From 79258bb71e844b940ca83df5e24cf1128af623d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Jul 2022 11:28:10 +0100 Subject: [PATCH] title updates Signed-off-by: Mark Bolwell --- section_3/cis_3.1/cis_3.1.1.yml | 6 +++--- section_3/cis_3.1/cis_3.1.2.yml | 2 +- section_3/cis_3.2/cis_3.2.x.yml | 8 ++++---- section_3/cis_3.3/cis_3.3.1.yml | 8 ++++---- section_3/cis_3.3/cis_3.3.2.yml | 8 ++++---- section_3/cis_3.3/cis_3.3.3.yml | 4 ++-- section_3/cis_3.3/cis_3.3.4.yml | 4 ++-- section_3/cis_3.3/cis_3.3.5.yml | 2 +- section_3/cis_3.3/cis_3.3.6.yml | 2 +- section_3/cis_3.3/cis_3.3.7.yml | 4 ++-- section_3/cis_3.3/cis_3.3.8.yml | 2 +- section_3/cis_3.3/cis_3.3.9.yml | 4 ++-- section_3/cis_3.4/cis_3.4.1.yml | 2 +- section_3/cis_3.4/cis_3.4.2.yml | 2 +- section_3/cis_3.5/cis_3.5.1.x.yml | 18 +++++++++--------- section_3/cis_3.5/cis_3.5.2.1.yml | 8 ++++---- section_3/cis_3.5/cis_3.5.2.10.yml | 2 +- section_3/cis_3.5/cis_3.5.2.11.yml | 2 +- section_3/cis_3.5/cis_3.5.2.4.yml | 4 ++-- section_3/cis_3.5/cis_3.5.2.5.yml | 2 +- section_3/cis_3.5/cis_3.5.2.6.yml | 2 +- section_3/cis_3.5/cis_3.5.2.7.yml | 6 +++--- section_3/cis_3.5/cis_3.5.2.8.yml | 2 +- section_3/cis_3.5/cis_3.5.2.9.yml | 6 +++--- section_3/cis_3.5/cis_3.5.3.1.x.yml | 8 ++++---- section_3/cis_3.5/cis_3.5.3.2.x.yml | 10 +++++----- section_3/cis_3.5/cis_3.5.3.3.x.yml | 10 +++++----- 27 files changed, 69 insertions(+), 69 deletions(-) diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml index 0a464c9..0e1b63a 100644 --- a/section_3/cis_3.1/cis_3.1.1.yml +++ b/section_3/cis_3.1/cis_3.1.1.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_1_1 }} command: ipv6_boot_grub: - title: 3.1.1 | L2 | disable IPv6 | grub + title: 3.1.1 | disable IPv6 | grub exit-status: 0 exec: 'grep "^\s*linux" {{ .Vars.rhel7cis_bootloader_file }} | grep -v ipv6.disable=1' stdout: ['!/./'] 
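Review bot: In the `ipv6_boot_grub` check, `exit-status: 0` cannot be met on a compliant host, because the trailing `grep -v ipv6.disable=1` exits 1 whenever it selects no lines — which is exactly the empty output that `stdout: ['!/./']` demands. As written the test fails on exit status when every kernel line carries `ipv6.disable=1` and fails on stdout when one does not, so it never passes. Change the expectation to `exit-status: 1` (and `ipv6\.disable=1` to stop the dot matching any character). Note that a missing bootloader file produces the same empty output and exit 1, so the check would then pass vacuously; a `file:` resource asserting `{{ .Vars.rhel7cis_bootloader_file }}` exists closes that gap if one is not defined elsewhere.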
@@ -18,7 +18,7 @@ command: CISv8_IG2: true CISv8_IG3: true ipv6_default_grub: - title: 3.1.1 | L2 | disable IPv6 | grub + title: 3.1.1 | disable IPv6 | grub exit-status: 0 exec: 'grep "^\s*linux" /etc/default/grub | grep -v ipv6.disable=1' stdout: ['!/./'] @@ -34,7 +34,7 @@ command: CISv8_IG3: true kernel-param: net.ipv6.conf.all.disable_ipv6: - title: 3.1.1 | L2 | disable IPv6 | kernel + title: 3.1.1 | disable IPv6 | kernel value: '1' meta: server: 2 diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml index 54d39a1..7295e30 100644 --- a/section_3/cis_3.1/cis_3.1.2.yml +++ b/section_3/cis_3.1/cis_3.1.2.yml @@ -2,7 +2,7 @@ {{ if .Vars.rhel7cis_rule_3_1_2 }} command: iwconfig: - title: 3.1.2 | L1 | Ensure wireless interfaces are disabled + title: 3.1.2 | Ensure wireless interfaces are disabled exit-status: 127 exec: iwconfig meta: diff --git a/section_3/cis_3.2/cis_3.2.x.yml b/section_3/cis_3.2/cis_3.2.x.yml index 89efc73..3c216d7 100644 --- a/section_3/cis_3.2/cis_3.2.x.yml +++ b/section_3/cis_3.2/cis_3.2.x.yml @@ -3,7 +3,7 @@ kernel-param: {{ if .Vars.rhel7cis_rule_3_2_1 }} net.ipv4.ip_forward: - title: 3.2.1 | L1 | Ensure IP forwarding is disabled | IPv4 + title: 3.2.1 | Ensure IP forwarding is disabled | IPv4 value: '0' meta: server: 1 @@ -17,7 +17,7 @@ kernel-param: CISv8_IG3: true {{ if .Vars.rhel7cis_ipv6_required }} net.ipv6.conf.all.forwarding: - title: 3.2.1 | L1 | Ensure IP forwarding is disabled | IPv6 + title: 3.2.1 | Ensure IP forwarding is disabled | IPv6 value: '0' meta: server: 1 @@ -33,7 +33,7 @@ kernel-param: {{ end }} {{ if .Vars.rhel7cis_rule_3_2_2 }} net.ipv4.conf.all.send_redirects: - title: 3.2.2 | L1 | Ensure packet redirect sending is disabled | all + title: 3.2.2 | Ensure packet redirect sending is disabled | all value: '0' meta: server: 1 
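Review bot: In the `ipv6_default_grub` hunk the pattern `^\s*linux` is the grub.cfg kernel-stanza pattern, but it is run against /etc/default/grub, where the kernel arguments live on a `GRUB_CMDLINE_LINUX=` line that this line-anchored, lowercase regex never matches. The first grep therefore selects nothing, the pipeline prints nothing and exits 1, so `stdout: ['!/./']` passes regardless of the file's contents while `exit-status: 0` fails unconditionally. Replace the three assertion lines with `exec: 'grep "^\s*GRUB_CMDLINE_LINUX=" /etc/default/grub'`, `exit-status: 0`, `stdout: ['ipv6.disable=1']`. The same `grep -v` exit-status mismatch affects the `ipv6_boot_grub` check in the preceding hunk.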
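Review bot: The `iwconfig` check for 3.1.2 asserts `exit-status: 127`, i.e. that the binary is missing, which is not the same as wireless interfaces being disabled: a host with wireless-tools installed and no wireless hardware gets exit 0 and is reported non-compliant, while a host without the package passes even with a wireless NIC up. If NetworkManager is in use (the `nmcli` call in 3.5.1.6 suggests it is), `exec: nmcli radio wifi` with `exit-status: 0` and `stdout: ['disabled']` asserts the state the control actually describes. Otherwise count `/sys/class/net/*/wireless` entries and check that any found are administratively down.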
@@ -46,7 +46,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.default.send_redirects: - title: 3.2.2 | L1 | Ensure packet redirect sending is disabled | default + title: 3.2.2 | Ensure packet redirect sending is disabled | default value: '0' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.1.yml b/section_3/cis_3.3/cis_3.3.1.yml index 0584ccb..dba19ac 100644 --- a/section_3/cis_3.3/cis_3.3.1.yml +++ b/section_3/cis_3.3/cis_3.3.1.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_1 }} kernel-param: net.ipv4.conf.all.accept_source_route: - title: 3.3.1 | L1 | Ensure source routed packets are not accepted | IPv4_all + title: 3.3.1 | Ensure source routed packets are not accepted | IPv4_all value: '0' meta: server: 1 @@ -14,7 +14,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.default.accept_source_route: - title: 3.3.1 | L1 | Ensure source routed packets are not accepted | IPv4_default + title: 3.3.1 | Ensure source routed packets are not accepted | IPv4_default value: '0' meta: server: 1 @@ -28,7 +28,7 @@ kernel-param: CISv8_IG3: true {{ if .Vars.rhel7cis_ipv6_required }} net.ipv6.conf.all.accept_source_route: - title: 3.3.1 | L1 | Ensure source routed packets are not accepted | IPv6_all + title: 3.3.1 | Ensure source routed packets are not accepted | IPv6_all value: '0' meta: server: 1 @@ -41,7 +41,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv6.conf.default.accept_source_route: - title: 3.3.1 | L1 | Ensure source routed packets are not accepted | IPv6_default + title: 3.3.1 | Ensure source routed packets are not accepted | IPv6_default value: '0' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.2.yml b/section_3/cis_3.3/cis_3.3.2.yml index 9e3c5ed..bc9867a 100644 --- a/section_3/cis_3.3/cis_3.3.2.yml +++ b/section_3/cis_3.3/cis_3.3.2.yml 
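Review bot: Every `kernel-param` check in these hunks (3.2.2 and the four 3.3.1 entries) asserts only the running value read through sysctl, so a host whose /etc/sysctl.conf or /etc/sysctl.d/*.conf still sets the opposite value passes until the next reboot or `sysctl --system` reverts it. The benchmark audits the configuration files as well as the live value; unless a separate file check exists outside this diff, pair each parameter with a `command:` such as `exec: grep -Ehs "^\s*net.ipv4.conf.all.accept_source_route\s*=" /etc/sysctl.conf /etc/sysctl.d/*.conf` asserting `stdout: ['/=\s*0/']`. This applies to all the sysctl checks in section 3.2 and 3.3, not just this hunk.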
@@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_2 }} kernel-param: net.ipv4.conf.all.accept_redirects: - title: 3.3.2 | L1 | Ensure ICMP redirects are not accepted | IPv4 + title: 3.3.2 | Ensure ICMP redirects are not accepted | IPv4 value: '0' meta: server: 1 @@ -14,7 +14,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.default.accept_redirects: - title: 3.3.2 | L1 | Ensure ICMP redirects are not accepted | IPv4_default + title: 3.3.2 | Ensure ICMP redirects are not accepted | IPv4_default value: '0' meta: server: 1 @@ -28,7 +28,7 @@ kernel-param: CISv8_IG3: true {{ if .Vars.rhel7cis_ipv6_required }} net.ipv6.conf.all.accept_redirects: - title: 3.3.2 | L1 | Ensure ICMP redirects are not accepted | IPv6 + title: 3.3.2 | Ensure ICMP redirects are not accepted | IPv6 value: '0' meta: server: 1 @@ -41,7 +41,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv6.conf.default.accept_redirects: - title: 3.3.2 | L1 | Ensure ICMP redirects are not accepted | IPv6_default + title: 3.3.2 | Ensure ICMP redirects are not accepted | IPv6_default value: '0' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.3.yml b/section_3/cis_3.3/cis_3.3.3.yml index c60ae20..6014c7a 100644 --- a/section_3/cis_3.3/cis_3.3.3.yml +++ b/section_3/cis_3.3/cis_3.3.3.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_3 }} kernel-param: net.ipv4.conf.all.secure_redirects: - title: 3.3.3 | L1 | Ensure secure ICMP redirects are not accepted | all + title: 3.3.3 | Ensure secure ICMP redirects are not accepted | all value: '0' meta: server: 1 @@ -14,7 +14,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.default.secure_redirects: - title: 3.3.3 | L1 | Ensure secure ICMP redirects are not accepted | default + title: 3.3.3 | Ensure secure ICMP redirects are not accepted | default value: '0' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.4.yml b/section_3/cis_3.3/cis_3.3.4.yml index d18603e..5137ca7 100644 --- a/section_3/cis_3.3/cis_3.3.4.yml 
+++ b/section_3/cis_3.3/cis_3.3.4.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_4 }} kernel-param: net.ipv4.conf.all.log_martians: - title: 3.3.4 | L1 | Ensure suspicious packets are logged | all + title: 3.3.4 | Ensure suspicious packets are logged | all value: '1' meta: server: 1 @@ -14,7 +14,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.default.log_martians: - title: 3.3.4 | L1 | Ensure suspicious packets are logged | default + title: 3.3.4 | Ensure suspicious packets are logged | default value: '1' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.5.yml b/section_3/cis_3.3/cis_3.3.5.yml index b9edd36..642aa86 100644 --- a/section_3/cis_3.3/cis_3.3.5.yml +++ b/section_3/cis_3.3/cis_3.3.5.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_5 }} kernel-param: net.ipv4.icmp_echo_ignore_broadcasts: - title: 3.3.5 | L1 | Ensure broadcast ICMP requests are ignored + title: 3.3.5 | Ensure broadcast ICMP requests are ignored value: '1' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.6.yml b/section_3/cis_3.3/cis_3.3.6.yml index a131e03..e2504ca 100644 --- a/section_3/cis_3.3/cis_3.3.6.yml +++ b/section_3/cis_3.3/cis_3.3.6.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_6 }} kernel-param: net.ipv4.icmp_ignore_bogus_error_responses: - title: 3.3.6 | L1 | Ensure bogus ICMP responses are ignored + title: 3.3.6 | Ensure bogus ICMP responses are ignored value: '1' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.7.yml b/section_3/cis_3.3/cis_3.3.7.yml index 2e2d85f..16722ae 100644 --- a/section_3/cis_3.3/cis_3.3.7.yml +++ b/section_3/cis_3.3/cis_3.3.7.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_7 }} kernel-param: net.ipv4.conf.all.rp_filter: - title: 3.3.7 | L1 | Ensure Reverse Path Filtering is enabled | all + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | all value: '1' meta: server: 1 
@@ -14,7 +14,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv4.conf.all.rp_filter: - title: 3.3.7 | L1 | Ensure Reverse Path Filtering is enabled | default + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | default value: '1' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.8.yml b/section_3/cis_3.3/cis_3.3.8.yml index 24ddcd9..9be18dc 100644 --- a/section_3/cis_3.3/cis_3.3.8.yml +++ b/section_3/cis_3.3/cis_3.3.8.yml @@ -1,7 +1,7 @@ {{ if .Vars.rhel7cis_rule_3_3_8 }} kernel-param: net.ipv4.tcp_syncookies: - title: 3.3.8 | L1 | Ensure TCP SYN Cookies is enabled + title: 3.3.8 | Ensure TCP SYN Cookies is enabled value: '1' meta: server: 1 diff --git a/section_3/cis_3.3/cis_3.3.9.yml b/section_3/cis_3.3/cis_3.3.9.yml index 0a06a94..de08549 100644 --- a/section_3/cis_3.3/cis_3.3.9.yml +++ b/section_3/cis_3.3/cis_3.3.9.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_ipv6_required }} kernel-param: net.ipv6.conf.all.accept_ra: - title: 3.3.9 | L1 | Ensure IPv6 router advertisements are not accepted | all + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | all value: '0' meta: server: 1 @@ -16,7 +16,7 @@ kernel-param: CISv8_IG2: true CISv8_IG3: true net.ipv6.conf.default.accept_ra: - title: 3.3.9 | L1 | Ensure IPv6 router advertisements are not accepted | default + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | default value: '0' meta: server: 1 diff --git a/section_3/cis_3.4/cis_3.4.1.yml b/section_3/cis_3.4/cis_3.4.1.yml index 7f8d712..cf916b5 100644 --- a/section_3/cis_3.4/cis_3.4.1.yml +++ b/section_3/cis_3.4/cis_3.4.1.yml @@ -2,7 +2,7 @@ {{ if .Vars.rhel7cis_rule_3_4_1 }} command: modprobe_dccp: - title: 3.4.1 | L2 | Ensure DCCP is disabled + title: 3.4.1 | Ensure DCCP is disabled exit-status: 0 exec: 'modprobe -n -v dccp' stdout: ['install /bin/true'] diff --git a/section_3/cis_3.4/cis_3.4.2.yml b/section_3/cis_3.4/cis_3.4.2.yml index 39e140a..0c9fd20 100644 --- a/section_3/cis_3.4/cis_3.4.2.yml 
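Review bot: The second `rp_filter` entry in this hunk, titled `... | default`, is keyed `net.ipv4.conf.all.rp_filter` again instead of `net.ipv4.conf.default.rp_filter`. Under one `kernel-param:` mapping that is a duplicate YAML key: most loaders silently keep the last entry, so the `all` check is overwritten, the `default` parameter is never read, and goss reports a single passing test for a control that requires both. Change the key line to `net.ipv4.conf.default.rp_filter:`. The `all`/`default` pairs in 3.3.1 through 3.3.4 use distinct keys correctly; a `yamllint` run with `key-duplicates` enabled over section_3 would catch this class of slip.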
+++ b/section_3/cis_3.4/cis_3.4.2.yml @@ -2,7 +2,7 @@ {{ if .Vars.rhel7cis_rule_3_4_2 }} command: modprobe_sctp: - title: 3.4.2 | L2 | Ensure SCTP is disabled + title: 3.4.2 | Ensure SCTP is disabled exit-status: 0 exec: 'modprobe -n -v sctp' stdout: ['install /bin/true'] diff --git a/section_3/cis_3.5/cis_3.5.1.x.yml b/section_3/cis_3.5/cis_3.5.1.x.yml index 1f46b01..7f97127 100644 --- a/section_3/cis_3.5/cis_3.5.1.x.yml +++ b/section_3/cis_3.5/cis_3.5.1.x.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_1_1 }} package: firewalld: - title: 3.5.1.1 | L1 | Ensure FirewallD is installed + title: 3.5.1.1 | Ensure FirewallD is installed installed: true meta: server: 1 @@ -16,7 +16,7 @@ package: CISv8_IG2: true CISv8_IG3: true iptables: - title: 3.5.1.1 | L1 | Ensure FirewallD is installed + title: 3.5.1.1 | Ensure FirewallD is installed installed: true meta: server: 1 @@ -31,7 +31,7 @@ package: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_1_2 }} iptables-services: - title: 3.5.1.2 | L1 | Ensure iptables-services not installed with firewalld | IPv4 + title: 3.5.1.2 | Ensure iptables-services not installed with firewalld | IPv4 installed: false meta: server: 1 @@ -46,7 +46,7 @@ package: CISv8_IG3: true {{ if .Vars.rhel7cis_ipv6_required }} ip6tables-services: - title: 3.5.1.2 | L1 | Ensure iptables-services not installed with firewalld | IPv6 + title: 3.5.1.2 | Ensure iptables-services not installed with firewalld | IPv6 installed: false meta: server: 1 @@ -63,7 +63,7 @@ package: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_1_3 }} nftables: - title: 3.5.1.3 | L1 | Ensure nftables either not installed or masked with firewalld | package + title: 3.5.1.3 | Ensure nftables either not installed or masked with firewalld | package installed: false meta: server: 1 
@@ -78,7 +78,7 @@ package: CISv8_IG3: true service: nftables: - title: 3.5.1.3 | L1 | Ensure nftables either not installed or masked with firewalld | masked + title: 3.5.1.3 | Ensure nftables either not installed or masked with firewalld | masked enabled: false running: false skip: false @@ -96,7 +96,7 @@ service: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_1_4 }} firewalld: - title: 3.5.1.4 | L1 | Ensure firewalld service is enabled and running + title: 3.5.1.4 | Ensure firewalld service is enabled and running enabled: true running: true meta: @@ -113,7 +113,7 @@ service: command: {{ if .Vars.rhel7cis_rule_3_5_1_5 }} default_zone: - title: 3.5.1.5 | L1 | Ensure default zone is set + title: 3.5.1.5 | Ensure default zone is set exec: firewall-cmd --get-default-zone exit-status: 0 stdout: @@ -131,7 +131,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_1_6 }} nic_assigned: - title: 3.5.1.6 | L1 | Ensure network interfaces are assigned to appropriate zone + title: 3.5.1.6 | Ensure network interfaces are assigned to appropriate zone exec: "nmcli -t connection show | awk -F ':' '{if($4){print $4}}' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" exit-status: 0 {{ range .Vars.rhel7cis_firewall_interface }} diff --git a/section_3/cis_3.5/cis_3.5.2.1.yml b/section_3/cis_3.5/cis_3.5.2.1.yml index 11c742b..1951902 100644 --- a/section_3/cis_3.5/cis_3.5.2.1.yml +++ b/section_3/cis_3.5/cis_3.5.2.1.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_1 }} package: nftables: - title: 3.5.2.1 | L1 | Ensure nftables is installed + title: 3.5.2.1 | Ensure nftables is installed installed: true meta: server: 1 @@ -18,7 +18,7 @@ package: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_2_2 }} firewalld: - title: 3.5.2.2 | L1 | Ensure firewalld is not installed or stopped and masked + title: 3.5.2.2 | Ensure firewalld is not installed or stopped and masked installed: false meta: server: 1 
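Review bot: In the `nic_assigned` check the interface name is interpolated unquoted as `grep -B1 $INT`, so it is a substring match (`eth0` also matches `eth01` or `veth0abc`) and is subject to word splitting, and because the pipeline's status is that of the last `grep` in the loop, only the last interface decides `exit-status: 0`. Use a quoted whole-word match, `grep -B1 -w "$INT"`, and if each interface must be found, accumulate the status: `rc=0; ...; grep -B1 -w "$INT" || rc=1; done; exit $rc`. The resource's `stdout:` expectations under `{{ range .Vars.rhel7cis_firewall_interface }}` continue past the end of the hunk.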
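Review bot: The `firewalld` package check for 3.5.2.2 asserts only `installed: false`, but its title accepts either state: not installed, or installed but stopped and masked. A host that keeps the package and masks the unit therefore fails here even though the title says it is compliant; the nftables package/service pair for 3.5.1.3 earlier in this series has the same either/or gap. If both outcomes are to be accepted, a package resource cannot express it; a command that normalises the two states can, for example:
```yaml
command:
  firewalld_absent_or_masked:
    title: 3.5.2.2 | Ensure firewalld is not installed or stopped and masked
    exec: 'rpm -q firewalld >/dev/null 2>&1 || { echo not-installed; exit 0; }; systemctl is-enabled firewalld; systemctl is-active firewalld; exit 0'
    exit-status: 0
    stdout: ['/not-installed|masked\ninactive/']
    # … unchanged: meta block …
```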
@@ -34,7 +34,7 @@ package: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_2_3 }} iptables-services: - title: 3.5.2.3 | L1 | Ensure iptables-services package is not installed | IPv4 + title: 3.5.2.3 | Ensure iptables-services package is not installed | IPv4 installed: false meta: server: 1 @@ -48,7 +48,7 @@ package: CISv8_IG2: true CISv8_IG3: true iptables6-services: - title: 3.5.2.3 | L1 | Ensure iptables6-services package is not installed | IPv6 + title: 3.5.2.3 | Ensure iptables6-services package is not installed | IPv6 installed: false meta: server: 1 diff --git a/section_3/cis_3.5/cis_3.5.2.10.yml b/section_3/cis_3.5/cis_3.5.2.10.yml index 53b0b10..901538f 100644 --- a/section_3/cis_3.5/cis_3.5.2.10.yml +++ b/section_3/cis_3.5/cis_3.5.2.10.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_10 }} service: nftables: - title: 3.5.2.10 | L1 | Ensure nftables service is enabled + title: 3.5.2.10 | Ensure nftables service is enabled enabled: true meta: server: 1 diff --git a/section_3/cis_3.5/cis_3.5.2.11.yml b/section_3/cis_3.5/cis_3.5.2.11.yml index c3b50a1..7fbaccf 100644 --- a/section_3/cis_3.5/cis_3.5.2.11.yml +++ b/section_3/cis_3.5/cis_3.5.2.11.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_11 }} command: nftables: - title: 3.5.2.11 | L1 | Ensure nftables rules are permanent + title: 3.5.2.11 | Ensure nftables rules are permanent exec: awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/sysconfig/nftables.conf) exit-status: 0 meta: diff --git a/section_3/cis_3.5/cis_3.5.2.4.yml b/section_3/cis_3.5/cis_3.5.2.4.yml index 8b5cc46..8cf2d73 100644 --- a/section_3/cis_3.5/cis_3.5.2.4.yml +++ b/section_3/cis_3.5/cis_3.5.2.4.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_4 }} command: iptables_list: - title: 3.5.2.4 | L1 | Ensure iptables are flushed with nftables + title: 3.5.2.4 | Ensure iptables are flushed with nftables exec: iptables -L stdout: ['!/./'] exit-status: 0 
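Review bot: The IPv6 package check for 3.5.2.3 in this hunk is keyed `iptables6-services`, while the equivalent check under 3.5.1.2 earlier in this series uses `ip6tables-services`; at most one spelling can be a real package name, and for an `installed: false` assertion a name that matches no package passes unconditionally, so the check proves nothing. As far as I can tell the ip6tables service unit on RHEL 7 ships inside `iptables-services` itself rather than a separate package, in which case both IPv6 entries duplicate the IPv4 assertion and can be dropped; otherwise align both files on the one correct name.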
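Review bot: The `nftables` command for 3.5.2.11 asserts only `exit-status: 0` and has no `stdout` expectation, so it passes whenever `awk` runs cleanly — including when /etc/sysconfig/nftables.conf contains no `include` line at all, since the inner `$(...)` then expands to nothing, the outer awk reads an (apparently empty) stdin and exits 0, which is precisely the non-persistent state the control exists to catch. Add the content the title promises, e.g. `stdout: ['hook input']`, so an empty or include-less configuration fails. The remainder of the resource (`meta:` onward) lies outside the hunk.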
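Review bot: `iptables_list` expects empty output (`stdout: ['!/./']`) from `iptables -L`, but `iptables -L` prints the `Chain INPUT (policy ACCEPT)` headers and column titles for the built-in chains even when every chain is empty, so the assertion can never hold and the check fails on a compliant host. Assert on rules rather than listing output: `exec: iptables -S | grep -v '^-P'` with `exit-status: 1` and `stdout: ['!/./']` passes only when nothing but the policy lines remains. The `ip6tables_list` check in the next hunk has the identical problem.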
@@ -18,7 +18,7 @@ command: CISv8_IG2: true CISv8_IG3: true iptables6_list: - title: 3.5.2.4 | L1 | Ensure ip6tables are flushed + title: 3.5.2.4 | Ensure ip6tables are flushed exec: ip6tables -L stdout: ['!/./'] exit-status: 0 diff --git a/section_3/cis_3.5/cis_3.5.2.5.yml b/section_3/cis_3.5/cis_3.5.2.5.yml index e32133f..25909bf 100644 --- a/section_3/cis_3.5/cis_3.5.2.5.yml +++ b/section_3/cis_3.5/cis_3.5.2.5.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_5 }} command: nft_list: - title: 3.5.2.5 | L1 | Ensure a table exists + title: 3.5.2.5 | Ensure a table exists exec: nft list tables exit-status: 0 stdout: ['inet filter'] diff --git a/section_3/cis_3.5/cis_3.5.2.6.yml b/section_3/cis_3.5/cis_3.5.2.6.yml index 5c1560e..243670b 100644 --- a/section_3/cis_3.5/cis_3.5.2.6.yml +++ b/section_3/cis_3.5/cis_3.5.2.6.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_6 }} command: nft_list: - title: 3.5.2.6 | L1 | Ensure base chains exists + title: 3.5.2.6 | Ensure base chains exists exec: nft list ruleset | egrep -c "input|forward|output" exit-status: 0 stdout: diff --git a/section_3/cis_3.5/cis_3.5.2.7.yml b/section_3/cis_3.5/cis_3.5.2.7.yml index 1ab29ef..0ec1251 100644 --- a/section_3/cis_3.5/cis_3.5.2.7.yml +++ b/section_3/cis_3.5/cis_3.5.2.7.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_7 }} command: nft_IPv4_local: - title: 3.5.2.7 | L1 | Ensure loopback traffic configured + title: 3.5.2.7 | Ensure loopback traffic configured exec: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' exit-status: 0 stdout: ['iif "lo" accept'] @@ -18,7 +18,7 @@ command: CISv8_IG2: true CISv8_IG3: true nft_IPv4_127: - title: 3.5.2.7 | L1 | Ensure loopback traffic configured + title: 3.5.2.7 | Ensure loopback traffic configured exec: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' exit-status: 0 stdout: ['ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop'] 
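Review bot: `nft_IPv4_127` expects the literal string `ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop`, which embeds the rule's live counter values: the moment one spoofed packet is dropped by that rule the counters become non-zero and the check fails, so the test turns red precisely when the rule has done its job. Match the rule, not its statistics, e.g. `stdout: ['/ip saddr 127\.0\.0\.0/8 .*drop/']`. The `ip6 saddr ::1 counter packets 0 bytes 0 drop` expectation in the following hunk has the same flaw.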
@@ -34,7 +34,7 @@ command: CISv8_IG3: true {{ if .Vars.rhel7cis_ipv6_required }} nft_IPv6_local: - title: 3.5.2.7 | L1 | Ensure loopback traffic configured + title: 3.5.2.7 | Ensure loopback traffic configured exec: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' exit-status: 0 stdout: ['ip6 saddr ::1 counter packets 0 bytes 0 drop'] diff --git a/section_3/cis_3.5/cis_3.5.2.8.yml b/section_3/cis_3.5/cis_3.5.2.8.yml index d27ab27..7b1b1ce 100644 --- a/section_3/cis_3.5/cis_3.5.2.8.yml +++ b/section_3/cis_3.5/cis_3.5.2.8.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_8 }} command: nft_list: - title: 3.5.2.8 | L1 | Ensure outbound and established connections are configured + title: 3.5.2.8 | Ensure outbound and established connections are configured exec: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' exit-status: 0 stdout: ['accept'] diff --git a/section_3/cis_3.5/cis_3.5.2.9.yml b/section_3/cis_3.5/cis_3.5.2.9.yml index 5391ef6..017387d 100644 --- a/section_3/cis_3.5/cis_3.5.2.9.yml +++ b/section_3/cis_3.5/cis_3.5.2.9.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_2_9 }} command: nft_drop_input: - title: 3.5.2.9 | L1 | Ensure default deny firewall policy + title: 3.5.2.9 | Ensure default deny firewall policy exec: nft list ruleset | grep 'hook input' exit-status: 0 stdout: ['type filter hook input priority 0; policy drop'] @@ -18,7 +18,7 @@ command: CISv8_IG2: true CISv8_IG3: true nft_drop_forward: - title: 3.5.2.9 | L1 | Ensure default deny firewall policy + title: 3.5.2.9 | Ensure default deny firewall policy exec: nft list ruleset | grep 'hook forward' exit-status: 0 stdout: ['type filter hook forward priority 0; policy drop'] 
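Review bot: The 3.5.2.8 check inspects only the `hook input` chain for `ct state` accept rules, but the control concerns outbound and established connections and the benchmark's audit lists the `hook output` chain as well; nothing in this file asserts the output half. Add a second command, e.g. `nft_list_output`, with `exec: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'` and the same `stdout: ['accept']`. Note that `stdout: ['accept']` is a substring match satisfied by any one matching line, so a missing protocol rule goes unnoticed; one pattern per protocol would be tighter.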
@@ -33,7 +33,7 @@ command: CISv8_IG2: true CISv8_IG3: true nft_drop_output: - title: 3.5.2.9 | L1 | Ensure default deny firewall policy + title: 3.5.2.9 | Ensure default deny firewall policy exec: nft list ruleset | grep 'hook output' exit-status: 0 stdout: ['type filter hook output priority 0; policy drop'] diff --git a/section_3/cis_3.5/cis_3.5.3.1.x.yml b/section_3/cis_3.5/cis_3.5.3.1.x.yml index d8d0138..be1a1f0 100644 --- a/section_3/cis_3.5/cis_3.5.3.1.x.yml +++ b/section_3/cis_3.5/cis_3.5.3.1.x.yml @@ -2,7 +2,7 @@ {{ if .Vars.rhel7cis_rule_3_5_3_1_1 }} package: iptables: - title: 3.5.3.1.1 | L1 | Ensure iptables packages are installed + title: 3.5.3.1.1 | Ensure iptables packages are installed installed: true meta: server: 1 @@ -15,7 +15,7 @@ package: CISv8_IG2: true CISv8_IG3: true iptables-services: - title: 3.5.3.1.1 | L1 | Ensure iptables packages are installed + title: 3.5.3.1.1 | Ensure iptables packages are installed installed: true meta: server: 1 @@ -29,7 +29,7 @@ package: CISv8_IG3: true {{ if .Vars.rhel7cis_rule_3_5_3_1_2 }} nftables: - title: 3.5.3.1.2 | L1 | Ensure nftables is not installed with iptables + title: 3.5.3.1.2 | Ensure nftables is not installed with iptables installed: false meta: server: 1 @@ -45,7 +45,7 @@ package: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_1_3 }} nftables: - title: 3.5.3.1.3 | L1 | Ensure firewalld is either not installed or masked with iptables + title: 3.5.3.1.3 | Ensure firewalld is either not installed or masked with iptables installed: false meta: server: 1 diff --git a/section_3/cis_3.5/cis_3.5.3.2.x.yml b/section_3/cis_3.5/cis_3.5.3.2.x.yml index d4db685..7a8d9a9 100644 --- a/section_3/cis_3.5/cis_3.5.3.2.x.yml +++ b/section_3/cis_3.5/cis_3.5.3.2.x.yml 
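Review bot: The 3.5.3.1.3 entry, titled `Ensure firewalld is either not installed or masked with iptables`, is keyed `nftables:` — it re-checks the nftables package that 3.5.3.1.2 already covers and never looks at firewalld at all. Because both sit under the same `package:` mapping, enabling both rule variables also yields a duplicate `nftables` key, and most YAML loaders silently keep the last one, so the 3.5.3.1.2 check is lost as well. Rename the key to `firewalld:`; if the "masked" alternative in the title is also to be accepted, a package `installed: false` assertion alone cannot express it and a service or command check is needed, as the 3.5.1.3 hunk does for nftables.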
@@ -3,7 +3,7 @@ {{ if .Vars.rhel7cis_rule_3_5_3_2_1 }} command: iptables_loopback: - title: 3.5.3.2.1 | L1 | Ensure iptables loopback traffic is configured + title: 3.5.3.2.1 | Ensure iptables loopback traffic is configured exec: cat {{ .Vars.iptables_boot_config }} exit-status: 0 stdout: @@ -26,7 +26,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_2_2 }} iptables_outbound_est: - title: 3.5.3.2.2 | L1 | Ensure iptables outbound and established connections are configured + title: 3.5.3.2.2 | Ensure iptables outbound and established connections are configured exec: cat {{ .Vars.iptables_boot_config }} exit-status: 0 stdout: @@ -54,7 +54,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_2_3 }} iptables_manual: - title: 3.5.3.2.3 | L1 | Ensure iptables rules exist for all open ports + title: 3.5.3.2.3 | Ensure iptables rules exist for all open ports exec: echo "Manual - Ensure iptables rules exist for all open ports" exit-status: 0 stdout: @@ -72,7 +72,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_2_4 }} iptable_def_deny: - title: 3.5.3.2.4 | L1 | Ensure iptables default deny firewall policy + title: 3.5.3.2.4 | Ensure iptables default deny firewall policy exec: iptables -L | grep Chain exit-status: 0 stdout: @@ -94,7 +94,7 @@ command: {{ if .Vars.rhel7cis_rule_3_5_3_2_5 }} file: {{ .Vars.iptables_boot_config }}: - title: 3.5.3.2.5 | L1 | Ensure iptables rules are saved + title: 3.5.3.2.5 | Ensure iptables rules are saved exists: true meta: server: 1 diff --git a/section_3/cis_3.5/cis_3.5.3.3.x.yml b/section_3/cis_3.5/cis_3.5.3.3.x.yml index 1f142fb..8c6af94 100644 --- a/section_3/cis_3.5/cis_3.5.3.3.x.yml +++ b/section_3/cis_3.5/cis_3.5.3.3.x.yml @@ -4,7 +4,7 @@ {{ if .Vars.rhel7cis_rule_3_5_3_3_1 }} command: ip6tables_loopback: - title: 3.5.3.3.1 | L1 | Ensure ip6tables loopback traffic is configured + title: 3.5.3.3.1 | Ensure ip6tables loopback traffic is configured exec: cat {{ .Vars.ip6tables_boot_config }} exit-status: 0 stdout: 
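Review bot: `iptables_manual` for 3.5.3.2.3 executes `echo "Manual - ..."`, and since `echo` always exits 0 it reports the control as passed without examining a single rule, so any compliance summary built from this suite counts an unaudited item as compliant. Mark it `skip: true` so it surfaces as skipped rather than passed (the `skip` key is already used on the nftables service resource in 3.5.1.3), and add a comment above it such as `# Manual control: compare listening ports (ss -4tuln) against iptables -L INPUT -v -n`. The `ip6tables_manual` twin in cis_3.5.3.3.x.yml has the same shape.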
@@ -27,7 +27,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_3_2 }} ip6tables_outbound_est: - title: 3.5.3.3.2 | L1 | Ensure ip6tables outbound and established connections are configured + title: 3.5.3.3.2 | Ensure ip6tables outbound and established connections are configured exec: cat {{ .Vars.ip6tables_boot_config }} exit-status: 0 stdout: @@ -55,7 +55,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_3_3 }} ip6tables_manual: - title: 3.5.3.3.3 | L1 | Ensure ip6tables rules exist for all open ports + title: 3.5.3.3.3 | Ensure ip6tables rules exist for all open ports exec: echo "Manual - Ensure ip6tables rules exist for all open ports" exit-status: 0 stdout: @@ -73,7 +73,7 @@ command: {{ end }} {{ if .Vars.rhel7cis_rule_3_5_3_3_4 }} iptable_def_deny: - title: 3.5.3.3.4 | L1 | Ensure ip6tables default deny firewall policy + title: 3.5.3.3.4 | Ensure ip6tables default deny firewall policy exec: ip6tables -L | grep Chain exit-status: 0 stdout: @@ -95,7 +95,7 @@ command: {{ if .Vars.rhel7cis_rule_3_5_3_3_5 }} file: {{ .Vars.ip6tables_boot_config }}: - title: 3.5.3.3.5 | L1 | Ensure ip6tables rules are saved + title: 3.5.3.3.5 | Ensure ip6tables rules are saved exists: true meta: server: 1
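Review bot: The default-deny check for ip6tables in this hunk is keyed `iptable_def_deny`, the same name the IPv4 check in cis_3.5.3.2.x.yml uses. Goss resources are maps keyed by name, and if these files are pulled into one run through `gossfile:` includes, same-typed resources with equal keys merge so that the later one silently replaces the earlier — only one of the two default-deny checks would then execute. Rename it `ip6tables_def_deny` to match the other `ip6tables_*` keys in this file; `nft_list` is reused the same way across cis_3.5.2.5, 3.5.2.6 and 3.5.2.8 and deserves the same treatment. The resource's `stdout:` expectations continue past the end of the hunk.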