From aaf7f6af9889754d2c1b3c3b2ab1d0219e05807a Mon Sep 17 00:00:00 2001
From: j-ode
Date: Fri, 3 Mar 2023 15:46:38 +0100
Subject: [PATCH 01/46] Create cup_fedora controls file
Source of the controls file will be my thesis on the Fedora Common User Profile, source will be added later
---
controls/cup_fedora.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 controls/cup_fedora.yml
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
new file mode 100644
index 00000000000..718c09f9b55
--- /dev/null
+++ b/controls/cup_fedora.yml
@@ -0,0 +1,13 @@
+---
+policy: 'Fedora Common User Profile'
+title: 'Fedora Common User Profile'
+id: cup_fedora
+version: '1.0.0'
+source: TBD
+
+controls:
+ - id: 1.1
+ title: Protection of the BIOS or UEFI
+ description: >-
+ Users should protect their BIOS or UEFI with a password
+ status: manual
From c5ba27cf02e89ac077e24ac961f7dac08a8bc341 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Fri, 3 Mar 2023 15:54:05 +0100
Subject: [PATCH 02/46] Add rules to section 1
---
controls/cup_fedora.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
index 718c09f9b55..de832823e3b 100644
--- a/controls/cup_fedora.yml
+++ b/controls/cup_fedora.yml
@@ -6,8 +6,21 @@ version: '1.0.0'
 source: TBD
 
 controls:
+### 1. Hardware and its configuration
 - id: 1.1
 title: Protection of the BIOS or UEFI
 description: >-
 Users should protect their BIOS or UEFI with a password
 status: manual
+
+ - id: 1.2
+ title: Proper BIOS or UEFI configuration
+ description: >-
+ Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order
+ status: manual
+
+ - id: 1.3
+ title: 64-bit OS
+ description: >-
+ When possible, users should use a 64-bit system and hardware that supports it
+ status: manual
From f94204aa50bc76a7cefa162aa2945db8da9ca0ea Mon Sep 17 00:00:00 2001
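Review bot: `id: 1.1` is a plain scalar that YAML loads as the float 1.1, so any later control numbered `1.10` would load as the very same value and collide with it unless the project's loader keeps scalars as strings; quoting the control ids (`- id: '1.1'`) avoids this for the whole file. `source: TBD` leaves the policy without provenance; replace the placeholder with the thesis reference (or a URL) before the file is merged rather than leaving it to a later commit.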
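Review bot: Control 1.2 addresses unused devices and boot order but says nothing about UEFI Secure Boot, which on Fedora is the firmware feature that actually stops unsigned boot loaders and kernels from running, and which a user can switch off from the same setup screen. A single added sentence in the description covers it: `Where the firmware supports it, users should keep UEFI Secure Boot enabled.` The descriptions in this hunk also lack terminal punctuation, unlike normal prose in the rendered policy.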
From: j-ode
Date: Fri, 10 Mar 2023 16:59:15 +0100
Subject: [PATCH 03/46] Rename profile to policy
---
controls/cup_fedora.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
index de832823e3b..2786e019bd4 100644
--- a/controls/cup_fedora.yml
+++ b/controls/cup_fedora.yml
@@ -1,6 +1,6 @@
 ---
-policy: 'Fedora Common User Profile'
-title: 'Fedora Common User Profile'
+policy: 'Fedora Common User Policy'
+title: 'Fedora Common User Policy'
 id: cup_fedora
 version: '1.0.0'
 source: TBD
From d43fc81f3715d4a4f5938b7af15492f38e865549 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Fri, 10 Mar 2023 17:00:10 +0100
Subject: [PATCH 04/46] Rename policy to security policy
---
controls/cup_fedora.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
index 2786e019bd4..74d7abd6a00 100644
--- a/controls/cup_fedora.yml
+++ b/controls/cup_fedora.yml
@@ -1,7 +1,7 @@
 ---
-policy: 'Fedora Common User Policy'
-title: 'Fedora Common User Policy'
-id: cup_fedora
+policy: 'Fedora Common User Security Policy'
+title: 'Fedora Common User Security Policy'
+id: cusp_fedora
 version: '1.0.0'
 source: TBD
From 8874fb5ef79a9dda86d10f10927219cfbd0dae70 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Mon, 20 Mar 2023 17:07:43 +0100
Subject: [PATCH 05/46] Add section 2. System installation
---
controls/cup_fedora.yml | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
index 74d7abd6a00..537afbc8ec0 100644
--- a/controls/cup_fedora.yml
+++ b/controls/cup_fedora.yml
@@ -6,21 +6,49 @@ version: '1.0.0' source: TBD controls: +### ### 1. Hardware and its configuration +### - id: 1.1 title: Protection of the BIOS or UEFI description: >- - Users should protect their BIOS or UEFI with a password + Users should protect their BIOS or UEFI with a password. status: manual - id: 1.2 title: Proper BIOS or UEFI configuration description: >- - Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order + Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order. status: manual - id: 1.3 title: 64-bit OS description: >- - When possible, users should use a 64-bit system and hardware that supports it + When possible, users should use a 64-bit system and hardware that supports it. + status: manual + ### + ### 2. System installation + ### + - id: 2.1 + title: Security policy selection + description: >- + Users should apply the “Fedora Common User Security Policy” in the installer. + status: manual + + - id: 2.2 + title: Disk partitioning + description: >- + Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions. + status: manual + + - id: 2.3 + title: Password security + description: >- + Users should ensure that all account passwords adhere to the password rules in rule 4.1. + status: manual + + - id: 2.4 + title: Disk encryption + description: >- + Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1. status: manual From e88450a64be76089b00a504ce48b9dbbbf099563 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 21 Mar 2023 15:45:39 +0100 Subject: [PATCH 06/46] Add rule 3.1 --- controls/cup_fedora.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml index 537afbc8ec0..38a5c5f5119 100644 --- a/controls/cup_fedora.yml 
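Review bot: Control 2.2 is marked `manual` although the separate-partition requirement is machine-checkable: the content ships `partition_for_home`, `partition_for_tmp`, `partition_for_var`, `partition_for_var_tmp` and `partition_for_var_log` (and `encrypt_partitions` for 2.4), so these should be `status: partial` with those rules selected, leaving only the installer-time choice manual — assuming the rules are available for the fedora product. Controls 2.3 and 2.4 forward-reference "rule 4.1", which does not exist at this point in the series and is a control, not a rule; write `the password requirements in control 4.1` and add the reference in the same change that defines 4.1 so the file never points at a missing section.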
+++ b/controls/cup_fedora.yml
@@ -52,3 +52,28 @@ controls:
 description: >-
 Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1.
 status: manual
+###
+### 3. General system configuration
+###
+ - id: 3.1
+ title: Bootloader security
+ description: >-
+ If the BIOS or UEFI does not allow password protection of the boot process, users should set a bootloader password.
+ status: partial
+ rules:
+ # BIOS
+ - file_groupowner_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_grub2_cfg
+ - file_owner_user_cfg
+ - file_permissions_grub2_cfg
+ - file_permissions_user_cfg
+ - grub2_password # only check
+ # UEFI
+ - file_groupowner_efi_grub2_cfg
+ - file_groupowner_efi_user_cfg
+ - file_owner_efi_grub2_cfg
+ - file_owner_efi_user_cfg
+ - file_permissions_efi_grub2_cfg
+ - file_permissions_efi_user_cfg
+ - grub2_uefi_password # only check
From c99a7c6df2a021708afb5923bb498261afce65fb Mon Sep 17 00:00:00 2001
From: j-ode
Date: Tue, 21 Mar 2023 18:20:23 +0200
Subject: [PATCH 07/46] Add rule 3.2 and 3.3
---
controls/cup_fedora.yml | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml
index 38a5c5f5119..908ca54cfc3 100644
--- a/controls/cup_fedora.yml
+++ b/controls/cup_fedora.yml
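Review bot: The `# only check` comments on `grub2_password` and `grub2_uefi_password` have no effect on the build: a controls file cannot suppress a rule's remediation, so selecting these rules also selects whatever fix the content provides for them, and the condition in the description ("if the firmware does not allow password protection") is never evaluated by the scanner. If the intent is check-only, say so in the policy text, e.g. `A bootloader password is verified but not set automatically; set one with grub2-setpassword if the firmware cannot protect the boot process.`, or leave the password rules out of the selection. Listing both the BIOS and the UEFI file rules means one set cannot apply on a given machine; confirm both groups carry platform applicability in the content, otherwise half of this control always fails.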
@@ -77,3 +77,33 @@ controls: - file_permissions_efi_grub2_cfg - file_permissions_efi_user_cfg - grub2_uefi_password # only check + + - id: 3.2 + title: Software updates + description: >- + Users should apply updates from the GNOME Software application at least once per day. + status: manual + + - id: 3.3 + title: Filesystem configuration + description: >- + AUTOMATIC /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration + status: partial + rules: + - mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_tmp_nodev + - mount_option_tmp_nosuid + - mount_option_tmp_noexec + - mount_option_var_nodev + - mount_option_var_nosuid + - mount_option_var_noexec + - mount_option_var_tmp_nodev + - mount_option_var_tmp_nosuid + - mount_option_var_tmp_noexec + - mount_option_var_log_nodev + - mount_option_var_log_nosuid + - mount_option_var_log_noexec + - kernel_module_cramfs_disabled + - kernel_module_squashfs_disabled + - kernel_module_udf_disabled From c1b801cef9f5a1c6e9b12b0bd0745d4c3de51de8 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 21 Mar 2023 18:20:58 +0100 Subject: [PATCH 08/46] Fix rule 3.3 status --- controls/cup_fedora.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml index 908ca54cfc3..e11edd00341 100644 --- a/controls/cup_fedora.yml +++ b/controls/cup_fedora.yml @@ -87,8 +87,8 @@ controls: - id: 3.3 title: Filesystem configuration description: >- - AUTOMATIC /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration - status: partial + /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration + status: automatic rules: - mount_option_home_nodev - mount_option_home_nosuid From 09ed67634d2facc8132bb7d0d838e7249f3a1a54 Mon Sep 17 00:00:00 2001 From: j-ode Date: Wed, 22 Mar 2023 11:41:06 +0100 Subject: [PATCH 09/46] Add rule 3.4 --- controls/cup_fedora.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
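Review bot: `mount_option_var_noexec` goes beyond the usual baselines (CIS applies noexec to /tmp, /var/tmp and /var/log, not to /var) and on a GNOME desktop /var/lib/flatpak holds runtime and application binaries, so a noexec /var is likely to break Flatpak applications installed through GNOME Software — the update path control 3.2 relies on; drop it or document the trade-off. `kernel_module_squashfs_disabled` similarly blocks a filesystem that Fedora live media and some application formats use; confirm it is intended for a common-user profile. The description `AUTOMATIC /home (-noexec) ... mount option configuration` reads as an author note; state the policy instead, e.g. `Mount /home with nodev,nosuid and /tmp, /var/tmp and /var/log with nodev,nosuid,noexec; disable unused filesystem modules.`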
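Review bot: `status: automatic` is not a status the ComplianceAsCode controls loader accepts — as far as I recall the valid values are pending, planned, not applicable, inherently met, documentation, partial, supported, automated, manual and does not meet — so this change most likely breaks the build rather than fixing the status. Use `status: automated`, which is also the accurate value since every requirement of 3.3 is enforced by a rule.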
diff --git a/controls/cup_fedora.yml b/controls/cup_fedora.yml index e11edd00341..bc7c954bf7c 100644 --- a/controls/cup_fedora.yml +++ b/controls/cup_fedora.yml @@ -107,3 +107,19 @@ controls: - kernel_module_cramfs_disabled - kernel_module_squashfs_disabled - kernel_module_udf_disabled + + - id: 3.4 + title: Crypto policy + description: >- + system cryto policy configuation and ensuring it is not overridden in critical components + status: automatic + rules: + - configure_crypto_policy + - var_system_crypto_policy=default_policy + - configure_bind_crypto_policy + - configure_gnutls_tls_crypto_policy + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - configure_openssl_crypto_policy + - configure_openssl_tls_crypto_policy + - configure_ssh_crypto_policy From 70596e96d5cb393e80eeec0022e1617a2cab5438 Mon Sep 17 00:00:00 2001 From: Jiri Odehnal Date: Wed, 22 Mar 2023 16:19:35 +0100 Subject: [PATCH 10/46] Add new rule to ensure gnome-software is installed and add it to cusp_fedora controls --- controls/{cup_fedora.yml => cusp_fedora.yml} | 4 ++- .../package_gnome_software_installed/rule.yml | 27 +++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) rename controls/{cup_fedora.yml => cusp_fedora.yml} (98%) create mode 100644 linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml diff --git a/controls/cup_fedora.yml b/controls/cusp_fedora.yml similarity index 98% rename from controls/cup_fedora.yml rename to controls/cusp_fedora.yml index bc7c954bf7c..856d2967b61 100644 --- a/controls/cup_fedora.yml +++ b/controls/cusp_fedora.yml @@ -82,7 +82,9 @@ controls: title: Software updates description: >- Users should apply updates from the GNOME Software application at least once per day. - status: manual + status: partial + rules: + - package_gnome_software_installed - id: 3.3 title: Filesystem configuration 
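Review bot: The selection `var_system_crypto_policy=default_policy` pins Fedora's shipped default, so this control guards against a downgrade to LEGACY rather than raising the baseline, and the description (which also has two typos, `cryto`/`configuation`) should say so: `Keep the system-wide crypto policy at DEFAULT or stricter and ensure OpenSSL, GnuTLS, OpenSSH, Kerberos, BIND and Libreswan do not override it.` The BIND, Kerberos and Libreswan rules are only meaningful when those packages are installed, which a common-user desktop normally lacks; confirm they are platform-guarded in the content, otherwise they will report failures on every plain install.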
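Review bot: Having gnome-software installed establishes the tool but not the behaviour control 3.2 asks for (updates applied at least daily), so `partial` is right but the description should name what stays manual. The automatable remainder is GNOME Software's automatic update download/notification (the `org.gnome.software download-updates` dconf key), which could be enforced by a dconf rule in a follow-up; until then add `Automatic download of updates in GNOME Software should be enabled.` to the description so the manual part is explicit.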
diff --git a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml new file mode 100644 index 00000000000..5d882fad38d --- /dev/null +++ b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: fedora + +title: 'Install GNOME software' + +description: |- + {{{ describe_package_install(package="gnome-software") }}} + +rationale: 'The GNOME software package must be installed so that it can be used for software and firmware updates.' + +severity: medium + +references: + cusp_fedora: 3.2 + +ocil_clause: 'the package is not installed' + +ocil: '{{{ ocil_package(package="gnome-software") }}}' + +fixtext: |- + {{{ describe_package_install("gnome-software") }}} + +template: + name: package_installed + vars: + pkgname: gnome-software From 71ad3d580b83fe7d620e50462cbc980f328f3cac Mon Sep 17 00:00:00 2001 From: j-ode Date: Wed, 22 Mar 2023 16:53:12 +0100 Subject: [PATCH 11/46] Remove misplaced rule in 3.4 --- controls/cusp_fedora.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 856d2967b61..4c1e4eefc54 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -123,5 +123,4 @@ controls: - configure_kerberos_crypto_policy - configure_libreswan_crypto_policy - configure_openssl_crypto_policy - - configure_openssl_tls_crypto_policy - configure_ssh_crypto_policy From d64d95d73dc2e0a1c022cf4bec9b4b5890eeb041 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 16:21:04 +0200 Subject: [PATCH 12/46] Add rule 3.6 --- controls/cusp_fedora.yml | 51 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 4c1e4eefc54..dac0eaee7ba 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
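Review bot: `references: cusp_fedora: 3.2` introduces a new reference key, and the build validates reference keys against the product's `reference_uris` (products/fedora/product.yml) and the global reference list; unless `cusp_fedora` is registered there — not visible in this series — the rule will be rejected. The `rationale` restates the title rather than the security reason; something like `GNOME Software is the path through which this policy expects desktop users to receive and apply security updates for packages, Flatpaks and firmware; without it updates depend on manual dnf use.` is what a reader needs. For consistency with `description`, `fixtext` should also pass the package as a keyword: `{{{ describe_package_install(package="gnome-software") }}}`.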
@@ -124,3 +124,54 @@ controls: - configure_libreswan_crypto_policy - configure_openssl_crypto_policy - configure_ssh_crypto_policy + +- id: 3.6 + title: Files, permissions, and ownership + description: >- + user and critical system file permissions and ownership, user identifiers, + status: partial + rules: + # file config + - dir_perms_world_writable_sticky_bits + - file_permissions_unauthorized_world_writable + - no_files_unowned_by_user + - file_permissions_ungroupowned + # permission and ownership of critical files + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + - file_groupowner_etc_shadow + - file_owner_etc_shadow + - file_permissions_etc_shadow + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - file_permissions_etc_gshadow + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow + # user and group config + - no_empty_passwords_etc_shadow + - gid_passwd_group_same + - account_unique_id + - group_unique_id + - account_unique_name + - group_unique_name + - accounts_root_path_dirs_no_write + - accounts_no_uid_except_zero + - user_interactive_home_directory_exists + - file_ownership_home_directories + - file_groupownership_home_directories + - file_permissions_home_directories + - user_dot_no_world_writable_programs From 3ab8d34451ae7b70e8b2ab084974e7eb6d910115 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 17:26:04 +0200 Subject: [PATCH 13/46] Add rule 3.7 --- controls/cusp_fedora.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) 
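Review bot: `- id: 3.6` is added at column 0 (`+- id: 3.6`) whereas every other control is indented under `controls:` (`+  - id: ...`); a block-sequence entry at a shallower indent ends the `controls` sequence, so the YAML loader will either raise a parse error or silently drop this control — indent it like its siblings. The description `user and critical system file permissions and ownership, user identifiers,` is a trailing-comma fragment; a statement that matches the rule list would be `Critical system files and home directories have correct ownership and permissions, and no world-writable files, unowned files, duplicate UIDs/GIDs or empty passwords exist.`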
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index dac0eaee7ba..7f8c2459a5d 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -175,3 +175,13 @@ controls: - file_groupownership_home_directories - file_permissions_home_directories - user_dot_no_world_writable_programs + + - id: 3.7 + title: Memory protection + description: >- + enable ASLR and ExecShield, restrict exposed kernel pointer + status: automated + rules: + - sysctl_kernel_randomize_va_space + - sysctl_kernel_exec_shield + - sysctl_kernel_kptr_restrict From b101bdbf2f02a6c7b92dc2ad1f71a97dd5a73ec4 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 17:45:15 +0200 Subject: [PATCH 14/46] Add rule 3.8 --- controls/cusp_fedora.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 7f8c2459a5d..ac840a2406a 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -185,3 +185,20 @@ controls: - sysctl_kernel_randomize_va_space - sysctl_kernel_exec_shield - sysctl_kernel_kptr_restrict + + - id: 3.8 + title: GUI configuration + description: >- + + status: automated + rules: + - dconf_gnome_disable_user_list + - gnome_gdm_disable_xdmcp + - gdm_disable_automatic_login + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_user_locks + - dconf_gnome_session_idle_user_locks + + From a5b2cd6eb327bf4b22bf709fc844317a5a1d8fba Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 17:48:53 +0200 Subject: [PATCH 15/46] Update cusp_fedora.yml --- controls/cusp_fedora.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index ac840a2406a..b16134502b5 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
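Review bot: `sysctl_kernel_exec_shield` targets `kernel.exec-shield`, a Red Hat-era sysctl that does not exist in current Fedora kernels, so on this product the check cannot pass as a sysctl test and a remediation would write an unknown key; if the Fedora variant of the rule instead tests the NX bit, it is redundant with the 64-bit requirement in control 1.3 — either way it should be dropped. If the control is meant to cover memory-protection sysctls more broadly, `sysctl_kernel_dmesg_restrict` and `sysctl_kernel_yama_ptrace_scope` are the usual companions of `kptr_restrict` for a desktop. The description should also be a statement (`Enable address-space layout randomisation and restrict exposure of kernel pointers.`) rather than a note.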
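Review bot: The screensaver rules `dconf_gnome_screensaver_idle_delay` and `dconf_gnome_screensaver_lock_delay` are variable-driven (`inactivity_timeout_value` and `var_screensaver_lock_delay`, if I recall the variable ids correctly) and this control pins neither, so the enforced timeout is whatever the content's default happens to be; select explicit values such as `inactivity_timeout_value=15_minutes` and `var_screensaver_lock_delay=5_seconds` so the policy is reproducible. For a common-user desktop, `dconf_gnome_disable_automount_open` (do not auto-open inserted media) is the usual companion of these rules and is missing.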
@@ -189,7 +189,7 @@ controls: - id: 3.8 title: GUI configuration description: >- - + do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings status: automated rules: - dconf_gnome_disable_user_list From 7c757ba2c7173c6349ff730f7b965af6a6249fe6 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 18:22:18 +0200 Subject: [PATCH 16/46] Add rule 3.9 --- controls/cusp_fedora.yml | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index b16134502b5..9ac6eee70b9 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -201,4 +201,41 @@ controls: - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - + - id: 3.9 + title: Time and schedulers + description: >- + chrony and time-based scheduler security configuration + status: automated + rules: + # chrony + - chronyd_client_only + - chronyd_no_chronyc_network + - chronyd_or_ntpd_set_maxpoll + - chronyd_run_as_chrony_user + - chronyd_specify_remote_server + # schedulers + - service_crond_enabled + - file_owner_crontab + - file_groupowner_crontab + - file_permissions_crontab + - file_owner_cron_hourly + - file_groupowner_cron_hourly + - file_permissions_cron_hourly + - file_owner_cron_daily + - file_groupowner_cron_daily + - file_permissions_cron_daily + - file_owner_cron_weekly + - file_groupowner_cron_weekly + - file_permissions_cron_weekly + - file_owner_cron_monthly + - file_groupowner_cron_monthly + - file_permissions_cron_monthly + - file_owner_cron_d + - file_groupowner_cron_d + - file_permissions_cron_d + - file_owner_cron_allow + - file_groupowner_cron_allow + - file_permissions_cron_allow + - file_owner_at_allow + - file_groupowner_at_allow + - file_permissions_at_allow From 1bcdf06056d343c670175c759f65841d487159af Mon Sep 17 00:00:00 2001 
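Review bot: The new description still reads like a to-do note and contains a typo (`xdmpc` for XDMCP); as the text that ends up in the rendered policy it should be a statement, e.g. `The login screen must not list user accounts, XDMCP and automatic login are disabled, the session locks after a period of inactivity, and users cannot override these settings.`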
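Review bot: `chronyd_or_ntpd_set_maxpoll` is driven by `var_time_service_set_maxpoll`, which this control does not select, so the enforced maxpoll depends on the content's default rather than on the policy; add e.g. `var_time_service_set_maxpoll=10` next to the rule with whatever value the thesis intends. The `cron.allow`/`at.allow` permission rules are only meaningful once those files exist, and on a default Fedora install they do not, so these checks will pass vacuously or fail depending on how the check treats a missing file; if the policy wants cron/at restricted to an allow-list, say so in the description and select the rule that creates the files.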
From: j-ode Date: Tue, 28 Mar 2023 19:02:43 +0200 Subject: [PATCH 17/46] Add rule 3.6 --- controls/cusp_fedora.yml | 79 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 9ac6eee70b9..c29b9559bbc 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
@@ -125,6 +125,85 @@ controls: - configure_openssl_crypto_policy - configure_ssh_crypto_policy + - id: 3.5 + title: Auditing and logging + description: >- + auditd and journald configutation + status: automated + rules: + # auditd config + - package_audit_installed + - service_auditd_enabled + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - auditd_data_retention_max_log_file + - var_auditd_max_log_file=6 + - auditd_data_retention_max_log_file_action + - var_auditd_max_log_file_action=rotate + # auditd rules + - audit_rules_sysadmin_actions + - audit_rules_suid_privilege_function + - audit_sudo_log_events + - audit_rules_time_adjtimex + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_watch_localtime + - audit_rules_networkconfig_modification + - audit_rules_privileged_commands + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - 
audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_media_export + - audit_rules_session_events + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share + - audit_rules_execution_chcon + - audit_rules_execution_setfacl + - audit_rules_execution_chacl + - audit_rules_privileged_commands_usermod + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_init + - audit_rules_privileged_commands_insmod + - audit_rules_privileged_commands_modprobe + - audit_rules_privileged_commands_rmmod + - audit_rules_immutable + # journald config + - socket_systemd-journal-remote_disabled + - service_systemd-journald_enabled + - journald_compress + - id: 3.6 title: Files, permissions, and ownership description: >- From a29535c7a3bcae1fd0b2e00e700f1177650cd66f Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 28 Mar 2023 19:03:28 +0200 Subject: [PATCH 18/46] Add journald rule to 3.6 --- controls/cusp_fedora.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index c29b9559bbc..f73e2be0e19 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -203,6 +203,7 @@ controls: - socket_systemd-journal-remote_disabled - service_systemd-journald_enabled - journald_compress + - journald_storage - id: 3.6 title: Files, permissions, and ownership From b176e96d27b58dc983c5b8f544af8ab52b62f05d Mon Sep 17 00:00:00 2001 
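Review bot: Five rules are listed twice under `# auditd rules` — `audit_rules_unsuccessful_file_modification_creat`, `_ftruncate`, `_open`, `_openat` and `_truncate` each appear in two consecutive runs; remove the second run (the loader may tolerate duplicates, but they inflate the rule count and hide real omissions). `audit_rules_immutable` (`-e 2`) makes every later audit-rule change require a reboot, which sits oddly in a policy for users who tune their own desktop; if it stays, the description should say `Audit rules are locked and changes take effect only after a reboot.` `var_auditd_max_log_file=6` with `rotate` and an unpinned `num_logs` gives a small, content-default-dependent retention window; state the intended retention or also select `auditd_data_retention_num_logs` with `var_auditd_num_logs`.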
From: j-ode Date: Wed, 29 Mar 2023 17:21:06 +0200 Subject: [PATCH 19/46] Add rule 4.1 --- controls/cusp_fedora.yml | 48 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index f73e2be0e19..8d92126a253 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
@@ -319,3 +319,51 @@ controls: - file_owner_at_allow - file_groupowner_at_allow - file_permissions_at_allow +### +### 4. User access and control +### + - id: 4.1 + title: Account protection + description: >- + All account passwords must be passphrases of at least 4 words and 15 characters with at least three character classes, generated with a large wordlist and a source of randomness. + status: partial + rules: + - no_empty_passwords + - accounts_passwords_pam_faillock_deny + - set_password_hashing_algorithm_systemauth + - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=SHA512 + - no_password_auth_for_systemaccounts + - accounts_tmout + - var_accounts_tmout=15_min + - accounts_root_gid_zero + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 + - account_password_selinux_faillock_dir + - rule_enable_authselect + # password requirements + - accounts_password_pam_pwquality_password_auth + - accounts_password_pam_pwquality_system_auth + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_retry + - var_password_pam_minclass=3 + - var_password_pam_minlen=15 + # account lockout + - accounts_passwords_pam_faillock_dir + - accounts_passwords_pam_faillock_deny + - var_accounts_passwords_pam_faillock_deny=3 + - accounts_passwords_pam_faillock_unlock_time + - var_accounts_passwords_pam_faillock_unlock_time=900 + # password reuse + - accounts_password_pam_pwhistory_remember_password_auth + - accounts_password_pam_pwhistory_remember_system_auth + - var_password_pam_remember_control_flag=requisite_or_required + - var_password_pam_remember=5 + - accounts_password_pam_difok + - var_password_pam_difok=8 + From 7240834badaa123b658822b3067a40eab2645d38 Mon Sep 17 00:00:00 2001 
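Review bot: `var_password_hashing_algorithm=SHA512` regresses Fedora's default: since Fedora 35 `login.defs` and authselect hash with yescrypt, so remediating to SHA512 replaces a memory-hard hash with a weaker one. If the content's variable offers a yescrypt option select it, otherwise drop the three `set_password_hashing_algorithm_*` rules and the variable and let the distro default stand (say so in the description). `accounts_passwords_pam_faillock_deny` is listed twice (top of the list and under `# account lockout`). The description promises passphrases of at least four words from a large wordlist, which no selected rule can verify — pwquality enforces only `minlen=15`/`minclass=3` — so the wordlist requirement should be called out as the manual part of this `partial` control.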
From: j-ode Date: Wed, 29 Mar 2023 17:46:01 +0200 Subject: [PATCH 20/46] Add rule 4.2 and update 3.5 to audit sudo config --- controls/cusp_fedora.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 8d92126a253..f1627c264ae 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -140,6 +140,7 @@ controls: - var_auditd_max_log_file=6 - auditd_data_retention_max_log_file_action - var_auditd_max_log_file_action=rotate + - audit_rules_immutable # auditd rules - audit_rules_sysadmin_actions - audit_rules_suid_privilege_function @@ -198,7 +199,8 @@ controls: - audit_rules_privileged_commands_insmod - audit_rules_privileged_commands_modprobe - audit_rules_privileged_commands_rmmod - - audit_rules_immutable + - audit_rules_sudoers + - audit_rules_sudoers_d # journald config - socket_systemd-journal-remote_disabled - service_systemd-journald_enabled @@ -367,3 +369,17 @@ controls: - accounts_password_pam_difok - var_password_pam_difok=8 + - id: 4.2 + title: Sudo + description: >- + secure sudo configuration + status: automated + rules: + - package_sudo_installed + - sudo_add_use_pty + - sudo_custom_logfile + - sudo_require_authentication + - sudo_require_reauthentication + - use_pam_wheel_for_su + - sudoers_default_includedir + From f65fa3465bbbbf9a613082dd3dc32190c8ac3802 Mon Sep 17 00:00:00 2001 From: j-ode Date: Wed, 29 Mar 2023 19:31:32 +0200 Subject: [PATCH 21/46] Add rule 4.3 --- controls/cusp_fedora.yml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index f1627c264ae..5fbaa59c92e 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
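Review bot: Control 4.2 does not select `sudo_remove_nopasswd` or `sudo_remove_no_authenticate`, so a `NOPASSWD:` or `!authenticate` entry in `/etc/sudoers` or `/etc/sudoers.d/` — the most common way sudo is weakened on a single-user desktop — passes this control unless `sudo_require_authentication` already covers those patterns; add both rules. `sudo_custom_logfile` is driven by `var_sudo_logfile`, which is not pinned here, so select the intended path option so the check is deterministic. The description `secure sudo configuration` should state what is required: `sudo is installed, always asks for the user's password, re-authenticates after the timeout, logs to a dedicated file, and su is limited to the wheel group.`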
@@ -383,3 +383,40 @@ controls: - use_pam_wheel_for_su - sudoers_default_includedir + - id: 4.3 + title: SSH Server + description: >- + secure ssh server configuration + status: automated + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + - file_permissions_sshd_private_key + - file_permissions_sshd_pub_key + - sshd_limit_user_access + - sshd_set_loglevel_verbose + - sshd_enable_pam + - sshd_disable_root_login + - disable_host_auth + - sshd_disable_empty_passwords + - sshd_do_not_permit_user_env + - sshd_disable_rhosts + - sshd_disable_x11_forwarding + - sshd_disable_tcp_forwarding + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + - sshd_set_max_sessions + - var_sshd_max_sessions=10 + - sshd_set_login_grace_time + - var_sshd_set_login_grace_time=60 + - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=0 + - sshd_x11_use_localhost + - sshd_disable_kerb_auth + - sshd_disable_gssapi_auth + - sshd_enable_strictmodes From b3f50c82051baeb6a511ffe7d10ca5f0bb6a5ca1 Mon Sep 17 00:00:00 2001 From: j-ode Date: Wed, 29 Mar 2023 19:46:06 +0200 Subject: [PATCH 22/46] Add rules to 4.3 --- controls/cusp_fedora.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 5fbaa59c92e..91f62186342 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -420,3 +420,7 @@ controls: - sshd_disable_kerb_auth - sshd_disable_gssapi_auth - sshd_enable_strictmodes + - sshd_rekey_limit + - var_rekey_limit_size='1G' + - var_rekey_limit_time='1h' + - sshd_use_strong_rng From 0f74106ba00cd82c82e1240b0f1ccc18f6a38947 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 4 Apr 2023 11:07:50 +0200 Subject: [PATCH 23/46] Add rule 3.10 --- controls/cusp_fedora.yml | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) 
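Review bot: `var_sshd_set_keepalive=0` defeats the idle timeout it is paired with: since OpenSSH 8.2, `ClientAliveCountMax 0` disables connection termination, so with `ClientAliveInterval` at 15 minutes an idle session is never closed on a current Fedora sshd. Use `var_sshd_set_keepalive=1` (one missed keepalive ends the session). The description should also say that these rules apply only when `openssh-server` is installed and enabled, since the target is a desktop where most users run no sshd, and the rules should be confirmed to be platform-guarded so they do not report failures on systems without `sshd_config`.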
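Review bot: `var_rekey_limit_size='1G'` and `var_rekey_limit_time='1h'` are plain scalars, so the apostrophes become part of the selection value and `'1G'` will not match any option of the variable (every other selection in this file is written unquoted, e.g. `var_sshd_max_sessions=10`); write `- var_rekey_limit_size=1G` and `- var_rekey_limit_time=1h`.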
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 91f62186342..e790828ed7a 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -283,7 +283,7 @@ controls: - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - - id: 3.9 + - id: 3.9 title: Time and schedulers description: >- chrony and time-based scheduler security configuration @@ -321,6 +321,40 @@ controls: - file_owner_at_allow - file_groupowner_at_allow - file_permissions_at_allow + + - id: 3.10 + title: Service and package minimization + description: >- + The user should remove any services that are not necessary for normal system usage. + status: partial + rules: + - package_xinetd_removed + - package_dhcp_removed + - package_bind_removed + - package_vsftpd_removed + - package_tftp-server_removed + - package_tftp_removed + - package_httpd_removed + - package_nginx_removed + - package_cyrus-imapd_removed + - package_dovecot_removed + - package_samba_removed + - package_squid_removed + - package_net-snmp_removed + - package_ypserv_removed + - package_telnet_removed + - package_telnet-server_removed + - postfix_network_listening_disabled + - service_nfs_disabled + - service_rpcbind_disabled + - package_rsync_removed + - package_rsh_removed + - package_rsh-server_removed + - package_sendmail_removed + - package_ypbind_removed + - package_ypserv_removed + - package_talk-server_removed + - package_talk_removed ### ### 4. User access and control ### From 8d310b0575773182dfbafb6ed019abd2c3e393b1 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 4 Apr 2023 11:08:31 +0200 Subject: [PATCH 24/46] Fix rule 3.10 title --- controls/cusp_fedora.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index e790828ed7a..fa64645b1eb 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
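Review bot: `- id: 3.10` is a plain scalar that YAML loads as the float 3.1 — the same value as control 3.1 — so unless the project's loader keeps scalars as strings the two controls collide and the rendered policy shows 3.1 twice; quote it as `- id: '3.10'`, and ideally quote every id in the file. `package_ypserv_removed` is listed twice in this hunk. `package_rsync_removed` removes the rsync client that desktop users rely on; Fedora ships the daemon separately as `rsync-daemon`, so a daemon-specific removal rule is the better fit if the content provides one.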
@@ -323,7 +323,7 @@ controls: - file_permissions_at_allow - id: 3.10 - title: Service and package minimization + title: Service minimization description: >- The user should remove any services that are not necessary for normal system usage. status: partial From 564e59d0504d31780afaf4e3185b60b14c19e401 Mon Sep 17 00:00:00 2001 From: j-ode Date: Tue, 4 Apr 2023 18:32:28 +0200 Subject: [PATCH 25/46] Add rule 5.1 --- controls/cusp_fedora.yml | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index fa64645b1eb..b3687c8322f 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
@@ -458,3 +458,53 @@ controls: - var_rekey_limit_size='1G' - var_rekey_limit_time='1h' - sshd_use_strong_rng +### +### 5. Networking +### + - id: 5.1 + title: General network configuration + description: >- + If the user did not configure IPv6 on the system and it is not needed, it should be disabled. + status: partial + rules: + - kernel_module_sctp_disabled + - kernel_module_dccp_disabled + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding + - sysctl_net_ipv6_conf_all_forwarding_value=disabled + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_net_ipv4_conf_default_log_martians_value=enabled + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + 
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + - sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv4_tcp_syncookies_value=enabled From 041d13c8425906486df65e1c644bd3add38067ea Mon Sep 17 00:00:00 2001 From: j-ode Date: Wed, 5 Apr 2023 16:12:14 +0200 Subject: [PATCH 26/46] Add rule 5.2 --- controls/cusp_fedora.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index b3687c8322f..f4dfe8fecad 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -508,3 +508,14 @@ controls: - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_tcp_syncookies_value=enabled + + - id: 5.2 + title: Firewall configuration + description: >- + Users should ensure that all network interfaces are in the appropriate firewall zone and that ports and services allowed by the firewall are reduced to the necessary minimum. + status: partial + rules: + - package_firewalld_installed + - service_nftables_disabled + - service_firewalld_enabled + From 9e0e586487b871bd8fedf3837ec318e23e3e01d7 Mon Sep 17 00:00:00 2001 From: j-ode Date: Thu, 6 Apr 2023 19:15:49 +0200 Subject: [PATCH 27/46] Add placeholder for rule 6.1 --- controls/cusp_fedora.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index f4dfe8fecad..eea239a59d5 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
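Review bot: The 5.1 description only talks about disabling unused IPv6, yet none of the selected rules disables IPv6; what the rules do enforce (SCTP/DCCP module blacklisting, no forwarding, no ICMP redirects or source routing, martian logging, rp_filter, SYN cookies) is not mentioned anywhere. Either add a rule that disables IPv6 when unused, or reword the description to cover the real scope, e.g. `Kernel network hardening: disable unused transport protocols (SCTP, DCCP), IP forwarding, ICMP redirects and source routing; log martian packets and enable reverse-path filtering and SYN cookies. If IPv6 is not configured and not needed, the user should disable it.` As a caveat worth noting in the control, if a user follows the advice and disables IPv6, the `sysctl_net_ipv6_*` selections presumably can no longer be evaluated as passing on that host, so the `partial` status should say which part is manual.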
@@ -518,4 +518,20 @@ controls: - package_firewalld_installed - service_nftables_disabled - service_firewalld_enabled - +### +### 6. User applications +### + - id: 6.1 + title: Web browser + description: >- + + status: partial + rules: + - firefox_policy-autoplay_video + - firefox_policy-cryptomining + - firefox_policy-enhanced_tracking # locked = bad + - firefox_policy-fingerprinting_protection + - firefox_policy-javascript_window_changes # locked = bad + - firefox_policy-javascript_window_resizing # locked = bad + - firefox_policy-pop-up_windows # locked = bad + - firefox_policy-ssl_minimum_version From d949cc5aed7548485d8a1668c38b7276e57a5cb1 Mon Sep 17 00:00:00 2001 From: Jiri Odehnal Date: Tue, 11 Apr 2023 11:13:39 +0200 Subject: [PATCH 28/46] Add CaC rule to rule 6.1, add rules 6.2, 7.1, 7.2 --- controls/cusp_fedora.yml | 31 ++++++++++++++++- .../firefox_policy-content_blocker/rule.yml | 33 +++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index eea239a59d5..c5aa701f15e 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -524,7 +524,7 @@ controls: - id: 6.1 title: Web browser description: >- - + The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. status: partial rules: - firefox_policy-autoplay_video 
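Review bot: The four `# locked = bad` annotations on the Firefox selections do not say what is locked or why that is bad, so the next editor cannot tell whether these rules should stay, be modified or be dropped. I read them as meaning that the corresponding policy is enforced with the Firefox "locked" flag, which prevents the user from changing the setting, and that this is undesirable for a common-user profile; if so, say that in one comment above the list, e.g. `# NOTE: the following rules lock the policy so the user cannot override it in Firefox; confirm this is wanted for a user-oriented profile`. The `firefox_policy-*` rules also live under `products/firefox/guide`, not under the `linux_os` benchmark root the fedora product uses, so unless that directory is made visible to the fedora build these selections will presumably not resolve.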
@@ -535,3 +535,32 @@ controls: - firefox_policy-javascript_window_resizing # locked = bad - firefox_policy-pop-up_windows # locked = bad - firefox_policy-ssl_minimum_version + - firefox_policy-content_blocker + + - id: 6.2 + title: Password management + description: >- + Users should install the Bitwarden AppImage from the Bitwarden site and use it to generate and store passwords for online accounts. + status: manual +### +### 7. Advanced security features +### + - id: 7.1 + title: Mandatory Access Control + description: >- + The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. + status: partial + rules: + - package_libselinux_installed + - grub2_enable_selinux + - selinux_policytype + - selinux_state + - mcstrans_removed + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + + - id: 7.2 + title: Periodic compliance scans + description: >- + Users should perform periodic system scans and remediations with the Common User Security Profile by using the oscap tool or SCAP Workbench. + status: manual \ No newline at end of file diff --git a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml new file mode 100644 index 00000000000..8edfe782afa --- /dev/null +++ b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml 
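Review bot: The description of 7.1 "Mandatory Access Control" is a copy of the 6.1 web browser text ("The user should install the Firefox Flatpak from FlatHub...") and has nothing to do with the SELinux rules selected below it; replace it with something like `SELinux must be enabled in enforcing mode with the targeted policy, and the kernel must protect hardlinks and symlinks.` For 6.2, telling users to download the Bitwarden AppImage from the vendor site gives them a binary that is not verified or updated by any package manager, so the control should at least say to verify the vendor's checksum or signature and to keep it updated manually, or point to a packaged alternative. In 7.2 the text says "Common User Security Profile" while the policy's title uses "Policy"; pick one term so the user knows what to select in the scanner.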
@@ -0,0 +1,33 @@ +documentation_complete: true + +prodtype: firefox,fedora + +title: 'Ensure the content blocker uBlock Origin is installed' + +description: |- + The uBlock Origin will be installed automatically by configuring Firefox policy, and updates will be enabled. It can also be installed through the Mozilla Add-Ons store at https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/. + +rationale: |- + The content blocking feature of uBlock Origin stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the lists uBlock Origin uses, then the content will not be loaded from that site. + This may prevent malicious ads from confusing users and concealing the page contents, as well as the loading of content that may contain malware. +severity: medium + +#references: +# cusp_fedora: 6.1 + +ocil: |- + To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, + type the following into the browser address bar: +
about:policies
+ The output should have the following under ExtensionSettings: +
"uBlock0@raymondhill.net": {
+
"    "installation_mode":"normal_installed",
+
"    "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
+
"    "updates_disabled":false}
+ +template: + name: firefox_policy-setting + vars: + name: Ensure the content blocker uBlock Origin is installed + policies: + - {path: "ExtensionSettings", parameter: "uBlock0@raymondhill.net", value: '{"installation_mode":"normal_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi","updates_disabled":false}'} From a26283c2b9d1d6514230cedcced455e48be1c8aa Mon Sep 17 00:00:00 2001 From: Jiri Odehnal Date: Tue, 11 Apr 2023 11:15:36 +0200 Subject: [PATCH 29/46] test - enable fedora product build with cusp_fedora profile --- .../updating/package_gnome_software_installed/rule.yml | 4 ++-- products/fedora/product.yml | 2 ++ products/fedora/profiles/cusp_fedora.profile | 9 +++++++++ .../guide/firefox/firefox_policy-autoplay_video/rule.yml | 2 +- 4 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 products/fedora/profiles/cusp_fedora.profile diff --git a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml index 5d882fad38d..259241c4a23 100644 --- a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml +++ b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml @@ -11,8 +11,8 @@ rationale: 'The GNOME software package must be installed so that it can be used severity: medium -references: - cusp_fedora: 3.2 +#references: +# cusp_fedora: 3.2 ocil_clause: 'the package is not installed' diff --git a/products/fedora/product.yml b/products/fedora/product.yml index 3508fd3d268..415b5b0ab66 100644 --- a/products/fedora/product.yml +++ b/products/fedora/product.yml @@ -4,6 +4,8 @@ type: platform benchmark_id: FEDORA benchmark_root: "../../linux_os/guide" +additional_content_directories: + - "products/firefox/guide" profiles_root: "./profiles" 
diff --git a/products/fedora/profiles/cusp_fedora.profile b/products/fedora/profiles/cusp_fedora.profile new file mode 100644 index 00000000000..4debb0776e4 --- /dev/null +++ b/products/fedora/profiles/cusp_fedora.profile @@ -0,0 +1,9 @@ +documentation_complete: true + +title: 'CUSP - Common User Security Profile for Fedora Workstation' + +description: |- + To be added later. + +selections: + - cusp_fedora:all \ No newline at end of file diff --git a/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml b/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml index 8419986f533..532086b6033 100644 --- a/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml +++ b/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: firefox +prodtype: firefox,fedora title: 'Firefox autoplay must be disabled.' From 6e488fd50dbdb0ad1883037570ecd5ad562d3fa0 Mon Sep 17 00:00:00 2001 From: Jiri Odehnal Date: Tue, 11 Apr 2023 16:28:16 +0200 Subject: [PATCH 30/46] Fix YAML errors --- controls/cusp_fedora.yml | 122 +++++++++++++++++++-------------------- 1 file changed, 61 insertions(+), 61 deletions(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index c5aa701f15e..8d7cff83d5a 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
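Review bot: The new profile sets `documentation_complete: true` while its `description` is the placeholder "To be added later.", which contradicts the flag and will publish the placeholder in the generated guide. Either set `documentation_complete: false` until the text exists, or write the description now, e.g. `Security baseline for a single-user Fedora Workstation, derived from the Fedora Common User Security Policy; automated checks cover bootloader, filesystem, crypto policy, auditing, accounts, SSH, networking and SELinux, while hardware, installation and application controls are manual.` The file is also missing a trailing newline.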
@@ -6,55 +6,55 @@ version: '1.0.0' source: TBD controls: -### -### 1. Hardware and its configuration -### + ### + ### 1. Hardware and its configuration + ### - id: 1.1 title: Protection of the BIOS or UEFI description: >- Users should protect their BIOS or UEFI with a password. status: manual - + - id: 1.2 title: Proper BIOS or UEFI configuration description: >- Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order. status: manual - + - id: 1.3 title: 64-bit OS description: >- When possible, users should use a 64-bit system and hardware that supports it. status: manual - ### - ### 2. System installation - ### + ### + ### 2. System installation + ### - id: 2.1 title: Security policy selection description: >- Users should apply the “Fedora Common User Security Policy” in the installer. status: manual - + - id: 2.2 title: Disk partitioning description: >- Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions. - status: manual - + status: manual + - id: 2.3 title: Password security description: >- Users should ensure that all account passwords adhere to the password rules in rule 4.1. status: manual - + - id: 2.4 title: Disk encryption description: >- Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1. status: manual -### -### 3. General system configuration -### + ### + ### 3. General system configuration + ### - id: 3.1 title: Bootloader security description: >- @@ -68,7 +68,7 @@ controls: - file_owner_user_cfg - file_permissions_grub2_cfg - file_permissions_user_cfg - - grub2_password # only check + - grub2_password # only check # UEFI - file_groupowner_efi_grub2_cfg - file_groupowner_efi_user_cfg 
@@ -76,7 +76,7 @@ controls: - file_owner_efi_user_cfg - file_permissions_efi_grub2_cfg - file_permissions_efi_user_cfg - - grub2_uefi_password # only check + - grub2_uefi_password # only check - id: 3.2 title: Software updates @@ -85,12 +85,12 @@ controls: status: partial rules: - package_gnome_software_installed - + - id: 3.3 title: Filesystem configuration description: >- /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration - status: automatic + status: automated rules: - mount_option_home_nodev - mount_option_home_nosuid @@ -114,7 +114,7 @@ controls: title: Crypto policy description: >- system cryto policy configuation and ensuring it is not overridden in critical components - status: automatic + status: automated rules: - configure_crypto_policy - var_system_crypto_policy=default_policy @@ -130,7 +130,7 @@ controls: description: >- auditd and journald configutation status: automated - rules: + rules: # auditd config - package_audit_installed - service_auditd_enabled @@ -207,18 +207,18 @@ controls: - journald_compress - journald_storage -- id: 3.6 + - id: 3.6 title: Files, permissions, and ownership description: >- - user and critical system file permissions and ownership, user identifiers, + user and critical system file permissions and ownership, user identifiers, status: partial - rules: - # file config + rules: + # file config - dir_perms_world_writable_sticky_bits - file_permissions_unauthorized_world_writable - no_files_unowned_by_user - file_permissions_ungroupowned - # permission and ownership of critical files + # permission and ownership of critical files - file_groupowner_etc_passwd - file_owner_etc_passwd - file_permissions_etc_passwd 
@@ -240,10 +240,10 @@ controls: - file_groupowner_backup_etc_group - file_owner_backup_etc_group - file_permissions_backup_etc_group - - file_groupowner_backup_etc_gshadow + - file_groupowner_backup_etc_gshadow - file_owner_backup_etc_gshadow - file_permissions_backup_etc_gshadow - # user and group config + # user and group config - no_empty_passwords_etc_shadow - gid_passwd_group_same - account_unique_id @@ -263,7 +263,7 @@ controls: description: >- enable ASLR and ExecShield, restrict exposed kernel pointer status: automated - rules: + rules: - sysctl_kernel_randomize_va_space - sysctl_kernel_exec_shield - sysctl_kernel_kptr_restrict @@ -273,7 +273,7 @@ controls: description: >- do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings status: automated - rules: + rules: - dconf_gnome_disable_user_list - gnome_gdm_disable_xdmcp - gdm_disable_automatic_login @@ -282,20 +282,20 @@ controls: - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - + - id: 3.9 title: Time and schedulers description: >- chrony and time-based scheduler security configuration status: automated - rules: - # chrony + rules: + # chrony - chronyd_client_only - chronyd_no_chronyc_network - chronyd_or_ntpd_set_maxpoll - chronyd_run_as_chrony_user - chronyd_specify_remote_server - # schedulers + # schedulers - service_crond_enabled - file_owner_crontab - file_groupowner_crontab @@ -321,13 +321,13 @@ controls: - file_owner_at_allow - file_groupowner_at_allow - file_permissions_at_allow - + - id: 3.10 title: Service minimization description: >- - The user should remove any services that are not necessary for normal system usage. + The user should remove any services that are not necessary for normal system usage. status: partial - rules: + rules: - package_xinetd_removed - package_dhcp_removed - package_bind_removed 
@@ -355,9 +355,9 @@ controls: - package_ypserv_removed - package_talk-server_removed - package_talk_removed -### -### 4. User access and control -### + ### + ### 4. User access and control + ### - id: 4.1 title: Account protection description: >- @@ -380,7 +380,7 @@ controls: - var_accounts_user_umask=027 - account_password_selinux_faillock_dir - rule_enable_authselect - # password requirements + # password requirements - accounts_password_pam_pwquality_password_auth - accounts_password_pam_pwquality_system_auth - accounts_password_pam_maxrepeat @@ -389,20 +389,20 @@ controls: - accounts_password_pam_retry - var_password_pam_minclass=3 - var_password_pam_minlen=15 - # account lockout + # account lockout - accounts_passwords_pam_faillock_dir - accounts_passwords_pam_faillock_deny - var_accounts_passwords_pam_faillock_deny=3 - accounts_passwords_pam_faillock_unlock_time - var_accounts_passwords_pam_faillock_unlock_time=900 - # password reuse + # password reuse - accounts_password_pam_pwhistory_remember_password_auth - accounts_password_pam_pwhistory_remember_system_auth - var_password_pam_remember_control_flag=requisite_or_required - var_password_pam_remember=5 - accounts_password_pam_difok - var_password_pam_difok=8 - + - id: 4.2 title: Sudo description: >- @@ -416,7 +416,7 @@ controls: - sudo_require_reauthentication - use_pam_wheel_for_su - sudoers_default_includedir - + - id: 4.3 title: SSH Server description: >- @@ -455,12 +455,12 @@ controls: - sshd_disable_gssapi_auth - sshd_enable_strictmodes - sshd_rekey_limit - - var_rekey_limit_size='1G' - - var_rekey_limit_time='1h' + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour - sshd_use_strong_rng -### -### 5. Networking -### + ### + ### 5. Networking + ### - id: 5.1 title: General network configuration description: >- 
@@ -518,9 +518,9 @@ controls: - package_firewalld_installed - service_nftables_disabled - service_firewalld_enabled -### -### 6. User applications -### + ### + ### 6. User applications + ### - id: 6.1 title: Web browser description: >- @@ -529,11 +529,11 @@ controls: rules: - firefox_policy-autoplay_video - firefox_policy-cryptomining - - firefox_policy-enhanced_tracking # locked = bad + - firefox_policy-enhanced_tracking # locked = bad - firefox_policy-fingerprinting_protection - - firefox_policy-javascript_window_changes # locked = bad - - firefox_policy-javascript_window_resizing # locked = bad - - firefox_policy-pop-up_windows # locked = bad + - firefox_policy-javascript_window_changes # locked = bad + - firefox_policy-javascript_window_resizing # locked = bad + - firefox_policy-pop-up_windows # locked = bad - firefox_policy-ssl_minimum_version - firefox_policy-content_blocker @@ -542,9 +542,9 @@ controls: description: >- Users should install the Bitwarden AppImage from the Bitwarden site and use it to generate and store passwords for online accounts. status: manual -### -### 7. Advanced security features -### + ### + ### 7. Advanced security features + ### - id: 7.1 title: Mandatory Access Control description: >- @@ -563,4 +563,4 @@ controls: title: Periodic compliance scans description: >- Users should perform periodic system scans and remediations with the Common User Security Profile by using the oscap tool or SCAP Workbench. - status: manual \ No newline at end of file + status: manual From c51c90dc6c5fd04a60b64802ea2572c4c8dde5b0 Mon Sep 17 00:00:00 2001 
From: Jiri Odehnal Date: Fri, 14 Apr 2023 14:23:40 +0200 Subject: [PATCH 31/46] Fix firefox rule, create new cusp_firefox profile and update rule 6.1 to reflect --- controls/cusp_fedora.yml | 14 ++------------ products/fedora/product.yml | 2 -- .../firefox_policy-autoplay_video/rule.yml | 2 +- .../firefox_policy-content_blocker/rule.yml | 8 +++++--- products/firefox/profiles/cusp_firefox.profile | 17 +++++++++++++++++ .../firefox_policy-setting/oval.template | 12 ++++++------ 6 files changed, 31 insertions(+), 24 deletions(-) create mode 100644 products/firefox/profiles/cusp_firefox.profile diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 8d7cff83d5a..eed3823a324 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -524,18 +524,8 @@ controls: - id: 6.1 title: Web browser description: >- - The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. - status: partial - rules: - - firefox_policy-autoplay_video - - firefox_policy-cryptomining - - firefox_policy-enhanced_tracking # locked = bad - - firefox_policy-fingerprinting_protection - - firefox_policy-javascript_window_changes # locked = bad - - firefox_policy-javascript_window_resizing # locked = bad - - firefox_policy-pop-up_windows # locked = bad - - firefox_policy-ssl_minimum_version - - firefox_policy-content_blocker + The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. If the default Firefox application must be used, the user should apply the Common User Security Profile for Mozilla Firefox CaC profile. + status: manual - id: 6.2 title: Password management diff --git a/products/fedora/product.yml b/products/fedora/product.yml index 415b5b0ab66..3508fd3d268 100644 --- a/products/fedora/product.yml +++ b/products/fedora/product.yml 
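Review bot: The rewritten 6.1 text tells the user to prefer the Firefox Flatpak but gives no reason and does not say how the Flatpak relates to the Firefox profile it points to; if the `firefox_policy-*` rules check the distribution's `policies.json`, they presumably cannot see the sandboxed Flatpak's configuration, so a reader cannot tell whether the Flatpak is covered at all. State the rationale and the scope in the description, e.g. `The Flatpak runs Firefox inside a sandbox with restricted access to the host; note that the CUSP Firefox profile only checks the policies of the system-installed Firefox.` Since the control is now `manual`, that scoping sentence is the only place the user will learn this.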
@@ -4,8 +4,6 @@ type: platform benchmark_id: FEDORA benchmark_root: "../../linux_os/guide" -additional_content_directories: - - "products/firefox/guide" profiles_root: "./profiles" diff --git a/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml b/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml index 532086b6033..8419986f533 100644 --- a/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml +++ b/products/firefox/guide/firefox/firefox_policy-autoplay_video/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: firefox,fedora +prodtype: firefox title: 'Firefox autoplay must be disabled.' diff --git a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml index 8edfe782afa..da8a8ec4219 100644 --- a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml +++ b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: firefox,fedora +prodtype: firefox title: 'Ensure the content blocker uBlock Origin is installed' @@ -12,7 +12,7 @@ rationale: |- This may prevent malicious ads from confusing users and concealing the page contents, as well as the loading of content that may contain malware. severity: medium -#references: +# references: # cusp_fedora: 6.1 ocil: |- 
@@ -30,4 +30,6 @@ template: vars: name: Ensure the content blocker uBlock Origin is installed policies: - - {path: "ExtensionSettings", parameter: "uBlock0@raymondhill.net", value: '{"installation_mode":"normal_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi","updates_disabled":false}'} + - {path: "ExtensionSettings uBlock0@raymondhill.net", parameter: "installation_mode", value: "normal_installed"} + - {path: "ExtensionSettings uBlock0@raymondhill.net", parameter: "install_url", value: "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"} + - {path: "ExtensionSettings uBlock0@raymondhill.net", parameter: "updates_disabled", value: "false"} diff --git a/products/firefox/profiles/cusp_firefox.profile b/products/firefox/profiles/cusp_firefox.profile new file mode 100644 index 00000000000..5f60fff5e10 --- /dev/null +++ b/products/firefox/profiles/cusp_firefox.profile @@ -0,0 +1,17 @@ +documentation_complete: true + +title: 'CUSP - Common User Security Profile for Mozilla Firefox' + +description: |- + To be added later. + +selections: + - firefox_policy-autoplay_video + - firefox_policy-cryptomining + - firefox_policy-enhanced_tracking + - firefox_policy-fingerprinting_protection + - firefox_policy-javascript_window_changes + - firefox_policy-javascript_window_resizing + - firefox_policy-pop-up_windows + - firefox_policy-ssl_minimum_version + - firefox_policy-content_blocker diff --git a/shared/templates/firefox_policy-setting/oval.template b/shared/templates/firefox_policy-setting/oval.template index f5e34cf6d8f..c5af42d41db 100644 --- a/shared/templates/firefox_policy-setting/oval.template +++ b/shared/templates/firefox_policy-setting/oval.template @@ -3,7 +3,7 @@ {{{ oval_metadata("Check setting of " + NAME + " in Firefox policy", affected_platforms=['Mozilla Firefox']) }}} {{% for policy_item in POLICIES %}} - + {{% endfor %}} 
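Review bot: `cusp_firefox.profile` declares `documentation_complete: true` but its `description` is the placeholder "To be added later.", the same contradiction as in the fedora profile; set the flag to `false` or write the description, e.g. `Firefox policy settings for the Fedora Common User Security Policy: disables autoplay, cryptomining and fingerprinting, enables tracking protection, restricts JavaScript window manipulation and pop-ups, enforces a minimum TLS version and installs the uBlock Origin content blocker.` The per-key split of the uBlock Origin policy in the content-blocker rule is an improvement, but `updates_disabled` is given as the string `"false"` while the policy value is a JSON boolean; that is fine only if the template matches the serialized text, which the fenced template hunk here is too garbled to confirm.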
@@ -11,9 +11,9 @@ {{% for policy_item in POLICIES %}} - - + id="test_{{{ rule_id }}}_{{{ policy_item.subpath_string | replace ("@", "_at_") }}}_{{{ policy_item.parameter }}}" version="1"> + + {{% endfor %}} @@ -32,13 +32,13 @@ {{% for policy_item in POLICIES %}} - + policies.json {{{ policy_item.oval_regex }}} 1 - + {{{ policy_item.oval_state }}} {{% endfor %}} From 8cc943ab5489d73749cfdc55542018bf4b604748 Mon Sep 17 00:00:00 2001 
From: Jiri Odehnal Date: Fri, 14 Apr 2023 16:06:42 +0200 Subject: [PATCH 32/46] fix control file and add fedora prodtype to rules --- controls/cusp_fedora.yml | 10 +++++----- .../cron_and_at/file_groupowner_cron_d/rule.yml | 2 +- .../cron_and_at/file_groupowner_cron_daily/rule.yml | 2 +- .../cron_and_at/file_groupowner_cron_hourly/rule.yml | 2 +- .../cron_and_at/file_groupowner_cron_monthly/rule.yml | 2 +- .../cron_and_at/file_groupowner_cron_weekly/rule.yml | 2 +- .../cron_and_at/file_groupowner_crontab/rule.yml | 2 +- .../services/cron_and_at/file_owner_cron_d/rule.yml | 2 +- .../cron_and_at/file_owner_cron_daily/rule.yml | 2 +- .../cron_and_at/file_owner_cron_hourly/rule.yml | 2 +- .../cron_and_at/file_owner_cron_monthly/rule.yml | 2 +- .../cron_and_at/file_owner_cron_weekly/rule.yml | 2 +- .../services/cron_and_at/file_owner_crontab/rule.yml | 2 +- .../cron_and_at/file_permissions_cron_d/rule.yml | 2 +- .../cron_and_at/file_permissions_cron_daily/rule.yml | 2 +- .../cron_and_at/file_permissions_cron_hourly/rule.yml | 2 +- .../cron_and_at/file_permissions_cron_monthly/rule.yml | 2 +- .../cron_and_at/file_permissions_cron_weekly/rule.yml | 2 +- .../cron_and_at/file_permissions_crontab/rule.yml | 2 +- .../file_groupowner_at_allow/rule.yml | 2 +- .../file_groupowner_cron_allow/rule.yml | 2 +- .../file_owner_at_allow/rule.yml | 2 +- .../file_owner_cron_allow/rule.yml | 2 +- .../file_permissions_at_allow/rule.yml | 2 +- .../file_permissions_cron_allow/rule.yml | 2 +- .../package_dhcp_removed/rule.yml | 2 +- .../disabling_httpd/package_httpd_removed/rule.yml | 2 +- .../disabling_nginx/package_nginx_removed/rule.yml | 2 +- .../package_cyrus-imapd_removed/rule.yml | 2 +- .../disabling_dovecot/package_dovecot_removed/rule.yml | 2 +- .../postfix_network_listening_disabled/rule.yml | 2 +- .../service_rpcbind_disabled/rule.yml | 2 +- .../inetd_and_xinetd/package_xinetd_removed/rule.yml | 2 +- .../obsolete/nis/package_ypbind_removed/rule.yml | 2 +- 
.../obsolete/nis/package_ypserv_removed/rule.yml | 2 +- .../services/obsolete/package_rsync_removed/rule.yml | 2 +- .../r_services/package_rsh-server_removed/rule.yml | 2 +- .../obsolete/r_services/package_rsh_removed/rule.yml | 2 +- .../obsolete/talk/package_talk-server_removed/rule.yml | 2 +- .../obsolete/talk/package_talk_removed/rule.yml | 2 +- .../telnet/package_telnet-server_removed/rule.yml | 2 +- .../obsolete/telnet/package_telnet_removed/rule.yml | 2 +- .../obsolete/tftp/package_tftp-server_removed/rule.yml | 2 +- .../obsolete/tftp/package_tftp_removed/rule.yml | 2 +- .../disabling_squid/package_squid_removed/rule.yml | 2 +- .../smb/disabling_samba/package_samba_removed/rule.yml | 2 +- .../services/ssh/file_groupowner_sshd_config/rule.yml | 2 +- .../guide/services/ssh/file_owner_sshd_config/rule.yml | 2 +- .../services/ssh/file_permissions_sshd_config/rule.yml | 2 +- .../ssh/ssh_server/sshd_use_strong_rng/rule.yml | 2 +- .../account_password_selinux_faillock_dir/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../file_groupownership_home_directories/rule.yml | 2 +- .../file_ownership_home_directories/rule.yml | 2 +- .../file_permissions_home_directories/rule.yml | 2 +- .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +- .../audit_rules_execution_chacl/rule.yml | 2 +- .../audit_rules_execution_setfacl/rule.yml | 2 +- .../audit_rules_privileged_commands_insmod/rule.yml | 2 +- .../audit_rules_privileged_commands_modprobe/rule.yml | 2 +- .../audit_rules_privileged_commands_rmmod/rule.yml | 2 +- .../audit_rules_privileged_commands_usermod/rule.yml | 2 +- .../audit_rules_sudoers/rule.yml | 2 +- .../audit_rules_sudoers_d/rule.yml | 2 +- .../audit_sudo_log_events/rule.yml | 2 +- .../system/logging/journald/journald_compress/rule.yml | 2 +- .../system/logging/journald/journald_storage/rule.yml | 2 +- .../socket_systemd-journal-remote_disabled/rule.yml | 2 +- .../package_firewalld_installed/rule.yml | 2 +- 
.../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_forwarding/rule.yml | 2 +- .../rule.yml | 2 +- .../service_nftables_disabled/rule.yml | 2 +- .../kernel_module_sctp_disabled/rule.yml | 2 +- .../partitions/mount_option_home_nodev/rule.yml | 2 +- .../partitions/mount_option_home_nosuid/rule.yml | 2 +- .../partitions/mount_option_var_tmp_nodev/rule.yml | 2 +- .../partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- .../partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- .../sudo/sudo_require_reauthentication/rule.yml | 2 +- 82 files changed, 86 insertions(+), 86 deletions(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index eed3823a324..e9d268cbff4 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -252,11 +252,11 @@ controls: - group_unique_name - accounts_root_path_dirs_no_write - accounts_no_uid_except_zero - - user_interactive_home_directory_exists + - accounts_user_interactive_home_directory_exists - file_ownership_home_directories - file_groupownership_home_directories - file_permissions_home_directories - - user_dot_no_world_writable_programs + - accounts_user_dot_no_world_writable_programs - id: 3.7 title: Memory protection @@ -276,7 +276,7 @@ controls: rules: - dconf_gnome_disable_user_list - gnome_gdm_disable_xdmcp - - gdm_disable_automatic_login + - gnome_gdm_disable_automatic_login - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - dconf_gnome_screensaver_lock_enabled @@ -379,7 +379,7 @@ controls: - accounts_umask_etc_profile - var_accounts_user_umask=027 - account_password_selinux_faillock_dir - - rule_enable_authselect + - enable_authselect # password requirements - accounts_password_pam_pwquality_password_auth - accounts_password_pam_pwquality_system_auth 
@@ -545,7 +545,7 @@ controls: - grub2_enable_selinux - selinux_policytype - selinux_state - - mcstrans_removed + - package_mcstrans_removed - sysctl_fs_protected_hardlinks - sysctl_fs_protected_symlinks diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml index 6208e9c1188..4d1a2d68181 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml index fb2e10ea9ed..a7f70b64a53 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.daily' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml index 764956956ae..193e63193b7 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml 
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index 1bbde44e9b2..abd0efe90e1 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index a1bfae62a2e..0480c87278c 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 689124f8f86..78301257d82 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns Crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 0b1b4e62caf..7c1e493a63e 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index 72c7c66bc0b..522610b05dd 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index 8ba3c8d7712..e7134e58417 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index 75175c36c7c..a6c494aee0d 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index acfcaeeeaa4..cd7c92720b1 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 6f663062e88..5ba2c973045 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index fe364f1c33c..1ab68d87a1b 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index f75ca2a69a1..ec24f242a89 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index 667d8c04293..a8133c40b1b 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index 17c0f64b5ff..a1c82a92ea9 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 614463fc07a..9798e472a10 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 8550a75b562..76a564519c9 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on crontab'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
index 07f55d36693..16df0ec3080 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index b84e8f4d03a..676d2a38e99 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
index efccd2e2e67..9c399817b91 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
index 355a6749521..4847de3dcfb 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
index 14ed90baa94..c4acb0a083e 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index 3dc5960ae2e..7cc09ea4ffd 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/cron.allow file'
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
index 5ea8fbb77c8..cd80412b37b 100644
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall DHCP Server Package'
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
index 25d54de3239..044177ba388 100644
--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall httpd Package'
diff --git a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
index 1b8ff3a7b9d..171b5262d87 100644
--- a/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
+++ b/linux_os/guide/services/http/disabling_nginx/package_nginx_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204
 title: 'Uninstall nginx Package'
diff --git a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
index 0a0183e51c3..b9deabd69c8 100644
--- a/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_cyrus-imapd/package_cyrus-imapd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204
 title: 'Uninstall cyrus-imapd Package'
diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
index 27457df040d..399a24b252d 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall dovecot Package'
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 6366a2d1ac9..9b71f7047de 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Postfix Network Listening'
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 8daa8263222..68680453b67 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index 80d6b5e365a..0b9ca3fecbc 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall xinetd Package'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 3ec5982650b..4c0711f7375 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index 4b23e0c11de..b057fc5a891 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall ypserv Package'
diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
index d3139b99909..b7beb612c2e 100644
--- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml
@@ -6,7 +6,7 @@ documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall rsync Package'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index b2e65993212..ccfe39dee5a 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall rsh-server Package'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index 1731c7c7978..2df4c4412ab 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall rsh Package'
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index 8ca257b6f4f..04cb5be830d 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall talk-server Package'
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 95dac3f3667..a15655315cc 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall talk Package'
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index e6b91199b72..6b59559150e 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall telnet-server Package'
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 07b097d3083..bfe72e75fd9 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Remove telnet Clients'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index f9328616afe..93fd7127ad7 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall tftp-server Package'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index ac1bafde05f..35e0a2f939d 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Remove tftp Daemon'
diff --git a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
index c0d33e434ab..11b45e84968 100644
--- a/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
+++ b/linux_os/guide/services/proxy/disabling_squid/package_squid_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall squid Package'
diff --git a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
index 2867985a0bd..1b633c64834 100644
--- a/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
+++ b/linux_os/guide/services/smb/disabling_samba/package_samba_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall Samba Package'
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index 79179b1df15..20cc581ac7d 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns SSH Server config file'
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index 0d3780da636..af897be4d3c 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on SSH Server config file'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index a81d4fff850..67e7a4c8f53 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on SSH Server config file'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 69f4b7c74f1..f1e9853d6f2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 # TODO: The plan is not to need this for RHEL>=8.4
 # TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
-prodtype: ol8,rhel8,rhel9
+prodtype: fedora,ol8,rhel8,rhel9
 title: 'SSH server uses strong entropy to seed'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml
index 4ef1e17f9d9..61e58c8a056 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_selinux_faillock_dir/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol8,ol9,rhel8,rhel9
+prodtype: fedora,ol8,ol9,rhel8,rhel9
 title: 'An SELinux Context must be configured for the pam_faillock.so records directory'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 0e9fb3a72bf..0d91d5d4a79 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
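Review bot: Adding `fedora` to prodtype in the sshd_use_strong_rng hunk enables a check that the rule's own header still marks as provisional: the two TODO lines say it is not expected to be needed for RHEL >= 8.4 and that the compliant SSH_USE_STRONG_RNG value is still undecided, so its applicability to Fedora looks unverified. As far as I know SSH_USE_STRONG_RNG is a downstream sysconfig knob rather than an upstream OpenSSH setting, so whether Fedora's openssh package still honours it should be confirmed before the rule is selected for that product. If it does, record that next to the existing TODOs, e.g. `# TODO: confirm Fedora's openssh still honours SSH_USE_STRONG_RNG before relying on this rule`; if it does not, drop fedora from this prodtype instead. The rest of the rule file is outside the hunk.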
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
 title: 'User Initialization Files Must Not Run World-Writable Programs'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index b767d7ad977..a6136970f28 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive Users Home Directories Must Exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index fcdd765fda5..e268ab81bf6 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary Group'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index a6000c8cb86..0bc25ef2208 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Be Owned By The Primary User'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index bc5015b51dd..528b966e0bf 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 28e57a9dc68..641d2544307 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure the Default Bash Umask is Set Correctly'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index ab8d29d87a9..0180f6fc347 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Any Attempts to Run chacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index c0290cb8b67..2080cfbfa6c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Any Attempts to Run setfacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 233236920e6..763eed8b926 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - insmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 532a59bedf9..b3af5ec2fe9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index b9bdb75a7e7..7af0803829c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index e94508b6cd3..87d65f451e9 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
index 65cd15d0b98..628dc4fd83c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol8,ol9,rhel8,rhel9
+prodtype: fedora,ol8,ol9,rhel8,rhel9
 title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
index 7f32fc3d011..a8b33956b7b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol8,ol9,rhel8,rhel9
+prodtype: fedora,ol8,ol9,rhel8,rhel9
 title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
index c5c5f61b5b6..92c10c6898d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,rhel9,ubuntu2004,ubuntu2204
+prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204
 title: 'Record Attempts to perform maintenance activities'
diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
index 0d40fda29c4..aa6b102ac73 100644
--- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: Ensure journald is configured to compress large log files
diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
index 1cd25a0d412..9a3f58ab7f6 100644
--- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: Ensure journald is configured to write log files to persistent disk
diff --git a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
index 097094e656b..5a07ca924f4 100644
--- a/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
+++ b/linux_os/guide/system/logging/journald/socket_systemd-journal-remote_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel8,rhel9,ubuntu2204
+prodtype: fedora,rhel8,rhel9,ubuntu2204
 title: 'Disable systemd-journal-remote Socket'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 2b6853afdae..68634145780 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Install firewalld Package'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index ae79bcbe882..0da365e0e49 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index 92d5ddb81bf..9d56bfc7239 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 07e1ea1a8ba..ad10783de41 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for IPv6 Forwarding'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index bf84b2f7a20..5fe8e89b428 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
index 7394d64084c..daa924401ce 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux3,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204
 title: 'Verify nftables Service is Disabled'
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 8d82b357449..676d5709004 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable SCTP Support'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index 54551f48f9e..0845a189a6e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nodev Option to /home'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index 0c6ae4463a1..f51c9bb502b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
+prodtype: fedora,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
 title: 'Add nosuid Option to /home'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 48856ab1bd3..572d16866fc 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nodev Option to /var/tmp'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 548d665fc21..a3faed2f2da 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add noexec Option to /var/tmp'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 43758040c86..bb34647df64 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nosuid Option to /var/tmp'
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
index 42ee12c9cd3..eec8612cbb1 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2204
 title: 'Require Re-Authentication When Using the sudo Command'
From 580d8940d0c7abb86e87162877c771a6504ff8e0 Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Mon, 17 Apr 2023 11:12:44 +0200
Subject: [PATCH 33/46] remove superfluous rule
---
 controls/cusp_fedora.yml | 3 ---
 .../postfix_client/postfix_network_listening_disabled/rule.yml | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index e9d268cbff4..0be10fbc1d9 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -344,7 +344,6 @@ controls:
 - package_ypserv_removed
 - package_telnet_removed
 - package_telnet-server_removed
- - postfix_network_listening_disabled
 - service_nfs_disabled
 - service_rpcbind_disabled
 - package_rsync_removed
@@ -370,7 +369,6 @@ controls:
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_logindefs
 - var_password_hashing_algorithm=SHA512
- - no_password_auth_for_systemaccounts
 - accounts_tmout
 - var_accounts_tmout=15_min
 - accounts_root_gid_zero
@@ -428,7 +426,6 @@ controls:
 - file_permissions_sshd_config
 - file_permissions_sshd_private_key
 - file_permissions_sshd_pub_key
- - sshd_limit_user_access
 - sshd_set_loglevel_verbose
 - sshd_enable_pam
 - sshd_disable_root_login
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
index 9b71f7047de..6366a2d1ac9 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Postfix Network Listening'
From bfa8c82a1b99090bdbc3db25a21aa9a62f9d8363 Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Mon, 17 Apr 2023 15:17:04 +0200
Subject: [PATCH 34/46] remove rule references
---
 .../updating/package_gnome_software_installed/rule.yml | 3 ---
 .../guide/firefox/firefox_policy-content_blocker/rule.yml | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
index 259241c4a23..04556fa4dd0 100644
--- a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
+++ b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
@@ -11,9 +11,6 @@ rationale: 'The GNOME software package must be installed so that it can be used
 severity: medium
-#references:
-# cusp_fedora: 3.2
-
 ocil_clause: 'the package is not installed'
 ocil: '{{{ ocil_package(package="gnome-software") }}}'
diff --git a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
index da8a8ec4219..154f5b4b843 100644
--- a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
+++ b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
@@ -12,9 +12,6 @@ rationale: |-
 This may prevent malicious ads from confusing users and concealing the page contents, as well as the loading of content that may contain malware.
 severity: medium
-# references:
-# cusp_fedora: 6.1
-
 ocil: |-
 To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, type the following into the browser address bar:
From f9f17523ea2591c5f0719c66438dd2c64ab9a640 Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Mon, 17 Apr 2023 17:26:21 +0200
Subject: [PATCH 35/46] Add Firefox controls, remove duplicate rules in fedora controls
---
 controls/cusp_fedora.yml | 15 ++++--------
 controls/cusp_firefox.yml | 23 +++++++++++++++++++
 products/fedora/profiles/cusp_fedora.profile | 2 +-
 .../firefox/profiles/cusp_firefox.profile | 12 ++--------
 4 files changed, 30 insertions(+), 22 deletions(-)
 create mode 100644 controls/cusp_firefox.yml
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index 0be10fbc1d9..5578db5891f 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -3,7 +3,7 @@ policy: 'Fedora Common User Security Policy'
 title: 'Fedora Common User Security Policy'
 id: cusp_fedora
 version: '1.0.0'
-source: TBD
+source: jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication
 controls:
 ###
@@ -68,7 +68,7 @@ controls:
 - file_owner_user_cfg
 - file_permissions_grub2_cfg
 - file_permissions_user_cfg
- - grub2_password # only check
+ - grub2_password
 # UEFI
 - file_groupowner_efi_grub2_cfg
 - file_groupowner_efi_user_cfg
@@ -76,7 +76,7 @@ controls:
 - file_owner_efi_user_cfg
 - file_permissions_efi_grub2_cfg
 - file_permissions_efi_user_cfg
- - grub2_uefi_password # only check
+ - grub2_uefi_password
 - id: 3.2
 title: Software updates
@@ -157,11 +157,6 @@ controls:
 - audit_rules_unsuccessful_file_modification_open
 - audit_rules_unsuccessful_file_modification_openat
 - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_truncate
 - audit_rules_usergroup_modification_group
 - audit_rules_usergroup_modification_gshadow
 - audit_rules_usergroup_modification_opasswd
@@ -322,7 +317,7 @@ controls:
 - file_groupowner_at_allow
 - file_permissions_at_allow
- - id: 3.10
+ - id: "3.10"
 title: Service minimization
 description: >-
 The user should remove any services that are not necessary for normal system usage.
@@ -351,7 +346,6 @@ controls:
 - package_rsh-server_removed
 - package_sendmail_removed
 - package_ypbind_removed
- - package_ypserv_removed
 - package_talk-server_removed
 - package_talk_removed
 ###
@@ -364,7 +358,6 @@ controls:
 status: partial
 rules:
 - no_empty_passwords
- - accounts_passwords_pam_faillock_deny
 - set_password_hashing_algorithm_systemauth
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_logindefs
diff --git a/controls/cusp_firefox.yml b/controls/cusp_firefox.yml
new file mode 100644
index 00000000000..871e9deaf9e
--- /dev/null
+++ b/controls/cusp_firefox.yml
@@ -0,0 +1,23 @@
+---
+policy: 'Firefox Common User Security Policy'
+title: 'Firefox Common User Security Policy'
+id: cusp_firefox
+version: '1.0.0'
+source: jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication
+
+controls:
+ id: 1.0
+ title: Firefox hardening
+ description: >-
+ Secure configuration of Mozilla Firefox.
+ status: automated
+ rules:
+ - firefox_policy-autoplay_video
+ - firefox_policy-cryptomining
+ - firefox_policy-enhanced_tracking
+ - firefox_policy-fingerprinting_protection
+ - firefox_policy-javascript_window_changes
+ - firefox_policy-javascript_window_resizing
+ - firefox_policy-pop-up_windows
+ - firefox_policy-ssl_minimum_version
+ - firefox_policy-content_blocker
\ No newline at end of file
diff --git a/products/fedora/profiles/cusp_fedora.profile b/products/fedora/profiles/cusp_fedora.profile
index 4debb0776e4..f4e64064d09 100644
--- a/products/fedora/profiles/cusp_fedora.profile
+++ b/products/fedora/profiles/cusp_fedora.profile
@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'CUSP - Common User Security Profile for Fedora Workstation'
 description: |-
- To be added later.
+ This profile contains rules to harden Fedora Linux according to the Common User Security Guide for Fedora Workstation.
 selections:
 - cusp_fedora:all
\ No newline at end of file
diff --git a/products/firefox/profiles/cusp_firefox.profile b/products/firefox/profiles/cusp_firefox.profile
index 5f60fff5e10..c4394ed6ecb 100644
--- a/products/firefox/profiles/cusp_firefox.profile
+++ b/products/firefox/profiles/cusp_firefox.profile
@@ -3,15 +3,7 @@ documentation_complete: true
 title: 'CUSP - Common User Security Profile for Mozilla Firefox'
 description: |-
- To be added later.
+ This profile contains rules to harden Mozilla Firefox according to rule 6.1 in the Common User Security Guide for Fedora Workstation.
 selections:
- - firefox_policy-autoplay_video
- - firefox_policy-cryptomining
- - firefox_policy-enhanced_tracking
- - firefox_policy-fingerprinting_protection
- - firefox_policy-javascript_window_changes
- - firefox_policy-javascript_window_resizing
- - firefox_policy-pop-up_windows
- - firefox_policy-ssl_minimum_version
- - firefox_policy-content_blocker
+ - cusp_firefox:all
From 6a61997304d38a6a0b59b5a513ba458c1695b94b Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Mon, 17 Apr 2023 17:32:04 +0200
Subject: [PATCH 36/46] Fix controls yaml
---
 controls/cusp_fedora.yml | 2 +-
 controls/cusp_firefox.yml | 32 ++++++++++++++++----------------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index 5578db5891f..a61b2437b31 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -3,7 +3,7 @@ policy: 'Fedora Common User Security Policy'
 title: 'Fedora Common User Security Policy'
 id: cusp_fedora
 version: '1.0.0'
-source: jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication
+source: "jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication"
 controls:
 ###
diff --git a/controls/cusp_firefox.yml b/controls/cusp_firefox.yml
index 871e9deaf9e..39b55568469 100644
--- a/controls/cusp_firefox.yml
+++ b/controls/cusp_firefox.yml
@@ -3,21 +3,21 @@ policy: 'Firefox Common User Security Policy' title: 'Firefox Common User Security Policy' id: cusp_firefox version: '1.0.0' -source: jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication +source: "jodehnal's bachelor thesis on creating a SCAP profile for common users of Fedora workstation - link will be added after publication" controls: - id: 1.0 - title: Firefox hardening - description: >- - Secure configuration of Mozilla Firefox. - status: automated - rules: - - firefox_policy-autoplay_video - - firefox_policy-cryptomining - - firefox_policy-enhanced_tracking - - firefox_policy-fingerprinting_protection - - firefox_policy-javascript_window_changes - - firefox_policy-javascript_window_resizing - - firefox_policy-pop-up_windows - - firefox_policy-ssl_minimum_version - - firefox_policy-content_blocker \ No newline at end of file + - id: 1.0 + title: Firefox hardening + description: >- + Secure configuration of Mozilla Firefox. + status: automated + rules: + - firefox_policy-autoplay_video + - firefox_policy-cryptomining + - firefox_policy-enhanced_tracking + - firefox_policy-fingerprinting_protection + - firefox_policy-javascript_window_changes + - firefox_policy-javascript_window_resizing + - firefox_policy-pop-up_windows + - firefox_policy-ssl_minimum_version + - firefox_policy-content_blocker \ No newline at end of file From 7467ed1abe3a47af66e0586b2a86fe10816ada77 Mon Sep 17 00:00:00 2001 From: Jiri Odehnal Date: Wed, 26 Apr 2023 11:16:36 +0200 Subject: [PATCH 37/46] Remove rules based on testing the profile --- controls/cusp_fedora.yml | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index a61b2437b31..179d6bb450c 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml 
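Review bot: `- id: 1.0` is an unquoted YAML scalar, so a standard loader yields the float 1.0 rather than the string "1.0"; an id such as 1.10 would then be indistinguishable from 1.1, and anything that renders the id for reports or selection depends on the loader's float-to-string conversion. Quote it as `- id: '1.0'`, and treat the `1.1`-style ids in controls/cusp_fedora.yml the same way. Whether the controls loader already normalises numeric ids is not visible from this hunk; quoting is the cheaper guarantee either way.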
@@ -191,9 +191,6 @@ controls: - audit_rules_privileged_commands_usermod - audit_rules_kernel_module_loading_delete - audit_rules_kernel_module_loading_init - - audit_rules_privileged_commands_insmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_rmmod - audit_rules_sudoers - audit_rules_sudoers_d # journald config @@ -269,14 +266,8 @@ controls: do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings status: automated rules: - - dconf_gnome_disable_user_list - gnome_gdm_disable_xdmcp - gnome_gdm_disable_automatic_login - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay - - dconf_gnome_screensaver_lock_enabled - - dconf_gnome_screensaver_user_locks - - dconf_gnome_session_idle_user_locks - id: 3.9 title: Time and schedulers @@ -291,7 +282,6 @@ controls: - chronyd_run_as_chrony_user - chronyd_specify_remote_server # schedulers - - service_crond_enabled - file_owner_crontab - file_groupowner_crontab - file_permissions_crontab @@ -380,15 +370,7 @@ controls: - accounts_password_pam_retry - var_password_pam_minclass=3 - var_password_pam_minlen=15 - # account lockout - - accounts_passwords_pam_faillock_dir - - accounts_passwords_pam_faillock_deny - - var_accounts_passwords_pam_faillock_deny=3 - - accounts_passwords_pam_faillock_unlock_time - - var_accounts_passwords_pam_faillock_unlock_time=900 # password reuse - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - var_password_pam_remember_control_flag=requisite_or_required - var_password_pam_remember=5 - accounts_password_pam_difok @@ -448,6 +430,7 @@ controls: - var_rekey_limit_size=1G - var_rekey_limit_time=1hour - sshd_use_strong_rng + - sshd_set_keepalive_0 ### ### 5. Networking ### From a5d37c03e6585d1f3801b898a966e54137d614c8 Mon Sep 17 00:00:00 2001 
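Review bot: The control description kept as context in the `@@ -269,14 +266,8 @@` hunk still promises "do not show user list ... set up idle lock and protect the settings", but the new side removes `dconf_gnome_disable_user_list`, every `dconf_gnome_screensaver_*` rule and `dconf_gnome_session_idle_user_locks`, leaving only the two GDM rules. Either shorten the description to what remains (disable XDMCP and automatic login) or keep a comment in the rules list recording why the lock rules went, e.g. `# user-list and idle/screensaver lock rules dropped after profile testing (commit 7467ed1)`. The description's first lines and the control's `status` line are outside the hunk; if the idle-lock requirement still applies to the user, `status: manual` or a split control would be more honest than leaving it as `automated`. The context line also spells XDMCP as `xdmpc`, which is worth fixing while the description is edited.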
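Review bot: In the `@@ -380,15 +370,7 @@` hunk the two `accounts_password_pam_pwhistory_remember_*` rules are deleted but `var_password_pam_remember_control_flag=requisite_or_required` and `var_password_pam_remember=5` stay selected, so the `# password reuse` comment now labels two variables that no rule in this control consumes. Drop those two variable lines as well, or keep the rules and record what failed in testing. The same hunk removes the whole `# account lockout` group (`accounts_passwords_pam_faillock_*` plus its `deny=3` and `unlock_time=900` values), which, as far as this file shows, takes away the profile's lockout after failed local logins; if faillock is being excluded on purpose for a workstation, say so in a comment such as `# faillock rules excluded: see commit 7467ed1` so it is not read as an oversight.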
From: Jiri Odehnal Date: Thu, 27 Apr 2023 14:36:24 +0200 Subject: [PATCH 38/46] Remove mount option rules due to inconsistencies, fix remediation platforms --- controls/cusp_fedora.yml | 12 ------------ .../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 2 +- .../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 2 +- .../accounts_umask_etc_login_defs/ansible/shared.yml | 2 +- .../accounts_umask_etc_login_defs/bash/shared.sh | 2 +- 5 files changed, 4 insertions(+), 16 deletions(-) diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml index 179d6bb450c..0e836051eb6 100644 --- a/controls/cusp_fedora.yml +++ b/controls/cusp_fedora.yml @@ -94,18 +94,6 @@ controls: rules: - mount_option_home_nodev - mount_option_home_nosuid - - mount_option_tmp_nodev - - mount_option_tmp_nosuid - - mount_option_tmp_noexec - - mount_option_var_nodev - - mount_option_var_nosuid - - mount_option_var_noexec - - mount_option_var_tmp_nodev - - mount_option_var_tmp_nosuid - - mount_option_var_tmp_noexec - - mount_option_var_log_nodev - - mount_option_var_log_nosuid - - mount_option_var_log_noexec - kernel_module_cramfs_disabled - kernel_module_squashfs_disabled - kernel_module_udf_disabled diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml index e571e6ee295..c747c997afa 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel +# platform = multi_platform_all # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh index f1bb759d954..4bfae45b85a 100644 
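Review bot: The `@@ -94,18 +94,6 @@` hunk drops every `mount_option_tmp_*`, `mount_option_var_*`, `mount_option_var_tmp_*` and `mount_option_var_log_*` rule and keeps only the `/home` nodev/nosuid pair, with "inconsistencies" in the commit subject as the only rationale. Losing `noexec` and `nosuid` on `/tmp` and `/var/tmp` is a visible reduction in hardening, so leave the reason next to the surviving rules, e.g. `# mount-option rules for /tmp, /var, /var/tmp and /var/log excluded after profile testing (commit a5d37c0); /home rules kept`, filling in the actual cause. The control's title and description that introduce this rules list are outside the hunk and may still claim coverage of those partitions; worth re-reading them.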
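Review bot: Replacing `# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel` with `# platform = multi_platform_all` in the chronyd_or_ntpd_set_maxpoll Ansible remediation enables the task on every product, not only on Fedora, which is the one this series needs. The task body is outside the hunk, so whether it copes with, for example, the Debian/Ubuntu chrony configuration path is not visible here. If the remediation was only exercised on Fedora, `# platform = multi_platform_fedora,multi_platform_sle,multi_platform_ol,multi_platform_rhel` keeps the previous scope and adds just the new product.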
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_all {{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml index 678f568fa31..89dbf74c470 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh index acb272c05de..15254a62f2f 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_all {{{ bash_instantiate_variables("var_accounts_user_umask") }}} From 74062c317a9a658175fcf85f49f4461d64602ccd Mon Sep 17 00:00:00 2001 
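Review bot: The accounts_umask_etc_login_defs Ansible header being replaced already contained `multi_platform_fedora` (`# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle`), so its change to `# platform = multi_platform_all` gains nothing for this profile and only switches the task on for products that were deliberately absent from the list. Consider reverting that one header, and for the two bash headers in this line, which did lack Fedora, appending `multi_platform_fedora` to the existing list rather than opening them to all products. If the widening is intentional for all four remediations, a sentence in the commit message saying so would spare the next reader the same question.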
From: Jiri Odehnal Date: Fri, 28 Apr 2023 18:16:40 +0200 Subject: [PATCH 39/46] Fix order of fedora prodtype in rules This reverts commit 7ca5bf4f3f41dba92acb8ea221d6858bdd9e0d67. Fix EOL newline and wrong prodtype --- controls/cusp_firefox.yml | 2 +- .../guide/services/cron_and_at/file_groupowner_cron_d/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_daily/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_hourly/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_monthly/rule.yml | 2 +- .../services/cron_and_at/file_groupowner_cron_weekly/rule.yml | 2 +- .../guide/services/cron_and_at/file_groupowner_crontab/rule.yml | 2 +- linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_daily/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_hourly/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_monthly/rule.yml | 2 +- .../guide/services/cron_and_at/file_owner_cron_weekly/rule.yml | 2 +- linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml | 2 +- .../guide/services/cron_and_at/file_permissions_cron_d/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_daily/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_hourly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_monthly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_cron_weekly/rule.yml | 2 +- .../services/cron_and_at/file_permissions_crontab/rule.yml | 2 +- .../restrict_at_cron_users/file_groupowner_at_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_groupowner_cron_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_owner_at_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_owner_cron_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_permissions_at_allow/rule.yml | 2 +- .../restrict_at_cron_users/file_permissions_cron_allow/rule.yml | 2 +- .../imap/disabling_dovecot/package_dovecot_removed/rule.yml | 2 +- 
.../disabling_nfs_services/service_rpcbind_disabled/rule.yml | 2 +- .../obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml | 2 +- .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +- .../services/obsolete/r_services/package_rsh_removed/rule.yml | 2 +- .../services/obsolete/talk/package_talk-server_removed/rule.yml | 2 +- .../guide/services/obsolete/talk/package_talk_removed/rule.yml | 2 +- .../services/obsolete/telnet/package_telnet_removed/rule.yml | 2 +- .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 2 +- linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 2 +- .../guide/services/ssh/file_permissions_sshd_config/rule.yml | 2 +- .../accounts_user_dot_no_world_writable_programs/rule.yml | 2 +- .../accounts_user_interactive_home_directory_exists/rule.yml | 2 +- .../file_groupownership_home_directories/rule.yml | 2 +- .../accounts-session/file_ownership_home_directories/rule.yml | 2 +- .../accounts-session/file_permissions_home_directories/rule.yml | 2 +- .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +- .../audit_rules_execution_chacl/rule.yml | 2 +- .../audit_rules_execution_setfacl/rule.yml | 2 +- .../audit_rules_privileged_commands_insmod/rule.yml | 2 +- .../audit_rules_privileged_commands_modprobe/rule.yml | 2 +- .../audit_rules_privileged_commands_rmmod/rule.yml | 2 +- .../audit_rules_privileged_commands_usermod/rule.yml | 2 +- .../guide/system/logging/journald/journald_compress/rule.yml | 2 +- .../guide/system/logging/journald/journald_storage/rule.yml | 2 +- .../firewalld_activation/package_firewalld_installed/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 2 +- .../sysctl_net_ipv6_conf_all_forwarding/rule.yml | 2 +- .../sysctl_net_ipv6_conf_default_accept_source_route/rule.yml | 2 +- .../network/network-nftables/service_nftables_disabled/rule.yml | 2 +- .../network-uncommon/kernel_module_sctp_disabled/rule.yml | 2 
+- .../permissions/partitions/mount_option_home_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_home_nosuid/rule.yml | 2 +- .../permissions/partitions/mount_option_var_tmp_nodev/rule.yml | 2 +- .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- .../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- products/fedora/profiles/cusp_fedora.profile | 2 +- 63 files changed, 63 insertions(+), 63 deletions(-) diff --git a/controls/cusp_firefox.yml b/controls/cusp_firefox.yml index 39b55568469..060f46b9b47 100644 --- a/controls/cusp_firefox.yml +++ b/controls/cusp_firefox.yml @@ -20,4 +20,4 @@ controls: - firefox_policy-javascript_window_resizing - firefox_policy-pop-up_windows - firefox_policy-ssl_minimum_version - - firefox_policy-content_blocker \ No newline at end of file + - firefox_policy-content_blocker diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml index 4d1a2d68181..4ce4b1ec786 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Verify Group Who Owns cron.d' diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml index a7f70b64a53..032b15e3637 100644 --- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml 
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
index 193e63193b7..2d4f1f95c48 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
index abd0efe90e1..d47730c7bab 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
index 0480c87278c..c63c3de9546 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
index 78301257d82..3f43b81c5c6 100644
--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns Crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
index 7c1e493a63e..49b2e3a9aff 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
index 522610b05dd..74210b6ab13 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
index e7134e58417..9e4ab04ceed 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
index a6c494aee0d..78dadccc7ab 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
index cd7c92720b1..69001b6e5d6 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
index 5ba2c973045..2636571d8e9 100644
--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on crontab'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
index 1ab68d87a1b..8d5e6dda638 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.d'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
index ec24f242a89..175ba80a215 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.daily'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
index a8133c40b1b..7578b5d3729 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.hourly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
index a1c82a92ea9..4694a9192b1 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.monthly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
index 9798e472a10..5409311cee9 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on cron.weekly'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
index 76a564519c9..009a2338248 100644
--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on crontab'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
index 16df0ec3080..c0609514933 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index 676d2a38e99..a62e314ff68 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
index 9c399817b91..dafb8d4e500 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
index 4847de3dcfb..4e59001c9b7 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify User Who Owns /etc/cron.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
index c4acb0a083e..aaa429ebc98 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/at.allow file'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
index 7cc09ea4ffd..c2710c47e21 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on /etc/cron.allow file'
diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
index 399a24b252d..57e70cc0e55 100644
--- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
+++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall dovecot Package'
diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
index 68680453b67..9071b7e31f3 100644
--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Disable rpcbind Service'
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index 0b9ca3fecbc..4bef92d9648 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall xinetd Package'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 4c0711f7375..c5f90c4950c 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index 2df4c4412ab..45e79f6de61 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall rsh Package'
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index 04cb5be830d..0331db92eeb 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Uninstall talk-server Package'
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index a15655315cc..14317060b90 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Uninstall talk Package'
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index bfe72e75fd9..2571d5072e6 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Remove telnet Clients'
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
index 20cc581ac7d..731f801303a 100644
--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Group Who Owns SSH Server config file'
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
index af897be4d3c..17c3693f77f 100644
--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Owner on SSH Server config file'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
index 67e7a4c8f53..776e92329c4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Verify Permissions on SSH Server config file'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 0d91d5d4a79..e56be2792c9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
 title: 'User Initialization Files Must Not Run World-Writable Programs'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index a6136970f28..e58fb7dd058 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive Users Home Directories Must Exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index e268ab81bf6..f9eb5080ed4 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary Group'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index 0bc25ef2208..4147dceac29 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Be Owned By The Primary User'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 528b966e0bf..bda4bfd3630 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 641d2544307..1795face487 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure the Default Bash Umask is Set Correctly'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 0180f6fc347..2a15e8610ef 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Any Attempts to Run chacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 2080cfbfa6c..8c1cec42e89 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Record Any Attempts to Run setfacl'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 763eed8b926..1086361988d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - insmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index b3af5ec2fe9..19e74ab6136 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - modprobe'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index 7af0803829c..bb5b567f20f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,fedora,rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - rmmod'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index 87d65f451e9..8af4359877a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,ol8,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
index aa6b102ac73..fdcf5f7e2bc 100644
--- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: Ensure journald is configured to compress large log files
diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
index 9a3f58ab7f6..2d7a1934131 100644
--- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml
+++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,anolis8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 title: Ensure journald is configured to write log files to persistent disk
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 68634145780..cbdd9962f04 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Install firewalld Package'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 0da365e0e49..9a697949b44 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index 9d56bfc7239..c1f0dc4066b 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index ad10783de41..c02cdc495f2 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for IPv6 Forwarding'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index 5fe8e89b428..e985040e1da 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
diff --git a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
index daa924401ce..b78974e4d2c 100644
--- a/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux3,fedora,rhel8,rhel9,sle15,ubuntu2004,ubuntu2204
 title: 'Verify nftables Service is Disabled'
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 676d5709004..20eeb3ef495 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 title: 'Disable SCTP Support'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index 0845a189a6e..9d237c21cce 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nodev Option to /home'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index f51c9bb502b..24a6839c357 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
+prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2204
 title: 'Add nosuid Option to /home'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 572d16866fc..0496b5523cf 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nodev Option to /var/tmp'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index a3faed2f2da..355ed84dde0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add noexec Option to /var/tmp'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index bb34647df64..6a586265037 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu1804,ubuntu2004,ubuntu2204
 title: 'Add nosuid Option to /var/tmp'
diff --git a/products/fedora/profiles/cusp_fedora.profile b/products/fedora/profiles/cusp_fedora.profile
index f4e64064d09..ab75aa2bcb6 100644
--- a/products/fedora/profiles/cusp_fedora.profile
+++ b/products/fedora/profiles/cusp_fedora.profile
@@ -6,4 +6,4 @@ description: |-
 This profile contains rules to harden Fedora Linux according to the Common User Security Guide for Fedora Workstation.
 selections:
- - cusp_fedora:all
\ No newline at end of file
+ - cusp_fedora:all
From 4ba59ae82ed40962e939faeeed2ae60bbac8cb74 Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Tue, 2 May 2023 14:25:59 +0200
Subject: [PATCH 40/46] Remove rules that disable ip forwarding due to hardening of VM guests
---
 controls/cusp_fedora.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index 0e836051eb6..c87c7c559dd 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -430,9 +430,6 @@ controls:
 rules:
 - kernel_module_sctp_disabled
 - kernel_module_dccp_disabled
- - sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv6_conf_all_forwarding
- - sysctl_net_ipv6_conf_all_forwarding_value=disabled
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
From c24c696c9bde90755215cd823372830518cbd76b Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Tue, 2 May 2023 14:42:20 +0200
Subject: [PATCH 41/46] Remove trailing space
---
 .../guide/firefox/firefox_policy-content_blocker/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
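Review bot: The three deleted selections were the only automated checks in this control that IP forwarding is off, and nothing on the new side records why, so the next person reading the 5.1 rule list sees a workstation baseline that silently lets the host route packets. The subject attributes this to VM guests, which presumably means the host's virtual-machine networking needs forwarding enabled; that reasoning belongs next to the remaining sysctl selections as a comment, e.g. `# ip_forward and ipv6 forwarding are intentionally not disabled: VM guest networking on the host requires them`. Consider keeping the rules available to users who run no VMs (for example as an unselected rule noted in the description) instead of dropping them from the control outright. The control's description and status lines sit outside this hunk.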
diff --git a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
index 154f5b4b843..1c868964863 100644
--- a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
+++ b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
@@ -25,7 +25,7 @@ ocil: |-
 template:
 name: firefox_policy-setting
 vars:
- name: Ensure the content blocker uBlock Origin is installed
+ name: Ensure the content blocker uBlock Origin is installed
 policies:
 - {path: "ExtensionSettings uBlock0@raymondhill.net", parameter: "installation_mode", value: "normal_installed"}
 - {path: "ExtensionSettings uBlock0@raymondhill.net", parameter: "install_url", value: "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"}
From 32e3c519504f65cbab281a615631f0db38958196 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Wed, 3 May 2023 15:56:51 +0200
Subject: [PATCH 42/46] Update controls/cusp_fedora.yml
Co-authored-by: Matthew Burket
---
 controls/cusp_fedora.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index c87c7c559dd..4dd45c74aa4 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -32,7 +32,7 @@ controls:
 - id: 2.1
 title: Security policy selection
 description: >-
- Users should apply the “Fedora Common User Security Policy” in the installer.
+ Users should apply the "Fedora Common User Security Policy" in the installer.
 status: manual
 - id: 2.2
From d41367564d8ee0dea47aa98fd9ff675a4ef15d7e Mon Sep 17 00:00:00 2001
From: j-ode
Date: Wed, 3 May 2023 15:56:58 +0200
Subject: [PATCH 43/46] Update controls/cusp_fedora.yml
Co-authored-by: Matthew Burket
---
 controls/cusp_fedora.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index 4dd45c74aa4..ed68303447e 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -269,7 +269,7 @@ controls:
 - chronyd_or_ntpd_set_maxpoll
 - chronyd_run_as_chrony_user
 - chronyd_specify_remote_server
- # schedulers
+ # file permissions
 - file_owner_crontab
 - file_groupowner_crontab
 - file_permissions_crontab
From 78a6651a2ba7cad6db3237bd11d603747e0d56d5 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Wed, 3 May 2023 17:52:48 +0200
Subject: [PATCH 44/46] Update cusp_fedora.yml
Make titles title case, descriptions sentence case
---
 controls/cusp_fedora.yml | 62 ++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index ed68303447e..657b66e2ae5 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -16,7 +16,7 @@ controls:
 status: manual
 - id: 1.2
- title: Proper BIOS or UEFI configuration
+ title: Proper BIOS or UEFI Configuration
 description: >-
 Users should disable features and devices in the BIOS or UEFI that are not in use and should only include trusted devices in the boot order.
 status: manual
@@ -30,25 +30,25 @@ controls:
 ### 2. System installation ###
 - id: 2.1
- title: Security policy selection
+ title: Security Policy Selection
 description: >-
- Users should apply the "Fedora Common User Security Policy" in the installer.
+ Users should apply the Fedora Common User Security Policy in the installer.
 status: manual
 - id: 2.2
- title: Disk partitioning
+ title: Disk Partitioning
 description: >-
 Users should put the /home, /tmp, /var, /var/tmp and /var/log directories on separate partitions.
 status: manual
 - id: 2.3
- title: Password security
+ title: Password Security
 description: >-
 Users should ensure that all account passwords adhere to the password rules in rule 4.1.
 status: manual
 - id: 2.4
- title: Disk encryption
+ title: Disk Encryption
 description: >-
 Users should encrypt their disk with a passphrase that adheres to the password rules in rule 4.1.
 status: manual
@@ -56,7 +56,7 @@ controls:
 ### 3. General system configuration ###
 - id: 3.1
- title: Bootloader security
+ title: Bootloader Security
 description: >-
 If the BIOS or UEFI does not allow password protection of the boot process, users should set a bootloader password.
 status: partial
@@ -79,7 +79,7 @@ controls:
 - grub2_uefi_password
 - id: 3.2
- title: Software updates
+ title: Software Updates
 description: >-
 Users should apply updates from the GNOME Software application at least once per day.
 status: partial
@@ -87,9 +87,9 @@ controls:
 - package_gnome_software_installed
 - id: 3.3
- title: Filesystem configuration
+ title: Filesystem Configuration
 description: >-
- /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration
+ Directories /home (-noexec), /tmp, /var, /var/tmp and /var/log mount option configuration.
 status: automated
 rules:
 - mount_option_home_nodev
@@ -99,9 +99,9 @@ controls:
 - kernel_module_udf_disabled
 - id: 3.4
- title: Crypto policy
+ title: Crypto Policy
 description: >-
- system cryto policy configuation and ensuring it is not overridden in critical components
+ System cryto policy configuation and ensuring it is not overridden in critical components.
 status: automated
 rules:
 - configure_crypto_policy
@@ -114,9 +114,9 @@ controls:
 - configure_ssh_crypto_policy
 - id: 3.5
- title: Auditing and logging
+ title: Auditing and Logging
 description: >-
- auditd and journald configutation
+ Auditd and journald configutation.
 status: automated
 rules:
 # auditd config
@@ -188,9 +188,9 @@ controls:
 - journald_storage
 - id: 3.6
- title: Files, permissions, and ownership
+ title: Files, Permissions, and Ownership
 description: >-
- user and critical system file permissions and ownership, user identifiers,
+ User and critical system file permissions and ownership, user and group file and directory ownership, identifiers.
 status: partial
 rules:
 # file config
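Review bot: The description line kept in the 3.1 hunk still presents the bootloader password as a fallback for when the firmware cannot be locked, but the two protect different things: a BIOS/UEFI password stops boot-order and firmware changes, while only the GRUB password stops editing the kernel command line at the menu (e.g. appending `init=/bin/sh`), which a firmware password does nothing about. The `grub2_uefi_password` context line at the top of the following hunk appears to be this control's own selection, so the automated part already assumes the GRUB password is set unconditionally. Suggest `Users should set a bootloader password; a BIOS or UEFI password additionally protects the boot order and firmware settings.` so a reader does not skip the GRUB password on firmware-locked machines. The control's rules list is outside this hunk.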
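Review bot: The rewritten 3.4 description line carries two spelling errors onto the new side, `cryto` and `configuation`, which this wording pass would otherwise fix. Change it to `System crypto policy configuration and ensuring it is not overridden in critical components.`; the text is rendered into the user-facing guide, so it is worth getting right here.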
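Review bot: The new 3.5 description line still reads `configutation`; change it to `Auditd and journald configuration.`. Since the commit is a wording pass over these descriptions, the misspelling should not survive it.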
@@ -239,9 +239,9 @@ controls:
 - accounts_user_dot_no_world_writable_programs
 - id: 3.7
- title: Memory protection
+ title: Memory Protection
 description: >-
- enable ASLR and ExecShield, restrict exposed kernel pointer
+ Enable ASLR and ExecShield, restrict exposed kernel pointer.
 status: automated
 rules:
 - sysctl_kernel_randomize_va_space
@@ -249,18 +249,18 @@ controls:
 - sysctl_kernel_kptr_restrict
 - id: 3.8
- title: GUI configuration
+ title: GUI Configuration
 description: >-
- do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings
+ Do not show user list, disable xdmpc and auto login, set up idle lock and protect the settings.
 status: automated
 rules:
 - gnome_gdm_disable_xdmcp
 - gnome_gdm_disable_automatic_login
 - id: 3.9
- title: Time and schedulers
+ title: Time and Schedulers
 description: >-
- chrony and time-based scheduler security configuration
+ Chrony and time-based scheduler security configuration.
 status: automated
 rules:
 # chrony
@@ -296,7 +296,7 @@ controls:
 - file_permissions_at_allow
 - id: "3.10"
- title: Service minimization
+ title: Service Minimization
 description: >-
 The user should remove any services that are not necessary for normal system usage.
 status: partial
@@ -330,7 +330,7 @@ controls:
 ### 4. User access and control ###
 - id: 4.1
- title: Account protection
+ title: Account Protection
 description: >-
 All account passwords must be passphrases of at least 4 words and 15 characters with at least three character classes, generated with a large wordlist and a source of randomness.
 status: partial
@@ -367,7 +367,7 @@ controls:
 - id: 4.2
 title: Sudo
 description: >-
- secure sudo configuration
+ Secure sudo configuration.
 status: automated
 rules:
 - package_sudo_installed
@@ -381,7 +381,7 @@ controls:
 - id: 4.3
 title: SSH Server
 description: >-
- secure ssh server configuration
+ Secure ssh server configuration.
 status: automated
 rules:
 - file_groupowner_sshd_config
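Review bot: The new 3.7 description still names ExecShield, but as far as I know the `kernel.exec-shield` sysctl is not present on current Fedora kernels (the exec-shield patchset was dropped long ago and NX enforcement is built in), so a user will look for a setting that does not exist; worth confirming against the selected rule. The rule between `sysctl_kernel_randomize_va_space` and `sysctl_kernel_kptr_restrict` falls outside this hunk, so I cannot see whether an exec-shield rule is selected, but if it is, it will never evaluate meaningfully on Fedora and the `status: automated` claim is weakened. Suggest `Enable ASLR and restrict exposed kernel pointers.` unless a concrete Fedora-applicable rule backs the ExecShield wording.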
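Review bot: Two problems on the new 3.8 description line: `xdmpc` is a typo for `xdmcp` (the selected rule is `gnome_gdm_disable_xdmcp`), and the line promises hiding the user list, an idle lock and protected settings while `status: automated` is backed only by `gnome_gdm_disable_xdmcp` and `gnome_gdm_disable_automatic_login`. Either add the dconf/GNOME rules that implement the remaining items or change the status to `partial`, so a scan does not report the screen-lock and user-list items as covered. Suggested line: `Do not show the user list, disable XDMCP and automatic login, set up an idle screen lock and protect the GNOME settings.`.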
@@ -423,7 +423,7 @@ controls: ### 5. Networking ### - id: 5.1 - title: General network configuration + title: General Network Configuration description: >- If the user did not configure IPv6 on the system and it is not needed, it should be disabled. status: partial
@@ -468,7 +468,7 @@ controls: - sysctl_net_ipv4_tcp_syncookies_value=enabled - id: 5.2 - title: Firewall configuration + title: Firewall Configuration description: >- Users should ensure that all network interfaces are in the appropriate firewall zone and that ports and services allowed by the firewall are reduced to the necessary minimum. status: partial
@@ -480,13 +480,13 @@ controls: ### 6. User applications ### - id: 6.1 - title: Web browser + title: Web Browser description: >- The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. If the default Firefox application must be used, the user should apply the Common User Security Profile for Mozilla Firefox CaC profile. status: manual - id: 6.2 - title: Password management + title: Password Management description: >- Users should install the Bitwarden AppImage from the Bitwarden site and use it to generate and store passwords for online accounts. status: manual
@@ -508,7 +508,7 @@ controls: - sysctl_fs_protected_symlinks - id: 7.2 - title: Periodic compliance scans + title: Periodic Compliance Scans description: >- Users should perform periodic system scans and remediations with the Common User Security Profile by using the oscap tool or SCAP Workbench. status: manual
From 714abaeb36138efb3b785c0fe686f3d79388fe16 Mon Sep 17 00:00:00 2001
From: j-ode
Date: Wed, 3 May 2023 17:53:14 +0200
Subject: [PATCH 45/46] Update cusp_firefox.yml
Make titles title case, descriptions sentence case
---
controls/cusp_firefox.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cusp_firefox.yml b/controls/cusp_firefox.yml
index 060f46b9b47..dee7dea2055 100644
--- a/controls/cusp_firefox.yml
+++ b/controls/cusp_firefox.yml
@@ -7,7 +7,7 @@ source: "jodehnal's bachelor thesis on creating a SCAP profile for common users controls: - id: 1.0 - title: Firefox hardening + title: Firefox Hardening description: >- Secure configuration of Mozilla Firefox. status: automated
From 4bd2e87dad6863c037e70b0425e04047de8014fb Mon Sep 17 00:00:00 2001
From: Jiri Odehnal
Date: Tue, 9 May 2023 14:32:19 +0200
Subject: [PATCH 46/46] fix letter cases, remove abandoned rule, fix rule 7.1 description and add vars
---
controls/cusp_fedora.yml | 16 ++++++----------
.../package_gnome_software_installed/rule.yml | 2 +-
.../firefox_policy-content_blocker/rule.yml | 2 +-
3 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/controls/cusp_fedora.yml b/controls/cusp_fedora.yml
index 657b66e2ae5..1eb585dd4c8 100644
--- a/controls/cusp_fedora.yml
+++ b/controls/cusp_fedora.yml
@@ -298,7 +298,7 @@ controls: - id: "3.10" title: Service Minimization description: >- - The user should remove any services that are not necessary for normal system usage. + Users should remove any services that are not necessary for normal system usage. status: partial rules: - package_xinetd_removed
@@ -425,7 +425,7 @@ controls: - id: 5.1 title: General Network Configuration description: >- - If the user did not configure IPv6 on the system and it is not needed, it should be disabled. + If users did not configure IPv6 on the system and it is not needed, it should be disabled. status: partial rules: - kernel_module_sctp_disabled
@@ -482,13 +482,7 @@ controls: - id: 6.1 title: Web Browser description: >- - The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. If the default Firefox application must be used, the user should apply the Common User Security Profile for Mozilla Firefox CaC profile. - status: manual - - id: 6.2 - title: Password Management - description: >- - Users should install the Bitwarden AppImage from the Bitwarden site and use it to generate and store passwords for online accounts. + Users should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. If the default Firefox application must be used, the users should apply the Common User Security Profile for Mozilla Firefox CaC profile. status: manual ### ### 7. Advanced security features
@@ -496,12 +490,14 @@ controls: - id: 7.1 title: Mandatory Access Control description: >- - The user should install the Firefox Flatpak from FlatHub and use it instead of the default Firefox application. + Ensure SELinux is installed and enabled, in enforcing mode using targeted policy. status: partial rules: - package_libselinux_installed - grub2_enable_selinux + - var_selinux_policy_name=targeted - selinux_policytype + - var_selinux_state=enforcing - selinux_state - package_mcstrans_removed - sysctl_fs_protected_hardlinks
diff --git a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
index 04556fa4dd0..4934516eb65 100644
--- a/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
+++ b/linux_os/guide/system/software/updating/package_gnome_software_installed/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true prodtype: fedora -title: 'Install GNOME software' +title: 'Install GNOME Software' description: |- {{{ describe_package_install(package="gnome-software") }}}
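Review bot: Dropping control 6.2 in the `@@ -482,13 +482,7 @@` hunk leaves the policy without any guidance on how passwords are generated and stored, while 4.1 (visible in an earlier hunk on this page) still requires passphrases generated with a large wordlist and a source of randomness. If what was abandoned is the Bitwarden-specific recommendation rather than the topic, a vendor-neutral manual control such as `Users should use a password manager to generate and store unique passwords for online accounts.` would keep 4.1 satisfiable in practice; the commit subject's `remove abandoned rule` does not say which it is. The rewritten 6.1 line also reads `the users should apply`, where `users should apply` matches the wording used elsewhere in this commit.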
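Review bot: The corrected 7.1 description in the `@@ -496,12 +490,14 @@` hunk covers only the SELinux state and policy type, while the rule list in the same hunk also removes mcstrans and sets the protected-hardlinks sysctl (with `sysctl_fs_protected_symlinks` following in the earlier context at 7.2); a description such as `Ensure SELinux is installed and enabled in enforcing mode with the targeted policy, remove mcstrans, and enable protected hardlinks and symlinks.` would match what the control actually checks. The two added `var_...=value` entries use the same form as `sysctl_net_ipv4_tcp_syncookies_value=enabled` in 5.1, so their placement under `rules:` is consistent with the rest of the file. The control stays `status: partial` although every listed entry looks like a checkable rule; if that is deliberate, a one-line comment above `status:` naming the part that remains manual would spare the next reader the question. The control's rule list continues past the end of the hunk.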
diff --git a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
index 1c868964863..057a233f900 100644
--- a/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
+++ b/products/firefox/guide/firefox/firefox_policy-content_blocker/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true prodtype: firefox -title: 'Ensure the content blocker uBlock Origin is installed' +title: 'Ensure the Content Blocker uBlock Origin is Installed' description: |- The uBlock Origin will be installed automatically by configuring Firefox policy, and updates will be enabled. It can also be installed through the Mozilla Add-Ons store at https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/.