Align RHEL 10 CIS profile with CIS Benchmark requirement 7.2.9

components/pam.yml

@@ -140,6 +140,7 @@ rules:
 - no_netrc_files
 - no_nologin_in_shells
 - no_password_auth_for_systemaccounts
+- no_rhost_files
 - no_root_webbrowsing
 - no_shelllogin_for_systemaccounts
 - package_nss_sss_installed

controls/cis_rhel10.yml

@@ -3279,8 +3279,7 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: partial
-      notes: Missing a rule to check that .bash_history is mode 0600 or more restrictive.
+      status: automated
       rules:
           - accounts_user_dot_group_ownership
           - accounts_user_dot_user_ownership
@@ -3289,5 +3288,7 @@ controls:
           - var_user_initialization_files_regex=all_dotfiles
           - no_forward_files
           - no_netrc_files
+          - no_rhost_files
+          - file_permission_user_bash_history
       related_rules:
           - accounts_users_netrc_file_permissions

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/oval/shared.xml

@@ -0,0 +1,16 @@
+<def-group>
+  <definition class="compliance" id="no_rhost_files" version="1">
+    {{{ oval_metadata("Local system users should not have a .rhost file in their home directory.", rule_title=rule_title) }}}
+    <criteria>
+      <criterion test_ref="test_no_rhost_files" negate="true" />
+    </criteria>
+  </definition>
+  <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhost in /home" id="test_no_rhost_files" version="1">
+    <unix:object object_ref="object_no_rhost_files" />
+  </unix:file_test>
+  <unix:file_object comment="look for .rhost in /home" id="object_no_rhost_files" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
+    <unix:path operation="equals">/home</unix:path>
+    <unix:filename operation="pattern match">^\.rhost$</unix:filename>
+  </unix:file_object>
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Verify No .rhost Files Exist'
+
+description: |-
+    Local system users should not have a <tt>.rhost</tt> file in their home directory.
+
+rationale: |-
+    User configuration files with excessive or incorrect access may enable malicious users
+    to steal or modify other users' data or to gain another user's system privileges.
+    The <tt>.rhost</tt> file provides the "remote authentication" database for the rcp, rlogin, and
+    rsh commands and the rcmd() function. These files bypass the standard
+    password-based user authentication mechanism. They specify remote hosts and
+    users that are considered trusted (i.e. are allowed to access the local system
+    without supplying a password).
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-87390-1
+
+ocil_clause: 'any .rhost files exist'
+
+warnings:
+    - general: |-
+        Automatic remediation of this rule is not available due to the unique
+        requirements of each system. Any .rhost files should be investigated
+        and removed manually.
+
+ocil: |-
+    To check the system for the existence of any <tt>.rhost</tt> files,
+    run the following command:
+    <pre>$ sudo find /home -xdev -name .rhost</pre>
+
+platform: system_with_kernel

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/tests/no_files.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+RHOST_FILES=$(find /home -xdev -name .rhost)
+
+IFS=$'\n'
+for f in $RHOST_FILES; do
+	rm -f "$f"
+done

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_rhost_files/tests/rhost_file.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+# remediation = none
+
+useradd -m testRhostUser1
+touch /home/testRhostUser1/.rhost

linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/ansible/shared.yml

@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Gather User Info'
+  ansible.builtin.getent:
+    database: passwd
+
+- name: '{{{ rule_title }}} - Check Bash History Files Existence'
+  ansible.builtin.stat:
+    path: "{{ item.value[4] }}/.bash_history"
+  register: bash_history_files
+  with_dict: "{{ ansible_facts.getent_passwd }}"
+  when:
+    - item.value[4] != "/sbin/nologin"
+    - item.key not in ["nobody", "nfsnobody"]
+    - item.value[1] | int >= {{{ uid_min }}}
+
+- name: '{{{ rule_title }}} - Fix Bash History Files Permissions'
+  ansible.builtin.file:
+    path: "{{ item.stat.path }}"
+    mode: u-sx,go=
+  with_items: "{{ bash_history_files.results }}"
+  when:
+    - item.stat is defined
+    - item.stat.exists

linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml

@@ -14,6 +14,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel10: CCE-87392-7
     cce@sle15: CCE-92554-5
 
 ocil_clause: 'file is not 0600 or more permissive'

shared/references/cce-redhat-avail.txt

@@ -418,8 +418,6 @@ CCE-87385-1
 CCE-87386-9
 CCE-87387-7
 CCE-87389-3
-CCE-87390-1
-CCE-87392-7
 CCE-87393-5
 CCE-87394-3
 CCE-87397-6

tests/data/profile_stability/rhel10/cis.profile

@@ -191,6 +191,7 @@ file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
 file_ownership_var_log_audit_stig
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_audit_binaries
@@ -280,6 +281,7 @@ no_forward_files
 no_netrc_files
 no_nologin_in_shells
 no_password_auth_for_systemaccounts
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_audit-libs_installed

tests/data/profile_stability/rhel10/cis_server_l1.profile

@@ -116,6 +116,7 @@ file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_backup_etc_group
@@ -196,6 +197,7 @@ no_files_unowned_by_user
 no_forward_files
 no_netrc_files
 no_password_auth_for_systemaccounts
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_bind_removed

tests/data/profile_stability/rhel10/cis_workstation_l1.profile

@@ -114,6 +114,7 @@ file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_backup_etc_group
@@ -192,6 +193,7 @@ no_files_unowned_by_user
 no_forward_files
 no_netrc_files
 no_password_auth_for_systemaccounts
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_bind_removed

tests/data/profile_stability/rhel10/cis_workstation_l2.profile

@@ -191,6 +191,7 @@ file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
 file_ownership_var_log_audit_stig
+file_permission_user_bash_history
 file_permission_user_init_files
 file_permissions_at_allow
 file_permissions_audit_binaries
@@ -280,6 +281,7 @@ no_forward_files
 no_netrc_files
 no_nologin_in_shells
 no_password_auth_for_systemaccounts
+no_rhost_files
 no_shelllogin_for_systemaccounts
 package_aide_installed
 package_audit-libs_installed