CIS: Oracle Linux 8
This document provides information about the Center for Internet Security (CIS) templates for Oracle Linux 8 Benchmark Version 1.0.1. This template contains implementation for 286 rules that can be installed on TrueSight Server Automation 20.02.01 or later.
Determine whether you need to install the template
If you have done a fresh installation of version 21.3 or later, you don't need to do anything because this template is installed as part of the 21.3 installation process.
If you have upgraded to 21.3 or later, this template is not installed automatically. To install this template, do one of the following actions:
- Perform the steps mentioned in this topic.
Through this method, the CIS template for Oracle Linux 8 is installed. Upgrade the compliance content by using one of the following methods:
- Through the Auto Content Import Job after the upgrade. During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content.
Through this method, the latest version of all the templates that are available in version 21.3 are installed. For the complete list of supported templates and their versions, see Compliance-Content-support-and-requirements. - Install manually by using the content installer. Ensure that you use the content installer of the same version as the Application Server version. For information about how to install the compliance content manually, see Walkthrough-Loading-compliance-content.
When you use this method, you have the flexibility to choose the template that you want to install from the set of templates that are available in version 21.3.
- Through the Auto Content Import Job after the upgrade. During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content.
Before you begin
Before you import this template, ensure that the following requirements are met:
- Review the default values of the template's local and global properties and ensure that they meet the organization standards.
- Rename any existing customized template before you import the latest template.
- Back up the sensors folder located in the <AppServerInstallDir>/share directory on all the Application Servers in a multiple Application Server environment. This folder contains the extended object scripts.
Step 1: Download the files
- Log in to the ftp.bmc.com host using the SFTP protocol.
Download the CIS - Oracle Linux 8.zip and ExtendedObjects.zip packages from the following location:
- Extract the contents of ExtendedObjects.zip to a temporary directory and copy the extracted files to the existing <APPRSERVER_INSTALL_DIR>/share/sensors directory on all the Application Servers.
- Move CIS - Oracle Linux 8.zip to the server where the TrueSight Server Automation console is installed.
Step 2: Import the compliance content
- Log in to the TrueSight Server Automation console.
- Right-click Component Templates and select Import.
- Select Import (Version-neutral).
- From the temporary directory, select the CIS - Oracle Linux 8.zip package and click Next. The CIS - Oracle Linux 8.zip package contains the CIS template for Oracle Linux 8.
To import the template, select CIS - Oracle Linux 8 and click Next.
- Navigate to the last screen of the wizard and then click Finish.
The template is imported successfully.
Rules within the template
Template version 1.0.1 contains the following types of rules:
- Rules that check for compliance and provides remediation - 219
- Rules that check for compliance but do not provide remediation - 52
- Rules that do not check for compliance and do not provide remediation - 15
The following are the details of the rules that are divided into parts:
- Rules not divided into parts - 201
- Rules divided into two parts - (23 * 2) = 46
- Rules divided into three parts - (4 * 3) = 18
- Rules divided into four parts - (1 * 4) = 4
- Rules divided into five parts - (1 * 5) = 5
- Rules divided into six parts - (2 * 6) = 12
So, the current rule count as per CIS - Oracle Linux 8 template after running the compliance job is 286 (201+46+18+4+5+12).
The following tables list the compliance checks with comments:
Rule IDs without compliance checks | Comments |
|---|---|
3.4.2.5, 3.4.2.6, 3.4.3.1, 3.4.3.4, 3.4.3.5, 3.4.3.8, 3.4.4.1.2, 3.4.4.1.3, 3.4.4.1.4, 3.4.4.2.2, 3.4.4.2.3, 3.4.4.2.4 | Changing the firewall settings when you are connected to the network can result in being locked out of the system. |
1.2.5, 5.2.3, 5.2.4, 5.3.1, 5.3.2 | As an administrator, review these values based on the organization policy. |
Rules with compliance checks but no remediation | Comments |
|---|---|
1.9, 3.5, 5.6, 4.1.17, 2.2.1.2.1, 2.2.1.2.2, 1.1.6, 1.1.7, 1.1.11, 1.1.12, 1.1.13 | Remediation not provided as it needs manual intervention by a system administrator. |
3.4.4.1.5, 3.4.4.2.5, 3.4.3.6, 6.1.1, 6.2.2, 6.2.3, 6.2.5, 6.2.6, 6.2.14, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 5.3.3, 5.5.1.5, 5.5.2, 5.5.4, 5.7, 4.2.1.5, 3.4.2.1, 3.4.2.4, 3.4.3.2, 3.4.3.3, 3.4.4.1.1, 3.4.4.2.1 | Remediation configures the system to immutable mode. |
1.8.2, 6.2.1, 6.2.4, 6.2.10, 6.2.11, 6.2.13, 4.2.1.4, 4.3, 1.5.2 | As a system administrator, approve the configuration changes based on the organizational processes and policies. |
1.2.1, 1.2.3, 1.1.2 | Remediation is not available as the package update or configuration information depends upon the organization. |
1.7.1.2.3, 1.7.1.3.2, 1.7.1.4.2, 1.7.1.5 | Remediation must be performed manually with required permission. |