[Q] rhel7 3.0.0 about secure_linux_cis HOT 5 OPEN

For what products are these versions?

from secure_linux_cis.

Sorry, Im talking about "CIS Red Hat Enterprise Linux 7 Benchmark"
Version 3.0.0 was released on Jun 25 2020. The rules numbering changed a lot.
Probably there is also a new Version for CentOS and Oracle Linux, but I havent checked that.
See: https://www.cisecurity.org/blog/cis-benchmarks-july-2020-update/

from secure_linux_cis.

Pull requests are always welcome. I haven't looked into detail into this update; are there other changes except the numbering?

A renumbering of the rules also means that people that use the $include_rules/$exclude_rules parameters for this module must change their Puppet configuration to match this change. We may want to bump the major version of this module when it is released?

from secure_linux_cis.

Yes sadly we had to review all activated rules to make sure that we do not accidently activate something else now.
Some content changed also:

• at and cron (allow/deny) are now separated rules, but content is the same
• selinux should be set to permissive (level1) or enforcing (level2)
• nfs-utils and rpcbind rules are now separated, and you should remove the packages or mask (systemctl mask) the services instead of disabling (systemctl disable) them
• there is one completely new rule called "6.2.1 Ensure accounts in /etc/passwd use shadowed passwords"
• and like I said, there were some changes to firewall, but we're having our own puppet code for firewall, probably its possible to use the code from rhel8

So I had to create 6 new rules classes. And you need to change almost every class in distribution::rhel7 and distribution::centos7.

Probably it makes sense to bump the major version

from secure_linux_cis.

I quickly checked the difference in firewall between rhel7 and rhel8 CIS. Looks pretty similar. So I guess I could also make the changes for this.

from secure_linux_cis.