From 544b1caf4783b67b56bbc76b57999d0abe57d019 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 3 Mar 2026 15:33:04 -0600
Subject: [PATCH 1/4] Move to service_dnsmasq_disabled for CIS in RHEL
Remove the package was causing issues in installs
---
 products/rhel10/controls/cis_rhel10.yml | 2 ++
 products/rhel8/controls/cis_rhel8.yml | 2 ++
 products/rhel9/controls/cis_rhel9.yml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 8269196f2993..f6abf020f44a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -817,6 +817,8 @@ controls:
 - l1_workstation
 status: automated
 rules:
+ - service_dnsmasq_disabled
+ related_rules:
 - package_dnsmasq_removed
 - id: 2.1.7
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index cbe5d4d6454e..57ff2e16abc4 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -860,6 +860,8 @@ controls:
 - l1_workstation
 status: automated
 rules:
+ - service_dnsmasq_disabled
+ related_rules:
 - package_dnsmasq_removed
 - id: 2.1.7
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index f73fbd1f6d79..2ded1b128c92 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -819,6 +819,8 @@ controls:
 - l1_workstation
 status: automated
 rules:
+ - service_dnsmasq_disabled
+ related_rules:
 - package_dnsmasq_removed
 - id: 2.1.6
From 585678ed25d2312db054eb4d17f370b8e4ed0cda Mon Sep 17 00:00:00 2001
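Review bot: The reason package_dnsmasq_removed is demoted to `related_rules:` exists only in the commit message, so a later contributor could move it back under `rules:` and reintroduce the install breakage; add a comment on the `related_rules:` line such as `# package_dnsmasq_removed is related only: removing the package broke installs (keep service_dnsmasq_disabled as the enforced rule)`. With only service_dnsmasq_disabled selected, the control now enforces that the service is disabled while the package may stay installed — presumably acceptable for this CIS item, but the control still says `status: automated`, so that scope narrowing is worth stating next to it. At this point in the series the service_dnsmasq_disabled rule carries only a SLE CCE (the RHEL identifiers arrive in PATCH 3/4), so the three control changes should not be merged ahead of that patch. The same change appears in the rhel8 and rhel9 control hunks.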
From: Vojtech Polasek
Date: Wed, 4 Mar 2026 12:45:25 +0100
Subject: [PATCH 2/4] update profile stability tests
---
 tests/data/profile_stability/rhel10/cis.profile | 2 +-
 tests/data/profile_stability/rhel10/cis_server_l1.profile | 2 +-
 tests/data/profile_stability/rhel10/cis_workstation_l1.profile | 2 +-
 tests/data/profile_stability/rhel10/cis_workstation_l2.profile | 2 +-
 tests/data/profile_stability/rhel8/cis.profile | 2 +-
 tests/data/profile_stability/rhel8/cis_server_l1.profile | 2 +-
 tests/data/profile_stability/rhel8/cis_workstation_l1.profile | 2 +-
 tests/data/profile_stability/rhel8/cis_workstation_l2.profile | 2 +-
 tests/data/profile_stability/rhel9/cis.profile | 2 +-
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 2 +-
 tests/data/profile_stability/rhel9/cis_workstation_l1.profile | 2 +-
 tests/data/profile_stability/rhel9/cis_workstation_l2.profile | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index acb21b876b66..be281650fc10 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -369,6 +368,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..40d910b58ee9 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -226,7 +226,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -262,6 +261,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..f2f820c05c60 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -222,7 +222,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -253,6 +252,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..68ed725b2d73 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -365,6 +364,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..f17b30ec001e 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -376,6 +375,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..8acdac5b799c 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -237,7 +237,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -279,6 +278,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..3a115c19fbf6 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -234,7 +234,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -271,6 +270,7 @@ rsyslog_nolisten
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..c7700c1f700b 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -372,6 +371,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..398d9f9c3132 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -339,6 +338,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..549ae2ca45b2 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -201,7 +201,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -238,6 +237,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..fc3d0e7e594a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -198,7 +198,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -230,6 +229,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..ac08a0eb2e05 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -335,6 +334,7 @@ service_autofs_disabled
 service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
From e6ae4f5421f0eb6309580cf3d0ff703ede99845d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 4 Mar 2026 12:52:40 +0100
Subject: [PATCH 3/4] add cces to service_dnsmasq_disabled
---
 linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml | 3 +++
 shared/references/cce-redhat-avail.txt | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
index b030a645a893..51fe990a7a8f 100644
--- a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
+++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-90720-4
+ cce@rhel9: CCE-90721-2
+ cce@rhel10: CCE-90722-0
 cce@sle15: CCE-92602-2
 platform: system_with_kernel
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 19129c0f0065..3681684fcdf0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2341,6 +2341,3 @@ CCE-90706-3
 CCE-90707-1
 CCE-90710-5
 CCE-90715-4
-CCE-90720-4
-CCE-90721-2
-CCE-90722-0
From 5f342684b0d2521310eb8e6d886240c779c78712 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 4 Mar 2026 12:57:11 +0100
Subject: [PATCH 4/4] add package_dnsmasq_removed to default profiles for rhels
---
 products/rhel10/profiles/default.profile | 1 +
 products/rhel8/profiles/default.profile | 1 +
 products/rhel9/profiles/default.profile | 1 +
 3 files changed, 3 insertions(+)
diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index 4d9b46867bc6..3be6b3d8376a 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -45,3 +45,4 @@ selections:
 - file_etc_security_opasswd
 - sshd_use_strong_macs
 - configure_ssh_crypto_policy
+ - package_dnsmasq_removed
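Review bot: package_dnsmasq_removed is appended to the rhel10 default profile immediately after PATCH 1/4 stopped selecting it in the CIS control because removing the package broke installs, and nothing in this hunk records that constraint. If default.profile is what keeps a rule built into the product datastream, the package-removal remediation that caused the breakage still ships and can be selected by other profiles or by tailoring without any hint of the problem. Consider documenting the install issue in the rule content itself — a `warnings:` entry on package_dnsmasq_removed — or at minimum a YAML comment on the added selection line, e.g. `# kept available for non-CIS use; package removal breaks installs, CIS selects service_dnsmasq_disabled instead`. The same append appears in the rhel8 and rhel9 default.profile hunks.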
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
index 6865a9615f79..7e7401a04ac7 100644
--- a/products/rhel8/profiles/default.profile
+++ b/products/rhel8/profiles/default.profile
@@ -738,3 +738,4 @@ selections:
 - configure_openssl_tls_crypto_policy
 - sshd_use_approved_kex_ordered_stig
 - accounts_user_dot_no_world_writable_programs
+ - package_dnsmasq_removed
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index 876e5516b32a..f817322dbdab 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -592,3 +592,4 @@ selections:
 - audit_rules_login_events_tallylog
 - configure_ssh_crypto_policy
 - accounts_user_dot_no_world_writable_programs
+ - package_dnsmasq_removed