From 4df42c4f6155958ab2eb19f86cb0c74cc208fddd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 28 Jun 2026 14:42:30 +0000
Subject: [PATCH] Update NIST 800-53 CIS reference from latest mappings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This automated update regenerates the CIS→NIST reference file from the latest OSCAL catalog and CIS benchmark mappings.
Changes: +184/-91 lines in CIS reference files
⚠️ MANUAL ACTION REQUIRED: Review the diff and manually update the product control files.
Generated by: Weekly NIST 800-53 Sync Workflow
Co-Authored-By: github-actions[bot]
---
 .../nist_800_53_cis_reference_rhel10/ac.yml | 6 +-
 .../nist_800_53_cis_reference_rhel10/au.yml | 16 ++++-
 .../nist_800_53_cis_reference_rhel10/cm.yml | 55 ++++++++++------
 .../nist_800_53_cis_reference_rhel10/ia.yml | 16 +++--
 .../nist_800_53_cis_reference_rhel8/ac.yml | 4 +-
 .../nist_800_53_cis_reference_rhel8/au.yml | 12 +++-
 .../nist_800_53_cis_reference_rhel8/cm.yml | 63 ++++++++++++-------
 .../nist_800_53_cis_reference_rhel8/ia.yml | 12 ++--
 .../nist_800_53_cis_reference_rhel9/ac.yml | 4 +-
 .../nist_800_53_cis_reference_rhel9/au.yml | 20 ++++--
 .../nist_800_53_cis_reference_rhel9/cm.yml | 53 ++++++++++------
 .../nist_800_53_cis_reference_rhel9/ia.yml | 14 +++--
 12 files changed, 184 insertions(+), 91 deletions(-)
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
index 66e1a43c67a..bf515d4dfe6 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml
@@ -90,9 +90,9 @@ controls:
 levels:
 - low
 rules:
+ - var_accounts_user_umask=027
 - var_selinux_policy_name=targeted
 - var_pam_wheel_group_for_su=cis
- - var_accounts_user_umask=027
 - accounts_umask_etc_bashrc
 - accounts_umask_etc_login_defs
 - accounts_umask_etc_profile
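Review bot: The rules list in this hunk is only reordered (`var_accounts_user_umask=027` moves from fourth to first position), and the same reorder-only churn appears in ac.yml @@ -495 and @@ -561, in cm.yml @@ -215 and in the rhel8/rhel9 counterparts, which suggests the generator emits variable selections in mapping-iteration or hash order rather than a stable one. A weekly sync that shuffles lines hides the real changes (new sysctl values, duplicated entries) from review and produces a spurious conflict on every product-file update the commit message asks for. Sorting the variable entries in the generator, for example by name while keeping variables ahead of rule ids as these files already do, would make the output reproducible and hunks like this one would disappear.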
@@ -495,8 +495,8 @@ controls:
 levels:
 - low
 rules:
- - var_accounts_passwords_pam_faillock_root_unlock_time=60
 - var_accounts_passwords_pam_faillock_deny=5
+ - var_accounts_passwords_pam_faillock_root_unlock_time=60
 - var_accounts_passwords_pam_faillock_unlock_time=900
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
@@ -561,8 +561,8 @@ controls:
 levels:
 - moderate
 rules:
- - inactivity_timeout_value=15_minutes
 - var_screensaver_lock_delay=5_seconds
+ - inactivity_timeout_value=15_minutes
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_user_locks
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
index 8d0587ceeaf..3cb6bf9d136 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml
@@ -11,10 +11,16 @@ controls:
 levels:
 - low
 rules:
- - var_auditd_admin_space_left_action=cis_rhel10
 - var_audit_backlog_limit=8192
+ - var_auditd_admin_space_left_action=cis_rhel10
+ - var_auditd_space_left_action=cis_rhel10
+ - var_auditd_admin_space_left_action=cis_rhel10
+ - var_auditd_space_left_action=cis_rhel10
 - var_auditd_space_left_action=cis_rhel10
 - var_auditd_action_mail_acct=root
+ - var_auditd_admin_space_left_action=cis_rhel10
+ - var_auditd_disk_error_action=cis_rhel10
+ - var_auditd_disk_full_action=cis_rhel10
 - aide_build_database
 - aide_periodic_cron_checking
 - audit_rules_execution_chacl
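Review bot: The au.yml @@ -11,10 +11,16 hunk adds `var_auditd_admin_space_left_action=cis_rhel10` twice and `var_auditd_space_left_action=cis_rhel10` twice on top of the entries already there, so each variable now appears three times in one rules list; the same duplication shows up in au.yml @@ -160 and @@ -264, in ia.yml @@ -152 for rhel10, and in the rhel8/rhel9 au.yml and ia.yml hunks. With identical values this is only noise, but if two CIS mappings ever resolve the same variable to different values, which assignment the control loader keeps is not visible from these files and would presumably be last-wins with no warning. The generator should de-duplicate variable selections per control and fail, or at least log, when the same variable is collected with conflicting values, so that a conflicting auditd disk-full or space-left setting cannot be carried into a product control file unnoticed.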
@@ -59,10 +65,11 @@ controls:
 levels:
 - low
 rules:
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - var_multiple_time_servers=rhel
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - var_accounts_passwords_pam_faillock_dir=run
 - sshd_max_auth_tries_value=4
+ - var_multiple_time_servers=rhel
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
 - audit_rules_dac_modification_chmod
 - audit_rules_dac_modification_chown
 - audit_rules_dac_modification_fchmod
@@ -160,6 +167,8 @@ controls:
 levels:
 - low
 rules:
+ - var_auditd_disk_full_action=cis_rhel10
+ - var_auditd_disk_error_action=cis_rhel10
 - var_auditd_disk_full_action=cis_rhel10
 - var_auditd_disk_error_action=cis_rhel10
 - auditd_data_disk_error_action
@@ -264,6 +273,7 @@ controls:
 levels:
 - low
 rules:
+ - var_auditd_max_log_file=8
 - var_auditd_max_log_file=8
 - var_auditd_max_log_file_action=keep_logs
 - auditd_data_retention_max_log_file
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
index 9640a2ad942..c5b47a3e09b 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml
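Review bot: `var_accounts_passwords_pam_faillock_dir=run` is added to an AU control whose visible rules are `audit_rules_dac_modification_*` (the same addition appears in rhel8 au.yml @@ -59 and rhel9 au.yml @@ -56), and nothing in the hunk shows a faillock rule in this control that would consume the value. The faillock control in ac.yml @@ -495 selects `deny`, `unlock_time` and `root_unlock_time` but, in the lines shown, no `faillock_dir`, so if that list is complete the tally directory is only set in a control that does not select the faillock rules. Worth confirming against the CIS mapping that the variable belongs here; if it should accompany the faillock rules, the AC control is where it will actually take effect. The remainder of both rules lists is outside the hunks.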
@@ -5,12 +5,30 @@ controls:
 levels:
 - low
 rules:
- - var_user_initialization_files_regex=all_dotfiles
 - var_sshd_set_maxstartups=10:30:60
 - sshd_idle_timeout_value=5_minutes
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - var_user_initialization_files_regex=all_dotfiles
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
 - var_sshd_set_keepalive=1
- - var_accounts_maximum_age_login_defs=365
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - var_sshd_max_sessions=10
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - var_accounts_maximum_age_login_defs=365
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
 - account_unique_id
@@ -61,7 +79,6 @@ controls:
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
 - sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
@@ -215,29 +232,29 @@ controls:
 levels:
 - low
 rules:
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
 - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - var_accounts_user_umask=027
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - var_sshd_set_login_grace_time=60
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- - cis_banner_text=cis
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - var_accounts_user_umask=027
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
 - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - var_sshd_set_login_grace_time=60
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - cis_banner_text=cis
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_forwarding_value=disabled
 - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - accounts_password_pam_modules_in_authselect_profile
 - accounts_password_pam_pwquality_password_auth
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
index 8aea46b94e5..c9bc3e5ac56 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml
@@ -152,16 +152,20 @@ controls:
 levels:
 - low
 rules:
- - var_password_hashing_algorithm_pam=cis_rhel10
 - var_password_hashing_algorithm=cis_rhel10
- - var_accounts_minimum_age_login_defs=1
- - var_password_pam_maxsequence=3
+ - var_password_pam_difok=2
+ - var_password_hashing_algorithm_pam=cis_rhel10
+ - var_password_pam_minlen=14
 - var_password_pam_maxrepeat=3
+ - var_password_hashing_algorithm=cis_rhel10
 - var_accounts_password_warn_age_login_defs=7
- - var_password_pam_dictcheck=1
 - var_password_pam_minclass=4
- - var_password_pam_minlen=14
- - var_password_pam_difok=2
+ - var_password_hashing_algorithm_pam=cis_rhel10
+ - var_password_hashing_algorithm_pam=cis_rhel10
+ - var_password_pam_maxsequence=3
+ - var_password_pam_dictcheck=1
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_hashing_algorithm=cis_rhel10
 - accounts_minimum_age_login_defs
 - accounts_password_all_shadowed
 - accounts_password_last_change_is_in_past
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
index 8a46a2087a4..d6b6228231c 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml
@@ -90,8 +90,8 @@ controls:
 levels:
 - low
 rules:
- - var_pam_wheel_group_for_su=cis
 - var_accounts_user_umask=027
+ - var_pam_wheel_group_for_su=cis
 - var_selinux_policy_name=targeted
 - accounts_umask_etc_bashrc
 - accounts_umask_etc_login_defs
@@ -499,9 +499,9 @@ controls:
 levels:
 - low
 rules:
- - var_accounts_passwords_pam_faillock_unlock_time=900
 - var_accounts_passwords_pam_faillock_deny=5
 - var_accounts_passwords_pam_faillock_root_unlock_time=60
+ - var_accounts_passwords_pam_faillock_unlock_time=900
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
 - accounts_passwords_pam_faillock_deny
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
index 414296282b3..a441809c4d5 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml
@@ -11,9 +11,15 @@ controls:
 levels:
 - low
 rules:
+ - var_auditd_space_left_action=cis_rhel8
+ - var_auditd_space_left_action=cis_rhel8
 - var_auditd_admin_space_left_action=cis_rhel8
+ - var_auditd_disk_error_action=cis_rhel8
+ - var_auditd_disk_full_action=cis_rhel8
 - var_auditd_space_left_action=cis_rhel8
+ - var_auditd_admin_space_left_action=cis_rhel8
 - var_audit_backlog_limit=8192
+ - var_auditd_admin_space_left_action=cis_rhel8
 - aide_build_database
 - aide_periodic_cron_checking
 - audit_rules_execution_chacl
@@ -59,9 +65,10 @@ controls:
 - low
 rules:
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sshd_max_auth_tries_value=4
 - var_multiple_time_servers=rhel
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - var_accounts_passwords_pam_faillock_dir=run
+ - sshd_max_auth_tries_value=4
 - audit_rules_dac_modification_chmod
 - audit_rules_dac_modification_chown
 - audit_rules_dac_modification_fchmod
@@ -156,6 +163,8 @@ controls:
 rules:
 - var_auditd_disk_error_action=cis_rhel8
 - var_auditd_disk_full_action=cis_rhel8
+ - var_auditd_disk_full_action=cis_rhel8
+ - var_auditd_disk_error_action=cis_rhel8
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
 status: automated
@@ -260,6 +269,7 @@ controls:
 rules:
 - var_auditd_max_log_file_action=keep_logs
 - var_auditd_max_log_file=8
+ - var_auditd_max_log_file=8
 - auditd_data_retention_max_log_file
 - auditd_data_retention_max_log_file_action
 status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
index d1d2f995047..0cbc861848a 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml
@@ -5,12 +5,30 @@ controls:
 levels:
 - low
 rules:
- - sshd_idle_timeout_value=5_minutes
+ - var_accounts_maximum_age_login_defs=365
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
 - var_sshd_max_sessions=10
- - var_sshd_set_keepalive=1
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
 - var_sshd_set_maxstartups=10:30:60
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - var_sshd_set_keepalive=1
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sshd_idle_timeout_value=5_minutes
 - var_user_initialization_files_regex=all_dotfiles
- - var_accounts_maximum_age_login_defs=365
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
 - account_unique_id
@@ -61,7 +79,6 @@ controls:
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
 - sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
@@ -215,31 +232,31 @@ controls:
 levels:
 - low
 rules:
- - var_sshd_set_login_grace_time=60
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
- - cis_banner_text=cis
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - var_authselect_profile=sssd
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - var_accounts_user_umask=027
+ - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - var_authselect_profile=sssd
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv6_conf_default_forwarding_value=disabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - var_accounts_user_umask=027
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - cis_banner_text=cis
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - var_sshd_set_login_grace_time=60
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
 - accounts_password_pam_modules_in_authselect_profile
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
index 7c0aff2603f..e96059190f4 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml
@@ -152,13 +152,17 @@ controls:
 levels:
 - low
 rules:
- - var_password_pam_maxrepeat=3
+ - var_accounts_password_warn_age_login_defs=7
+ - var_password_hashing_algorithm_pam=cis_rhel8
+ - var_password_pam_dictcheck=1
 - var_password_pam_minlen=14
 - var_password_hashing_algorithm=cis_rhel8
- - var_password_hashing_algorithm_pam=cis_rhel8
+ - var_password_hashing_algorithm=cis_rhel8
 - var_password_pam_maxsequence=3
- - var_accounts_password_warn_age_login_defs=7
- - var_password_pam_dictcheck=1
+ - var_password_hashing_algorithm=cis_rhel8
+ - var_password_hashing_algorithm_pam=cis_rhel8
+ - var_password_pam_maxrepeat=3
+ - var_password_hashing_algorithm_pam=cis_rhel8
 - var_password_pam_difok=2
 - accounts_password_all_shadowed
 - accounts_password_last_change_is_in_past
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
index be0a5b5086f..f539d89f9b6 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml
@@ -90,8 +90,8 @@ controls:
 levels:
 - low
 rules:
- - var_accounts_user_umask=027
 - var_pam_wheel_group_for_su=cis
+ - var_accounts_user_umask=027
 - var_selinux_policy_name=targeted
 - accounts_umask_etc_bashrc
 - accounts_umask_etc_login_defs
@@ -516,8 +516,8 @@ controls:
 levels:
 - low
 rules:
- - dconf_login_banner_contents=cis_default
 - dconf_login_banner_text=cis_banners
+ - dconf_login_banner_contents=cis_default
 - dconf_gnome_banner_enabled
 - dconf_gnome_login_banner_text
 status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
index 32267e291a9..ab5d1de1415 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/au.yml
@@ -11,10 +11,16 @@ controls:
 levels:
 - low
 rules:
- - var_auditd_action_mail_acct=root
- - var_auditd_space_left_action=cis_rhel9
 - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_space_left_action=cis_rhel9
+ - var_auditd_space_left_action=cis_rhel9
 - var_audit_backlog_limit=8192
+ - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_action_mail_acct=root
+ - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_admin_space_left_action=cis_rhel9
+ - var_auditd_disk_full_action=cis_rhel9
+ - var_auditd_space_left_action=cis_rhel9
 - aide_build_database
 - aide_periodic_cron_checking
 - audit_rules_execution_chacl
@@ -56,10 +62,11 @@ controls:
 levels:
 - low
 rules:
- - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_conf_default_log_martians_value=enabled
 - var_multiple_time_servers=rhel
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - var_accounts_passwords_pam_faillock_dir=run
 - sshd_max_auth_tries_value=4
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
 - audit_rules_dac_modification_chmod
 - audit_rules_dac_modification_chown
 - audit_rules_dac_modification_fchmod
@@ -156,6 +163,8 @@ controls:
 rules:
 - var_auditd_disk_full_action=cis_rhel9
 - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_disk_error_action=cis_rhel9
+ - var_auditd_disk_full_action=cis_rhel9
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
 status: automated
@@ -258,8 +267,9 @@ controls:
 levels:
 - low
 rules:
- - var_auditd_max_log_file_action=keep_logs
 - var_auditd_max_log_file=6
+ - var_auditd_max_log_file=6
+ - var_auditd_max_log_file_action=keep_logs
 - auditd_data_retention_max_log_file
 - auditd_data_retention_max_log_file_action
 status: automated
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
index 896573ca794..6ad32b8f997 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/cm.yml
@@ -5,12 +5,30 @@ controls:
 levels:
 - low
 rules:
- - var_sshd_max_sessions=10
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
 - var_user_initialization_files_regex=all_dotfiles
- - var_sshd_set_keepalive=1
- - var_sshd_set_maxstartups=10:30:60
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sshd_idle_timeout_value=5_minutes
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - var_sshd_set_keepalive=1
 - var_accounts_maximum_age_login_defs=365
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - var_sshd_max_sessions=10
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - var_sshd_set_maxstartups=10:30:60
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - account_password_pam_faillock_password_auth
 - account_password_pam_faillock_system_auth
 - account_unique_id
@@ -61,7 +79,6 @@ controls:
 - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
 - sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv4_tcp_syncookies
- - sysctl_net_ipv4_tcp_syncookies_value=enabled
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
@@ -215,29 +232,29 @@ controls:
 levels:
 - low
 rules:
- - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
 - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
 - var_sshd_set_login_grace_time=60
- - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
- - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
 - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
- - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
- - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
 - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
 - cis_banner_text=cis
- - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
- - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
 - sysctl_net_ipv4_conf_all_log_martians_value=enabled
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
- - var_accounts_user_umask=027
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
- - var_authselect_profile=sssd
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
 - sysctl_net_ipv4_conf_default_log_martians_value=enabled
- - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - var_authselect_profile=sssd
+ - var_accounts_user_umask=027
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
 - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
- - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
- - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
 - accounts_password_pam_modules_in_authselect_profile
 - accounts_umask_etc_bashrc
 - accounts_umask_etc_login_defs
diff --git a/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml b/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
index 355d0a031a5..f9e05516329 100644
--- a/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
+++ b/shared/references/controls/nist_800_53_cis_reference_rhel9/ia.yml
@@ -152,16 +152,20 @@ controls:
 levels:
 - low
 rules:
- - var_password_pam_minlen=14
+ - var_password_pam_maxsequence=3
+ - var_password_hashing_algorithm_pam=sha512
 - var_password_pam_dictcheck=1
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_hashing_algorithm=SHA512
 - var_password_hashing_algorithm_pam=sha512
+ - var_password_pam_minclass=4
 - var_accounts_password_warn_age_login_defs=7
- - var_password_hashing_algorithm=SHA512
+ - var_password_pam_minlen=14
 - var_password_pam_maxrepeat=3
- - var_password_pam_maxsequence=3
- - var_password_pam_minclass=4
+ - var_password_hashing_algorithm_pam=sha512
+ - var_password_hashing_algorithm=SHA512
 - var_password_pam_difok=2
- - var_accounts_minimum_age_login_defs=1
+ - var_password_hashing_algorithm=SHA512
 - accounts_minimum_age_login_defs
 - accounts_password_all_shadowed
 - accounts_password_last_change_is_in_past