diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml
index 8821c83a893d..b22ccfbd7f1c 100644
--- a/controls/cis_fedora.yml
+++ b/controls/cis_fedora.yml
@@ -369,9 +369,14 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: manual
- related_rules:
+ status: partial
+ rules:
 - ensure_fedora_gpgkey_installed
+ notes: >
+ In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+ But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2
+ adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora
+ GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 - id: 1.2.1.2
 title: Ensure gpgcheck is configured (Automated)
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 5873a002486d..9ab136c4be7a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -366,9 +366,14 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: manual
- related_rules:
+ status: partial
+ rules:
 - ensure_redhat_gpgkey_installed
+ notes: >
+ In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+ But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+ adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+ GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 - id: 1.2.1.2
 title: Ensure gpgcheck is configured (Automated)
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index 9b8c5aa06bb2..69773b6030d3 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
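Review bot: The new `notes:` text on control 1.2.1.1 in cis_fedora.yml explains why `ensure_fedora_gpgkey_installed` is now selected, but it does not say what `status: partial` leaves uncovered, so a passing scan can be read as full compliance with a requirement the benchmark keeps manual. I would add one sentence to the note, for example `GPG keys of third-party repositories are not checked by this rule and still have to be reviewed manually.` The conditional in the last sentence would also read better as `If the Fedora GPG key is not installed, ...`. The same note text is added in the cis_rhel10.yml, cis_rhel8.yml and cis_rhel9.yml hunks, and the point applies there as well.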
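Review bot: The note added to 1.2.1.1 in cis_rhel10.yml says requirement 1.2.1.2 adds `ensure_gpgcheck_never_disabled`, but the rhel10 profile_stability hunks in this commit list `ensure_gpgcheck_globally_activated` directly followed by `ensure_journald_and_rsyslog_not_active_together`, so that rule does not appear to be selected on RHEL 10. The sentence looks carried over from the rhel8/rhel9 files; if 1.2.1.2 selects only the global check here, the note should read `adds ensure_gpgcheck_globally_activated which requires GPG key checking`, as the Fedora file does. The rule list of 1.2.1.2 itself lies outside the hunk, so this should be confirmed against it.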
@@ -379,9 +379,14 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: manual
- related_rules:
+ status: partial
+ rules:
 - ensure_redhat_gpgkey_installed
+ notes: >
+ In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+ But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+ adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+ GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 - id: 1.2.1.2
 title: Ensure gpgcheck is configured (Automated)
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index afc2df9a3be7..d96d8ad21fed 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -361,9 +361,14 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: manual
- related_rules:
+ status: partial
+ rules:
 - ensure_redhat_gpgkey_installed
+ notes: >
+ In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
+ But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
+ adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
+ GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.
 - id: 1.2.1.2
 title: Ensure gpgcheck is globally activated (Automated)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 2854ceaf8c8c..d59c4fb53bde 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index e7202ee09736..4eb3eeccf11e 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -74,6 +74,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 422c2734e667..ee18ebf6b8ed 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -72,6 +72,7 @@ disable_users_coredumps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 4305d8353fef..44b0fc37e7ec 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -153,6 +153,7 @@ disable_weak_deps
 ensure_gpgcheck_globally_activated
 ensure_journald_and_rsyslog_not_active_together
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index d57ea698141e..bd44b63338dc 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index 7dbac7629c95..02e03741db9a 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -72,6 +72,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index 3850f302bb71..2576b980b21d 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -70,6 +70,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index 45cd14d4e218..165fa1148947 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -141,6 +141,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 6a5d215dcd14..a2f7813238af 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index 3592f0f99e85..fb24601f97fe 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -65,6 +65,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index d6f2aaf4a60b..799da33423e1 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -63,6 +63,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index ec0bfe8d2be8..4e0da9c5fe6a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -137,6 +137,7 @@ enable_authselect
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_never_disabled
 ensure_pam_wheel_group_empty
+ensure_redhat_gpgkey_installed
 ensure_root_password_configured
 file_at_allow_exists
 file_at_deny_not_exist