +- file_groupownership_audit_configuration +- audit_rules_usergroup_modification_passwd +- file_owner_etc_shadow +- package_dovecot_removed +- package_httpd_removed +- package_nginx_removed +- sshd_disable_rhosts +- file_owner_etc_issue_net +- sysctl_net_ipv4_tcp_syncookies +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- dconf_gnome_disable_automount +- file_permissions_cron_weekly +- 
audit_rules_dac_modification_fsetxattr +- sshd_disable_root_login +- sudo_require_authentication +- file_permissions_efi_grub2_cfg +- file_groupowner_user_cfg +- mount_option_var_tmp_nosuid +- file_ownership_sshd_private_key +- configure_crypto_policy +- audit_rules_immutable +- file_owner_efi_user_cfg +- dconf_gnome_screensaver_idle_delay +- account_unique_name +- mount_option_var_nodev +- package_tftp_removed +- service_auditd_enabled +- accounts_root_gid_zero +- accounts_passwords_pam_faillock_deny +- audit_rules_unsuccessful_file_modification_creat +- sshd_use_approved_ciphers +- gid_passwd_group_same +- mount_option_var_log_nosuid +- dconf_gnome_disable_autorun +- audit_rules_unsuccessful_file_modification_truncate +- file_permissions_at_allow +- file_owner_etc_shells +- accounts_umask_etc_login_defs +- coredump_disable_backtraces +- kernel_module_squashfs_disabled +- package_cups_removed +- audit_rules_dac_modification_fchmodat +- accounts_tmout +- mount_option_var_log_audit_noexec +- mount_option_tmp_nodev +- audit_rules_kernel_module_loading_finit +- file_ownership_audit_binaries +- mount_option_home_nodev +- gnome_gdm_disable_xdmcp +- file_groupowner_cron_daily +- aide_build_database +- grub2_password +- mount_option_var_log_audit_nodev +- dconf_gnome_screensaver_user_locks +- package_telnet_removed +- firewalld_loopback_traffic_restricted +- audit_rules_dac_modification_chmod +- no_shelllogin_for_systemaccounts +- file_owner_cron_monthly +- sshd_disable_empty_passwords +- package_xinetd_removed +- sysctl_net_ipv4_conf_all_accept_redirects +- account_password_pam_faillock_system_auth +- file_permissions_cron_allow +- sysctl_kernel_randomize_va_space +- mount_option_var_tmp_noexec +- no_rsh_trust_files +- mount_option_tmp_nosuid +- file_permissions_backup_etc_passwd +- ensure_root_password_configured +- sysctl_net_ipv4_conf_default_accept_redirects +- file_groupowner_cron_hourly +- file_groupowner_crontab +- file_permissions_sshd_private_key +- 
partition_for_var_log_audit +- file_cron_allow_exists +- enable_authselect +- chronyd_specify_remote_server +- package_rsyslog_installed +- accounts_passwords_pam_faillock_unlock_time +- sshd_use_strong_kex +- no_files_unowned_by_user +- sysctl_net_ipv6_conf_all_accept_ra +- wireless_disable_interfaces +- file_groupownership_audit_binaries +- file_permissions_etc_shells +- file_owner_etc_passwd +- file_permissions_grub2_cfg +- grub2_uefi_password +- package_chrony_installed +- audit_rules_dac_modification_fchmod +- mount_option_var_log_noexec +- audit_rules_dac_modification_lchown +- coredump_disable_storage +- sshd_set_max_sessions +- package_libselinux_installed +- audit_rules_login_events_faillock +- package_setroubleshoot_removed +- file_groupowner_etc_shells +- file_groupowner_backup_etc_passwd +- sysctl_net_ipv6_conf_default_accept_source_route +- audit_rules_networkconfig_modification +- package_audit_installed +- accounts_password_pam_difok +- account_disable_post_pw_expiration +- audit_rules_file_deletion_events_renameat +- account_password_pam_faillock_password_auth +- grub2_audit_argument +- accounts_maximum_age_login_defs +- file_groupowner_sshd_config +- audit_rules_unsuccessful_file_modification_ftruncate +- package_rsync_removed +- accounts_password_warn_age_login_defs +- audit_rules_usergroup_modification_shadow +- mount_option_home_nosuid +- sysctl_net_ipv4_conf_all_accept_source_route +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- sshd_enable_warning_banner_net +- file_permissions_efi_user_cfg +- dconf_gnome_screensaver_lock_delay +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- 
var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel8 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel8 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel8 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- 
login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +- var_accounts_passwords_pam_faillock_dir=run +- var_auditd_action_mail_acct=root +- var_auditd_admin_space_left_action=cis_rhel8 +- var_auditd_space_left_action=cis_rhel8 +- var_auditd_disk_error_action=cis_rhel8 +- var_auditd_disk_full_action=cis_rhel8 +- var_auditd_max_log_file_action=keep_logs +- var_auditd_max_log_file=6 +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel8 +title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server +definition_location: /home/jcerny/work/git/content/products/rhel8/profiles/cis.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile new file mode 100644 index 00000000000..202570fed35 --- /dev/null +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile 
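Review bot: `definition_location: /home/jcerny/work/git/content/products/rhel8/profiles/cis.profile` bakes an absolute path from one developer's home directory into a committed test fixture, and the same field appears at the end of every profile in this patch. If the stability comparison includes that field, the check can only pass on a checkout at exactly that path; if it already strips it, the value is still noise that will churn whenever someone else regenerates the fixtures. I would have the dump step omit the field or rewrite it relative to the repository root, e.g. `definition_location: products/rhel8/profiles/cis.profile`.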
@@ -0,0 +1,377 @@ +description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 8 Benchmark\u2122, + v3.0.0, released 2023-10-30.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 8 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 3.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- banner_etc_issue_net +- file_owner_cron_weekly +- file_ownership_home_directories +- file_permissions_cron_hourly +- firewalld_loopback_traffic_trusted +- account_unique_id +- gid_passwd_group_same +- file_owner_etc_motd +- package_ypserv_removed +- file_groupowner_backup_etc_gshadow +- no_password_auth_for_systemaccounts +- accounts_password_pam_dictcheck +- accounts_user_interactive_home_directory_exists +- mount_option_var_log_nosuid +- banner_etc_issue +- accounts_root_path_dirs_no_write +- file_groupownership_sshd_private_key +- file_owner_etc_gshadow +- package_telnet-server_removed +- package_net-snmp_removed +- sshd_enable_pam +- sshd_limit_user_access +- sysctl_net_ipv4_conf_all_secure_redirects +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- accounts_password_pam_enforce_root +- file_permissions_home_directories +- root_path_no_dot +- dconf_gnome_disable_autorun +- package_dhcp_removed +- file_groupowner_etc_motd +- package_pam_pwquality_installed +- accounts_umask_etc_profile +- banner_etc_motd +- package_vsftpd_removed +- service_rpcbind_disabled +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_at_allow +- aide_check_audit_tools +- journald_compress +- chronyd_run_as_chrony_user +- file_owner_etc_shells +- service_firewalld_enabled +- package_mcstrans_removed +- accounts_password_pam_pwhistory_remember_password_auth +- rsyslog_filecreatemode +- accounts_umask_etc_login_defs +- 
coredump_disable_backtraces +- package_squid_removed +- group_unique_name +- service_nfs_disabled +- service_systemd-journald_enabled +- postfix_network_listening_disabled +- service_bluetooth_disabled +- file_permissions_etc_shadow +- file_owner_backup_etc_shadow +- package_cups_removed +- accounts_password_last_change_is_in_past +- sysctl_net_ipv6_conf_default_accept_ra +- socket_systemd-journal-remote_disabled +- file_permissions_backup_etc_shadow +- ensure_pam_wheel_group_empty +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_tmout +- mount_option_var_log_audit_noexec +- dconf_gnome_login_banner_text +- mount_option_tmp_nodev +- set_password_hashing_algorithm_libuserconf +- package_bind_removed +- package_firewalld_installed +- service_crond_enabled +- file_groupowner_backup_etc_group +- file_groupowner_grub2_cfg +- file_permissions_cron_daily +- sshd_set_idle_timeout +- selinux_confinement_of_daemons +- mount_option_home_nodev +- rsyslog_files_permissions +- use_pam_wheel_group_for_su +- file_groupowner_etc_group +- file_permissions_etc_passwd +- sysctl_net_ipv4_conf_all_log_martians +- no_empty_passwords_etc_shadow +- kernel_module_cramfs_disabled +- dir_perms_world_writable_sticky_bits +- file_permissions_etc_group +- file_permissions_backup_etc_group +- gnome_gdm_disable_xdmcp +- file_groupowner_cron_daily +- aide_build_database +- file_owner_efi_grub2_cfg +- file_permissions_etc_issue +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_ip_forward +- accounts_password_pam_minlen +- file_permissions_cron_d +- file_owner_crontab +- grub2_password +- selinux_not_disabled +- mount_option_var_log_audit_nodev +- package_ypbind_removed +- dconf_gnome_screensaver_user_locks +- service_rsyslog_enabled +- package_telnet_removed +- firewalld_loopback_traffic_restricted +- sysctl_net_ipv4_conf_default_rp_filter +- no_shelllogin_for_systemaccounts +- file_owner_cron_monthly +- sysctl_net_ipv6_conf_all_accept_source_route +- 
sshd_disable_empty_passwords +- package_xinetd_removed +- journald_forward_to_syslog +- partition_for_dev_shm +- sshd_do_not_permit_user_env +- sysctl_net_ipv4_conf_all_accept_redirects +- sysctl_kernel_yama_ptrace_scope +- account_password_pam_faillock_system_auth +- file_groupowner_etc_issue +- file_etc_security_opasswd +- dconf_gnome_disable_automount_open +- selinux_policytype +- sshd_set_maxstartups +- file_permissions_cron_allow +- file_permissions_user_cfg +- package_nftables_installed +- file_permissions_unauthorized_world_writable +- file_groupowner_at_allow +- dconf_db_up_to_date +- accounts_password_pam_maxrepeat +- rsyslog_files_groupownership +- disable_host_auth +- accounts_users_netrc_file_permissions +- mount_option_tmp_noexec +- set_password_hashing_algorithm_passwordauth +- file_owner_backup_etc_gshadow +- sysctl_kernel_randomize_va_space +- sysctl_net_ipv6_conf_all_accept_redirects +- file_permissions_sshd_config +- mount_option_var_tmp_noexec +- service_nftables_disabled +- package_sudo_installed +- sudo_custom_logfile +- accounts_password_set_max_life_existing +- file_permissions_ungroupowned +- file_permissions_etc_motd +- file_groupowner_etc_passwd +- file_cron_deny_not_exist +- no_forward_files +- file_owner_cron_allow +- no_rsh_trust_files +- mount_option_tmp_nosuid +- package_cyrus-imapd_removed +- file_permissions_backup_etc_passwd +- accounts_user_dot_user_ownership +- file_permissions_crontab +- no_empty_passwords +- file_groupowner_etc_gshadow +- ensure_root_password_configured +- sysctl_net_ipv4_conf_default_log_martians +- sshd_set_max_auth_tries +- file_groupownership_sshd_pub_key +- sysctl_net_ipv4_conf_default_accept_redirects +- file_permissions_cron_monthly +- file_groupowner_cron_hourly +- file_groupowner_crontab +- file_groupowner_cron_d +- file_at_deny_not_exist +- file_owner_cron_daily +- accounts_umask_etc_bashrc +- file_owner_etc_group +- file_permission_user_init_files +- file_owner_user_cfg +- 
file_permissions_sshd_private_key +- partition_for_tmp +- configure_ssh_crypto_policy +- file_cron_allow_exists +- dconf_gnome_session_idle_user_locks +- ensure_gpgcheck_never_disabled +- file_groupowner_cron_monthly +- sshd_set_loglevel_verbose +- accounts_user_dot_group_ownership +- file_owner_etc_issue +- file_owner_grub2_cfg +- file_permissions_etc_gshadow +- grub2_enable_selinux +- enable_authselect +- sshd_use_approved_ciphers +- chronyd_specify_remote_server +- package_rsyslog_installed +- accounts_passwords_pam_faillock_unlock_time +- mount_option_dev_shm_nodev +- mount_option_var_nosuid +- package_ftp_removed +- sudo_require_reauthentication +- sshd_use_strong_kex +- file_owner_backup_etc_group +- sshd_set_login_grace_time +- sysctl_net_ipv4_conf_all_send_redirects +- accounts_no_uid_except_zero +- no_files_unowned_by_user +- accounts_set_post_pw_existing +- package_samba_removed +- sysctl_net_ipv6_conf_all_accept_ra +- mount_option_dev_shm_noexec +- wireless_disable_interfaces +- set_password_hashing_algorithm_logindefs +- file_permissions_etc_issue_net +- file_permissions_etc_shells +- accounts_password_all_shadowed +- aide_periodic_cron_checking +- file_groupowner_efi_grub2_cfg +- file_groupowner_efi_user_cfg +- file_owner_etc_passwd +- file_permissions_grub2_cfg +- grub2_uefi_password +- package_chrony_installed +- file_groupowner_etc_shadow +- mount_option_dev_shm_nosuid +- mount_option_var_log_noexec +- sshd_use_strong_macs +- set_password_hashing_algorithm_systemauth +- coredump_disable_storage +- sshd_set_max_sessions +- group_unique_id +- package_libselinux_installed +- package_tftp-server_removed +- sshd_set_keepalive +- mount_option_var_log_nodev +- file_owner_etc_shadow +- package_setroubleshoot_removed +- package_dovecot_removed +- file_groupowner_etc_shells +- file_groupowner_cron_weekly +- file_groupowner_backup_etc_passwd +- file_owner_sshd_config +- sysctl_net_ipv4_conf_default_secure_redirects +- 
sysctl_net_ipv6_conf_default_accept_source_route +- package_httpd_removed +- sysctl_net_ipv4_conf_all_rp_filter +- package_nginx_removed +- sshd_disable_rhosts +- file_owner_etc_issue_net +- sysctl_net_ipv4_tcp_syncookies +- accounts_password_set_warn_age_existing +- dconf_gnome_banner_enabled +- accounts_password_pam_minclass +- file_owner_cron_d +- file_permissions_backup_etc_gshadow +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- dconf_gnome_disable_automount +- accounts_password_pam_difok +- file_permissions_cron_weekly +- package_avahi_removed +- sysctl_net_ipv4_conf_default_accept_source_route +- rsyslog_nolisten +- sshd_disable_root_login +- file_groupowner_etc_issue_net +- sysctl_net_ipv6_conf_all_forwarding +- ensure_gpgcheck_globally_activated +- account_disable_post_pw_expiration +- sysctl_net_ipv6_conf_default_accept_redirects +- sudo_require_authentication +- file_permissions_efi_grub2_cfg +- account_password_pam_faillock_password_auth +- file_groupowner_user_cfg +- sudo_add_use_pty +- accounts_maximum_age_login_defs +- file_groupowner_sshd_config +- mount_option_var_tmp_nosuid +- file_ownership_sshd_private_key +- service_autofs_disabled +- configure_crypto_policy +- file_owner_cron_hourly +- rsyslog_files_ownership +- file_owner_efi_user_cfg +- package_rsync_removed +- dconf_gnome_screensaver_idle_delay +- file_owner_backup_etc_passwd +- account_unique_name +- file_ownership_sshd_pub_key +- mount_option_var_nodev +- mount_option_var_tmp_nodev +- dconf_gnome_disable_user_list +- accounts_password_warn_age_login_defs +- package_tftp_removed +- journald_storage +- accounts_root_gid_zero +- mount_option_home_nosuid +- has_nonlocal_mta +- accounts_passwords_pam_faillock_deny +- sysctl_net_ipv4_conf_all_accept_source_route +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- sshd_enable_warning_banner_net +- file_permissions_efi_user_cfg +- dconf_gnome_screensaver_lock_delay +- mount_option_var_log_audit_nosuid +- 
package_aide_installed +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel8 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel8 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel8 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled 
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel8 +title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server +definition_location: /home/jcerny/work/git/content/products/rhel8/profiles/cis_server_l1.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile new file mode 100644 index 00000000000..65a00c135fd --- /dev/null +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile 
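Review bot: The `selections` list in this fixture does not appear to be in a stable order: rules that `rhel8/cis.profile` lists in one sequence (e.g. `file_groupowner_backup_etc_gshadow`, `package_tftp-server_removed`, `banner_etc_issue` first) appear here in a different one (`banner_etc_issue_net`, `file_owner_cron_weekly`, ...), which looks like set-iteration order from the dump, while the `var_*=...` assignments come out in the same order in both files. If that is the case, every regeneration will rewrite the whole list and the resulting diff will not show which rule was actually added or removed, which is exactly what this test is meant to surface. Sorting the selections before dumping (rules and variable assignments separately) and comparing them as sets in the check would keep future fixture updates reviewable.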
@@ -0,0 +1,371 @@ +description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 8 Benchmark\u2122, + v3.0.0, released 2023-10-30.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 8 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 3.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- banner_etc_issue_net +- file_owner_cron_weekly +- file_ownership_home_directories +- file_permissions_cron_hourly +- firewalld_loopback_traffic_trusted +- account_unique_id +- gid_passwd_group_same +- file_owner_etc_motd +- package_ypserv_removed +- file_groupowner_backup_etc_gshadow +- no_password_auth_for_systemaccounts +- accounts_password_pam_dictcheck +- accounts_user_interactive_home_directory_exists +- mount_option_var_log_nosuid +- banner_etc_issue +- accounts_root_path_dirs_no_write +- file_groupownership_sshd_private_key +- file_owner_etc_gshadow +- package_telnet-server_removed +- package_net-snmp_removed +- sshd_enable_pam +- sshd_limit_user_access +- sysctl_net_ipv4_conf_all_secure_redirects +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- accounts_password_pam_enforce_root +- file_permissions_home_directories +- root_path_no_dot +- dconf_gnome_disable_autorun +- package_dhcp_removed +- file_groupowner_etc_motd +- package_pam_pwquality_installed +- accounts_umask_etc_profile +- banner_etc_motd +- package_vsftpd_removed +- service_rpcbind_disabled +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_at_allow +- aide_check_audit_tools +- journald_compress +- chronyd_run_as_chrony_user +- file_owner_etc_shells +- service_firewalld_enabled +- package_mcstrans_removed +- accounts_password_pam_pwhistory_remember_password_auth +- rsyslog_filecreatemode +- accounts_umask_etc_login_defs +- 
coredump_disable_backtraces +- package_squid_removed +- group_unique_name +- service_nfs_disabled +- service_systemd-journald_enabled +- postfix_network_listening_disabled +- file_permissions_etc_shadow +- file_owner_backup_etc_shadow +- accounts_password_last_change_is_in_past +- sysctl_net_ipv6_conf_default_accept_ra +- socket_systemd-journal-remote_disabled +- file_permissions_backup_etc_shadow +- ensure_pam_wheel_group_empty +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_tmout +- mount_option_var_log_audit_noexec +- dconf_gnome_login_banner_text +- mount_option_tmp_nodev +- set_password_hashing_algorithm_libuserconf +- package_bind_removed +- package_firewalld_installed +- service_crond_enabled +- file_groupowner_backup_etc_group +- file_groupowner_grub2_cfg +- file_permissions_cron_daily +- sshd_set_idle_timeout +- selinux_confinement_of_daemons +- mount_option_home_nodev +- rsyslog_files_permissions +- use_pam_wheel_group_for_su +- file_groupowner_etc_group +- file_permissions_etc_passwd +- sysctl_net_ipv4_conf_all_log_martians +- no_empty_passwords_etc_shadow +- kernel_module_cramfs_disabled +- dir_perms_world_writable_sticky_bits +- file_permissions_etc_group +- file_permissions_backup_etc_group +- gnome_gdm_disable_xdmcp +- file_groupowner_cron_daily +- aide_build_database +- file_owner_efi_grub2_cfg +- file_permissions_etc_issue +- file_permissions_sshd_pub_key +- sysctl_net_ipv4_ip_forward +- accounts_password_pam_minlen +- file_permissions_cron_d +- file_owner_crontab +- grub2_password +- selinux_not_disabled +- mount_option_var_log_audit_nodev +- package_ypbind_removed +- dconf_gnome_screensaver_user_locks +- service_rsyslog_enabled +- package_telnet_removed +- firewalld_loopback_traffic_restricted +- sysctl_net_ipv4_conf_default_rp_filter +- no_shelllogin_for_systemaccounts +- file_owner_cron_monthly +- sysctl_net_ipv6_conf_all_accept_source_route +- sshd_disable_empty_passwords +- package_xinetd_removed +- 
journald_forward_to_syslog +- partition_for_dev_shm +- sshd_do_not_permit_user_env +- sysctl_net_ipv4_conf_all_accept_redirects +- sysctl_kernel_yama_ptrace_scope +- account_password_pam_faillock_system_auth +- file_groupowner_etc_issue +- file_etc_security_opasswd +- dconf_gnome_disable_automount_open +- selinux_policytype +- sshd_set_maxstartups +- file_permissions_cron_allow +- file_permissions_user_cfg +- package_nftables_installed +- file_permissions_unauthorized_world_writable +- file_groupowner_at_allow +- dconf_db_up_to_date +- accounts_password_pam_maxrepeat +- rsyslog_files_groupownership +- disable_host_auth +- accounts_users_netrc_file_permissions +- mount_option_tmp_noexec +- set_password_hashing_algorithm_passwordauth +- file_owner_backup_etc_gshadow +- sysctl_kernel_randomize_va_space +- sysctl_net_ipv6_conf_all_accept_redirects +- file_permissions_sshd_config +- mount_option_var_tmp_noexec +- service_nftables_disabled +- package_sudo_installed +- sudo_custom_logfile +- accounts_password_set_max_life_existing +- file_permissions_ungroupowned +- file_permissions_etc_motd +- file_groupowner_etc_passwd +- file_cron_deny_not_exist +- no_forward_files +- file_owner_cron_allow +- no_rsh_trust_files +- mount_option_tmp_nosuid +- package_cyrus-imapd_removed +- file_permissions_backup_etc_passwd +- accounts_user_dot_user_ownership +- file_permissions_crontab +- no_empty_passwords +- file_groupowner_etc_gshadow +- ensure_root_password_configured +- sysctl_net_ipv4_conf_default_log_martians +- sshd_set_max_auth_tries +- file_groupownership_sshd_pub_key +- sysctl_net_ipv4_conf_default_accept_redirects +- file_permissions_cron_monthly +- file_groupowner_cron_hourly +- file_groupowner_crontab +- file_groupowner_cron_d +- file_at_deny_not_exist +- file_owner_cron_daily +- accounts_umask_etc_bashrc +- file_owner_etc_group +- file_permission_user_init_files +- file_owner_user_cfg +- file_permissions_sshd_private_key +- partition_for_tmp +- configure_ssh_crypto_policy 
+- file_cron_allow_exists +- dconf_gnome_session_idle_user_locks +- ensure_gpgcheck_never_disabled +- file_groupowner_cron_monthly +- sshd_set_loglevel_verbose +- accounts_user_dot_group_ownership +- file_owner_etc_issue +- file_owner_grub2_cfg +- file_permissions_etc_gshadow +- grub2_enable_selinux +- enable_authselect +- sshd_use_approved_ciphers +- chronyd_specify_remote_server +- package_rsyslog_installed +- accounts_passwords_pam_faillock_unlock_time +- mount_option_dev_shm_nodev +- mount_option_var_nosuid +- package_ftp_removed +- sudo_require_reauthentication +- sshd_use_strong_kex +- file_owner_backup_etc_group +- sshd_set_login_grace_time +- sysctl_net_ipv4_conf_all_send_redirects +- accounts_no_uid_except_zero +- no_files_unowned_by_user +- accounts_set_post_pw_existing +- package_samba_removed +- sysctl_net_ipv6_conf_all_accept_ra +- mount_option_dev_shm_noexec +- set_password_hashing_algorithm_logindefs +- file_permissions_etc_issue_net +- file_permissions_etc_shells +- accounts_password_all_shadowed +- aide_periodic_cron_checking +- file_groupowner_efi_grub2_cfg +- file_groupowner_efi_user_cfg +- file_owner_etc_passwd +- file_permissions_grub2_cfg +- grub2_uefi_password +- package_chrony_installed +- file_groupowner_etc_shadow +- mount_option_dev_shm_nosuid +- mount_option_var_log_noexec +- sshd_use_strong_macs +- set_password_hashing_algorithm_systemauth +- coredump_disable_storage +- sshd_set_max_sessions +- group_unique_id +- package_libselinux_installed +- package_tftp-server_removed +- sshd_set_keepalive +- mount_option_var_log_nodev +- file_owner_etc_shadow +- package_dovecot_removed +- file_groupowner_etc_shells +- file_groupowner_cron_weekly +- file_groupowner_backup_etc_passwd +- file_owner_sshd_config +- sysctl_net_ipv4_conf_default_secure_redirects +- sysctl_net_ipv6_conf_default_accept_source_route +- package_httpd_removed +- sysctl_net_ipv4_conf_all_rp_filter +- package_nginx_removed +- sshd_disable_rhosts +- file_owner_etc_issue_net +- 
sysctl_net_ipv4_tcp_syncookies +- accounts_password_set_warn_age_existing +- dconf_gnome_banner_enabled +- accounts_password_pam_minclass +- file_owner_cron_d +- file_permissions_backup_etc_gshadow +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- dconf_gnome_disable_automount +- accounts_password_pam_difok +- file_permissions_cron_weekly +- sysctl_net_ipv4_conf_default_accept_source_route +- rsyslog_nolisten +- sshd_disable_root_login +- file_groupowner_etc_issue_net +- sysctl_net_ipv6_conf_all_forwarding +- ensure_gpgcheck_globally_activated +- account_disable_post_pw_expiration +- sysctl_net_ipv6_conf_default_accept_redirects +- sudo_require_authentication +- file_permissions_efi_grub2_cfg +- account_password_pam_faillock_password_auth +- file_groupowner_user_cfg +- sudo_add_use_pty +- accounts_maximum_age_login_defs +- file_groupowner_sshd_config +- mount_option_var_tmp_nosuid +- file_ownership_sshd_private_key +- configure_crypto_policy +- file_owner_cron_hourly +- rsyslog_files_ownership +- file_owner_efi_user_cfg +- package_rsync_removed +- dconf_gnome_screensaver_idle_delay +- file_owner_backup_etc_passwd +- account_unique_name +- file_ownership_sshd_pub_key +- mount_option_var_nodev +- mount_option_var_tmp_nodev +- dconf_gnome_disable_user_list +- accounts_password_warn_age_login_defs +- package_tftp_removed +- journald_storage +- accounts_root_gid_zero +- mount_option_home_nosuid +- has_nonlocal_mta +- accounts_passwords_pam_faillock_deny +- sysctl_net_ipv4_conf_all_accept_source_route +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- sshd_enable_warning_banner_net +- file_permissions_efi_user_cfg +- dconf_gnome_screensaver_lock_delay +- mount_option_var_log_audit_nosuid +- package_aide_installed +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- 
var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel8 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel8 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel8 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- 
var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel8 +title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation +definition_location: /home/jcerny/work/git/content/products/rhel8/profiles/cis_workstation_l1.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile new file mode 100644 index 00000000000..c4f71c90422 --- /dev/null +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile 
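Review bot: The `definition_location` value at the end of this hunk is an absolute path under the author's home directory (`/home/jcerny/work/git/content/products/rhel8/profiles/cis_workstation_l1.profile`), which ties the committed fixture to one machine. If the stability test compares this key, the comparison will fail for any other developer or CI checkout; if it ignores the key, the field is dead weight that still records a local filesystem path in the repository. I would normalize it to a repo-relative path before dumping, e.g. `definition_location: products/rhel8/profiles/cis_workstation_l1.profile`, or drop the key from the fixture entirely so the file only carries the rule and variable selections the test is meant to pin. The same absolute path appears in the cis_workstation_l2 hunk that follows and, as far as is visible, in the cis_server_l1 hunk above, so one fix in the dumper covers all of them.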
@@ -0,0 +1,477 @@ +description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 8 Benchmark\u2122, + v3.0.0, released 2023-10-30.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 8 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 3.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- file_groupowner_backup_etc_gshadow +- package_tftp-server_removed +- banner_etc_issue +- file_owner_etc_gshadow +- audit_rules_time_adjtimex +- sshd_enable_pam +- audit_rules_privileged_commands_usermod +- file_permissions_var_log_audit +- audit_rules_mac_modification_usr_share +- audit_rules_usergroup_modification_gshadow +- accounts_umask_etc_profile +- accounts_password_pam_pwhistory_remember_password_auth +- service_systemd-journald_enabled +- service_bluetooth_disabled +- kernel_module_hfsplus_disabled +- dconf_gnome_login_banner_text +- file_permissions_cron_daily +- selinux_confinement_of_daemons +- kernel_module_sctp_disabled +- no_empty_passwords_etc_shadow +- file_permissions_audit_configuration +- audit_sudo_log_events +- file_owner_efi_grub2_cfg +- audit_rules_mac_modification +- audit_rules_kernel_module_loading_delete +- file_owner_crontab +- auditd_data_retention_max_log_file_action +- sysctl_net_ipv6_conf_all_accept_source_route +- audit_rules_execution_chcon +- journald_forward_to_syslog +- file_groupowner_etc_issue +- sshd_set_maxstartups +- package_nftables_installed +- audit_rules_time_clock_settime +- dconf_db_up_to_date +- accounts_users_netrc_file_permissions +- set_password_hashing_algorithm_passwordauth +- accounts_password_set_max_life_existing +- file_ownership_audit_configuration +- file_cron_deny_not_exist +- file_owner_cron_allow +- kernel_module_usb-storage_disabled +- 
package_cyrus-imapd_removed +- file_ownership_var_log_audit_stig +- file_at_deny_not_exist +- file_owner_cron_daily +- accounts_umask_etc_bashrc +- configure_ssh_crypto_policy +- file_groupowner_cron_monthly +- dconf_gnome_session_idle_user_locks +- accounts_user_dot_group_ownership +- auditd_data_retention_action_mail_acct +- audit_rules_time_watch_localtime +- accounts_set_post_pw_existing +- package_openldap-clients_removed +- accounts_password_all_shadowed +- file_groupowner_efi_grub2_cfg +- set_password_hashing_algorithm_systemauth +- group_unique_id +- file_groupowner_cron_weekly +- file_owner_sshd_config +- audit_rules_execution_setfacl +- file_owner_cron_d +- rsyslog_nolisten +- file_groupowner_etc_issue_net +- ensure_gpgcheck_globally_activated +- sysctl_net_ipv6_conf_default_accept_redirects +- sudo_add_use_pty +- service_autofs_disabled +- audit_rules_kernel_module_loading_query +- file_owner_cron_hourly +- auditd_data_disk_error_action +- rsyslog_files_ownership +- mount_option_var_tmp_nodev +- dconf_gnome_disable_user_list +- journald_storage +- audit_rules_file_deletion_events_rename +- mount_option_dev_shm_nosuid +- mount_option_var_log_audit_nosuid +- file_owner_cron_weekly +- firewalld_loopback_traffic_trusted +- package_ypserv_removed +- file_owner_etc_motd +- accounts_root_path_dirs_no_write +- sysctl_net_ipv4_conf_all_secure_redirects +- package_telnet-server_removed +- package_net-snmp_removed +- file_permissions_home_directories +- package_dhcp_removed +- file_groupowner_etc_motd +- service_rpcbind_disabled +- journald_compress +- chronyd_run_as_chrony_user +- service_firewalld_enabled +- package_mcstrans_removed +- rsyslog_filecreatemode +- audit_rules_dac_modification_fremovexattr +- service_nfs_disabled +- accounts_password_last_change_is_in_past +- kernel_module_hfs_disabled +- file_permissions_backup_etc_shadow +- directory_permissions_var_log_audit +- ensure_pam_wheel_group_empty +- accounts_password_pam_pwhistory_remember_system_auth +- 
package_bind_removed +- package_firewalld_installed +- service_crond_enabled +- file_groupowner_backup_etc_group +- file_groupowner_grub2_cfg +- sshd_set_idle_timeout +- audit_rules_session_events +- audit_rules_time_stime +- use_pam_wheel_group_for_su +- kernel_module_cramfs_disabled +- dir_perms_world_writable_sticky_bits +- partition_for_var_log +- file_permissions_sshd_pub_key +- file_permissions_etc_issue +- accounts_password_pam_minlen +- file_permissions_cron_d +- package_ypbind_removed +- auditd_data_retention_space_left_action +- service_rsyslog_enabled +- kernel_module_tipc_disabled +- sshd_do_not_permit_user_env +- file_etc_security_opasswd +- selinux_policytype +- audit_rules_dac_modification_lsetxattr +- file_groupowner_at_allow +- rsyslog_files_groupownership +- mount_option_tmp_noexec +- file_owner_backup_etc_gshadow +- audit_rules_sysadmin_actions +- file_permissions_sshd_config +- partition_for_var_tmp +- sudo_custom_logfile +- file_group_ownership_var_log_audit +- file_permissions_crontab +- sysctl_net_ipv4_conf_default_log_martians +- file_groupownership_sshd_pub_key +- file_permissions_cron_monthly +- file_permission_user_init_files +- partition_for_tmp +- ensure_gpgcheck_never_disabled +- sshd_set_loglevel_verbose +- kernel_module_dccp_disabled +- audit_rules_privileged_commands_kmod +- file_owner_grub2_cfg +- file_permissions_etc_gshadow +- grub2_enable_selinux +- selinux_state +- audit_rules_file_deletion_events_unlinkat +- file_permissions_audit_binaries +- audit_rules_time_settimeofday +- mount_option_var_nosuid +- mount_option_dev_shm_nodev +- auditd_data_retention_admin_space_left_action +- package_ftp_removed +- file_owner_backup_etc_group +- sshd_set_login_grace_time +- accounts_no_uid_except_zero +- mount_option_dev_shm_noexec +- grub2_audit_backlog_limit_argument +- set_password_hashing_algorithm_logindefs +- file_permissions_etc_issue_net +- audit_rules_kernel_module_loading_init +- file_groupowner_efi_user_cfg +- 
audit_rules_dac_modification_setxattr +- file_groupowner_etc_shadow +- sshd_use_strong_macs +- sshd_set_keepalive +- mount_option_var_log_nodev +- sysctl_net_ipv4_conf_default_secure_redirects +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_password_set_warn_age_existing +- dconf_gnome_banner_enabled +- accounts_password_pam_minclass +- file_permissions_backup_etc_gshadow +- package_avahi_removed +- sysctl_net_ipv4_conf_default_accept_source_route +- sysctl_net_ipv6_conf_all_forwarding +- audit_rules_dac_modification_lremovexattr +- accounts_passwords_pam_faillock_deny_root +- audit_rules_dac_modification_removexattr +- partition_for_home +- auditd_data_disk_full_action +- file_owner_backup_etc_passwd +- file_ownership_sshd_pub_key +- has_nonlocal_mta +- partition_for_var +- audit_rules_execution_chacl +- audit_rules_dac_modification_fchownat +- package_aide_installed +- kernel_module_jffs2_disabled +- banner_etc_issue_net +- file_ownership_home_directories +- audit_rules_login_events_lastlog +- audit_rules_usergroup_modification_group +- file_permissions_cron_hourly +- account_unique_id +- no_password_auth_for_systemaccounts +- accounts_password_pam_dictcheck +- accounts_user_interactive_home_directory_exists +- sshd_limit_user_access +- audit_rules_media_export +- file_groupownership_sshd_private_key +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- accounts_password_pam_enforce_root +- root_path_no_dot +- package_pam_pwquality_installed +- banner_etc_motd +- package_vsftpd_removed +- sysctl_net_ipv4_conf_default_send_redirects +- aide_check_audit_tools +- package_squid_removed +- group_unique_name +- postfix_network_listening_disabled +- audit_rules_unsuccessful_file_modification_open +- file_permissions_etc_shadow +- file_owner_backup_etc_shadow +- sysctl_net_ipv6_conf_default_accept_ra +- auditd_data_retention_max_log_file +- socket_systemd-journal-remote_disabled +- set_password_hashing_algorithm_libuserconf +- kernel_module_rds_disabled +- 
audit_rules_dac_modification_fchown +- rsyslog_files_permissions +- file_groupowner_etc_group +- file_permissions_etc_passwd +- sysctl_net_ipv4_conf_all_log_martians +- audit_rules_kernel_module_loading_create +- file_permissions_etc_group +- file_permissions_backup_etc_group +- sysctl_net_ipv4_ip_forward +- selinux_not_disabled +- audit_rules_dac_modification_chown +- sysctl_net_ipv4_conf_default_rp_filter +- kernel_module_freevxfs_disabled +- partition_for_dev_shm +- sysctl_kernel_yama_ptrace_scope +- dconf_gnome_disable_automount_open +- file_permissions_user_cfg +- file_permissions_unauthorized_world_writable +- accounts_password_pam_maxrepeat +- disable_host_auth +- kernel_module_udf_disabled +- audit_rules_unsuccessful_file_modification_openat +- audit_rules_suid_auid_privilege_function +- audit_rules_usergroup_modification_opasswd +- service_nftables_disabled +- package_sudo_installed +- file_permissions_ungroupowned +- file_permissions_etc_motd +- file_groupowner_etc_passwd +- no_forward_files +- no_empty_passwords +- accounts_user_dot_user_ownership +- file_groupowner_etc_gshadow +- sshd_set_max_auth_tries +- file_groupowner_cron_d +- file_owner_etc_group +- audit_rules_privileged_commands +- sysctl_net_ipv6_conf_all_accept_redirects +- file_owner_user_cfg +- file_owner_etc_issue +- sudo_require_reauthentication +- sysctl_net_ipv4_conf_all_send_redirects +- package_samba_removed +- aide_periodic_cron_checking +- audit_rules_file_deletion_events_unlink +- file_groupownership_audit_configuration +- audit_rules_usergroup_modification_passwd +- file_owner_etc_shadow +- package_dovecot_removed +- package_httpd_removed +- package_nginx_removed +- sshd_disable_rhosts +- file_owner_etc_issue_net +- sysctl_net_ipv4_tcp_syncookies +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- dconf_gnome_disable_automount +- file_permissions_cron_weekly +- audit_rules_dac_modification_fsetxattr +- sshd_disable_root_login +- sudo_require_authentication +- 
file_permissions_efi_grub2_cfg +- file_groupowner_user_cfg +- mount_option_var_tmp_nosuid +- file_ownership_sshd_private_key +- configure_crypto_policy +- audit_rules_immutable +- file_owner_efi_user_cfg +- dconf_gnome_screensaver_idle_delay +- account_unique_name +- mount_option_var_nodev +- package_tftp_removed +- service_auditd_enabled +- accounts_root_gid_zero +- accounts_passwords_pam_faillock_deny +- audit_rules_unsuccessful_file_modification_creat +- sshd_use_approved_ciphers +- gid_passwd_group_same +- mount_option_var_log_nosuid +- dconf_gnome_disable_autorun +- audit_rules_unsuccessful_file_modification_truncate +- file_permissions_at_allow +- file_owner_etc_shells +- accounts_umask_etc_login_defs +- coredump_disable_backtraces +- kernel_module_squashfs_disabled +- audit_rules_dac_modification_fchmodat +- accounts_tmout +- mount_option_var_log_audit_noexec +- mount_option_tmp_nodev +- audit_rules_kernel_module_loading_finit +- file_ownership_audit_binaries +- mount_option_home_nodev +- gnome_gdm_disable_xdmcp +- file_groupowner_cron_daily +- aide_build_database +- grub2_password +- mount_option_var_log_audit_nodev +- dconf_gnome_screensaver_user_locks +- package_telnet_removed +- firewalld_loopback_traffic_restricted +- audit_rules_dac_modification_chmod +- no_shelllogin_for_systemaccounts +- file_owner_cron_monthly +- sshd_disable_empty_passwords +- package_xinetd_removed +- sysctl_net_ipv4_conf_all_accept_redirects +- account_password_pam_faillock_system_auth +- file_permissions_cron_allow +- sysctl_kernel_randomize_va_space +- mount_option_var_tmp_noexec +- no_rsh_trust_files +- mount_option_tmp_nosuid +- file_permissions_backup_etc_passwd +- ensure_root_password_configured +- sysctl_net_ipv4_conf_default_accept_redirects +- file_groupowner_cron_hourly +- file_groupowner_crontab +- file_permissions_sshd_private_key +- partition_for_var_log_audit +- file_cron_allow_exists +- enable_authselect +- chronyd_specify_remote_server +- package_rsyslog_installed 
+- accounts_passwords_pam_faillock_unlock_time +- sshd_use_strong_kex +- no_files_unowned_by_user +- sysctl_net_ipv6_conf_all_accept_ra +- file_groupownership_audit_binaries +- file_permissions_etc_shells +- file_owner_etc_passwd +- file_permissions_grub2_cfg +- grub2_uefi_password +- package_chrony_installed +- audit_rules_dac_modification_fchmod +- mount_option_var_log_noexec +- audit_rules_dac_modification_lchown +- coredump_disable_storage +- sshd_set_max_sessions +- package_libselinux_installed +- audit_rules_login_events_faillock +- file_groupowner_etc_shells +- file_groupowner_backup_etc_passwd +- sysctl_net_ipv6_conf_default_accept_source_route +- audit_rules_networkconfig_modification +- package_audit_installed +- accounts_password_pam_difok +- account_disable_post_pw_expiration +- audit_rules_file_deletion_events_renameat +- account_password_pam_faillock_password_auth +- grub2_audit_argument +- accounts_maximum_age_login_defs +- file_groupowner_sshd_config +- audit_rules_unsuccessful_file_modification_ftruncate +- package_rsync_removed +- accounts_password_warn_age_login_defs +- audit_rules_usergroup_modification_shadow +- mount_option_home_nosuid +- sysctl_net_ipv4_conf_all_accept_source_route +- file_groupowner_backup_etc_shadow +- file_groupowner_cron_allow +- sshd_enable_warning_banner_net +- file_permissions_efi_user_cfg +- dconf_gnome_screensaver_lock_delay +- var_user_initialization_files_regex=all_dotfiles +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=24 +- var_password_pam_dictcheck=1 +- var_password_pam_maxrepeat=3 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_password_pam_difok=2 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- 
var_accounts_passwords_pam_faillock_deny=5 +- var_pam_wheel_group_for_su=cis +- var_sshd_set_maxstartups=10:30:60 +- var_sshd_max_sessions=10 +- sshd_max_auth_tries_value=4 +- sshd_strong_macs=cis_rhel8 +- var_sshd_set_login_grace_time=60 +- sshd_strong_kex=cis_rhel8 +- sshd_idle_timeout_value=5_minutes +- var_sshd_set_keepalive=1 +- sshd_approved_ciphers=cis_rhel8 +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_system_crypto_policy=default_nosha1 +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +- var_accounts_passwords_pam_faillock_dir=run +- 
var_auditd_action_mail_acct=root +- var_auditd_admin_space_left_action=cis_rhel8 +- var_auditd_space_left_action=cis_rhel8 +- var_auditd_disk_error_action=cis_rhel8 +- var_auditd_disk_full_action=cis_rhel8 +- var_auditd_max_log_file_action=keep_logs +- var_auditd_max_log_file=6 +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel8 +title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation +definition_location: /home/jcerny/work/git/content/products/rhel8/profiles/cis_workstation_l2.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile new file mode 100644 index 00000000000..49af6d02529 --- /dev/null +++ b/tests/data/profile_stability/rhel9/cis.profile 
@@ -0,0 +1,442 @@ +description: "This profile defines a baseline that aligns to the \"Level 2 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, + v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- sysctl_net_ipv4_conf_all_accept_redirects +- auditd_data_retention_max_log_file +- audit_rules_session_events +- sysctl_net_ipv6_conf_all_accept_redirects +- audit_rules_login_events_lastlog +- file_owner_cron_daily +- ensure_root_password_configured +- file_owner_backup_etc_shadow +- package_setroubleshoot_removed +- audit_rules_dac_modification_lsetxattr +- audit_rules_networkconfig_modification +- sysctl_net_ipv4_conf_default_log_martians +- audit_rules_unsuccessful_file_modification_truncate +- auditd_data_retention_space_left_action +- audit_sudo_log_events +- grub2_audit_backlog_limit_argument +- audit_rules_file_deletion_events_unlinkat +- file_permissions_home_directories +- file_permissions_crontab +- audit_rules_kernel_module_loading_finit +- sudo_require_reauthentication +- file_cron_deny_not_exist +- accounts_no_uid_except_zero +- disable_host_auth +- package_tftp-server_removed +- file_groupowner_backup_etc_gshadow +- account_unique_id +- file_groupowner_etc_motd +- grub2_password +- accounts_maximum_age_login_defs +- file_owner_etc_group +- audit_rules_execution_setfacl +- service_crond_enabled +- file_permissions_backup_etc_gshadow +- file_owner_crontab +- sysctl_net_ipv4_tcp_syncookies +- file_owner_etc_issue_net +- sshd_set_keepalive +- set_firewalld_default_zone +- accounts_umask_etc_bashrc +- mount_option_var_log_audit_nodev +- service_auditd_enabled +- file_permissions_grub2_cfg +- 
audit_rules_kernel_module_loading_delete +- dconf_gnome_screensaver_user_locks +- no_empty_passwords +- audit_rules_time_adjtimex +- accounts_password_pam_minlen +- audit_rules_dac_modification_fchmodat +- grub2_audit_argument +- sysctl_net_ipv4_conf_all_secure_redirects +- file_groupowner_sshd_config +- audit_rules_time_clock_settime +- dir_perms_world_writable_sticky_bits +- mount_option_var_log_audit_nosuid +- kernel_module_squashfs_disabled +- accounts_user_dot_no_world_writable_programs +- sshd_set_max_auth_tries +- package_telnet-server_removed +- audit_rules_time_settimeofday +- file_groupownership_home_directories +- sysctl_net_ipv6_conf_default_accept_source_route +- audit_rules_dac_modification_fsetxattr +- package_cyrus-imapd_removed +- file_permissions_sshd_config +- no_netrc_files +- audit_rules_immutable +- mount_option_dev_shm_nodev +- package_cups_removed +- file_permissions_cron_monthly +- dconf_gnome_login_banner_text +- chronyd_specify_remote_server +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_backup_etc_group +- audit_rules_dac_modification_fchownat +- kernel_module_usb-storage_disabled +- mount_option_tmp_nodev +- audit_rules_usergroup_modification_gshadow +- gid_passwd_group_same +- sysctl_net_ipv6_conf_default_accept_redirects +- set_password_hashing_algorithm_passwordauth +- dconf_gnome_session_idle_user_locks +- sudo_require_authentication +- accounts_password_set_min_life_existing +- kernel_module_tipc_disabled +- dconf_gnome_banner_enabled +- sysctl_net_ipv4_conf_default_secure_redirects +- file_groupowner_cron_d +- audit_rules_usergroup_modification_opasswd +- audit_rules_mac_modification_usr_share +- accounts_passwords_pam_faillock_unlock_time +- file_owner_grub2_cfg +- audit_rules_kernel_module_loading_query +- no_shelllogin_for_systemaccounts +- file_owner_cron_allow +- dconf_gnome_screensaver_idle_delay +- directory_permissions_var_log_audit +- package_samba_removed +- sshd_set_loglevel_verbose +- 
audit_rules_time_stime +- accounts_user_interactive_home_directory_exists +- accounts_tmout +- file_groupowner_backup_etc_shadow +- file_owner_etc_passwd +- mount_option_var_tmp_nodev +- partition_for_home +- audit_rules_file_deletion_events_rename +- package_rsync_removed +- accounts_password_pam_retry +- chronyd_run_as_chrony_user +- file_permissions_cron_weekly +- file_permissions_etc_group +- file_permissions_ungroupowned +- aide_build_database +- accounts_password_all_shadowed +- set_nftables_table +- file_permissions_etc_motd +- set_password_hashing_algorithm_logindefs +- mount_option_tmp_nosuid +- package_xorg-x11-server-common_removed +- service_firewalld_enabled +- rsyslog_nolisten +- accounts_password_pam_pwhistory_remember_password_auth +- package_net-snmp_removed +- coredump_disable_backtraces +- partition_for_dev_shm +- auditd_data_retention_admin_space_left_action +- configure_ssh_crypto_policy +- ensure_pam_wheel_group_empty +- package_vsftpd_removed +- auditd_data_retention_max_log_file_action +- sshd_disable_x11_forwarding +- sshd_enable_pam +- audit_rules_kernel_module_loading_init +- audit_rules_time_watch_localtime +- package_dnsmasq_removed +- sshd_enable_warning_banner_net +- file_permissions_sshd_pub_key +- file_permissions_cron_allow +- file_owner_etc_motd +- rsyslog_filecreatemode +- file_owner_cron_d +- audit_rules_unsuccessful_file_modification_open +- accounts_umask_etc_login_defs +- mount_option_home_nodev +- mount_option_dev_shm_noexec +- audit_rules_usergroup_modification_group +- audit_rules_dac_modification_removexattr +- audit_rules_dac_modification_setxattr +- journald_forward_to_syslog +- audit_rules_execution_chcon +- audit_rules_dac_modification_lremovexattr +- package_ftp_removed +- accounts_password_last_change_is_in_past +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv4_conf_all_log_martians +- file_groupowner_etc_group +- package_libselinux_installed +- file_owner_cron_weekly +- mount_option_var_nosuid +- 
file_owner_etc_shadow +- account_unique_name +- sshd_set_idle_timeout +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_dac_modification_chown +- has_nonlocal_mta +- accounts_password_warn_age_login_defs +- mount_option_var_log_nosuid +- file_groupowner_etc_shadow +- file_permissions_cron_hourly +- coredump_disable_storage +- auditd_data_retention_action_mail_acct +- file_groupowner_etc_gshadow +- audit_rules_unsuccessful_file_modification_ftruncate +- no_rsh_trust_files +- rsyslog_files_permissions +- account_password_pam_faillock_system_auth +- mount_option_var_tmp_noexec +- mount_option_var_nodev +- audit_rules_privileged_commands_kmod +- audit_rules_sysadmin_actions +- file_groupowner_etc_issue +- file_owner_backup_etc_group +- file_permissions_cron_daily +- file_groupowner_backup_etc_passwd +- set_password_hashing_algorithm_systemauth +- sshd_set_max_sessions +- journald_compress +- package_sudo_installed +- file_owner_backup_etc_passwd +- audit_rules_login_events_faillock +- file_groupowner_etc_passwd +- package_firewalld_installed +- file_permissions_unauthorized_world_writable +- sysctl_net_ipv4_conf_all_accept_source_route +- audit_rules_dac_modification_fchown +- file_at_deny_not_exist +- mount_option_home_nosuid +- file_permissions_var_log_audit +- mount_option_dev_shm_nosuid +- file_owner_user_cfg +- sysctl_net_ipv6_conf_all_forwarding +- audit_rules_mac_modification +- file_permissions_cron_d +- dconf_db_up_to_date +- sysctl_net_ipv4_ip_forward +- audit_rules_usergroup_modification_passwd +- accounts_password_pam_minclass +- service_rsyslog_enabled +- sshd_set_maxstartups +- file_groupowner_cron_allow +- sudo_add_use_pty +- sysctl_net_ipv6_conf_all_accept_ra +- package_httpd_removed +- audit_rules_dac_modification_lchown +- audit_rules_kernel_module_loading_create +- group_unique_id +- file_cron_allow_exists +- file_groupowner_user_cfg +- dconf_gnome_disable_automount +- package_bind_removed +- file_groupowner_cron_weekly +- 
socket_systemd-journal-remote_disabled +- enable_authselect +- kernel_module_udf_disabled +- file_groupowner_etc_issue_net +- sysctl_net_ipv6_conf_default_accept_ra +- sysctl_net_ipv4_conf_all_send_redirects +- account_password_pam_faillock_password_auth +- banner_etc_motd +- file_permissions_backup_etc_shadow +- journald_storage +- sudo_custom_logfile +- audit_rules_dac_modification_fchmod +- account_disable_post_pw_expiration +- aide_check_audit_tools +- file_ownership_audit_configuration +- selinux_state +- service_nfs_disabled +- partition_for_var_tmp +- grub2_enable_selinux +- service_nftables_disabled +- use_pam_wheel_group_for_su +- file_permissions_audit_configuration +- package_nginx_removed +- accounts_password_pam_pwhistory_remember_system_auth +- file_permissions_etc_issue_net +- file_ownership_sshd_pub_key +- file_ownership_audit_binaries +- sysctl_net_ipv4_conf_all_rp_filter +- sysctl_net_ipv4_conf_default_accept_redirects +- file_permissions_backup_etc_passwd +- file_ownership_var_log_audit_stig +- package_tftp_removed +- file_groupownership_audit_binaries +- no_empty_passwords_etc_shadow +- package_dhcp_removed +- file_groupowner_at_allow +- package_aide_installed +- mount_option_tmp_noexec +- sshd_disable_rhosts +- file_permissions_audit_binaries +- package_avahi_removed +- service_rpcbind_disabled +- accounts_umask_etc_profile +- file_owner_etc_issue +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- accounts_root_path_dirs_no_write +- package_squid_removed +- file_groupowner_cron_daily +- package_openldap-clients_removed +- partition_for_var_log +- audit_rules_suid_auid_privilege_function +- file_groupowner_cron_monthly +- ensure_gpgcheck_globally_activated +- configure_crypto_policy +- aide_periodic_cron_checking +- file_permissions_etc_passwd +- file_groupownership_sshd_private_key +- package_dovecot_removed +- firewalld_loopback_traffic_restricted +- mount_option_var_log_nodev +- mount_option_var_log_audit_noexec +- 
sshd_set_login_grace_time +- file_owner_cron_hourly +- dconf_gnome_disable_automount_open +- selinux_not_disabled +- service_systemd-journald_enabled +- package_nftables_installed +- mount_option_var_log_noexec +- partition_for_var +- package_mcstrans_removed +- sshd_limit_user_access +- root_path_no_dot +- file_permissions_at_allow +- file_permissions_etc_shadow +- mount_option_var_tmp_nosuid +- package_telnet_removed +- file_groupowner_crontab +- selinux_confinement_of_daemons +- dconf_gnome_disable_autorun +- accounts_password_set_max_life_existing +- package_audit_installed +- sshd_disable_empty_passwords +- audit_rules_execution_chacl +- audit_rules_file_deletion_events_renameat +- audit_rules_privileged_commands_usermod +- accounts_set_post_pw_existing +- file_groupowner_cron_hourly +- file_owner_sshd_config +- file_owner_cron_monthly +- no_password_auth_for_systemaccounts +- audit_rules_privileged_commands +- file_permissions_etc_issue +- no_forward_files +- selinux_policytype +- file_permissions_user_cfg +- package_gdm_removed +- dconf_gnome_screensaver_lock_delay +- audit_rules_usergroup_modification_shadow +- sshd_disable_tcp_forwarding +- file_groupownership_sshd_pub_key +- audit_rules_file_deletion_events_unlink +- postfix_network_listening_disabled +- rsyslog_files_groupownership +- accounts_minimum_age_login_defs +- file_permissions_etc_gshadow +- file_ownership_sshd_private_key +- file_permissions_sshd_private_key +- sysctl_net_ipv6_conf_all_accept_source_route +- file_owner_etc_gshadow +- package_rsyslog_installed +- sysctl_kernel_randomize_va_space +- audit_rules_dac_modification_chmod +- gnome_gdm_disable_xdmcp +- sshd_disable_root_login +- file_groupownership_audit_configuration +- file_group_ownership_var_log_audit +- audit_rules_unsuccessful_file_modification_openat +- banner_etc_issue_net +- audit_rules_media_export +- sysctl_net_ipv4_conf_default_accept_source_route +- rsyslog_files_ownership +- file_groupowner_backup_etc_group +- 
file_groupowner_grub2_cfg +- banner_etc_issue +- dconf_gnome_disable_user_list +- partition_for_tmp +- sshd_do_not_permit_user_env +- file_owner_backup_etc_gshadow +- accounts_passwords_pam_faillock_deny +- no_files_unowned_by_user +- audit_rules_dac_modification_fremovexattr +- firewalld_loopback_traffic_trusted +- partition_for_var_log_audit +- wireless_disable_interfaces +- accounts_root_gid_zero +- audit_rules_unsuccessful_file_modification_creat +- accounts_password_set_warn_age_existing +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_minimum_age_login_defs=1 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=5 +- var_accounts_passwords_pam_faillock_deny=3 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_pam_wheel_group_for_su=cis +- sshd_idle_timeout_value=15_minutes +- var_sshd_set_keepalive=0 +- var_sshd_set_login_grace_time=60 +- var_sshd_max_sessions=10 +- var_sshd_set_maxstartups=10:30:60 +- sshd_max_auth_tries_value=4 +- var_nftables_family=inet +- var_nftables_table=firewalld +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- 
sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- var_system_crypto_policy=default_policy +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +- var_accounts_passwords_pam_faillock_dir=run +- var_auditd_action_mail_acct=root +- var_auditd_admin_space_left_action=halt +- var_auditd_space_left_action=email +- var_auditd_max_log_file_action=keep_logs +- var_auditd_max_log_file=6 +- var_selinux_state=enforcing +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel9 +title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server +definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis.profile +documentation_complete: true diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile new file mode 100644 index 00000000000..3c0a607bee9 --- /dev/null +++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile 
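Review bot: The `definition_location` field at the end of this hunk records an absolute path under the author's home directory (`/home/jcerny/work/git/content/products/rhel9/profiles/cis.profile`), so the committed fixture is tied to one checkout and leaks a local username into the repository; the same applies to the rhel9 cis_server_l1 hunk below and, as far as visible, to the rhel8 cis_workstation_l2 hunk above. If the stability test compares the whole dump this field will differ on any other machine and the comparison will fail for a reason unrelated to rule selection; if the test already ignores it, the value is dead weight that will still churn on every regeneration. I would either make the stored value repo-relative, e.g. `definition_location: products/rhel9/profiles/cis.profile`, or drop the key from the dumped fixtures entirely so that only the rule and variable selections are under comparison. A short comment in the test data directory's README stating which keys are compared and which are normalized would make the intended contract clear to whoever regenerates these files.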
@@ -0,0 +1,350 @@ +description: "This profile defines a baseline that aligns to the \"Level 1 - Server\"\nconfiguration + from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122, + v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed + Hat Enterprise Linux 9 CIS Benchmarks\u2122 content." +extends: null +hidden: '' +metadata: + version: 1.0.0 + SMEs: + - marcusburghardt + - vojtapolasek + - yuumasato +reference: https://www.cisecurity.org/benchmark/red_hat_linux/ +selections: +- coredump_disable_storage +- package_dovecot_removed +- accounts_passwords_pam_faillock_unlock_time +- sysctl_net_ipv4_conf_all_accept_redirects +- firewalld_loopback_traffic_restricted +- sysctl_net_ipv6_conf_all_accept_redirects +- mount_option_var_log_nodev +- file_groupowner_etc_gshadow +- file_owner_grub2_cfg +- no_shelllogin_for_systemaccounts +- file_owner_cron_allow +- dconf_gnome_screensaver_idle_delay +- ensure_root_password_configured +- file_owner_cron_daily +- file_owner_backup_etc_shadow +- mount_option_var_log_audit_noexec +- package_setroubleshoot_removed +- sshd_set_login_grace_time +- file_owner_cron_hourly +- package_samba_removed +- no_rsh_trust_files +- rsyslog_files_permissions +- account_password_pam_faillock_system_auth +- dconf_gnome_disable_automount_open +- mount_option_var_tmp_noexec +- selinux_not_disabled +- sshd_set_loglevel_verbose +- sysctl_net_ipv4_conf_default_log_martians +- service_systemd-journald_enabled +- package_nftables_installed +- mount_option_var_nodev +- accounts_user_interactive_home_directory_exists +- accounts_tmout +- file_groupowner_etc_issue +- mount_option_var_log_noexec +- file_owner_backup_etc_group +- file_permissions_cron_daily +- file_groupowner_backup_etc_shadow +- file_permissions_home_directories +- file_groupowner_backup_etc_passwd +- set_password_hashing_algorithm_systemauth +- package_mcstrans_removed +- sshd_limit_user_access +- sshd_set_max_sessions +- 
file_permissions_crontab +- journald_compress +- file_permissions_at_allow +- file_owner_etc_passwd +- mount_option_var_tmp_nodev +- file_owner_backup_etc_passwd +- package_sudo_installed +- root_path_no_dot +- file_permissions_etc_shadow +- file_groupowner_etc_passwd +- mount_option_var_tmp_nosuid +- package_rsync_removed +- accounts_password_pam_retry +- package_firewalld_installed +- package_telnet_removed +- sudo_require_reauthentication +- file_permissions_unauthorized_world_writable +- sysctl_net_ipv4_conf_all_accept_source_route +- chronyd_run_as_chrony_user +- file_at_deny_not_exist +- file_groupowner_crontab +- selinux_confinement_of_daemons +- mount_option_home_nosuid +- file_permissions_cron_weekly +- file_cron_deny_not_exist +- dconf_gnome_disable_autorun +- accounts_password_set_max_life_existing +- file_permissions_etc_group +- accounts_no_uid_except_zero +- disable_host_auth +- file_permissions_ungroupowned +- sshd_disable_empty_passwords +- mount_option_dev_shm_nosuid +- aide_build_database +- file_owner_user_cfg +- package_tftp-server_removed +- sysctl_net_ipv6_conf_all_forwarding +- file_groupowner_backup_etc_gshadow +- accounts_password_all_shadowed +- account_unique_id +- set_nftables_table +- accounts_set_post_pw_existing +- file_groupowner_etc_motd +- file_permissions_cron_d +- grub2_password +- file_groupowner_cron_hourly +- dconf_db_up_to_date +- sysctl_net_ipv4_ip_forward +- file_owner_sshd_config +- file_owner_cron_monthly +- file_permissions_etc_motd +- set_password_hashing_algorithm_logindefs +- mount_option_tmp_nosuid +- no_password_auth_for_systemaccounts +- accounts_password_pam_minclass +- service_rsyslog_enabled +- sshd_set_maxstartups +- file_groupowner_cron_allow +- sudo_add_use_pty +- sysctl_net_ipv6_conf_all_accept_ra +- accounts_maximum_age_login_defs +- file_permissions_etc_issue +- package_httpd_removed +- no_forward_files +- service_firewalld_enabled +- rsyslog_nolisten +- file_owner_etc_group +- 
accounts_password_pam_pwhistory_remember_password_auth +- group_unique_id +- selinux_policytype +- sysctl_net_ipv4_conf_default_secure_redirects +- file_cron_allow_exists +- file_groupowner_user_cfg +- dconf_gnome_disable_automount +- package_bind_removed +- file_groupowner_cron_weekly +- socket_systemd-journal-remote_disabled +- package_net-snmp_removed +- coredump_disable_backtraces +- enable_authselect +- partition_for_dev_shm +- kernel_module_udf_disabled +- file_groupowner_etc_issue_net +- file_permissions_user_cfg +- service_crond_enabled +- sysctl_net_ipv4_conf_all_send_redirects +- sysctl_net_ipv6_conf_default_accept_ra +- dconf_gnome_screensaver_lock_delay +- configure_ssh_crypto_policy +- account_password_pam_faillock_password_auth +- banner_etc_motd +- file_permissions_backup_etc_gshadow +- file_permissions_etc_passwd +- ensure_pam_wheel_group_empty +- file_permissions_backup_etc_shadow +- journald_storage +- file_owner_crontab +- package_vsftpd_removed +- sudo_custom_logfile +- file_groupownership_sshd_pub_key +- file_owner_etc_issue_net +- account_disable_post_pw_expiration +- sshd_enable_pam +- sshd_set_keepalive +- sysctl_net_ipv4_tcp_syncookies +- set_firewalld_default_zone +- aide_check_audit_tools +- postfix_network_listening_disabled +- accounts_umask_etc_bashrc +- mount_option_var_log_audit_nodev +- rsyslog_files_groupownership +- service_nfs_disabled +- accounts_minimum_age_login_defs +- file_permissions_grub2_cfg +- dconf_gnome_screensaver_user_locks +- file_permissions_etc_gshadow +- sshd_enable_warning_banner_net +- package_dnsmasq_removed +- file_ownership_sshd_private_key +- file_permissions_sshd_private_key +- no_empty_passwords +- grub2_enable_selinux +- file_permissions_sshd_pub_key +- service_nftables_disabled +- mount_option_var_log_nosuid +- accounts_password_pam_minlen +- file_permissions_cron_allow +- sysctl_net_ipv6_conf_all_accept_source_route +- file_owner_etc_motd +- use_pam_wheel_group_for_su +- rsyslog_filecreatemode +- 
sysctl_net_ipv4_conf_all_secure_redirects +- file_owner_cron_d +- file_groupowner_sshd_config +- file_owner_etc_gshadow +- accounts_password_pam_pwhistory_remember_system_auth +- file_permissions_etc_issue_net +- package_nginx_removed +- dir_perms_world_writable_sticky_bits +- file_ownership_sshd_pub_key +- mount_option_var_log_audit_nosuid +- package_rsyslog_installed +- accounts_umask_etc_login_defs +- kernel_module_squashfs_disabled +- sysctl_kernel_randomize_va_space +- accounts_user_dot_no_world_writable_programs +- sysctl_net_ipv4_conf_all_rp_filter +- sshd_set_max_auth_tries +- sysctl_net_ipv4_conf_default_accept_redirects +- package_telnet-server_removed +- gnome_gdm_disable_xdmcp +- mount_option_home_nodev +- file_groupownership_home_directories +- sshd_disable_root_login +- mount_option_dev_shm_noexec +- sysctl_net_ipv6_conf_default_accept_source_route +- file_permissions_backup_etc_passwd +- package_cyrus-imapd_removed +- file_permissions_sshd_config +- no_netrc_files +- banner_etc_issue_net +- journald_forward_to_syslog +- package_tftp_removed +- no_empty_passwords_etc_shadow +- package_dhcp_removed +- file_groupowner_at_allow +- mount_option_dev_shm_nodev +- package_aide_installed +- package_cups_removed +- file_permissions_cron_monthly +- mount_option_tmp_noexec +- sysctl_net_ipv4_conf_default_accept_source_route +- package_ftp_removed +- rsyslog_files_ownership +- accounts_password_last_change_is_in_past +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv4_conf_all_log_martians +- sshd_disable_rhosts +- dconf_gnome_login_banner_text +- chronyd_specify_remote_server +- file_groupowner_etc_group +- file_groupowner_backup_etc_group +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_backup_etc_group +- file_groupowner_grub2_cfg +- package_avahi_removed +- banner_etc_issue +- accounts_umask_etc_profile +- kernel_module_usb-storage_disabled +- file_owner_etc_issue +- mount_option_tmp_nodev +- package_libselinux_installed +- 
service_rpcbind_disabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- accounts_root_path_dirs_no_write +- dconf_gnome_disable_user_list +- file_owner_cron_weekly +- gid_passwd_group_same +- sysctl_net_ipv6_conf_default_accept_redirects +- partition_for_tmp +- mount_option_var_nosuid +- set_password_hashing_algorithm_passwordauth +- package_squid_removed +- sshd_do_not_permit_user_env +- file_owner_backup_etc_gshadow +- dconf_gnome_session_idle_user_locks +- accounts_passwords_pam_faillock_deny +- accounts_password_set_min_life_existing +- file_groupowner_cron_daily +- file_owner_etc_shadow +- package_openldap-clients_removed +- account_unique_name +- sshd_set_idle_timeout +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- no_files_unowned_by_user +- file_groupowner_cron_monthly +- ensure_gpgcheck_globally_activated +- firewalld_loopback_traffic_trusted +- configure_crypto_policy +- has_nonlocal_mta +- wireless_disable_interfaces +- accounts_root_gid_zero +- dconf_gnome_banner_enabled +- accounts_password_warn_age_login_defs +- accounts_password_set_warn_age_existing +- aide_periodic_cron_checking +- file_groupowner_etc_shadow +- file_groupowner_cron_d +- file_groupownership_sshd_private_key +- file_permissions_cron_hourly +- var_accounts_user_umask=027 +- var_accounts_tmout=15_min +- var_account_disable_post_pw_expiration=30 +- var_accounts_password_warn_age_login_defs=7 +- var_accounts_minimum_age_login_defs=1 +- var_accounts_maximum_age_login_defs=365 +- var_password_hashing_algorithm=SHA512 +- var_password_pam_remember_control_flag=requisite_or_required +- var_password_pam_remember=5 +- var_accounts_passwords_pam_faillock_deny=3 +- var_accounts_passwords_pam_faillock_unlock_time=900 +- var_password_pam_minclass=4 +- var_password_pam_minlen=14 +- var_pam_wheel_group_for_su=cis +- sshd_idle_timeout_value=15_minutes +- var_sshd_set_keepalive=0 +- var_sshd_set_login_grace_time=60 +- var_sshd_max_sessions=10 +- var_sshd_set_maxstartups=10:30:60 +- 
sshd_max_auth_tries_value=4 +- var_nftables_family=inet +- var_nftables_table=firewalld +- sysctl_net_ipv6_conf_all_accept_ra_value=disabled +- sysctl_net_ipv6_conf_default_accept_ra_value=disabled +- sysctl_net_ipv4_tcp_syncookies_value=enabled +- sysctl_net_ipv4_conf_all_rp_filter_value=enabled +- sysctl_net_ipv4_conf_default_rp_filter_value=enabled +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled +- sysctl_net_ipv4_conf_all_log_martians_value=enabled +- sysctl_net_ipv4_conf_default_log_martians_value=enabled +- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled +- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled +- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled +- sysctl_net_ipv6_conf_all_forwarding_value=disabled +- var_postfix_inet_interfaces=loopback-only +- var_multiple_time_servers=rhel +- var_system_crypto_policy=default_policy +- inactivity_timeout_value=15_minutes +- var_screensaver_lock_delay=5_seconds +- remote_login_banner_text=cis_banners +- login_banner_text=cis_banners +- motd_banner_text=cis_banners +- var_selinux_policy_name=targeted +- var_authselect_profile=sssd +unselected_groups: [] +platforms: !!set {} +cpe_names: !!set {} +platform: null +filter_rules: '' +policies: +- cis_rhel9 +title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server +definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_server_l1.profile +documentation_complete: true 
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
new file mode 100644
index 00000000000..9eb576f65a2
--- /dev/null
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -0,0 +1,346 @@
+description: "This profile defines a baseline that aligns to the \"Level 1 - Workstation\"\nconfiguration
+ from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122,
+ v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed
+ Hat Enterprise Linux 9 CIS Benchmarks\u2122 content."
+extends: null
+hidden: ''
+metadata:
+ version: 1.0.0
+ SMEs:
+ - marcusburghardt
+ - vojtapolasek
+ - yuumasato
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+selections:
+- coredump_disable_storage
+- package_dovecot_removed
+- accounts_passwords_pam_faillock_unlock_time
+- sysctl_net_ipv4_conf_all_accept_redirects
+- firewalld_loopback_traffic_restricted
+- sysctl_net_ipv6_conf_all_accept_redirects
+- mount_option_var_log_nodev
+- file_groupowner_etc_gshadow
+- file_owner_grub2_cfg
+- no_shelllogin_for_systemaccounts
+- file_owner_cron_allow
+- dconf_gnome_screensaver_idle_delay
+- ensure_root_password_configured
+- file_owner_cron_daily
+- file_owner_backup_etc_shadow
+- mount_option_var_log_audit_noexec
+- sshd_set_login_grace_time
+- file_owner_cron_hourly
+- package_samba_removed
+- no_rsh_trust_files
+- rsyslog_files_permissions
+- account_password_pam_faillock_system_auth
+- dconf_gnome_disable_automount_open
+- mount_option_var_tmp_noexec
+- selinux_not_disabled
+- sshd_set_loglevel_verbose
+- sysctl_net_ipv4_conf_default_log_martians
+- service_systemd-journald_enabled
+- package_nftables_installed
+- mount_option_var_nodev
+- accounts_user_interactive_home_directory_exists
+- accounts_tmout
+- file_groupowner_etc_issue
+- mount_option_var_log_noexec
+- file_owner_backup_etc_group
+- file_permissions_cron_daily
+- file_groupowner_backup_etc_shadow
+- file_permissions_home_directories
+- file_groupowner_backup_etc_passwd
+- set_password_hashing_algorithm_systemauth
+- package_mcstrans_removed
+- sshd_limit_user_access
+- sshd_set_max_sessions
+- file_permissions_crontab
+- journald_compress
+- file_permissions_at_allow
+- file_owner_etc_passwd
+- mount_option_var_tmp_nodev
+- file_owner_backup_etc_passwd
+- package_sudo_installed
+- root_path_no_dot
+- file_permissions_etc_shadow
+- file_groupowner_etc_passwd
+- mount_option_var_tmp_nosuid
+- package_rsync_removed
+- accounts_password_pam_retry
+- package_firewalld_installed
+- package_telnet_removed
+- sudo_require_reauthentication
+- file_permissions_unauthorized_world_writable
+- sysctl_net_ipv4_conf_all_accept_source_route
+- chronyd_run_as_chrony_user
+- file_at_deny_not_exist
+- file_groupowner_crontab
+- selinux_confinement_of_daemons
+- mount_option_home_nosuid
+- file_permissions_cron_weekly
+- file_cron_deny_not_exist
+- dconf_gnome_disable_autorun
+- accounts_password_set_max_life_existing
+- file_permissions_etc_group
+- accounts_no_uid_except_zero
+- disable_host_auth
+- file_permissions_ungroupowned
+- sshd_disable_empty_passwords
+- mount_option_dev_shm_nosuid
+- aide_build_database
+- file_owner_user_cfg
+- package_tftp-server_removed
+- sysctl_net_ipv6_conf_all_forwarding
+- file_groupowner_backup_etc_gshadow
+- accounts_password_all_shadowed
+- account_unique_id
+- set_nftables_table
+- accounts_set_post_pw_existing
+- file_groupowner_etc_motd
+- file_permissions_cron_d
+- grub2_password
+- file_groupowner_cron_hourly
+- dconf_db_up_to_date
+- sysctl_net_ipv4_ip_forward
+- file_owner_sshd_config
+- file_owner_cron_monthly
+- file_permissions_etc_motd
+- set_password_hashing_algorithm_logindefs
+- mount_option_tmp_nosuid
+- no_password_auth_for_systemaccounts
+- accounts_password_pam_minclass
+- service_rsyslog_enabled
+- sshd_set_maxstartups
+- file_groupowner_cron_allow
+- sudo_add_use_pty
+- sysctl_net_ipv6_conf_all_accept_ra
+- accounts_maximum_age_login_defs
+- file_permissions_etc_issue
+- package_httpd_removed
+- no_forward_files
+- service_firewalld_enabled
+- rsyslog_nolisten
+- file_owner_etc_group
+- accounts_password_pam_pwhistory_remember_password_auth
+- group_unique_id
+- selinux_policytype
+- sysctl_net_ipv4_conf_default_secure_redirects
+- file_cron_allow_exists
+- file_groupowner_user_cfg
+- dconf_gnome_disable_automount
+- package_bind_removed
+- file_groupowner_cron_weekly
+- socket_systemd-journal-remote_disabled
+- package_net-snmp_removed
+- coredump_disable_backtraces
+- enable_authselect
+- partition_for_dev_shm
+- kernel_module_udf_disabled
+- file_groupowner_etc_issue_net
+- file_permissions_user_cfg
+- service_crond_enabled
+- sysctl_net_ipv4_conf_all_send_redirects
+- sysctl_net_ipv6_conf_default_accept_ra
+- dconf_gnome_screensaver_lock_delay
+- configure_ssh_crypto_policy
+- account_password_pam_faillock_password_auth
+- banner_etc_motd
+- file_permissions_backup_etc_gshadow
+- file_permissions_etc_passwd
+- ensure_pam_wheel_group_empty
+- file_permissions_backup_etc_shadow
+- journald_storage
+- file_owner_crontab
+- package_vsftpd_removed
+- sudo_custom_logfile
+- sshd_disable_x11_forwarding
+- file_groupownership_sshd_pub_key
+- file_owner_etc_issue_net
+- account_disable_post_pw_expiration
+- sshd_enable_pam
+- sshd_set_keepalive
+- sysctl_net_ipv4_tcp_syncookies
+- set_firewalld_default_zone
+- aide_check_audit_tools
+- postfix_network_listening_disabled
+- accounts_umask_etc_bashrc
+- mount_option_var_log_audit_nodev
+- rsyslog_files_groupownership
+- service_nfs_disabled
+- accounts_minimum_age_login_defs
+- file_permissions_grub2_cfg
+- dconf_gnome_screensaver_user_locks
+- file_permissions_etc_gshadow
+- sshd_enable_warning_banner_net
+- package_dnsmasq_removed
+- file_ownership_sshd_private_key
+- file_permissions_sshd_private_key
+- no_empty_passwords
+- grub2_enable_selinux
+- file_permissions_sshd_pub_key
+- service_nftables_disabled
+- mount_option_var_log_nosuid
+- accounts_password_pam_minlen
+- file_permissions_cron_allow
+- sysctl_net_ipv6_conf_all_accept_source_route
+- file_owner_etc_motd
+- use_pam_wheel_group_for_su
+- rsyslog_filecreatemode
+- sysctl_net_ipv4_conf_all_secure_redirects
+- file_owner_cron_d
+- file_groupowner_sshd_config
+- file_owner_etc_gshadow
+- accounts_password_pam_pwhistory_remember_system_auth
+- file_permissions_etc_issue_net
+- package_nginx_removed
+- dir_perms_world_writable_sticky_bits
+- file_ownership_sshd_pub_key
+- mount_option_var_log_audit_nosuid
+- package_rsyslog_installed
+- accounts_umask_etc_login_defs
+- kernel_module_squashfs_disabled
+- sysctl_kernel_randomize_va_space
+- accounts_user_dot_no_world_writable_programs
+- sysctl_net_ipv4_conf_all_rp_filter
+- sshd_set_max_auth_tries
+- sysctl_net_ipv4_conf_default_accept_redirects
+- package_telnet-server_removed
+- gnome_gdm_disable_xdmcp
+- mount_option_home_nodev
+- file_groupownership_home_directories
+- sshd_disable_root_login
+- mount_option_dev_shm_noexec
+- sysctl_net_ipv6_conf_default_accept_source_route
+- file_permissions_backup_etc_passwd
+- package_cyrus-imapd_removed
+- file_permissions_sshd_config
+- no_netrc_files
+- banner_etc_issue_net
+- journald_forward_to_syslog
+- package_tftp_removed
+- no_empty_passwords_etc_shadow
+- package_dhcp_removed
+- file_groupowner_at_allow
+- mount_option_dev_shm_nodev
+- package_aide_installed
+- file_permissions_cron_monthly
+- mount_option_tmp_noexec
+- sysctl_net_ipv4_conf_default_accept_source_route
+- package_ftp_removed
+- rsyslog_files_ownership
+- accounts_password_last_change_is_in_past
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_all_log_martians
+- sshd_disable_rhosts
+- dconf_gnome_login_banner_text
+- chronyd_specify_remote_server
+- file_groupowner_etc_group
+- file_groupowner_backup_etc_group
+- sysctl_net_ipv4_conf_default_send_redirects
+- file_permissions_backup_etc_group
+- file_groupowner_grub2_cfg
+- banner_etc_issue
+- accounts_umask_etc_profile
+- mount_option_tmp_nodev
+- file_owner_etc_issue
+- package_libselinux_installed
+- service_rpcbind_disabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- accounts_root_path_dirs_no_write
+- dconf_gnome_disable_user_list
+- file_owner_cron_weekly
+- gid_passwd_group_same
+- sysctl_net_ipv6_conf_default_accept_redirects
+- partition_for_tmp
+- mount_option_var_nosuid
+- set_password_hashing_algorithm_passwordauth
+- package_squid_removed
+- sshd_do_not_permit_user_env
+- file_owner_backup_etc_gshadow
+- dconf_gnome_session_idle_user_locks
+- accounts_passwords_pam_faillock_deny
+- accounts_password_set_min_life_existing
+- file_groupowner_cron_daily
+- file_owner_etc_shadow
+- package_openldap-clients_removed
+- account_unique_name
+- sshd_set_idle_timeout
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- no_files_unowned_by_user
+- file_groupowner_cron_monthly
+- ensure_gpgcheck_globally_activated
+- firewalld_loopback_traffic_trusted
+- configure_crypto_policy
+- has_nonlocal_mta
+- accounts_root_gid_zero
+- dconf_gnome_banner_enabled
+- accounts_password_warn_age_login_defs
+- accounts_password_set_warn_age_existing
+- aide_periodic_cron_checking
+- file_groupowner_etc_shadow
+- file_groupowner_cron_d
+- file_groupownership_sshd_private_key
+- file_permissions_cron_hourly
+- var_accounts_user_umask=027
+- var_accounts_tmout=15_min
+- var_account_disable_post_pw_expiration=30
+- var_accounts_password_warn_age_login_defs=7
+- var_accounts_minimum_age_login_defs=1
+- var_accounts_maximum_age_login_defs=365
+- var_password_hashing_algorithm=SHA512
+- var_password_pam_remember_control_flag=requisite_or_required
+- var_password_pam_remember=5
+- var_accounts_passwords_pam_faillock_deny=3
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_minclass=4
+- var_password_pam_minlen=14
+- var_pam_wheel_group_for_su=cis
+- sshd_idle_timeout_value=15_minutes
+- var_sshd_set_keepalive=0
+- var_sshd_set_login_grace_time=60
+- var_sshd_max_sessions=10
+- var_sshd_set_maxstartups=10:30:60
+- sshd_max_auth_tries_value=4
+- var_nftables_family=inet
+- var_nftables_table=firewalld
+- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+- sysctl_net_ipv4_tcp_syncookies_value=enabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_conf_all_log_martians_value=enabled
+- sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_forwarding_value=disabled
+- var_postfix_inet_interfaces=loopback-only
+- var_multiple_time_servers=rhel
+- var_system_crypto_policy=default_policy
+- inactivity_timeout_value=15_minutes
+- var_screensaver_lock_delay=5_seconds
+- remote_login_banner_text=cis_banners
+- login_banner_text=cis_banners
+- motd_banner_text=cis_banners
+- var_selinux_policy_name=targeted
+- var_authselect_profile=sssd
+unselected_groups: []
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+policies:
+- cis_rhel9
+title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
+definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l1.profile
+documentation_complete: true
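Review bot: `definition_location` on the last lines of this hunk pins the snapshot to an absolute path under one developer's home directory (`/home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l1.profile`), so the stored expectation will differ on any other checkout or CI runner unless the comparison explicitly ignores that key; the same applies to the rhel9 cis_workstation_l2 hunk and the preceding cis_server_l1 one. Either drop the key when the snapshot is generated, e.g. `profile.pop("definition_location", None)` before dumping, or have the stability test compare only `selections`, which is the property the commit message says it guards. The `selections` list also appears to be in hash order rather than sorted, which will make any future diff against this file noisy; emitting it sorted would keep the snapshots reviewable. The hunk is a whole new file, so the note applies to the file as a unit.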
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
new file mode 100644
index 00000000000..631ad00ee95
--- /dev/null
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -0,0 +1,436 @@
+description: "This profile defines a baseline that aligns to the \"Level 2 - Workstation\"\nconfiguration
+ from the Center for Internet Security\xAE Red Hat Enterprise\nLinux 9 Benchmark\u2122,
+ v1.0.0, released 2022-11-28.\n\nThis profile includes Center for Internet Security\xAE\nRed
+ Hat Enterprise Linux 9 CIS Benchmarks\u2122 content."
+extends: null
+hidden: ''
+metadata:
+ version: 1.0.0
+ SMEs:
+ - marcusburghardt
+ - vojtapolasek
+ - yuumasato
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+selections:
+- sysctl_net_ipv4_conf_all_accept_redirects
+- auditd_data_retention_max_log_file
+- audit_rules_session_events
+- sysctl_net_ipv6_conf_all_accept_redirects
+- audit_rules_login_events_lastlog
+- file_owner_cron_daily
+- ensure_root_password_configured
+- file_owner_backup_etc_shadow
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_networkconfig_modification
+- sysctl_net_ipv4_conf_default_log_martians
+- audit_rules_unsuccessful_file_modification_truncate
+- auditd_data_retention_space_left_action
+- audit_sudo_log_events
+- grub2_audit_backlog_limit_argument
+- audit_rules_file_deletion_events_unlinkat
+- file_permissions_home_directories
+- file_permissions_crontab
+- audit_rules_kernel_module_loading_finit
+- sudo_require_reauthentication
+- file_cron_deny_not_exist
+- accounts_no_uid_except_zero
+- disable_host_auth
+- package_tftp-server_removed
+- file_groupowner_backup_etc_gshadow
+- account_unique_id
+- file_groupowner_etc_motd
+- grub2_password
+- accounts_maximum_age_login_defs
+- file_owner_etc_group
+- audit_rules_execution_setfacl
+- service_crond_enabled
+- file_permissions_backup_etc_gshadow
+- file_owner_crontab
+- sysctl_net_ipv4_tcp_syncookies
+- file_owner_etc_issue_net
+- sshd_set_keepalive
+- set_firewalld_default_zone
+- accounts_umask_etc_bashrc
+- mount_option_var_log_audit_nodev
+- service_auditd_enabled
+- file_permissions_grub2_cfg
+- audit_rules_kernel_module_loading_delete
+- dconf_gnome_screensaver_user_locks
+- no_empty_passwords
+- audit_rules_time_adjtimex
+- accounts_password_pam_minlen
+- audit_rules_dac_modification_fchmodat
+- grub2_audit_argument
+- sysctl_net_ipv4_conf_all_secure_redirects
+- file_groupowner_sshd_config
+- audit_rules_time_clock_settime
+- dir_perms_world_writable_sticky_bits
+- mount_option_var_log_audit_nosuid
+- kernel_module_squashfs_disabled
+- accounts_user_dot_no_world_writable_programs
+- sshd_set_max_auth_tries
+- package_telnet-server_removed
+- audit_rules_time_settimeofday
+- file_groupownership_home_directories
+- sysctl_net_ipv6_conf_default_accept_source_route
+- audit_rules_dac_modification_fsetxattr
+- package_cyrus-imapd_removed
+- file_permissions_sshd_config
+- no_netrc_files
+- audit_rules_immutable
+- mount_option_dev_shm_nodev
+- file_permissions_cron_monthly
+- dconf_gnome_login_banner_text
+- chronyd_specify_remote_server
+- sysctl_net_ipv4_conf_default_send_redirects
+- file_permissions_backup_etc_group
+- audit_rules_dac_modification_fchownat
+- kernel_module_usb-storage_disabled
+- mount_option_tmp_nodev
+- audit_rules_usergroup_modification_gshadow
+- gid_passwd_group_same
+- sysctl_net_ipv6_conf_default_accept_redirects
+- set_password_hashing_algorithm_passwordauth
+- dconf_gnome_session_idle_user_locks
+- sudo_require_authentication
+- accounts_password_set_min_life_existing
+- kernel_module_tipc_disabled
+- dconf_gnome_banner_enabled
+- sysctl_net_ipv4_conf_default_secure_redirects
+- file_groupowner_cron_d
+- audit_rules_usergroup_modification_opasswd
+- audit_rules_mac_modification_usr_share
+- accounts_passwords_pam_faillock_unlock_time
+- file_owner_grub2_cfg
+- audit_rules_kernel_module_loading_query
+- no_shelllogin_for_systemaccounts
+- file_owner_cron_allow
+- dconf_gnome_screensaver_idle_delay
+- directory_permissions_var_log_audit
+- package_samba_removed
+- sshd_set_loglevel_verbose
+- audit_rules_time_stime
+- accounts_user_interactive_home_directory_exists
+- accounts_tmout
+- file_groupowner_backup_etc_shadow
+- file_owner_etc_passwd
+- mount_option_var_tmp_nodev
+- partition_for_home
+- audit_rules_file_deletion_events_rename
+- package_rsync_removed
+- accounts_password_pam_retry
+- chronyd_run_as_chrony_user
+- file_permissions_cron_weekly
+- file_permissions_etc_group
+- file_permissions_ungroupowned
+- aide_build_database
+- accounts_password_all_shadowed
+- set_nftables_table
+- file_permissions_etc_motd
+- set_password_hashing_algorithm_logindefs
+- mount_option_tmp_nosuid
+- service_firewalld_enabled
+- rsyslog_nolisten
+- accounts_password_pam_pwhistory_remember_password_auth
+- package_net-snmp_removed
+- coredump_disable_backtraces
+- partition_for_dev_shm
+- auditd_data_retention_admin_space_left_action
+- configure_ssh_crypto_policy
+- ensure_pam_wheel_group_empty
+- package_vsftpd_removed
+- auditd_data_retention_max_log_file_action
+- sshd_disable_x11_forwarding
+- sshd_enable_pam
+- audit_rules_kernel_module_loading_init
+- audit_rules_time_watch_localtime
+- package_dnsmasq_removed
+- sshd_enable_warning_banner_net
+- file_permissions_sshd_pub_key
+- file_permissions_cron_allow
+- file_owner_etc_motd
+- rsyslog_filecreatemode
+- file_owner_cron_d
+- audit_rules_unsuccessful_file_modification_open
+- accounts_umask_etc_login_defs
+- mount_option_home_nodev
+- mount_option_dev_shm_noexec
+- audit_rules_usergroup_modification_group
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- journald_forward_to_syslog
+- audit_rules_execution_chcon
+- audit_rules_dac_modification_lremovexattr
+- package_ftp_removed
+- accounts_password_last_change_is_in_past
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_all_log_martians
+- file_groupowner_etc_group
+- package_libselinux_installed
+- file_owner_cron_weekly
+- mount_option_var_nosuid
+- file_owner_etc_shadow
+- account_unique_name
+- sshd_set_idle_timeout
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- audit_rules_dac_modification_chown
+- has_nonlocal_mta
+- accounts_password_warn_age_login_defs
+- mount_option_var_log_nosuid
+- file_groupowner_etc_shadow
+- file_permissions_cron_hourly
+- coredump_disable_storage
+- auditd_data_retention_action_mail_acct
+- file_groupowner_etc_gshadow
+- audit_rules_unsuccessful_file_modification_ftruncate
+- no_rsh_trust_files
+- rsyslog_files_permissions
+- account_password_pam_faillock_system_auth
+- mount_option_var_tmp_noexec
+- mount_option_var_nodev
+- audit_rules_privileged_commands_kmod
+- audit_rules_sysadmin_actions
+- file_groupowner_etc_issue
+- file_owner_backup_etc_group
+- file_permissions_cron_daily
+- file_groupowner_backup_etc_passwd
+- set_password_hashing_algorithm_systemauth
+- sshd_set_max_sessions
+- journald_compress
+- package_sudo_installed
+- file_owner_backup_etc_passwd
+- audit_rules_login_events_faillock
+- file_groupowner_etc_passwd
+- package_firewalld_installed
+- file_permissions_unauthorized_world_writable
+- sysctl_net_ipv4_conf_all_accept_source_route
+- audit_rules_dac_modification_fchown
+- file_at_deny_not_exist
+- mount_option_home_nosuid
+- file_permissions_var_log_audit
+- mount_option_dev_shm_nosuid
+- file_owner_user_cfg
+- sysctl_net_ipv6_conf_all_forwarding
+- audit_rules_mac_modification
+- file_permissions_cron_d
+- dconf_db_up_to_date
+- sysctl_net_ipv4_ip_forward
+- audit_rules_usergroup_modification_passwd
+- accounts_password_pam_minclass
+- service_rsyslog_enabled
+- sshd_set_maxstartups
+- file_groupowner_cron_allow
+- sudo_add_use_pty
+- sysctl_net_ipv6_conf_all_accept_ra
+- package_httpd_removed
+- audit_rules_dac_modification_lchown
+- audit_rules_kernel_module_loading_create
+- group_unique_id
+- file_cron_allow_exists
+- file_groupowner_user_cfg
+- dconf_gnome_disable_automount
+- package_bind_removed
+- file_groupowner_cron_weekly
+- socket_systemd-journal-remote_disabled
+- enable_authselect
+- kernel_module_udf_disabled
+- file_groupowner_etc_issue_net
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv4_conf_all_send_redirects
+- account_password_pam_faillock_password_auth
+- banner_etc_motd
+- file_permissions_backup_etc_shadow
+- journald_storage
+- sudo_custom_logfile
+- audit_rules_dac_modification_fchmod
+- account_disable_post_pw_expiration
+- aide_check_audit_tools
+- file_ownership_audit_configuration
+- selinux_state
+- service_nfs_disabled
+- partition_for_var_tmp
+- grub2_enable_selinux
+- service_nftables_disabled
+- use_pam_wheel_group_for_su
+- file_permissions_audit_configuration
+- package_nginx_removed
+- accounts_password_pam_pwhistory_remember_system_auth
+- file_permissions_etc_issue_net
+- file_ownership_sshd_pub_key
+- file_ownership_audit_binaries
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_default_accept_redirects
+- file_permissions_backup_etc_passwd
+- file_ownership_var_log_audit_stig
+- package_tftp_removed
+- file_groupownership_audit_binaries
+- no_empty_passwords_etc_shadow
+- package_dhcp_removed
+- file_groupowner_at_allow
+- package_aide_installed
+- mount_option_tmp_noexec
+- sshd_disable_rhosts
+- file_permissions_audit_binaries
+- service_rpcbind_disabled
+- accounts_umask_etc_profile
+- file_owner_etc_issue
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- accounts_root_path_dirs_no_write
+- package_squid_removed
+- file_groupowner_cron_daily
+- package_openldap-clients_removed
+- partition_for_var_log
+- audit_rules_suid_auid_privilege_function
+- file_groupowner_cron_monthly
+- ensure_gpgcheck_globally_activated
+- configure_crypto_policy
+- aide_periodic_cron_checking
+- file_permissions_etc_passwd
+- file_groupownership_sshd_private_key
+- package_dovecot_removed
+- firewalld_loopback_traffic_restricted
+- mount_option_var_log_nodev
+- mount_option_var_log_audit_noexec
+- sshd_set_login_grace_time
+- file_owner_cron_hourly
+- dconf_gnome_disable_automount_open
+- selinux_not_disabled
+- service_systemd-journald_enabled
+- package_nftables_installed
+- mount_option_var_log_noexec
+- partition_for_var
+- package_mcstrans_removed
+- sshd_limit_user_access
+- root_path_no_dot
+- file_permissions_at_allow
+- file_permissions_etc_shadow
+- mount_option_var_tmp_nosuid
+- package_telnet_removed
+- file_groupowner_crontab
+- selinux_confinement_of_daemons
+- dconf_gnome_disable_autorun
+- accounts_password_set_max_life_existing
+- package_audit_installed
+- sshd_disable_empty_passwords
+- audit_rules_execution_chacl
+- audit_rules_file_deletion_events_renameat
+- audit_rules_privileged_commands_usermod
+- accounts_set_post_pw_existing
+- file_groupowner_cron_hourly
+- file_owner_sshd_config
+- file_owner_cron_monthly
+- no_password_auth_for_systemaccounts
+- audit_rules_privileged_commands
+- file_permissions_etc_issue
+- no_forward_files
+- selinux_policytype
+- file_permissions_user_cfg
+- dconf_gnome_screensaver_lock_delay
+- audit_rules_usergroup_modification_shadow
+- sshd_disable_tcp_forwarding
+- file_groupownership_sshd_pub_key
+- audit_rules_file_deletion_events_unlink
+- postfix_network_listening_disabled
+- rsyslog_files_groupownership
+- accounts_minimum_age_login_defs
+- file_permissions_etc_gshadow
+- file_ownership_sshd_private_key
+- file_permissions_sshd_private_key
+- sysctl_net_ipv6_conf_all_accept_source_route
+- file_owner_etc_gshadow
+- package_rsyslog_installed
+- sysctl_kernel_randomize_va_space
+- audit_rules_dac_modification_chmod
+- gnome_gdm_disable_xdmcp
+- sshd_disable_root_login
+- file_groupownership_audit_configuration
+- file_group_ownership_var_log_audit
+- audit_rules_unsuccessful_file_modification_openat
+- banner_etc_issue_net
+- audit_rules_media_export
+- sysctl_net_ipv4_conf_default_accept_source_route
+- rsyslog_files_ownership
+- file_groupowner_backup_etc_group
+- file_groupowner_grub2_cfg
+- banner_etc_issue
+- dconf_gnome_disable_user_list
+- partition_for_tmp
+- sshd_do_not_permit_user_env
+- file_owner_backup_etc_gshadow
+- accounts_passwords_pam_faillock_deny
+- no_files_unowned_by_user
+- audit_rules_dac_modification_fremovexattr
+- firewalld_loopback_traffic_trusted
+- partition_for_var_log_audit
+- accounts_root_gid_zero
+- audit_rules_unsuccessful_file_modification_creat
+- accounts_password_set_warn_age_existing
+- var_accounts_user_umask=027
+- var_accounts_tmout=15_min
+- var_account_disable_post_pw_expiration=30
+- var_accounts_password_warn_age_login_defs=7
+- var_accounts_minimum_age_login_defs=1
+- var_accounts_maximum_age_login_defs=365
+- var_password_hashing_algorithm=SHA512
+- var_password_pam_remember_control_flag=requisite_or_required
+- var_password_pam_remember=5
+- var_accounts_passwords_pam_faillock_deny=3
+- var_accounts_passwords_pam_faillock_unlock_time=900
+- var_password_pam_minclass=4
+- var_password_pam_minlen=14
+- var_pam_wheel_group_for_su=cis
+- sshd_idle_timeout_value=15_minutes
+- var_sshd_set_keepalive=0
+- var_sshd_set_login_grace_time=60
+- var_sshd_max_sessions=10
+- var_sshd_set_maxstartups=10:30:60
+- sshd_max_auth_tries_value=4
+- var_nftables_family=inet
+- var_nftables_table=firewalld
+- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+- sysctl_net_ipv4_tcp_syncookies_value=enabled
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_conf_all_log_martians_value=enabled
+- sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_forwarding_value=disabled
+- var_postfix_inet_interfaces=loopback-only
+- var_multiple_time_servers=rhel
+- var_system_crypto_policy=default_policy
+- inactivity_timeout_value=15_minutes
+- var_screensaver_lock_delay=5_seconds
+- remote_login_banner_text=cis_banners
+- login_banner_text=cis_banners
+- motd_banner_text=cis_banners
+- var_selinux_policy_name=targeted
+- var_authselect_profile=sssd
+- var_accounts_passwords_pam_faillock_dir=run
+- var_auditd_action_mail_acct=root
+- var_auditd_admin_space_left_action=halt
+- var_auditd_space_left_action=email
+- var_auditd_max_log_file_action=keep_logs
+- var_auditd_max_log_file=6
+- var_selinux_state=enforcing
+unselected_groups: []
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+policies:
+- cis_rhel9
+title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
+definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/cis_workstation_l2.profile
+documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
new file mode 100644
index 00000000000..9106e5801b7
--- /dev/null
+++ b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -0,0 +1,307 @@
+description: 'Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
+
+ security standards designed to ensure the secure handling of payment card
+
+ data, with the goal of preventing data breaches and protecting sensitive
+
+ financial information.
+
+
+ This profile ensures Red Hat Enterprise Linux 9 is configured in alignment
+
+ with PCI-DSS v4.0 requirements.'
+extends: null
+hidden: ''
+metadata:
+ version: '4.0'
+ SMEs:
+ - marcusburghardt
+ - mab879
+ - vojtapolasek
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+selections:
+- coredump_disable_storage
+- accounts_passwords_pam_faillock_unlock_time
+- audit_rules_session_events
+- firewalld_loopback_traffic_restricted
+- set_password_hashing_algorithm_libuserconf
+- audit_rules_login_events_lastlog
+- directory_access_var_log_audit
+- file_owner_grub2_cfg
+- no_shelllogin_for_systemaccounts
+- file_owner_cron_allow
+- dconf_gnome_screensaver_idle_delay
+- ensure_root_password_configured
+- file_owner_cron_daily
+- file_owner_backup_etc_shadow
+- service_avahi-daemon_disabled
+- package_audispd-plugins_installed
+- sshd_set_login_grace_time
+- file_owner_cron_hourly
+- audit_rules_dac_modification_lsetxattr
+- file_groupowner_cron_d
+- package_logrotate_installed
+- audit_rules_networkconfig_modification
+- rsyslog_files_permissions
+- dconf_gnome_disable_automount_open
+- sshd_set_loglevel_verbose
+- package_nftables_installed
+- audit_rules_time_stime
+- auditd_data_retention_space_left_action
+- bios_enable_execution_restrictions
+- audit_sudo_log_events
+- audit_rules_sysadmin_actions
+- accounts_tmout
+- file_owner_backup_etc_group
+- grub2_audit_backlog_limit_argument
+- audit_rules_file_deletion_events_unlinkat
+- file_groupowner_backup_etc_shadow
+- file_permissions_cron_daily
+- file_groupowner_backup_etc_passwd
+- set_password_hashing_algorithm_systemauth
+- sshd_limit_user_access
+- sshd_set_max_sessions
+- file_permissions_crontab
+- file_permissions_at_allow
+- file_owner_etc_passwd
+- package_sudo_installed
+- file_owner_backup_etc_passwd
+- audit_rules_login_events_faillock
+- audit_rules_file_deletion_events_rename
+- file_groupowner_etc_passwd
+- file_permissions_etc_shadow
+- sudo_require_reauthentication
+- package_telnet_removed
+- file_permissions_unauthorized_world_writable
+- audit_rules_dac_modification_fchown
+- chronyd_run_as_chrony_user
+- file_at_deny_not_exist
+- file_groupowner_crontab
+- sysctl_fs_suid_dumpable
+- selinux_confinement_of_daemons
+- security_patches_up_to_date
+- file_permissions_cron_weekly
+- file_cron_deny_not_exist
+- file_permissions_etc_group
+- accounts_password_set_max_life_existing
+- package_audit_installed
+- file_permissions_var_log_audit
+- accounts_no_uid_except_zero
+- disable_host_auth
+- file_permissions_ungroupowned
+- dconf_gnome_screensaver_lock_enabled
+- sshd_disable_empty_passwords
+- aide_build_database
+- file_owner_user_cfg
+- package_tftp-server_removed
+- dconf_gnome_screensaver_mode_blank
+- audit_rules_file_deletion_events_renameat
+- accounts_password_all_shadowed
+- audit_rules_mac_modification
+- account_unique_id
+- accounts_set_post_pw_existing
+- audit_rules_login_events_tallylog
+- file_ownership_var_log_audit
+- file_permissions_cron_d
+- disable_users_coredumps
+- file_groupowner_cron_hourly
+- dconf_db_up_to_date
+- sysctl_net_ipv4_ip_forward
+- file_owner_cron_monthly
+- set_password_hashing_algorithm_logindefs
+- audit_rules_usergroup_modification_passwd
+- no_password_auth_for_systemaccounts
+- sshd_set_maxstartups
+- dconf_gnome_screensaver_idle_activation_enabled
+- file_groupowner_cron_allow
+- sudo_add_use_pty
+- accounts_maximum_age_login_defs
+- configure_firewalld_ports
+- service_firewalld_enabled
+- audit_rules_dac_modification_lchown
+- ensure_redhat_gpgkey_installed
+- file_owner_etc_group
+- accounts_password_pam_pwhistory_remember_password_auth
+- display_login_attempts
+- group_unique_id
+- kernel_module_sctp_disabled
+- selinux_policytype
+- file_groupowner_user_cfg
+- dconf_gnome_disable_automount
+- timer_logrotate_enabled
+- file_groupowner_cron_weekly
+- package_net-snmp_removed
+- coredump_disable_backtraces
+- enable_authselect
+- auditd_data_retention_admin_space_left_action
+- file_groupowner_etc_issue_net
+- file_permissions_user_cfg
+- network_nmcli_permissions
+- sysctl_net_ipv4_conf_all_send_redirects
+- gnome_gdm_disable_automatic_login
+- rpm_verify_ownership
+- configure_ssh_crypto_policy
+- dconf_gnome_screensaver_lock_delay
+- audit_rules_usergroup_modification_shadow
+- file_permissions_etc_passwd
+- ensure_pam_wheel_group_empty
+- file_permissions_backup_etc_shadow
+- kernel_module_dccp_disabled
+- file_owner_crontab
+- sudo_custom_logfile
+- sshd_disable_tcp_forwarding
+- sshd_disable_x11_forwarding
+- ensure_gpgcheck_never_disabled
+- audit_rules_dac_modification_fchmod
+- file_owner_etc_issue_net
+- account_disable_post_pw_expiration
+- accounts_password_pam_lcredit
+- sshd_enable_pam
+- audit_rules_file_deletion_events_unlink
+- set_firewalld_default_zone
+- sshd_set_keepalive
+- sysctl_net_ipv4_tcp_syncookies
+- postfix_network_listening_disabled
+- rsyslog_files_groupownership
+- selinux_state
+- no_direct_root_logins
+- service_auditd_enabled
+- file_permissions_grub2_cfg
+- audit_rules_time_watch_localtime
+- file_permissions_sshd_private_key
+- accounts_password_pam_unix_remember
+- audit_rules_time_adjtimex
+- no_empty_passwords
+- package_cryptsetup-luks_installed
+- grub2_enable_selinux
+- file_permissions_sshd_pub_key
+- service_nftables_disabled
+- accounts_password_pam_minlen
+- file_permissions_cron_allow
+- audit_rules_dac_modification_fchmodat
+- use_pam_wheel_group_for_su
+- grub2_audit_argument
+- sysctl_net_ipv4_conf_all_secure_redirects
+- auditd_audispd_syslog_plugin_activated
+- file_owner_cron_d
+- accounts_password_pam_pwhistory_remember_system_auth
+- audit_rules_time_clock_settime
+- file_permissions_etc_issue_net
+- dir_perms_world_writable_sticky_bits
+- service_rsyncd_disabled
+- auditd_data_retention_space_left
+- sysctl_kernel_randomize_va_space
+- sysctl_net_ipv4_conf_all_rp_filter
+- sshd_set_max_auth_tries
+- audit_rules_dac_modification_chmod
+- sysctl_net_ipv4_conf_default_accept_redirects
+- package_telnet-server_removed
+- audit_rules_suid_privilege_function
+- audit_rules_time_settimeofday
+- sshd_disable_root_login
+- sysctl_net_ipv6_conf_default_accept_source_route
+- audit_rules_usergroup_modification_group
+- audit_rules_dac_modification_fsetxattr
+- file_permissions_backup_etc_passwd
+- audit_rules_dac_modification_removexattr
+- file_permissions_sshd_config
+- file_group_ownership_var_log_audit
+- audit_rules_dac_modification_setxattr
+- audit_rules_immutable
+- package_tftp_removed
+- network_sniffer_disabled
+- auditd_name_format
+- no_empty_passwords_etc_shadow
+- package_dhcp_removed
+- audit_rules_dac_modification_lremovexattr
+- file_groupowner_at_allow
+- package_aide_installed
+- audit_rules_media_export
+- rpm_verify_hashes
+- file_permissions_cron_monthly
+- package_ftp_removed
+- securetty_root_login_console_only
+- rsyslog_files_ownership
+- accounts_password_last_change_is_in_past
+- sshd_disable_rhosts
+- chronyd_specify_remote_server
+- file_groupowner_etc_group
+- file_groupowner_backup_etc_group
+- sysctl_net_ipv4_conf_default_send_redirects
+- file_permissions_backup_etc_group
+- audit_rules_dac_modification_fchownat
+- file_groupowner_grub2_cfg
+- kernel_module_usb-storage_disabled
+- package_libselinux_installed
+- accounts_password_pam_dcredit
+- service_rpcbind_disabled
+- audit_rules_file_deletion_events_rmdir
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- file_owner_cron_weekly
+- audit_rules_usergroup_modification_gshadow
+- gid_passwd_group_same
+- package_chrony_installed
+- sshd_do_not_permit_user_env
+- dconf_gnome_session_idle_user_locks
+- sudo_require_authentication
+- accounts_passwords_pam_faillock_deny
+- file_groupowner_cron_daily
+- file_owner_etc_shadow
+- account_unique_name
+- sshd_set_idle_timeout
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- no_files_unowned_by_user
+- sysctl_kernel_core_pattern
+- file_groupowner_cron_monthly
+- audit_rules_dac_modification_chown
+- set_ip6tables_default_rule
+- audit_rules_dac_modification_fremovexattr
+- ensure_gpgcheck_globally_activated
+- firewalld_loopback_traffic_trusted
+- configure_crypto_policy
+- wireless_disable_interfaces
+- accounts_root_gid_zero
+- accounts_password_warn_age_login_defs
+- accounts_password_set_warn_age_existing
+- aide_periodic_cron_checking
+- file_groupowner_etc_shadow
+- audit_rules_usergroup_modification_opasswd
+- file_permissions_cron_hourly
+- var_multiple_time_servers=generic
+- var_auditd_admin_space_left_action=single
+- var_auditd_space_left=100MB
+- var_auditd_space_left_action=email
+- var_auditd_name_format=fqd
+- var_accounts_maximum_age_login_defs=90
+- var_accounts_password_warn_age_login_defs=7
+- var_password_pam_unix_remember=4
+- var_password_pam_remember=4
+- var_password_pam_remember_control_flag=requisite_or_required
+- var_password_pam_dcredit=1
+- var_password_pam_lcredit=1
+- var_password_pam_minlen=12
+- var_accounts_passwords_pam_faillock_deny=10
+- var_accounts_passwords_pam_faillock_unlock_time=1800
+- var_password_pam_tally2=10
+- var_accounts_passwords_pam_tally2_unlock_time=1800
+- var_password_hashing_algorithm=SHA512
+- inactivity_timeout_value=15_minutes
+- var_screensaver_lock_delay=10_seconds
+- sshd_idle_timeout_value=15_minutes
+- var_sshd_set_keepalive=0
+- var_account_disable_post_pw_expiration=90
+- var_system_crypto_policy=default_policy
+- var_sshd_set_login_grace_time=60
+- var_postfix_inet_interfaces=loopback-only
+- var_selinux_policy_name=targeted
+- var_selinux_state=enforcing
+unselected_groups: []
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+policies:
+- pcidss_4
+title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
+definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/pci-dss.profile
+documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
new file mode 100644
index 00000000000..3f0ac1a0def
--- /dev/null
+++ b/tests/data/profile_stability/rhel9/stig.profile
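Review bot: `definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/pci-dss.profile` bakes a developer-specific absolute path into a committed fixture; the same key appears in the rhel9 stig and stig_gui snapshots added by this patch (and in the cis_workstation_l2 one whose hunk starts earlier). Unless the stability test strips this key before comparing, the fixture can only match on a checkout at that exact path, and the leaked home directory and username are noise in a file meant to track rule membership. I would have the snapshot generator emit a repository-relative value (`definition_location: products/rhel9/profiles/pci-dss.profile`) or drop the key, and have the test ignore it either way. Separately, freezing `var_password_pam_tally2=10` and `var_accounts_passwords_pam_tally2_unlock_time=1800` means these pam_tally2 variables are now guarded by CI on a platform that appears to rely on faillock; that may be intended, but it is worth a conscious decision before the fixture locks them in.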
@@ -0,0 +1,587 @@
+description: 'This profile contains configuration checks that align to the
+
+ DISA STIG for Red Hat Enterprise Linux 9 V1R2.
+
+
+ In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes
+ this
+
+ configuration baseline as applicable to the operating system tier of
+
+ Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
+
+
+ - Red Hat Enterprise Linux Server
+
+ - Red Hat Enterprise Linux Workstation and Desktop
+
+ - Red Hat Enterprise Linux for HPC
+
+ - Red Hat Storage
+
+ - Red Hat Containers with a Red Hat Enterprise Linux 9 image'
+extends: null
+hidden: ''
+metadata:
+ version: V1R2
+ SMEs:
+ - mab879
+ - ggbecker
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+selections:
+- configure_bashrc_tmux
+- package_crypto-policies_installed
+- sysctl_net_ipv4_conf_all_accept_redirects
+- set_password_hashing_min_rounds_logindefs
+- sysctl_net_ipv6_conf_all_accept_redirects
+- audit_rules_login_events_lastlog
+- tftpd_uses_secure_mode
+- file_owner_cron_daily
+- accounts_logon_fail_delay
+- file_owner_backup_etc_shadow
+- mount_option_nodev_removable_partitions
+- sshd_disable_compression
+- audit_rules_dac_modification_lsetxattr
+- audit_rules_privileged_commands_chsh
+- configure_opensc_card_drivers
+- installed_OS_is_vendor_supported
+- sysctl_net_ipv4_conf_default_log_martians
+- audit_rules_unsuccessful_file_modification_truncate
+- auditd_data_retention_space_left_action
+- configure_usbguard_auditbackend
+- accounts_password_pam_unix_rounds_system_auth
+- grub2_audit_backlog_limit_argument
+- audit_rules_file_deletion_events_unlinkat
+- file_permissions_home_directories
+- file_permissions_crontab
+- audit_rules_kernel_module_loading_finit
+- require_emergency_target_auth
+- no_host_based_files
+- file_permissions_var_log_messages
+- sudo_require_reauthentication
+- sysctl_fs_protected_symlinks
+- accounts_no_uid_except_zero
+- disable_host_auth
+- dir_group_ownership_library_dirs
+- accounts_passwords_pam_faillock_deny_root
+- audit_rules_privileged_commands_unix_chkpwd
+- package_tftp-server_removed
+- service_usbguard_enabled
+- package_sendmail_removed
+- file_groupowner_backup_etc_gshadow
+- package_nss-tools_installed
+- account_unique_id
+- grub2_password
+- rsyslog_encrypt_offload_actionsendstreamdrivermode
+- audit_rules_privileged_commands_crontab
+- accounts_maximum_age_login_defs
+- configure_bind_crypto_policy
+- configure_firewalld_ports
+- postfix_client_configure_mail_alias
+- enable_dracut_fips_module
+- file_owner_etc_group
+- require_singleuser_auth
+- file_permission_user_init_files
+- sshd_use_priv_separation
+- service_autofs_disabled
+- audit_rules_execution_setfacl
+- file_permissions_backup_etc_gshadow
+- sysctl_net_core_bpf_jit_harden
+- accounts_password_pam_enforce_root
+- no_user_host_based_files
+- file_owner_crontab
+- package_rsyslog-gnutls_installed
+- package_iprutils_removed
+- package_s-nail_installed
+- ensure_gpgcheck_never_disabled
+- aide_verify_ext_attributes
+- sshd_set_keepalive
+- sysctl_net_ipv4_tcp_syncookies
+- accounts_password_pam_lcredit
+- directory_group_ownership_var_log_audit
+- accounts_umask_etc_bashrc
+- mount_option_var_log_audit_nodev
+- service_auditd_enabled
+- audit_rules_kernel_module_loading_delete
+- dconf_gnome_screensaver_user_locks
+- no_empty_passwords
+- file_permissions_binary_dirs
+- accounts_password_pam_minlen
+- audit_rules_dac_modification_fchmodat
+- firewalld-backend
+- accounts_password_pam_ocredit
+- grub2_audit_argument
+- package_pcsc-lite_installed
+- file_groupowner_sshd_config
+- dir_perms_world_writable_sticky_bits
+- mount_option_var_log_audit_nosuid
+- logind_session_timeout
+- accounts_password_pam_ucredit
+- package_fapolicyd_installed
+- accounts_user_dot_no_world_writable_programs
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- package_telnet-server_removed
+- audit_rules_suid_privilege_function
+- accounts_user_home_paths_only
+- file_groupownership_home_directories
+- package_subscription-manager_installed
+- sysctl_net_ipv6_conf_default_accept_source_route
+- auditd_data_retention_admin_space_left_percentage
+- audit_rules_dac_modification_fsetxattr
+- sshd_disable_gssapi_auth
+- file_permissions_sshd_config
+- file_permissions_var_log
+- audit_rules_immutable
+- file_groupownership_system_commands_dirs
+- accounts_umask_interactive_users
+- mount_option_dev_shm_nodev
+- file_permissions_cron_monthly
+- account_temp_expire_date
+- audit_rules_privileged_commands_umount
+- chronyd_specify_remote_server
+- sysctl_net_ipv4_conf_default_send_redirects
+- file_permissions_backup_etc_group
+- audit_rules_dac_modification_fchownat
+- file_audit_tools_permissions
+- kernel_module_usb-storage_disabled
+- mount_option_tmp_nodev
+- service_chronyd_enabled
+- file_owner_var_log_messages
+- audit_rules_file_deletion_events_rmdir
+- audit_rules_usergroup_modification_gshadow
+- gid_passwd_group_same
+- install_smartcard_packages
+- sysctl_net_ipv6_conf_default_accept_redirects
+- package_tuned_removed
+- set_password_hashing_algorithm_passwordauth
+- sysctl_kernel_perf_event_paranoid
+- dconf_gnome_session_idle_user_locks
+- accounts_password_set_min_life_existing
+- package_openssh-server_installed
+- audit_rules_privileged_commands_gpasswd
+- audit_privileged_commands_init
+- kernel_module_tipc_disabled
+- agent_mfetpd_running
+- disable_ctrlaltdel_reboot
+- dconf_gnome_banner_enabled
+- accounts_authorized_local_users
+- file_groupowner_cron_d
+- audit_rules_usergroup_modification_opasswd
+- service_kdump_disabled
+- accounts_passwords_pam_faillock_unlock_time
+- package_usbguard_installed
+- dir_perms_world_writable_root_owned
+- file_owner_grub2_cfg
+- auditd_audispd_configure_sufficiently_large_partition
+- sssd_has_trust_anchor
+- no_shelllogin_for_systemaccounts
+- audit_rules_privileged_commands_postqueue
+- dconf_gnome_screensaver_idle_delay
+- package_gnutls-utils_installed
+- sshd_enable_warning_banner
+- sudo_remove_no_authenticate
+- configure_kerberos_crypto_policy
+- file_groupowner_var_log_messages
+- kernel_module_can_disabled
+- sshd_set_loglevel_verbose
+- accounts_user_interactive_home_directory_exists
+- configure_tmux_lock_after_time
+- accounts_tmout
+- file_audit_tools_group_ownership
+- accounts_password_pam_maxclassrepeat
+- sshd_x11_use_localhost
+- file_groupowner_backup_etc_shadow
+- audit_rules_privileged_commands_newgrp
+- selinux_all_devicefiles_labeled
+- file_owner_etc_passwd
+- mount_option_var_tmp_nodev
+- partition_for_home
+- audit_rules_file_deletion_events_rename
+- grub2_vsyscall_argument
+- account_password_selinux_faillock_dir
+- accounts_password_pam_retry
+- audit_rules_privileged_commands_ssh_agent
+- audit_rules_system_shutdown
+- audit_privileged_commands_shutdown
+- file_permissions_cron_weekly
+- file_permissions_etc_group
+- sysctl_kernel_exec_shield
+- file_permissions_ungroupowned
+- accounts_have_homedir_login_defs
+- accounts_password_pam_difok
+- file_permissions_etc_audit_auditd
+- encrypt_partitions
+- audit_rules_privileged_commands_postdrop
+- clean_components_post_updating
+- audit_rules_login_events_tallylog
+- accounts_passwords_pam_faillock_audit
+- set_password_hashing_algorithm_logindefs
+- mount_option_tmp_nosuid
+- audit_rules_privileged_commands_sudoedit
+- service_firewalld_enabled
+- no_tmux_in_shells
+- sysctl_net_ipv4_conf_all_forwarding
+- rsyslog_nolisten
+- accounts_password_pam_pwhistory_remember_password_auth
+- display_login_attempts
+- kernel_module_sctp_disabled
+- coredump_disable_backtraces
+- auditd_data_retention_admin_space_left_action
+- accounts_user_interactive_home_directory_defined
+- configure_ssh_crypto_policy
+- xwindows_runlevel_target
+- chronyd_no_chronyc_network
+- sysctl_user_max_user_namespaces
+- package_vsftpd_removed
+- mount_option_nosuid_remote_filesystems
+- sshd_disable_x11_forwarding
+- sshd_enable_pam
+- audit_rules_kernel_module_loading_init
+- audit_rules_dac_modification_umount
+- file_permissions_sshd_pub_key
+- file_owner_cron_d
+- audit_rules_unsuccessful_file_modification_open
+- configure_libreswan_crypto_policy
+- mount_option_boot_nodev
+- accounts_umask_etc_login_defs
+- package_rsh-server_removed
+- network_configure_name_resolution
+- service_fapolicyd_enabled
+- mount_option_home_nodev
+- audit_rules_privileged_commands_unix_update
+- mount_option_dev_shm_noexec
+- auditd_local_events
+- audit_rules_usergroup_modification_group
+- audit_rules_dac_modification_removexattr
+- audit_rules_dac_modification_setxattr
+- audit_rules_execution_chcon
+- dir_permissions_library_dirs
+- grub2_disable_interactive_boot
+- audit_rules_dac_modification_lremovexattr
+- sudoers_validate_passwd
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_all_log_martians
+- dconf_gnome_lock_screen_on_smartcard_removal
+- file_groupowner_etc_group
+- sysctl_kernel_unprivileged_bpf_disabled
+- file_ownership_binary_dirs
+- sshd_enable_pubkey_auth
+- file_owner_cron_weekly
+- package_chrony_installed
+- audit_rules_sudoers
+- auditd_overflow_action
+- file_owner_etc_shadow
+- sshd_set_idle_timeout
+- service_sshd_enabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- audit_rules_dac_modification_chown
+- firewalld_sshd_port_enabled
+- file_groupowner_etc_shadow
+- mount_option_var_log_nosuid
+- file_permissions_cron_hourly
+- coredump_disable_storage
+- auditd_data_retention_action_mail_acct
+- file_groupowner_etc_gshadow
+- audit_rules_unsuccessful_file_modification_ftruncate
+- package_quagga_removed
+- package_nfs-utils_removed
+- kerberos_disable_no_keytab
+- kernel_module_firewire-core_disabled
+- package_audispd-plugins_installed
+- disallow_bypass_password_sudo
+- account_password_pam_faillock_system_auth
+- mount_option_var_tmp_noexec
+- audit_rules_privileged_commands_chage
+- mount_option_var_nodev
+- audit_rules_privileged_commands_kmod
+- auditd_log_format
+- file_permissions_etc_audit_rulesd
+- file_owner_backup_etc_group
+- auditd_write_logs
+- file_permissions_cron_daily
+- file_groupowner_backup_etc_passwd
+- file_audit_tools_ownership
+- aide_use_fips_hashes
+- dconf_gnome_disable_ctrlaltdel_reboot
+- package_sudo_installed
+- mount_option_noexec_remote_filesystems
+- file_owner_backup_etc_passwd
+- sshd_print_last_log
+- audit_rules_login_events_faillock
+- package_openssh-clients_installed
+- file_groupowner_etc_passwd
+- package_firewalld_installed
+- sysctl_net_ipv4_conf_all_accept_source_route
+- audit_rules_dac_modification_fchown
+- mount_option_home_nosuid
+- security_patches_up_to_date
+- auditd_data_disk_error_action_stig
+- grub2_admin_username
+- file_permissions_var_log_audit
+- mount_option_dev_shm_nosuid
+- sysctl_net_ipv6_conf_all_forwarding
+- file_permissions_cron_d
+- audit_rules_privileged_commands_sudo
+- postfix_client_configure_mail_alias_postmaster
+- mount_option_nodev_remote_filesystems
+- dconf_db_up_to_date
+- audit_rules_usergroup_modification_passwd
+- accounts_password_pam_minclass
+- service_rsyslog_enabled
+- aide_scan_notification
+- sysctl_net_ipv6_conf_all_accept_ra
+- audit_rules_dac_modification_lchown
+- ensure_redhat_gpgkey_installed
+- group_unique_id
+- rsyslog_remote_access_monitoring
+- file_groupowner_cron_weekly
+- enable_authselect
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- audit_rules_execution_semanage
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv4_conf_all_send_redirects
+- account_password_pam_faillock_password_auth
+- mount_option_home_noexec
+- file_permissions_backup_etc_shadow
+- sssd_certificate_verification
+- sysctl_kernel_dmesg_restrict
+- mount_option_krb_sec_remote_filesystems
+- mount_option_nosuid_removable_partitions
+- audit_rules_dac_modification_fchmod
+- audit_rules_privileged_commands_passwd
+- account_disable_post_pw_expiration
+- sshd_enable_strictmodes
+- aide_check_audit_tools
+- selinux_state
+- grub2_pti_argument
+- partition_for_var_tmp
+- file_owner_var_log
+- postfix_prevent_unrestricted_relay
+- sssd_offline_cred_expiration
+- audit_rules_privileged_commands_su
+- accounts_passwords_pam_faillock_interval
+- package_mcafeetp_installed
+- auditd_audispd_syslog_plugin_activated
+- accounts_password_pam_pwhistory_remember_system_auth
+- accounts_max_concurrent_login_sessions
+- chronyd_server_directive
+- grub2_slub_debug_argument
+- sysctl_net_ipv4_conf_all_rp_filter
+- accounts_password_pam_pwquality_system_auth
+- sysctl_net_ipv4_conf_default_accept_redirects
+- configure_openssl_tls_crypto_policy
+- audit_rules_privileged_commands_ssh_keysign
+- sudo_remove_nopasswd
+- configure_tmux_lock_command
+- file_permissions_backup_etc_passwd
+- audit_rules_execution_setsebool
+- auditd_name_format
+- no_empty_passwords_etc_shadow
+- package_aide_installed
+- mount_option_tmp_noexec
+- enable_fips_mode
+- sshd_disable_rhosts
+- accounts_umask_etc_profile
+- auditd_data_retention_max_log_file_action_stig
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- networkmanager_dns_mode
+- package_gssproxy_removed
+- grub2_page_poison_argument
+- file_groupowner_cron_daily
+- partition_for_var_log
+- aide_verify_acls
+- sysctl_kernel_core_pattern
+- file_groupowner_cron_monthly
+- accounts_password_minlen_login_defs
+- sshd_disable_kerb_auth
+- configure_openssl_crypto_policy
+- disable_ctrlaltdel_burstaction
+- ensure_gpgcheck_globally_activated
+- configure_crypto_policy
+- aide_periodic_cron_checking
+- file_permissions_etc_passwd
+- dconf_gnome_disable_restart_shutdown
+- set_password_hashing_algorithm_libuserconf
+- audit_privileged_commands_reboot
+- mount_option_var_log_nodev
+- sssd_enable_certmap
+- ssh_keys_passphrase_protected
+- sshd_disable_user_known_hosts
+- sysctl_fs_protected_hardlinks
+- mount_option_var_log_audit_noexec
+- audit_privileged_commands_poweroff
+- package_rng-tools_installed
+- file_owner_cron_hourly
+- dconf_gnome_disable_automount_open
+- service_systemd-journald_enabled
+- sssd_enable_smartcards
+- mount_option_var_log_noexec
+- partition_for_var
+- sshd_rekey_limit
+- package_policycoreutils_installed
+- mount_option_boot_efi_nosuid
+- sysctl_kernel_kptr_restrict
+- file_permissions_etc_shadow
+- sudo_restrict_privilege_elevation_to_authorized
+- mount_option_var_tmp_nosuid
+- xwindows_remove_packages
+- audit_rules_privileged_commands_userhelper
+- auditd_freq
+- accounts_password_pam_maxrepeat
+- file_groupowner_crontab
+- file_permissions_library_dirs
+- dconf_gnome_disable_autorun
+- accounts_password_set_max_life_existing
+- package_audit_installed
+- file_ownership_library_dirs
+- sshd_disable_empty_passwords
+- dconf_gnome_screensaver_lock_enabled
+- sysctl_kernel_yama_ptrace_scope
+- rsyslog_cron_logging
+- ensure_gpgcheck_local_packages
+- audit_rules_privileged_commands_mount
+- dconf_gnome_screensaver_mode_blank
+- audit_rules_execution_chacl
+- audit_rules_file_deletion_events_renameat
+- audit_rules_privileged_commands_usermod
+- mount_option_nodev_nonroot_local_partitions
+- disable_users_coredumps
+- file_groupowner_cron_hourly
+- file_owner_sshd_config
+- file_owner_cron_monthly
+- service_systemd-coredump_disabled
+- file_owner_cron_deny
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+- package_tmux_installed
+- audit_rules_sudoers_d
+- usbguard_generate_policy
+- selinux_policytype
+- audit_rules_dac_modification_umount2
+- audit_rules_execution_setfiles
+- audit_rules_privileged_commands_pam_timestamp_check
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- root_permissions_syslibrary_files
+- file_groupowner_cron_deny
+- gnome_gdm_disable_automatic_login
+- dconf_gnome_screensaver_lock_delay
+- audit_rules_usergroup_modification_shadow
+- configured_firewalld_default_deny
+- package_libreswan_installed
+- dir_ownership_library_dirs
+- audit_rules_file_deletion_events_unlink
+- accounts_umask_etc_csh_cshrc
+- accounts_minimum_age_login_defs
+- accounts_password_pam_pwquality_password_auth
+- file_permissions_etc_gshadow
+- file_permissions_sshd_private_key
+- use_pam_wheel_for_su
+- mount_option_boot_nosuid
+- mount_option_noexec_removable_partitions
+- sysctl_net_ipv6_conf_all_accept_source_route
+- kernel_module_bluetooth_disabled
+- file_owner_etc_gshadow
+- auditd_data_disk_full_action_stig
+- libreswan_approved_tunnels
+- package_rsyslog_installed
+- sysctl_kernel_randomize_va_space
+- package_opensc_installed
+- accounts_password_pam_unix_rounds_password_auth
+- file_groupowner_var_log
+- audit_rules_dac_modification_chmod
+- sysctl_kernel_kexec_load_disabled
+- sshd_disable_root_login
+- rsyslog_encrypt_offload_defaultnetstreamdriver
+- audit_rules_unsuccessful_file_modification_openat
+- accounts_password_all_shadowed_sha512
+- accounts_password_pam_dictcheck
+- network_sniffer_disabled
+- auditd_data_retention_space_left_percentage
+- chronyd_client_only
+- sysctl_net_ipv4_conf_default_accept_source_route
+- package_policycoreutils-python-utils_installed
+- directory_ownership_var_log_audit
+- file_groupowner_backup_etc_group
+- kernel_module_atm_disabled
+- file_groupowner_grub2_cfg
+- chronyd_or_ntpd_set_maxpoll
+- banner_etc_issue
+- accounts_password_pam_dcredit
+- sysctl_crypto_fips_enabled
+- dconf_gnome_disable_user_list
+- partition_for_tmp
+- accounts_passwords_pam_faillock_dir
+- sshd_do_not_permit_user_env
+- file_owner_backup_etc_gshadow
+- accounts_passwords_pam_faillock_deny
+- package_ypserv_removed
+- no_files_unowned_by_user
+- service_debug-shell_disabled
+- audit_rules_dac_modification_fremovexattr
+- partition_for_var_log_audit
+- wireless_disable_interfaces
+- kernel_module_cramfs_disabled
+- audit_rules_unsuccessful_file_modification_creat
+- rsyslog_remote_loghost
+- service_pcscd_enabled
+- var_system_crypto_policy=fips
+- var_auditd_freq=100
+- var_auditd_action_mail_acct=root
+- var_auditd_name_format=stig
+- var_auditd_max_log_file_action=rotate
+- var_auditd_admin_space_left_action=halt
+- var_auditd_admin_space_left_percentage=5pc
+- var_auditd_space_left_action=email
+- var_auditd_space_left_percentage=25pc
+- var_auditd_disk_full_action=halt
+- var_auditd_disk_error_action=halt
+- var_sssd_certificate_verification_digest_function=sha512
+- var_smartcard_drivers=cac
+- var_password_hashing_algorithm=SHA512
+- var_password_pam_minclass=4
+- var_password_pam_maxrepeat=3
+- var_password_pam_maxclassrepeat=4
+- var_password_pam_difok=8
+- var_password_pam_ucredit=1
+- var_password_pam_dictcheck=1
+- var_password_pam_ocredit=1
+- var_password_pam_minlen=15
+- var_accounts_minimum_age_login_defs=1
+- var_password_pam_dcredit=1
+- var_password_pam_lcredit=1
+- var_password_pam_unix_rounds=5000
+- var_password_pam_remember=5
+- var_password_pam_remember_control_flag=requisite_or_required
+- var_password_pam_retry=3
+- var_selinux_policy_name=targeted
+- var_selinux_state=enforcing
+- var_logind_session_timeout=15_minutes
+- var_accounts_fail_delay=4
+- var_accounts_max_concurrent_login_sessions=10
+- var_accounts_authorized_local_users_regex=rhel9
+- var_accounts_passwords_pam_faillock_unlock_time=never
+- var_accounts_passwords_pam_faillock_fail_interval=900
+- var_accounts_passwords_pam_faillock_deny=3
+- var_account_disable_post_pw_expiration=35
+- var_accounts_user_umask=077
+- var_accounts_maximum_age_login_defs=60
+- var_sshd_disable_compression=no
+- sshd_idle_timeout_value=10_minutes
+- var_sshd_set_keepalive=1
+- var_rekey_limit_size=1G
+- var_rekey_limit_time=1hour
+- sshd_approved_ciphers=stig_extended
+- var_networkmanager_dns_mode=none
+- var_multiple_time_servers=stig
+- var_time_service_set_maxpoll=18_hours
+- login_banner_text=dod_banners
+- var_authselect_profile=sssd
+unselected_groups: []
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+policies:
+- stig_rhel9
+title: DISA STIG for Red Hat Enterprise Linux 9
+definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/stig.profile
+documentation_complete: true
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
new file mode 100644
index 00000000000..f015b1493f3
--- /dev/null
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -0,0 +1,595 @@ +description: 'This profile contains configuration checks that align to the + + DISA STIG for Red Hat Enterprise Linux 9 V1R2. + + + + In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes + this + + configuration baseline as applicable to the operating system tier of + + Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: + + + - Red Hat Enterprise Linux Server + + - Red Hat Enterprise Linux Workstation and Desktop + + - Red Hat Enterprise Linux for HPC + + - Red Hat Storage + + - Red Hat Containers with a Red Hat Enterprise Linux 9 image + + + Warning: The installation and use of a Graphical User Interface (GUI) + + increases your attack vector and decreases your overall security posture. If + + your Information Systems Security Officer (ISSO) lacks a documented operational + + requirement for a graphical user interface, please consider using the + + standard DISA STIG for Red Hat Enterprise Linux 9 profile.' +extends: null +hidden: '' +metadata: + version: V1R2 + SMEs: + - mab879 + - ggbecker +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +selections: +- configure_bashrc_tmux +- package_crypto-policies_installed +- sysctl_net_ipv4_conf_all_accept_redirects +- set_password_hashing_min_rounds_logindefs +- sysctl_net_ipv6_conf_all_accept_redirects +- audit_rules_login_events_lastlog +- tftpd_uses_secure_mode +- file_owner_cron_daily +- accounts_logon_fail_delay +- file_owner_backup_etc_shadow +- mount_option_nodev_removable_partitions +- sshd_disable_compression +- audit_rules_dac_modification_lsetxattr +- audit_rules_privileged_commands_chsh +- configure_opensc_card_drivers +- installed_OS_is_vendor_supported +- sysctl_net_ipv4_conf_default_log_martians +- audit_rules_unsuccessful_file_modification_truncate +- auditd_data_retention_space_left_action +- configure_usbguard_auditbackend +- accounts_password_pam_unix_rounds_system_auth +- 
grub2_audit_backlog_limit_argument +- audit_rules_file_deletion_events_unlinkat +- file_permissions_home_directories +- file_permissions_crontab +- audit_rules_kernel_module_loading_finit +- require_emergency_target_auth +- no_host_based_files +- file_permissions_var_log_messages +- sudo_require_reauthentication +- sysctl_fs_protected_symlinks +- accounts_no_uid_except_zero +- disable_host_auth +- dir_group_ownership_library_dirs +- accounts_passwords_pam_faillock_deny_root +- audit_rules_privileged_commands_unix_chkpwd +- package_tftp-server_removed +- service_usbguard_enabled +- package_sendmail_removed +- file_groupowner_backup_etc_gshadow +- package_nss-tools_installed +- account_unique_id +- grub2_password +- rsyslog_encrypt_offload_actionsendstreamdrivermode +- audit_rules_privileged_commands_crontab +- accounts_maximum_age_login_defs +- configure_bind_crypto_policy +- configure_firewalld_ports +- postfix_client_configure_mail_alias +- enable_dracut_fips_module +- file_owner_etc_group +- require_singleuser_auth +- file_permission_user_init_files +- sshd_use_priv_separation +- service_autofs_disabled +- audit_rules_execution_setfacl +- file_permissions_backup_etc_gshadow +- sysctl_net_core_bpf_jit_harden +- accounts_password_pam_enforce_root +- no_user_host_based_files +- file_owner_crontab +- package_rsyslog-gnutls_installed +- package_iprutils_removed +- package_s-nail_installed +- ensure_gpgcheck_never_disabled +- aide_verify_ext_attributes +- sshd_set_keepalive +- sysctl_net_ipv4_tcp_syncookies +- accounts_password_pam_lcredit +- directory_group_ownership_var_log_audit +- accounts_umask_etc_bashrc +- mount_option_var_log_audit_nodev +- service_auditd_enabled +- audit_rules_kernel_module_loading_delete +- dconf_gnome_screensaver_user_locks +- no_empty_passwords +- file_permissions_binary_dirs +- accounts_password_pam_minlen +- audit_rules_dac_modification_fchmodat +- firewalld-backend +- accounts_password_pam_ocredit +- grub2_audit_argument +- 
package_pcsc-lite_installed +- file_groupowner_sshd_config +- dir_perms_world_writable_sticky_bits +- mount_option_var_log_audit_nosuid +- logind_session_timeout +- accounts_password_pam_ucredit +- package_fapolicyd_installed +- accounts_user_dot_no_world_writable_programs +- harden_sshd_ciphers_opensshserver_conf_crypto_policy +- package_telnet-server_removed +- audit_rules_suid_privilege_function +- accounts_user_home_paths_only +- file_groupownership_home_directories +- package_subscription-manager_installed +- sysctl_net_ipv6_conf_default_accept_source_route +- auditd_data_retention_admin_space_left_percentage +- audit_rules_dac_modification_fsetxattr +- sshd_disable_gssapi_auth +- file_permissions_sshd_config +- file_permissions_var_log +- audit_rules_immutable +- file_groupownership_system_commands_dirs +- accounts_umask_interactive_users +- mount_option_dev_shm_nodev +- file_permissions_cron_monthly +- account_temp_expire_date +- audit_rules_privileged_commands_umount +- chronyd_specify_remote_server +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_backup_etc_group +- audit_rules_dac_modification_fchownat +- file_audit_tools_permissions +- kernel_module_usb-storage_disabled +- mount_option_tmp_nodev +- service_chronyd_enabled +- file_owner_var_log_messages +- audit_rules_file_deletion_events_rmdir +- audit_rules_usergroup_modification_gshadow +- gid_passwd_group_same +- install_smartcard_packages +- sysctl_net_ipv6_conf_default_accept_redirects +- package_tuned_removed +- set_password_hashing_algorithm_passwordauth +- sysctl_kernel_perf_event_paranoid +- dconf_gnome_session_idle_user_locks +- accounts_password_set_min_life_existing +- package_openssh-server_installed +- audit_rules_privileged_commands_gpasswd +- audit_privileged_commands_init +- kernel_module_tipc_disabled +- agent_mfetpd_running +- disable_ctrlaltdel_reboot +- dconf_gnome_banner_enabled +- accounts_authorized_local_users +- file_groupowner_cron_d +- 
audit_rules_usergroup_modification_opasswd +- service_kdump_disabled +- accounts_passwords_pam_faillock_unlock_time +- package_usbguard_installed +- dir_perms_world_writable_root_owned +- file_owner_grub2_cfg +- auditd_audispd_configure_sufficiently_large_partition +- sssd_has_trust_anchor +- no_shelllogin_for_systemaccounts +- audit_rules_privileged_commands_postqueue +- dconf_gnome_screensaver_idle_delay +- package_gnutls-utils_installed +- sshd_enable_warning_banner +- sudo_remove_no_authenticate +- configure_kerberos_crypto_policy +- file_groupowner_var_log_messages +- kernel_module_can_disabled +- sshd_set_loglevel_verbose +- accounts_user_interactive_home_directory_exists +- configure_tmux_lock_after_time +- accounts_tmout +- file_audit_tools_group_ownership +- accounts_password_pam_maxclassrepeat +- sshd_x11_use_localhost +- file_groupowner_backup_etc_shadow +- audit_rules_privileged_commands_newgrp +- selinux_all_devicefiles_labeled +- file_owner_etc_passwd +- mount_option_var_tmp_nodev +- partition_for_home +- audit_rules_file_deletion_events_rename +- grub2_vsyscall_argument +- account_password_selinux_faillock_dir +- accounts_password_pam_retry +- audit_rules_privileged_commands_ssh_agent +- audit_rules_system_shutdown +- audit_privileged_commands_shutdown +- file_permissions_cron_weekly +- file_permissions_etc_group +- sysctl_kernel_exec_shield +- file_permissions_ungroupowned +- accounts_have_homedir_login_defs +- accounts_password_pam_difok +- file_permissions_etc_audit_auditd +- encrypt_partitions +- audit_rules_privileged_commands_postdrop +- clean_components_post_updating +- audit_rules_login_events_tallylog +- accounts_passwords_pam_faillock_audit +- set_password_hashing_algorithm_logindefs +- mount_option_tmp_nosuid +- audit_rules_privileged_commands_sudoedit +- service_firewalld_enabled +- no_tmux_in_shells +- sysctl_net_ipv4_conf_all_forwarding +- rsyslog_nolisten +- accounts_password_pam_pwhistory_remember_password_auth +- 
display_login_attempts +- kernel_module_sctp_disabled +- coredump_disable_backtraces +- auditd_data_retention_admin_space_left_action +- accounts_user_interactive_home_directory_defined +- configure_ssh_crypto_policy +- chronyd_no_chronyc_network +- sysctl_user_max_user_namespaces +- package_vsftpd_removed +- mount_option_nosuid_remote_filesystems +- sshd_disable_x11_forwarding +- sshd_enable_pam +- audit_rules_kernel_module_loading_init +- audit_rules_dac_modification_umount +- file_permissions_sshd_pub_key +- file_owner_cron_d +- audit_rules_unsuccessful_file_modification_open +- configure_libreswan_crypto_policy +- mount_option_boot_nodev +- accounts_umask_etc_login_defs +- package_rsh-server_removed +- network_configure_name_resolution +- service_fapolicyd_enabled +- mount_option_home_nodev +- audit_rules_privileged_commands_unix_update +- mount_option_dev_shm_noexec +- auditd_local_events +- audit_rules_usergroup_modification_group +- audit_rules_dac_modification_removexattr +- audit_rules_dac_modification_setxattr +- audit_rules_execution_chcon +- dir_permissions_library_dirs +- grub2_disable_interactive_boot +- audit_rules_dac_modification_lremovexattr +- sudoers_validate_passwd +- sysctl_net_ipv4_conf_default_rp_filter +- sysctl_net_ipv4_conf_all_log_martians +- dconf_gnome_lock_screen_on_smartcard_removal +- file_groupowner_etc_group +- sysctl_kernel_unprivileged_bpf_disabled +- file_ownership_binary_dirs +- sshd_enable_pubkey_auth +- file_owner_cron_weekly +- package_chrony_installed +- audit_rules_sudoers +- auditd_overflow_action +- file_owner_etc_shadow +- sshd_set_idle_timeout +- service_sshd_enabled +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- audit_rules_dac_modification_chown +- firewalld_sshd_port_enabled +- file_groupowner_etc_shadow +- mount_option_var_log_nosuid +- file_permissions_cron_hourly +- coredump_disable_storage +- auditd_data_retention_action_mail_acct +- file_groupowner_etc_gshadow +- 
audit_rules_unsuccessful_file_modification_ftruncate +- package_quagga_removed +- kerberos_disable_no_keytab +- kernel_module_firewire-core_disabled +- package_audispd-plugins_installed +- disallow_bypass_password_sudo +- account_password_pam_faillock_system_auth +- mount_option_var_tmp_noexec +- audit_rules_privileged_commands_chage +- mount_option_var_nodev +- audit_rules_privileged_commands_kmod +- auditd_log_format +- file_permissions_etc_audit_rulesd +- file_owner_backup_etc_group +- auditd_write_logs +- file_permissions_cron_daily +- file_groupowner_backup_etc_passwd +- file_audit_tools_ownership +- aide_use_fips_hashes +- dconf_gnome_disable_ctrlaltdel_reboot +- package_sudo_installed +- mount_option_noexec_remote_filesystems +- file_owner_backup_etc_passwd +- sshd_print_last_log +- audit_rules_login_events_faillock +- package_openssh-clients_installed +- file_groupowner_etc_passwd +- package_firewalld_installed +- sysctl_net_ipv4_conf_all_accept_source_route +- audit_rules_dac_modification_fchown +- mount_option_home_nosuid +- security_patches_up_to_date +- auditd_data_disk_error_action_stig +- grub2_admin_username +- file_permissions_var_log_audit +- mount_option_dev_shm_nosuid +- sysctl_net_ipv6_conf_all_forwarding +- file_permissions_cron_d +- audit_rules_privileged_commands_sudo +- postfix_client_configure_mail_alias_postmaster +- mount_option_nodev_remote_filesystems +- dconf_db_up_to_date +- audit_rules_usergroup_modification_passwd +- accounts_password_pam_minclass +- service_rsyslog_enabled +- aide_scan_notification +- sysctl_net_ipv6_conf_all_accept_ra +- audit_rules_dac_modification_lchown +- ensure_redhat_gpgkey_installed +- group_unique_id +- rsyslog_remote_access_monitoring +- file_groupowner_cron_weekly +- enable_authselect +- harden_sshd_ciphers_openssh_conf_crypto_policy +- audit_rules_execution_semanage +- sysctl_net_ipv6_conf_default_accept_ra +- sysctl_net_ipv4_conf_all_send_redirects +- account_password_pam_faillock_password_auth +- 
mount_option_home_noexec +- file_permissions_backup_etc_shadow +- sssd_certificate_verification +- sysctl_kernel_dmesg_restrict +- mount_option_krb_sec_remote_filesystems +- mount_option_nosuid_removable_partitions +- audit_rules_dac_modification_fchmod +- audit_rules_privileged_commands_passwd +- account_disable_post_pw_expiration +- sshd_enable_strictmodes +- aide_check_audit_tools +- selinux_state +- grub2_pti_argument +- partition_for_var_tmp +- file_owner_var_log +- postfix_prevent_unrestricted_relay +- sssd_offline_cred_expiration +- audit_rules_privileged_commands_su +- accounts_passwords_pam_faillock_interval +- package_mcafeetp_installed +- auditd_audispd_syslog_plugin_activated +- accounts_password_pam_pwhistory_remember_system_auth +- accounts_max_concurrent_login_sessions +- chronyd_server_directive +- grub2_slub_debug_argument +- sysctl_net_ipv4_conf_all_rp_filter +- accounts_password_pam_pwquality_system_auth +- sysctl_net_ipv4_conf_default_accept_redirects +- configure_openssl_tls_crypto_policy +- audit_rules_privileged_commands_ssh_keysign +- sudo_remove_nopasswd +- configure_tmux_lock_command +- file_permissions_backup_etc_passwd +- audit_rules_execution_setsebool +- auditd_name_format +- no_empty_passwords_etc_shadow +- package_aide_installed +- mount_option_tmp_noexec +- enable_fips_mode +- sshd_disable_rhosts +- accounts_umask_etc_profile +- auditd_data_retention_max_log_file_action_stig +- sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- networkmanager_dns_mode +- package_gssproxy_removed +- grub2_page_poison_argument +- file_groupowner_cron_daily +- partition_for_var_log +- aide_verify_acls +- sysctl_kernel_core_pattern +- file_groupowner_cron_monthly +- accounts_password_minlen_login_defs +- sshd_disable_kerb_auth +- configure_openssl_crypto_policy +- disable_ctrlaltdel_burstaction +- ensure_gpgcheck_globally_activated +- configure_crypto_policy +- aide_periodic_cron_checking +- file_permissions_etc_passwd +- 
dconf_gnome_disable_restart_shutdown +- set_password_hashing_algorithm_libuserconf +- audit_privileged_commands_reboot +- mount_option_var_log_nodev +- sssd_enable_certmap +- ssh_keys_passphrase_protected +- sshd_disable_user_known_hosts +- sysctl_fs_protected_hardlinks +- mount_option_var_log_audit_noexec +- audit_privileged_commands_poweroff +- package_rng-tools_installed +- file_owner_cron_hourly +- dconf_gnome_disable_automount_open +- service_systemd-journald_enabled +- sssd_enable_smartcards +- mount_option_var_log_noexec +- partition_for_var +- sshd_rekey_limit +- package_policycoreutils_installed +- mount_option_boot_efi_nosuid +- sysctl_kernel_kptr_restrict +- file_permissions_etc_shadow +- sudo_restrict_privilege_elevation_to_authorized +- mount_option_var_tmp_nosuid +- audit_rules_privileged_commands_userhelper +- auditd_freq +- accounts_password_pam_maxrepeat +- file_groupowner_crontab +- file_permissions_library_dirs +- dconf_gnome_disable_autorun +- accounts_password_set_max_life_existing +- package_audit_installed +- file_ownership_library_dirs +- sshd_disable_empty_passwords +- dconf_gnome_screensaver_lock_enabled +- sysctl_kernel_yama_ptrace_scope +- rsyslog_cron_logging +- ensure_gpgcheck_local_packages +- audit_rules_privileged_commands_mount +- dconf_gnome_screensaver_mode_blank +- audit_rules_execution_chacl +- audit_rules_file_deletion_events_renameat +- audit_rules_privileged_commands_usermod +- mount_option_nodev_nonroot_local_partitions +- disable_users_coredumps +- file_groupowner_cron_hourly +- file_owner_sshd_config +- file_owner_cron_monthly +- service_systemd-coredump_disabled +- file_owner_cron_deny +- rsyslog_encrypt_offload_actionsendstreamdriverauthmode +- package_tmux_installed +- audit_rules_sudoers_d +- usbguard_generate_policy +- selinux_policytype +- audit_rules_dac_modification_umount2 +- audit_rules_execution_setfiles +- audit_rules_privileged_commands_pam_timestamp_check +- 
audit_rules_unsuccessful_file_modification_open_by_handle_at +- root_permissions_syslibrary_files +- file_groupowner_cron_deny +- gnome_gdm_disable_automatic_login +- dconf_gnome_screensaver_lock_delay +- audit_rules_usergroup_modification_shadow +- configured_firewalld_default_deny +- package_libreswan_installed +- dir_ownership_library_dirs +- audit_rules_file_deletion_events_unlink +- accounts_umask_etc_csh_cshrc +- accounts_minimum_age_login_defs +- accounts_password_pam_pwquality_password_auth +- file_permissions_etc_gshadow +- file_permissions_sshd_private_key +- use_pam_wheel_for_su +- mount_option_boot_nosuid +- mount_option_noexec_removable_partitions +- sysctl_net_ipv6_conf_all_accept_source_route +- kernel_module_bluetooth_disabled +- file_owner_etc_gshadow +- auditd_data_disk_full_action_stig +- libreswan_approved_tunnels +- package_rsyslog_installed +- sysctl_kernel_randomize_va_space +- package_opensc_installed +- accounts_password_pam_unix_rounds_password_auth +- file_groupowner_var_log +- audit_rules_dac_modification_chmod +- sysctl_kernel_kexec_load_disabled +- sshd_disable_root_login +- rsyslog_encrypt_offload_defaultnetstreamdriver +- audit_rules_unsuccessful_file_modification_openat +- accounts_password_all_shadowed_sha512 +- accounts_password_pam_dictcheck +- network_sniffer_disabled +- auditd_data_retention_space_left_percentage +- chronyd_client_only +- sysctl_net_ipv4_conf_default_accept_source_route +- package_policycoreutils-python-utils_installed +- directory_ownership_var_log_audit +- file_groupowner_backup_etc_group +- kernel_module_atm_disabled +- file_groupowner_grub2_cfg +- chronyd_or_ntpd_set_maxpoll +- banner_etc_issue +- accounts_password_pam_dcredit +- sysctl_crypto_fips_enabled +- dconf_gnome_disable_user_list +- partition_for_tmp +- accounts_passwords_pam_faillock_dir +- sshd_do_not_permit_user_env +- file_owner_backup_etc_gshadow +- accounts_passwords_pam_faillock_deny +- package_ypserv_removed +- no_files_unowned_by_user +- 
service_debug-shell_disabled
+- audit_rules_dac_modification_fremovexattr
+- partition_for_var_log_audit
+- wireless_disable_interfaces
+- kernel_module_cramfs_disabled
+- audit_rules_unsuccessful_file_modification_creat
+- rsyslog_remote_loghost
+- service_pcscd_enabled
+- var_system_crypto_policy=fips
+- var_auditd_freq=100
+- var_auditd_action_mail_acct=root
+- var_auditd_name_format=stig
+- var_auditd_max_log_file_action=rotate
+- var_auditd_admin_space_left_action=halt
+- var_auditd_admin_space_left_percentage=5pc
+- var_auditd_space_left_action=email
+- var_auditd_space_left_percentage=25pc
+- var_auditd_disk_full_action=halt
+- var_auditd_disk_error_action=halt
+- var_sssd_certificate_verification_digest_function=sha512
+- var_smartcard_drivers=cac
+- var_password_hashing_algorithm=SHA512
+- var_password_pam_minclass=4
+- var_password_pam_maxrepeat=3
+- var_password_pam_maxclassrepeat=4
+- var_password_pam_difok=8
+- var_password_pam_ucredit=1
+- var_password_pam_dictcheck=1
+- var_password_pam_ocredit=1
+- var_password_pam_minlen=15
+- var_accounts_minimum_age_login_defs=1
+- var_password_pam_dcredit=1
+- var_password_pam_lcredit=1
+- var_password_pam_unix_rounds=5000
+- var_password_pam_remember=5
+- var_password_pam_remember_control_flag=requisite_or_required
+- var_password_pam_retry=3
+- var_selinux_policy_name=targeted
+- var_selinux_state=enforcing
+- var_logind_session_timeout=15_minutes
+- var_accounts_fail_delay=4
+- var_accounts_max_concurrent_login_sessions=10
+- var_accounts_authorized_local_users_regex=rhel9
+- var_accounts_passwords_pam_faillock_unlock_time=never
+- var_accounts_passwords_pam_faillock_fail_interval=900
+- var_accounts_passwords_pam_faillock_deny=3
+- var_account_disable_post_pw_expiration=35
+- var_accounts_user_umask=077
+- var_accounts_maximum_age_login_defs=60
+- var_sshd_disable_compression=no
+- sshd_idle_timeout_value=10_minutes
+- var_sshd_set_keepalive=1
+- var_rekey_limit_size=1G
+- var_rekey_limit_time=1hour
+- sshd_approved_ciphers=stig_extended
+- var_networkmanager_dns_mode=none
+- var_multiple_time_servers=stig
+- var_time_service_set_maxpoll=18_hours
+- login_banner_text=dod_banners
+- var_authselect_profile=sssd
+unselected_groups: []
+platforms: !!set {}
+cpe_names: !!set {}
+platform: null
+filter_rules: ''
+policies: []
+title: DISA STIG with GUI for Red Hat Enterprise Linux 9
+definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/stig_gui.profile
+documentation_complete: true
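Review bot: `definition_location: /home/jcerny/work/git/content/products/rhel9/profiles/stig_gui.profile` at the end of the hunk is an absolute path from one developer's home directory; if the stability test compares that key the fixture can never match on CI or another checkout, and if it ignores it the key is a leaked local path that will churn every time someone regenerates the snapshot, so either drop it before dumping or store it relative to the repository root, `definition_location: products/rhel9/profiles/stig_gui.profile`. The same value appears in the stig.profile hunk above and, judging by the diffstat, presumably in the other sixteen snapshots added by this commit. Separately, the `selections:` list is in neither alphabetical nor definition order, which looks like set-iteration order; sorting the rule ids and the `var_*=value` entries before dumping would keep the snapshot deterministic and make future diffs minimal when a single rule is added or removed. `policies: []` also differs from the `stig_rhel9` entry in the stig.profile snapshot, so it is worth confirming that the GUI variant intentionally carries no policy mapping rather than losing it in the dump.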