ComplianceAsCode · jan-cerny · Jun 23, 2025 · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025
diff --git a/controls/anssi.yml b/controls/anssi.yml
diff --git a/controls/e8.yml b/controls/e8.yml
@@ -1,181 +1,180 @@
+---
 id: 'e8'
 policy: 'e8'
 source: 'https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Hardening%20Linux%20Workstations%20and%20Servers%20%28November%202023%29.pdf'
 title: 'Australian Cyber Security Centre (ACSC)'
+
 levels:
     - id: base
 
 controls:
-    -   id: 'patching'
-        levels:
-            - base
-        title: 'Application and operating system patching'
-        rules:
-            {{%- if "rhel" not in product %}}
-            - package_talk_removed
-            - package_talk-server_removed
-            {{%- endif %}}
-            - package_ypbind_removed
-            - package_telnet_removed
-            - service_telnet_disabled
-            - package_telnet-server_removed
-            - package_rsh_removed
-            - package_rsh-server_removed
-            - service_avahi-daemon_disabled
-            - package_squid_removed
-            - service_squid_disabled
-            - ensure_redhat_gpgkey_installed
-            - ensure_gpgcheck_never_disabled
-            - ensure_gpgcheck_local_packages
-            - ensure_gpgcheck_globally_activated
-            - security_patches_up_to_date
-            - dnf-automatic_security_updates_only
-        status: automated
-
-    -   id: 'mfa'
-        levels:
-            - base
-        title: 'Multi-factor authentication'
-        status: manual
-
-    -   id: 'restrict_admin'
-        levels:
-            - base
-        title: 'Restricting administrative privileges'
-        rules:
-            - accounts_no_uid_except_zero
-            - sudo_remove_nopasswd
-            - sudo_remove_no_authenticate
-            - sudo_require_authentication
-
-        status: partial
-
-    -   id: 'app_control'
-        levels:
-            - base
-        title: 'Application control'
-        rules:
-            - package_fapolicyd_installed
-            - service_fapolicyd_enabled
-        status: partial
-
-    -   id: 'restrict_macros'
-        levels:
-            - base
-        title: 'Restrict Microsoft Office macros'
-        status: not applicable
-
-    -   id: 'app_hardening'
-        levels:
-            - base
-        title: 'User application hardening'
-        status: pending
-
-    -   id: 'backups'
-        levels:
-            - base
-        title: 'Regular backups'
-        related_rules:
-            - package_rear_installed
-        status: manual
-
-    -   id: 'hardening'
-        levels:
-            - base
-        title: 'General hardening'
-        rules:
-            - var_system_crypto_policy=default_nosha1
-            - configure_crypto_policy
-            - configure_ssh_crypto_policy
-            ### Secure access
-            - sshd_use_directory_configuration
-            - sshd_disable_root_login
-            - sshd_disable_gssapi_auth
-            - sshd_print_last_log
-            - sshd_do_not_permit_user_env
-            - sshd_disable_rhosts
-            - sshd_set_loglevel_info
-            - sshd_disable_empty_passwords
-            - sshd_disable_user_known_hosts
-            - sshd_enable_strictmodes
-            ### Audit
-            - package_rsyslog_installed
-            - service_rsyslog_enabled
-            - service_auditd_enabled
-            - var_auditd_flush=incremental_async
-            - auditd_data_retention_flush
-            - auditd_local_events
-            - auditd_write_logs
-            - auditd_log_format
-            - auditd_freq
-            - auditd_name_format
-            - audit_rules_login_events_tallylog
-            - audit_rules_login_events_faillock
-            - audit_rules_login_events_lastlog
-            - audit_rules_time_adjtimex
-            - audit_rules_time_clock_settime
-            - audit_rules_time_watch_localtime
-            - audit_rules_time_settimeofday
-            - audit_rules_time_stime
-            - audit_rules_execution_restorecon
-            - audit_rules_execution_chcon
-            - audit_rules_execution_semanage
-            - audit_rules_execution_setsebool
-            - audit_rules_execution_setfiles
-            - audit_rules_execution_seunshare
-            - audit_rules_sysadmin_actions
-            - audit_rules_networkconfig_modification
-            - audit_rules_usergroup_modification_group
-            - audit_rules_usergroup_modification_gshadow
-            - audit_rules_usergroup_modification_opasswd
-            - audit_rules_usergroup_modification_passwd
-            - audit_rules_usergroup_modification_shadow
-            - audit_rules_dac_modification_chmod
-            - audit_rules_dac_modification_chown
-            - audit_rules_kernel_module_loading
-
-            ### System security settings
-            - sysctl_kernel_randomize_va_space
-            - sysctl_kernel_exec_shield
-            - sysctl_kernel_kptr_restrict
-            - sysctl_kernel_dmesg_restrict
-            - sysctl_kernel_kexec_load_disabled
-            - sysctl_kernel_yama_ptrace_scope
-            - sysctl_kernel_unprivileged_bpf_disabled
-            - sysctl_net_core_bpf_jit_harden
-
-            ### SELinux
-            - var_selinux_state=enforcing
-            - selinux_state
-            - var_selinux_policy_name=targeted
-            - selinux_policytype
-
-            ### Filesystem integrity
-            - rpm_verify_hashes
-            - rpm_verify_permissions
-            - rpm_verify_ownership
-            - file_permissions_unauthorized_sgid
-            - file_permissions_unauthorized_suid
-            - file_permissions_unauthorized_world_writable
-            - dir_perms_world_writable_sticky_bits
-            - file_permissions_library_dirs
-            - file_ownership_binary_dirs
-            - file_permissions_binary_dirs
-            - file_ownership_library_dirs
-
-            ### Passwords
-            - var_authselect_profile=sssd
-            - enable_authselect
-            - no_empty_passwords
-
-            ### Partitioning
-            - mount_option_dev_shm_nodev
-            - mount_option_dev_shm_nosuid
-            - mount_option_dev_shm_noexec
-
-            ### Network
-            - package_firewalld_installed
-            - service_firewalld_enabled
-            - network_sniffer_disabled
-
-        status: partial # Always will be partial as more could be done
+    - id: 'patching'
+      levels:
+          - base
+      title: 'Application and operating system patching'
+      rules:
+          - package_talk_removed
+          - package_talk-server_removed
+          - package_ypbind_removed
+          - package_telnet_removed
+          - service_telnet_disabled
+          - package_telnet-server_removed
+          - package_rsh_removed
+          - package_rsh-server_removed
+          - service_avahi-daemon_disabled
+          - package_squid_removed
+          - service_squid_disabled
+          - ensure_redhat_gpgkey_installed
+          - ensure_gpgcheck_never_disabled
+          - ensure_gpgcheck_local_packages
+          - ensure_gpgcheck_globally_activated
+          - security_patches_up_to_date
+          - dnf-automatic_security_updates_only
+      status: automated
+
+    - id: 'mfa'
+      levels:
+          - base
+      title: 'Multi-factor authentication'
+      status: manual
+
+    - id: 'restrict_admin'
+      levels:
+          - base
+      title: 'Restricting administrative privileges'
+      rules:
+          - accounts_no_uid_except_zero
+          - sudo_remove_nopasswd
+          - sudo_remove_no_authenticate
+          - sudo_require_authentication
+
+      status: partial
+
+    - id: 'app_control'
+      levels:
+          - base
+      title: 'Application control'
+      rules:
+          - package_fapolicyd_installed
+          - service_fapolicyd_enabled
+      status: partial
+
+    - id: 'restrict_macros'
+      levels:
+          - base
+      title: 'Restrict Microsoft Office macros'
+      status: not applicable
+
+    - id: 'app_hardening'
+      levels:
+          - base
+      title: 'User application hardening'
+      status: pending
+
+    - id: 'backups'
+      levels:
+          - base
+      title: 'Regular backups'
+      related_rules:
+          - package_rear_installed
+      status: manual
+
+    - id: 'hardening'
+      levels:
+          - base
+      title: 'General hardening'
+      rules:
+          - var_system_crypto_policy=default_nosha1
+          - configure_crypto_policy
+          - configure_ssh_crypto_policy
+          ### Secure access
+          - sshd_use_directory_configuration
+          - sshd_disable_root_login
+          - sshd_disable_gssapi_auth
+          - sshd_print_last_log
+          - sshd_do_not_permit_user_env
+          - sshd_disable_rhosts
+          - sshd_set_loglevel_info
+          - sshd_disable_empty_passwords
+          - sshd_disable_user_known_hosts
+          - sshd_enable_strictmodes
+          ### Audit
+          - package_rsyslog_installed
+          - service_rsyslog_enabled
+          - service_auditd_enabled
+          - var_auditd_flush=incremental_async
+          - auditd_data_retention_flush
+          - auditd_local_events
+          - auditd_write_logs
+          - auditd_log_format
+          - auditd_freq
+          - auditd_name_format
+          - audit_rules_login_events_tallylog
+          - audit_rules_login_events_faillock
+          - audit_rules_login_events_lastlog
+          - audit_rules_time_adjtimex
+          - audit_rules_time_clock_settime
+          - audit_rules_time_watch_localtime
+          - audit_rules_time_settimeofday
+          - audit_rules_time_stime
+          - audit_rules_execution_restorecon
+          - audit_rules_execution_chcon
+          - audit_rules_execution_semanage
+          - audit_rules_execution_setsebool
+          - audit_rules_execution_setfiles
+          - audit_rules_execution_seunshare
+          - audit_rules_sysadmin_actions
+          - audit_rules_networkconfig_modification
+          - audit_rules_usergroup_modification_group
+          - audit_rules_usergroup_modification_gshadow
+          - audit_rules_usergroup_modification_opasswd
+          - audit_rules_usergroup_modification_passwd
+          - audit_rules_usergroup_modification_shadow
+          - audit_rules_dac_modification_chmod
+          - audit_rules_dac_modification_chown
+          - audit_rules_kernel_module_loading
+
+          ### System security settings
+          - sysctl_kernel_randomize_va_space
+          - sysctl_kernel_exec_shield
+          - sysctl_kernel_kptr_restrict
+          - sysctl_kernel_dmesg_restrict
+          - sysctl_kernel_kexec_load_disabled
+          - sysctl_kernel_yama_ptrace_scope
+          - sysctl_kernel_unprivileged_bpf_disabled
+          - sysctl_net_core_bpf_jit_harden
+
+          ### SELinux
+          - var_selinux_state=enforcing
+          - selinux_state
+          - var_selinux_policy_name=targeted
+          - selinux_policytype
+
+          ### Filesystem integrity
+          - rpm_verify_hashes
+          - rpm_verify_permissions
+          - rpm_verify_ownership
+          - file_permissions_unauthorized_sgid
+          - file_permissions_unauthorized_suid
+          - file_permissions_unauthorized_world_writable
+          - dir_perms_world_writable_sticky_bits
+          - file_permissions_library_dirs
+          - file_ownership_binary_dirs
+          - file_permissions_binary_dirs
+          - file_ownership_library_dirs
+
+          ### Passwords
+          - var_authselect_profile=sssd
+          - enable_authselect
+          - no_empty_passwords
+
+          ### Partitioning
+          - mount_option_dev_shm_nodev
+          - mount_option_dev_shm_nosuid
+          - mount_option_dev_shm_noexec
+
+          ### Network
+          - package_firewalld_installed
+          - service_firewalld_enabled
+          - network_sniffer_disabled
+      status: partial  # Always will be partial as more could be done