[Q] rhel7 3.0.0 #69

Open
marcelfischer opened this issue Dec 10, 2020 · 5 comments
Comments

@marcelfischer

Hi, 3.0.0 and 3.0.1 for rhel7 were released some time ago. I adjusted the module for 3.0.0.
Are you interested in a pull request?
But since we're not using the firewall part, this would be missing.

@bjvrielink
Collaborator

For what products are these versions?

@marcelfischer
Author

marcelfischer commented Dec 10, 2020

Sorry, I'm talking about "CIS Red Hat Enterprise Linux 7 Benchmark".
Version 3.0.0 was released on Jun 25 2020. The rule numbering changed a lot.
Probably there is also a new version for CentOS and Oracle Linux, but I haven't checked that.
See: https://www.cisecurity.org/blog/cis-benchmarks-july-2020-update/

@bjvrielink
Collaborator

Pull requests are always welcome. I haven't looked in detail into this update; are there other changes except the numbering?

A renumbering of the rules also means that people that use the $include_rules/$exclude_rules parameters for this module must change their Puppet configuration to match this change. We may want to bump the major version of this module when it is released?

@marcelfischer
Author

Yes, sadly we had to review all activated rules to make sure that we do not accidentally activate something else now.
Some content changed also:

  • at and cron (allow/deny) are now separate rules, but the content is the same
  • selinux should be set to permissive (level 1) or enforcing (level 2)
  • nfs-utils and rpcbind rules are now separate, and you should remove the packages or mask (systemctl mask) the services instead of disabling (systemctl disable) them
  • there is one completely new rule called "6.2.1 Ensure accounts in /etc/passwd use shadowed passwords"
  • and like I said, there were some changes to firewall, but we're having our own puppet code for firewall; probably it's possible to use the code from rhel8

So I had to create 6 new rule classes. And you need to change almost every class in distribution::rhel7 and distribution::centos7.

Probably it makes sense to bump the major version.
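The new rule "6.2.1 Ensure accounts in /etc/passwd use shadowed passwords" mentioned in the comment above boils down to one audit: every entry in /etc/passwd must carry `x` in its password field so that the hash lives only in the root-readable /etc/shadow. The script below is an added example, not code from this Puppet module or from the issue author; it runs the check against a constructed sample file (`SAMPLE_PASSWD`, a temp file with made-up accounts) so it can be tried without touching a real system. The function names `unshadowed_accounts` and `audit_shadowed` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Puppet module or the issue): audit check for
# CIS RHEL 7 v3.0.0 rule 6.2.1 "Ensure accounts in /etc/passwd use shadowed passwords".
# An account whose second field is anything other than "x" keeps its hash in the
# world-readable /etc/passwd, which is what the rule is designed to catch.

# unshadowed_accounts FILE
#   Prints one username per line for every entry whose password field != "x".
unshadowed_accounts() {
    awk -F: '($2 != "x") { print $1 }' "$1"
}

# audit_shadowed FILE
#   Prints PASS when no unshadowed account exists, FAIL otherwise
#   (FAIL is the verdict a CIS scanner would report for rule 6.2.1).
audit_shadowed() {
    if [ -z "$(unshadowed_accounts "$1")" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# Constructed sample passwd file for a stand-alone run (not a real system file).
# The "legacy" account is deliberately left with an inline hash to trigger the finding.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
legacy:$6$saltsalt$fakehashvalue:1001:1001::/home/legacy:/bin/bash
svc:x:1002:1002::/var/lib/svc:/sbin/nologin
EOF

# Run against the sample; on a real host pass /etc/passwd instead.
echo "Accounts not using shadowed passwords:"
unshadowed_accounts "$SAMPLE_PASSWD"
echo "Rule 6.2.1 verdict: $(audit_shadowed "$SAMPLE_PASSWD")"
```

On a real host the remediation the benchmark describes is `pwconv`, which moves any inline hashes into /etc/shadow and replaces them with `x`; re-running `audit_shadowed /etc/passwd` afterwards should then print PASS.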

@marcelfischer
Author

I quickly checked the difference in firewall between rhel7 and rhel8 CIS. Looks pretty similar. So I guess I could also make the changes for this.
