Documentation for CIS framework, eg. CIS RHEL 8

MatthiasW 2022-06-23 12:00:50 UTC #1

I’m wondering about documentation about framework for CIS checklists. I’ve found the older ones https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Users_Guide/c_understanding_the_output.html which is completly different to eg. folder structure in RHEL 7 or 8.

rohit 2022-06-28 06:48:46 UTC #2

This is more of a reference and not the only way. We have been creating custom SCM Checklists. If you have any specific questions, let me know.

MatthiasW 2022-06-29 05:42:38 UTC #3

Hi, thanks for your reply and offer. Two questions so far:

Deploy&run fixlet creates some files in /var/opt/BESClient/__BESData/__SCMData/ like
-rw-------. 1 root root 5466 Jun 29 01:55 0db28230971655085fa310d74b306641484028a3.out
-rw-------. 1 root root 0 Jun 29 01:55 0db28230971655085fa310d74b306641484028a3.out.err
-rw-------. 1 root root 13 Jun 29 01:55 0db28230971655085fa310d74b306641484028a3.out.metadata
containing results from CIS checks. Unfortunately I didn’t find a way to check which file(name) belongs to which check.
We’ve created adjusted some checks so we have custom checks in custom site. In case of syncing from external site, how can I easy identify my custom checks? I’ve already added a prefix like “[Custom]” in the checkname. Using wizard “syncronize custom checks” this prefix is not visible.

MatthiasW 2022-07-01 16:27:31 UTC #4

Looking at 1. it seems like the filenames “0db…” are created by deploy and run task without any correlation to SCM content. They can be found in fixlet relevance.

JasonWalker 2022-07-01 17:43:02 UTC #5

One can query Session Relevance in the Console Debugger or REST API…

(name of it, following texts of lasts "%22" of preceding texts of firsts ".out%22" of relevance of it) of fixlets of bes sites whose (name of it = "CIS Checklist for RHEL 8")

Ensure password expiration is 365 days or less, 5c1ca9afe0322c0e47fec4f67cb7763f3b21696c
Disable USB Storage, bf16f3bfca4698936538b0bc284013443e2d6084
Ensure minimum days between password changes is 7 or more, 366260e1d8bbbd8af8a9d659b40d17837ba2751a
Ensure nftables loopback traffic is configured, a947f648daf1a1a9cb5186805bf9b4e8d0381894
Ensure mounting of cramfs filesystems is disabled, 5ea7ff0584fe719c0efc101a5ff61c9c44c6f309
Ensure password expiration warning days is 7 or more, 56e69f55cd064bb934227f0299f5025e855411d6
Ensure nftables default deny firewall policy, daad1d7ff0c6b4c5fb02ab4e14f20e6bc13b25ed

MatthiasW 2022-07-05 13:23:49 UTC #6

Thanks pretty much, worked like a charm. Challenge will be not to forget about unitl next time of need