Expand Up @@ -40,13 +40,22 @@
cis@sle12: 4.1.8
cis@sle15: 4.1.8
cjis: 5.4.1.1
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 43 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 43:100 [line-length] line too long (254 > 99 characters)
cui: 3.1.7
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 45 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 45:100 [line-length] line too long (123 > 99 characters)
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 46 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 46:100 [line-length] line too long (132 > 99 characters)
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 47 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 47:100 [line-length] line too long (158 > 99 characters)
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 48 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 48:100 [line-length] line too long (169 > 99 characters)
nist: AU-2(d),AU-12(c),CM-6(a)
nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 50 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 50:100 [line-length] line too long (101 > 99 characters)
pcidss: Req-10.2.3
srg: SRG-APP-000505-CTR-001285

ocil_clause: 'the system is not configured to audit attempts to alter process and session initiation information'

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 54 in linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml: 54:100 [line-length] line too long (113 > 99 characters)

ocil: |-
To determine if the system is configured to audit attempts to alter
process and session initiation information, run the following command:
<pre>auditctl -l | grep -E '(/var/run/utmp|/var/log/btmp|/var/log/wtmp)'</pre>
If the system is configured to watch for these events, lines should be returned for
each file specified (and with <tt>-p wa</tt> for each).
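Review bot: the added ocil_clause at line 54 is 113 characters and is the only one of the seven yamllint line-length failures on this file that this change introduces; the hits at lines 43, 45, 46, 47, 48 and 50 are pre-existing reference lines that the "Yaml Lint on Changed yaml files" job reports because the file was touched. Fold the new clause so the job goes green on the lines you own, for example
    ocil_clause: >-
        the system is not configured to audit attempts to alter
        process and session initiation information
and leave the reference-line cleanup to a separate change. One caveat worth a sentence in the OCIL text: `auditctl -l` prints the rule set loaded in the running kernel, not the contents of the rule files, so on a host where the watches were just written to the rules file but not yet loaded the grep returns nothing even though the configuration is correct; tell the reviewer to confirm the rules have been loaded before reading the output.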
Comment on lines +59 to +61

Author:
The returned auditctl -l lines include the permission flags inline (e.g. -w /var/run/utmp -p wa -k session), and the OCIL already directs the reviewer to confirm -p wa is present for each file, so the procedure does verify both the watched paths and the wa permissions. I kept the phrasing consistent with the established sibling rule audit_rules_usergroup_modification, whose OCIL uses the same auditctl -l | grep -E ... approach with an explicit perm=wa confirmation note.

Expand Up @@ -104,3 +104,17 @@ references:
nist: CM-6(a),AU-8(1)(a),AU-8(2),AU-12(1)
nist-csf: PR.PT-1
pcidss: Req-10.4.3

ocil_clause: 'no additional NTP servers are specified'

ocil: |-
To verify that additional NTP servers are configured for time synchronization,
open the following file:
<ul>
<li><pre>{{{ chrony_conf_path }}}</pre> in the case the system in question is
configured to use the <tt>chronyd</tt> as the NTP daemon (default setting)</li>
<li><pre>/etc/ntp.conf</pre> in the case the system in question is configured
to use the <tt>ntpd</tt> as the NTP daemon</li>
</ul>
In the file, there should be multiple lines similar to the following:
<pre>server <i>ntpserver</i></pre>
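Review bot: the example under "there should be multiple lines similar to the following" shows a single `server <i>ntpserver</i>` line, so the reviewer never sees what a passing file looks like; since the pass condition is at least two `server` directives, show two lines and state the count, for example
    <pre>server ntp1.example.com
    server ntp2.example.com</pre>
and reword the ocil_clause from "no additional NTP servers are specified" (additional to what?) to something like "fewer than two NTP servers are specified" so the clause matches the check. Minor wording in the list items: "configured to use the <tt>chronyd</tt> as the NTP daemon" and "to use the <tt>ntpd</tt> as the NTP daemon" each carry a stray "the"; "to use <tt>chronyd</tt> as the NTP daemon".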
Comment on lines +119 to +120

Author:
Thanks — I looked at the rule's OVAL before deciding. The check (shared/checks/oval/chronyd_specify_multiple_servers.xml) matches only server directives with the pattern ^([\s]*server[\s]+.+$){2,}$; it does not count pool lines. Keeping the OCIL to server keeps the manual check aligned with the automated check — if the OCIL told auditors to count pool entries, a system could pass the manual review while still failing the scan. This also matches the sibling rule chronyd_or_ntpd_specify_remote_server, whose OCIL references server only.

13 changes: 13 additions & 0 deletions linux_os/guide/system/software/integrity/disable_prelink/rule.yml
Expand Up @@ -28,12 +28,25 @@
cis@sle12: 1.6.4
cis@sle15: 1.6.4
cjis: 5.10.1.3
cobit5: APO01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS04.07,DSS05.03,DSS06.02,DSS06.06

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 31 in linux_os/guide/system/software/integrity/disable_prelink/rule.yml: 31:100 [line-length] line too long (119 > 99 characters)
cui: 3.13.11
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 7.6'
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.3

Check failure (GitHub Actions / Yaml Lint on Changed yaml files) on line 35 in linux_os/guide/system/software/integrity/disable_prelink/rule.yml: 35:100 [line-length] line too long (116 > 99 characters)
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-13,CM-6(a)
nist-csf: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1
pcidss: Req-11.5

ocil_clause: 'prelinking is enabled'

ocil: |-
To determine if prelinking is disabled, first check whether the
<tt>prelink</tt> package is installed by running the following command:
<pre>$ rpm -q prelink</pre>
If the package is not installed, prelinking is not enabled and the rule is
satisfied. If the <tt>prelink</tt> package is installed, verify that prelinking
is disabled by running the following command:
<pre>$ grep PRELINKING /etc/sysconfig/prelink</pre>
If prelinking is disabled, the output should contain the following line:
<pre>PRELINKING=no</pre>
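Review bot: `grep PRELINKING /etc/sysconfig/prelink` also matches commented-out lines such as `#PRELINKING=yes`, and "the output should contain the following line" lets a reviewer pass a file in which `PRELINKING=no` is present but a later uncommented `PRELINKING=yes` is the effective setting; anchor the pattern and state that the only uncommented assignment must be `no`, for example
    <pre>$ grep '^PRELINKING' /etc/sysconfig/prelink</pre>
    If prelinking is disabled, the only line returned should be:
    <pre>PRELINKING=no</pre>
Also consider a sentence noting that `PRELINKING=no` only prevents future prelinking and does not revert binaries that were already prelinked (`prelink -ua` undoes them); if the rule's remediation or description covers that step, the manual check should ask the reviewer to confirm it as well. The two yamllint failures on this file (lines 31 and 35) are on pre-existing reference lines, not on the thirteen added lines, so they are not introduced by this change.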