Updating CIS for Red Hat Enterprise Linux 7 to newer benchmarks

This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Red Hat Enterprise Linux 7 Benchmark Version 3.0.1. This template contains implementation for 247 rules that can be installed on TrueSight Server Automation 8.9.00 or later.

Before you begin

Before you install this hotfix, make sure that the following requirements are met:

  • All the compliance content provided by BMC is at least updated to version 8.9.
  • For all application servers in your environment, back up the following directory:
    <Application_Server_installation_directory >/share/sensors
    This directory contains extended object scripts.

Step 1: Download the template file

Do the following:

  1. Log in to the ftp.bmc.com host using the SFTP protocol. 

  2. Download the CIS - Red Hat Enterprise Linux 7.zip and extended_objects.zip packages from the following location:

     Expand to view the checksum-related information

    Verify the downloaded content by using the following check sums.

    Sr.

    File name

    MD5SUM

    1

    CIS - Red Hat Enterprise Linux 7.zip

    6eb843ee1252a11b0416d31de9e6d318

    2extended_objects.zip

    e1ccb9fda19fd612a71456dfd1f647c4

    Verify the extended objects present on the application. If the md5sums match, go ahead and replace them. If these md5sums do not match, you must manually merge the fixes.

Step 2: Import the compliance template

Do the following:

  1. Log in to the TrueSight Server Automation console.
  2. Right-click Component Templates and select Import
  3. Select Import (Version-neutral).

  4. From the temporary directory, select the CIS - Red Hat Enterprise Linux 7.zip package, and click Next. The CIS - Red Hat Enterprise Linux 7.zip package contains the CIS template for Red Hat Enterprise Linux 7. 

  5. To import the template, select CIS - Red Hat Enterprise Linux 7 and click Next.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.


  6. Navigate to the last screen of the wizard and then click Finish.

    The template is imported successfully.

Rules within the template

The template contains the following types of rules:

  • Rules that check for compliance and provides remediation - 177
  • Rules that check for compliance but do not provide remediation - 53
  • Rules that do not check for compliance and do not provide remediation – 17

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 207

  • Rules divided into two parts - (25 rules divided into 2 parts) so (25 * 2) = 52

  • Rules divided into three parts - (10 rules divided into 3 parts) so (10 * 3) = 30

  • Rules divided into four parts – (1 rule divided into 4 parts) so (1 * 4) = 4

  • Rules divided into five parts – (1 rule divided into 5 parts) so (1 * 5) = 5

  • Rules divided into six parts - (2 rules divided into 6 parts) so (2 * 6) = 12

So, the current rule count as per CIS - Red Hat Enterprise Linux 7 template after running the compliance job is 310 (207 + 52 + 30 + 4 + 5 +12)

The following table lists the compliance checks with comments:

Rule IDs without compliance checksComments
3.5.2.11, 3.5.2.4, 3.5.2.7, 3.5.2.8, 3.5.3.2.2, 3.5.3.2.3, 3.5.3.2.4, 3.5.3.2.5, 3.5.3.3.2, 3.5.3.3.3, 3.5.3.3.4, 3.5.3.3.5Changing the firewall settings when you are connected to the network can result in being locked out of the system. 
2.4, 3.5.1.6, 3.5.1.7, 5.2.3, 5.2.2

As an administrator, review these values based on the organization policy.

Rules with compliance checks but no remediationComments
1.1.10, 1.1.11,1.1.15, 1.1.16, 1.1.17,1.1.2,1.10, 1.2.1,1.2.2, 1.6.2, 1.9, 2.2.1.2.1, 2.2.1.3.2, 4.1.17, 4.2.1.4, 4.2.1.5, 4.2.4, 5.5, 5.6, 6.1.1, 6.2.1,Remediation not provided as it needs manual intervention by a system administrator.
1.5.1,1.7.1.2.3, 1.7.1.3.2, 1.7.1.6, 3.5.1.4, 3.5.1.5, 3.5.2.5, 3.5.2.6, 3.5.2.9, 3.5.3.2.1, 3.5.3.2.6, 3.5.3.3.1, 3.5.3.3.6, 5.4.1.5, 5.4.2,Remediation configures the system to immutable mode.
2.2.2, 3.1.2

Remediation is not available as the package update or configuration information depends upon the organization.

5.4.3, 6.2.10, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.9Remediation must be performed manually with required permission.
Was this page helpful? Yes No Submitting... Thank you

Comments