Merge pull request #14746 from ggbecker/improve-nist-controls

nist_800_53: distribute other.yml entries into NIST family files

Author: Mab879

products/rhel10/controls/nist_800_53/ac.yml

@@ -41,9 +41,12 @@ controls:
       levels:
           - moderate
       rules:
+          - accounts_tmout
           - no_invalid_shell_accounts_unlocked
           - no_password_auth_for_systemaccounts
           - no_shelllogin_for_systemaccounts
+          - inactivity_timeout_value=15_minutes
+          - var_accounts_tmout=15_min
       status: automated
     - id: ac-2.6
       title: Dynamic Privilege Management
@@ -216,6 +219,9 @@ controls:
           - sysctl_fs_protected_hardlinks
           - sysctl_fs_protected_symlinks
           - use_pam_wheel_group_for_su
+          - var_accounts_user_umask=027
+          - var_pam_wheel_group_for_su=cis
+          - var_selinux_policy_name=targeted
       status: automated
     - id: ac-3.1
       title: Restricted Access to Privileged Functions
@@ -491,6 +497,13 @@ controls:
       rules:
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
+          - accounts_passwords_pam_faillock_deny
+          - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
+          - accounts_passwords_pam_faillock_unlock_time_with_zero
+          - var_accounts_passwords_pam_faillock_deny=5
+          - var_accounts_passwords_pam_faillock_dir=run
+          - var_accounts_passwords_pam_faillock_root_unlock_time=60
+          - var_accounts_passwords_pam_faillock_unlock_time=900
       status: automated
     - id: ac-7.1
       title: Automatic Account Lock
@@ -551,6 +564,7 @@ controls:
           - dconf_gnome_screensaver_lock_delay
           - dconf_gnome_screensaver_user_locks
           - dconf_gnome_session_idle_user_locks
+          - var_screensaver_lock_delay=5_seconds
       status: automated
     - id: ac-11.1
       title: Pattern-hiding Displays

products/rhel10/controls/nist_800_53/au.yml

@@ -32,6 +32,11 @@ controls:
           - service_systemd-journal-upload_enabled
           - service_systemd-journald_enabled
           - socket_systemd-journal-remote_disabled
+          - ensure_journald_and_rsyslog_not_active_together
+          - var_audit_backlog_limit=8192
+          - var_auditd_action_mail_acct=root
+          - var_auditd_admin_space_left_action=cis_rhel10
+          - var_auditd_space_left_action=cis_rhel10
       status: automated
     - id: au-2.1
       title: Compilation of Audit Records from Multiple Sources
@@ -119,6 +124,9 @@ controls:
           - sudo_custom_logfile
           - sysctl_net_ipv4_conf_all_log_martians
           - sysctl_net_ipv4_conf_default_log_martians
+          - chronyd_run_as_chrony_user
+          - sshd_max_auth_tries_value=4
+          - var_multiple_time_servers=rhel
       status: automated
     - id: au-3.1
       title: Additional Audit Information
@@ -152,6 +160,8 @@ controls:
       rules:
           - auditd_data_disk_error_action
           - auditd_data_disk_full_action
+          - var_auditd_disk_error_action=cis_rhel10
+          - var_auditd_disk_full_action=cis_rhel10
       status: automated
     - id: au-5.1
       title: Storage Capacity Warning
@@ -254,6 +264,8 @@ controls:
       rules:
           - auditd_data_retention_max_log_file
           - auditd_data_retention_max_log_file_action
+          - var_auditd_max_log_file=8
+          - var_auditd_max_log_file_action=keep_logs
       status: automated
     - id: au-8.1
       title: Synchronization with Authoritative Time Source
@@ -269,6 +281,9 @@ controls:
           - low
       rules:
           - audit_rules_immutable
+          - file_groupownership_audit_configuration
+          - file_ownership_audit_binaries
+          - file_ownership_audit_configuration
       status: automated
     - id: au-9.1
       title: Hardware Write-once Media
@@ -284,14 +299,17 @@ controls:
       title: Cryptographic Protection
       levels:
           - high
-      rules: []
-      status: pending
+      rules:
+          - aide_check_audit_tools
+      status: automated
     - id: au-9.4
       title: Access by Subset of Privileged Users
       levels:
           - moderate
-      rules: []
-      status: pending
+      rules:
+          - file_group_ownership_var_log_audit
+          - file_permissions_var_log_audit
+      status: automated
     - id: au-9.5
       title: Dual Authorization
       rules: []
@@ -359,6 +377,7 @@ controls:
           - audit_rules_dac_modification_lsetxattr
           - audit_rules_dac_modification_removexattr
           - audit_rules_dac_modification_setxattr
+          - audit_rules_continue_loading
           - audit_rules_execution_chcon
           - audit_rules_file_deletion_events_rename
           - audit_rules_file_deletion_events_renameat
@@ -388,6 +407,7 @@ controls:
           - audit_rules_usergroup_modification_pamd
           - audit_rules_usergroup_modification_passwd
           - audit_rules_usergroup_modification_shadow
+          - audit_sudo_log_events
           - file_permissions_audit_configuration
           - grub2_audit_argument
           - service_auditd_enabled

products/rhel10/controls/nist_800_53/cm.yml

@@ -62,6 +62,13 @@ controls:
           - sysctl_net_ipv6_conf_default_accept_ra
           - sysctl_net_ipv6_conf_default_accept_redirects
           - sysctl_net_ipv6_conf_default_accept_source_route
+          - sshd_idle_timeout_value=5_minutes
+          - sysctl_net_ipv4_tcp_syncookies_value=enabled
+          - var_accounts_maximum_age_login_defs=365
+          - var_sshd_max_sessions=10
+          - var_sshd_set_keepalive=1
+          - var_sshd_set_maxstartups=10:30:60
+          - var_user_initialization_files_regex=all_dotfiles
       status: automated
     - id: cm-2
       title: Baseline Configuration
@@ -220,6 +227,7 @@ controls:
           - banner_etc_motd_cis
           - coredump_disable_backtraces
           - coredump_disable_storage
+          - dconf_db_up_to_date
           - dconf_gnome_disable_user_list
           - disable_host_auth
           - disable_users_coredumps
@@ -248,6 +256,7 @@ controls:
           - service_rpcbind_disabled
           - sshd_disable_gssapi_auth
           - sshd_set_login_grace_time
+          - sysctl_fs_suid_dumpable
           - sysctl_kernel_kptr_restrict
           - sysctl_kernel_randomize_va_space
           - sysctl_kernel_yama_ptrace_scope
@@ -276,6 +285,32 @@ controls:
           - sysctl_net_ipv6_conf_default_accept_redirects
           - sysctl_net_ipv6_conf_default_accept_source_route
           - sysctl_net_ipv6_conf_default_forwarding
+          - cis_banner_text=cis
+          - dconf_login_banner_contents=cis_default
+          - dconf_login_banner_text=cis_banners
+          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+          - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+          - var_accounts_user_umask=027
+          - var_sshd_set_login_grace_time=60
       status: automated
     - id: cm-6.1
       title: Automated Management, Application, and Verification
@@ -303,6 +338,7 @@ controls:
           - low
       rules:
           - dconf_gnome_disable_autorun
+          - disable_weak_deps
           - file_ownership_var_log_audit_stig
           - has_nonlocal_mta
           - kernel_module_atm_disabled
@@ -330,11 +366,14 @@ controls:
           - package_cyrus-imapd_removed
           - package_dovecot_removed
           - package_ftp_removed
+          - package_gdm_removed
           - package_httpd_removed
           - package_kea_removed
           - package_net-snmp_removed
           - package_nginx_removed
           - package_openldap-clients_removed
+          - package_postfix_installed
+          - package_sequoia-sq_installed
           - package_telnet-server_removed
           - package_telnet_removed
           - package_tftp-server_removed
@@ -354,6 +393,8 @@ controls:
           - service_dnsmasq_disabled
           - sshd_disable_forwarding
           - wireless_disable_interfaces
+          - xwayland_disabled
+          - var_postfix_inet_interfaces=loopback-only
       status: automated
     - id: cm-7.1
       title: Periodic Review

products/rhel10/controls/nist_800_53/ia.yml

@@ -104,8 +104,11 @@ controls:
       title: Identifier Management
       levels:
           - low
-      rules: []
-      status: pending
+      rules:
+          - account_disable_post_pw_expiration
+          - accounts_set_post_pw_existing
+          - var_account_disable_post_pw_expiration=45
+      status: automated
     - id: ia-4.1
       title: Prohibit Account Identifiers as Public Identifiers
       rules: []
@@ -151,21 +154,36 @@ controls:
       rules:
           - accounts_minimum_age_login_defs
           - accounts_password_all_shadowed
+          - accounts_password_last_change_is_in_past
           - accounts_password_pam_dictcheck
           - accounts_password_pam_difok
           - accounts_password_pam_enforce_root
           - accounts_password_pam_maxrepeat
           - accounts_password_pam_maxsequence
           - accounts_password_pam_minclass
           - accounts_password_pam_minlen
+          - accounts_password_pam_modules_in_authselect_profile
           - accounts_password_pam_pwhistory_enforce_for_root
           - accounts_password_pam_pwhistory_use_authtok
           - accounts_password_pam_unix_authtok
           - accounts_password_set_min_life_existing
+          - accounts_password_set_warn_age_existing
+          - accounts_password_warn_age_login_defs
+          - ensure_root_password_configured
           - no_empty_passwords_etc_shadow
           - set_password_hashing_algorithm_logindefs
           - set_password_hashing_algorithm_passwordauth
           - set_password_hashing_algorithm_systemauth
+          - var_accounts_minimum_age_login_defs=1
+          - var_accounts_password_warn_age_login_defs=7
+          - var_password_hashing_algorithm=cis_rhel10
+          - var_password_hashing_algorithm_pam=cis_rhel10
+          - var_password_pam_dictcheck=1
+          - var_password_pam_difok=2
+          - var_password_pam_maxrepeat=3
+          - var_password_pam_maxsequence=3
+          - var_password_pam_minclass=4
+          - var_password_pam_minlen=14
       status: automated
     - id: ia-5.1
       title: Password-based Authentication
@@ -175,6 +193,9 @@ controls:
           - accounts_password_pam_pwhistory_remember_password_auth
           - accounts_password_pam_pwhistory_remember_system_auth
           - accounts_password_pam_unix_enabled
+          - accounts_password_pam_unix_no_remember
+          - var_password_pam_remember=24
+          - var_password_pam_remember_control_flag=requisite_or_required
       status: automated
     - id: ia-5.2
       title: Public Key-based Authentication
@@ -318,6 +339,7 @@ controls:
           - low
       rules:
           - sudo_require_reauthentication
+          - var_sudo_timestamp_timeout=15_minutes
       status: automated
     - id: ia-12
       title: Identity Proofing