Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-1314

CIS Level 1 : Missing check lists as defined in CIS standards and causing deviation from cissecurity benchmark

    • None
    • Critical
    • sst_security_compliance
    • ssg_security
    • 26
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • If docs needed, set a value
    • None

      Description of problem:
      When system is scanned and remediated as per CIS Level 1 on RHEL 8.8, following checks/rules are not performed and hence not remediated.

      5.1.8 Ensure cron is restricted to authorized users (Automated) ...
      5.2.4 Ensure SSH access is limited (Automated)
      5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

      As per definitions in CIS benchmarks v1 and v2, above rules should be checked/validated, but its not being done.

      Required checks :

      5.1.8 Ensure cron is restricted to authorized users (Automated) ...

      • No check for /etc/cron.allow exists or not. No remediation to create such a file.

      5.2.4 Ensure SSH access is limited (Automated)

      • No checks for AllowUsers and AllowGroups parameters in /etc/ssh/sshd_config

      5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

      • Only ClientAliveCount Max is checked, but no such rule for ClientAliveInterval

      Version-Release number of selected component (if applicable):
      scap-security-guide-0.1.66-2.el8_7.noarch

      How reproducible:

      Scan the system for cis level 1 profile and attempt to remediate

      1. oscap xccdf eval --profile cis_server_l1 --remediate --results-arf /var/tmp/arf-post-level1.xml --report /var/tmp/post-level1-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

      Steps to Reproduce:
      1. Fresh install RHEL 8.8
      2. Install openscap-utils and scap-security-guide packages
      3. Scan system for CIS level 1 profile.

      Actual results:

      • There are rules/checks corresponding to following checklist in benchmark

      5.1.8 Ensure cron is restricted to authorized users (Automated) ...
      5.2.4 Ensure SSH access is limited (Automated)
      5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)

      • As rules are missing, remediation does not work properly.

      Expected results:

      • Expect checks to be performed for these referred rules.
      • Additionally, once they are checked, then remediation should be attempted accordingly on these rules.

      Additional info:

      With above changes, expectation is to have following things checked/created

      • /etc/cron.allow file
      • AllowUsers and AllowGroups in /etc/ssh/sshd_config
      • ClientAliveInterval in /etc/ssh/sshd_config

            vpolasek@redhat.com Vojtech Polasek
            rhn-support-ravpatil Ravindra Patil
            Vojtech Polasek Vojtech Polasek
            Milan Lysonek Milan Lysonek
            Votes:
            0 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated:
              Resolved: