About profile

CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation

This profile defines a baseline that aligns to the "Level 2 - Workstation" configuration from the Center for Internet Security® Red Hat Enterprise Linux 7 Benchmark™, v4.0.0, released 2023-12-21. This profile includes Center for Internet Security® Red Hat Enterprise Linux 7 CIS Benchmarks™ content.

Compliance and Scoring

Success alert: There were no failed or uncertain rules. It seems that no action is necessary.

Rule results

1 Pass

100.00 of 100.00

Rule Overview

Rule Severity Result

medium

pass

Rule ID:

xccdf_org.ssgproject.content_rule_service_bluetooth_disabled

Result:

pass

Time:

2024-02-06T04:00:37

Description:

The bluetooth service can be disabled with the following command:

$ sudo systemctl mask --now bluetooth.service

$ sudo service bluetooth stop

Rationale:

Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Severity:

medium

Identifiers:

CCE-27328-4

References:

CCI:	CCI-000085, CCI-001551
CIS:	11, 12, 14, 15, 3, 8, 9
CIS for RHEL:	3.1.3
COBIT:	APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
CUI:	3.1.16
ISA-62443-2009:	4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
ISA-62443-2013:	SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
NIST 800-53:	AC-18(3), AC-18(a), CM-6(a), CM-7(a), CM-7(b), MP-7
NIST CSF:	PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
https://www.iso.org/contents/data/standard/05/45/54534.html:	A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2

Remediation OSBuild Blueprint snippet

[customizations.services]
disabled = ["bluetooth"]

Remediation Ansible snippet


Complexity:	low
Disruption:	low
Strategy:	disable

- name: Block Disable service bluetooth
  block:

  - name: Disable service bluetooth
    block:

    - name: Disable service bluetooth
      systemd:
        name: bluetooth.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service bluetooth' failure, service
        was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-27328-4
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_bluetooth_disabled

- name: Unit Socket Exists - bluetooth.socket
  command: systemctl -q list-unit-files bluetooth.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-27328-4
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_bluetooth_disabled

- name: Disable socket bluetooth
  systemd:
    name: bluetooth.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - socket_file_exists.stdout_lines is search("bluetooth.socket",multiline=True)
  tags:
  - CCE-27328-4
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(3)
  - NIST-800-53-AC-18(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_bluetooth_disabled

Remediation Puppet snippet


Complexity:	low
Disruption:	low
Strategy:	enable

include disable_bluetooth

class disable_bluetooth {
  service {'bluetooth':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation Kubernetes snippet


Complexity:	low
Disruption:	medium
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: bluetooth.service
        enabled: false
        mask: true
      - name: bluetooth.socket
        enabled: false
        mask: true

Remediation Shell script


Complexity:	low
Disruption:	low
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'bluetooth.service'
"$SYSTEMCTL_EXEC" disable 'bluetooth.service'
"$SYSTEMCTL_EXEC" mask 'bluetooth.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files bluetooth.socket; then
    "$SYSTEMCTL_EXEC" stop 'bluetooth.socket'
    "$SYSTEMCTL_EXEC" mask 'bluetooth.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

OVAL definition:

Definition ID:

oval:ssg-service_bluetooth_disabled:def:1

Class:

compliance

Title:

Disable Bluetooth Service

Description:

The bluetooth service should be disabled.

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

OVAL graph of OVAL definition: oval:ssg-service_bluetooth_disabled:def:1

Applicability checks:

CPE platform required by profile:

cpe:/o:redhat:enterprise_linux:7::client Profile platform

cpe:/o:redhat:enterprise_linux:7::computenode Profile platform

cpe:/o:redhat:enterprise_linux:7 Profile platform

cpe:/o:redhat:enterprise_linux:7::server Profile platform

cpe:/o:redhat:enterprise_linux:7::workstation Profile platform

CPE platform required by rule:

#machine

SCAP Evaluation Report

About profile

Compliance and Scoring

Rule results

Score

Rule Overview

Advanced filtering options

OVAL definition:

Applicability checks:

About profile

Compliance and Scoring

Rule results

Score

Evaluation Characteristics

Rule Overview

Advanced filtering options

OVAL definition:

Applicability checks: