CIS: Red Hat Enterprise Linux 8

This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Red Hat Enterprise Linux 8 Benchmark Version 1.0.0, with implementation for 234 rules that can be installed on TrueSight Server Automation 20.02.01.

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Ensure that all compliance content provided by BMC in your environment is at least updated to version 20.02.01.
  • Back up the sensors folders, which are available on all the Application Servers in your environment. The sensors folders contain extended object scripts and are located at the following path on an Application Server:
    <Application_Server_installation_directory >/share/sensors

Step 1: Download the files

  1. Log in to the ftp.bmc.com host using the SFTP protocol. 

  2. Download the CIS - Red Hat Enterprise Linux 8.zip and extended_objects.zip packages from the following location:
    You must log in or register to view this page

    Expand to view the checksum-related information

    Verify the downloaded content by using the following check sums.

    S.No

    File Name

    MD5SUM

    1

    CIS - Red Hat Enterprise Linux 8.zip

    1d8838e6dbdc00b08ef4cc5b0f50ebca

    2

    extended_objects.zip

    5ad4934e052bdfb5eaea8fe3e0d7c2b1

    Verify the extended objects present on the application. If the md5sums match, go ahead and replace them. If these md5sums do not match, you must manually merge the fixes.

  3. Move the CIS - Red Hat Enterprise Linux 8.zip package to the server where the TrueSight Server Automation console is installed.
  4. Extract the contents of the extended_objects.zip package to a temporary directory on one of the Application Servers.
  5. Replace the extended object scripts in the following directory on all the Application Servers:
    <Application_Server_installation_directory >/share/sensors/

Step 2: Import the compliance content

  1. Log in to the TrueSight Server Automation console.
  2. Right-click Component Templates and select Import
  3. Select Import (Version-neutral).

    import_2.png

  4. From the temporary directory, select the CIS - Red Hat Enterprise Linux 8.zip package to be imported and click Next. The CIS - Red Hat Enterprise Linux 8.zip package contains the CIS template for Red Hat Enterprise Linux 8.

    import_3.png

  5. To import the template, select CIS - Red Hat Enterprise Linux 8 and click Next.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.

    import_4.png

  6. Navigate to the last screen of the wizard and then click Finish.

    import_5.png

    The template is imported successfully.

    import_7.png

Rules within the template

The template contains the following types of rules:

  • Rules that check for compliance and provide remediation - 193
  • Rules that check for compliance but do not provide remediation - 70
  • Rules that do not check for compliance and do not provide remediation - 22

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 203
  • Rules divided into two parts - (22 * 2) = 44
  • Rules divided into three parts - (6 * 3) = 18
  • Rules divided into four parts - (1 * 4) = 4
  • Rules divided into five parts - (1 * 5) = 5
  • Rules divided into six parts - (2 * 6) = 12

So, the current rule count as per CIS - Red Hat Enterprise Linux 8 template after running the compliance job is 286 (203+44+18+4+5+12).

The following tables list the compliance checks with comments:

Rule IDs without compliance checks

Comments

3.4.2.5, 3.4.2.6, 3.4.3.1, 3.4.3.4, 3.4.3.5, 3.4.3.8, 3.4.4.1.2, 3.4.4.1.3, 3.4.4.1.4, 3.4.4.2.2, 3.4.4.2.3, 3.4.4.2.4

Changing the firewall settings when you are connected to the network can result in being locked out of the system. 

1.2.5, 5.2.3, 5.2.4, 5.3.1, 5.3.2

As an administrator, review these values based on the organization policy.

Rules with compliance checks but no remediation

Comments

1.9, 3.5, 5.6, 4.1.17, 2.2.1.2.1, 2.2.1.2.2, 1.1.6, 1.1.7, 1.1.11, 1.1.12, 1.1.13

Remediation not provided as it needs manual intervention by a system administrator.

3.4.3.6, 6.1.1, 6.2.2, 6.2.3, 6.2.5, 6.2.6, 6.2.14, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 5.3.3, 5.5.1.5, 5.5.2, 5.5.4, 5.7, 4.2.1.5, 3.4.2.1, 3.4.2.4, 3.4.3.2, 3.4.3.3, 3.4.4.1.1, 3.4.4.2.1

Remediation configures the system to immutable mode.

1.8.2, 6.2.1, 6.2.4, 6.2.10, 6.2.11, 6.2.13, 4.2.1.4, 4.3, 1.5.2

As a system administrator, approve the configuration changes based on the organizational processes and policies.

1.2.1, 1.2.3, 1.1.2

Remediation is not available as the package update or configuration information depends upon the organization.

1.7.1.2.3, 1.7.1.3.2, 1.7.1.4.2, 1.7.1.5

Remediation must be performed manually with required permission.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*