Refresh CIS Control File for RHEL10 release 1.0

linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var

@@ -20,3 +20,4 @@ options:
     ignore: ignore
     cis_rhel8: single|halt
     cis_rhel9: single|halt
+    cis_rhel10: single|halt

linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var

@@ -23,6 +23,7 @@ options:
     rhel8: syslog|single|halt
     cis_rhel8: syslog|single|halt
     cis_rhel9: syslog|single|halt
+    cis_rhel10: syslog|single|halt
     cis_ubuntu2404: syslog|single|halt
     cis_debian12: syslog|single|halt
 

linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var

@@ -24,5 +24,6 @@ options:
     rhel8: syslog|single|halt
     cis_rhel8: syslog|single|halt
     cis_rhel9: halt|single
+    cis_rhel10: halt|single
     cis_ubuntu2404: halt|single
     cis_debian12: halt|single

linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var

@@ -20,3 +20,4 @@ options:
     ignore: ignore
     cis_rhel8: email|exec|single|halt
     cis_rhel9: email|exec|single|halt
+    cis_rhel10: email|exec|single|halt

linux_os/guide/services/base/service_cockpit_disabled/rule.yml

@@ -13,6 +13,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel10: CCE-87509-6
+
 platform: system_with_kernel
 
 ocil_clause: |-

linux_os/guide/services/ssh/ssh_server/sshd_disable_forwarding/rule.yml

@@ -11,6 +11,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel10: CCE-87508-8
+
 ocil_clause: "The DisableForwarding option exists and is yes"
 
 ocil: |-

linux_os/guide/services/ssh/sshd_strong_kex.var

@@ -15,6 +15,7 @@ options:
     pcidss: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     cis_rhel8: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
     cis_rhel9: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+    cis_rhel10: -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
     cis_sle12: curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
     cis_sle15: curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
     cis_ubuntu2204: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

linux_os/guide/services/ssh/sshd_strong_macs.var

@@ -14,6 +14,7 @@ options:
     default: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
     cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
+    cis_rhel10: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
     cis_sle12: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     cis_sle15: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256
     cis_tencentos4: hmac-sha2-512,[email protected],hmac-sha2-256,[email protected]

linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml

@@ -16,6 +16,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel10: CCE-87072-5
+
 ocil_clause: 'nologin is listed in /etc/shells'
 
 ocil: |-

linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml

@@ -14,6 +14,9 @@ rationale: |-
 
 severity: high
 
+identifiers:
+    cce@rhel10: CCE-87073-3
+
 ocil_clause: 'any groups other than "root" have a GID of "0"'
 
 ocil: |-

linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml

@@ -15,4 +15,7 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel10: CCE-87074-1
+
 platform: package[bash]

linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml

@@ -13,10 +13,11 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel10: CCE-87075-8
     cce@sle12: CCE-83248-5
     cce@sle15: CCE-85725-0
     cce@slmicro5: CCE-93641-9
-    cce@slmicro6: CCE-95085-7 
+    cce@slmicro6: CCE-95085-7
 
 references:
     nist: CM-6(b),CM-6.1(iv)

linux_os/guide/system/permissions/mounting/kernel_module_overlayfs_disabled/rule.yml

@@ -16,6 +16,9 @@ rationale: |-
 
 severity: low
 
+identifiers:
+    cce@rhel10: CCE-87507-0
+
 platform: system_with_kernel
 
 template:

products/rhel10/profiles/cis.profile

@@ -2,17 +2,22 @@
 documentation_complete: true
 
 metadata:
+    version: 1.0.0
     SMEs:
-        - marcusburghardt
+        - mab879
+        - ggbecker
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: 'DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server'
+title: 'CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Server'
 
 description: |-
-    This is a draft profile for experimental purposes.
-    It is based on the CIS RHEL 9 profile, because an equivalent policy for RHEL 10 didn't yet
-    exist at time of the release.
+    This profile defines a baseline that aligns to the "Level 2 - Server"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 10 Benchmark™, v1.0.0, released 2025-08-27.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 10 CIS Benchmarks™ content.
 
 selections:
     - cis_rhel10:all:l2_server

products/rhel10/profiles/cis_server_l1.profile

@@ -2,17 +2,22 @@
 documentation_complete: true
 
 metadata:
+    version: 1.0.0
     SMEs:
-        - marcusburghardt
+        - mab879
+        - ggbecker
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: 'DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server'
+title: 'CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server'
 
 description: |-
-    This is a draft profile for experimental purposes.
-    It is based on the CIS RHEL 9 profile, because an equivalent policy for RHEL 10 didn't yet
-    exist at time of the release.
+    This profile defines a baseline that aligns to the "Level 1 - Server"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 10 Benchmark™, v1.0.0, released 2025-08-27.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 10 CIS Benchmarks™ content.
 
 selections:
     - cis_rhel10:all:l1_server

products/rhel10/profiles/cis_workstation_l1.profile

@@ -2,17 +2,22 @@
 documentation_complete: true
 
 metadata:
+    version: 1.0.0
     SMEs:
-        - marcusburghardt
+        - mab879
+        - ggbecker
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: 'DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation'
+title: 'CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Workstation'
 
 description: |-
-    This is a draft profile for experimental purposes.
-    It is based on the CIS RHEL 9 profile, because an equivalent policy for RHEL 10 didn't yet
-    exist at time of the release.
+    This profile defines a baseline that aligns to the "Level 1 - Workstation"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 10 Benchmark™, v1.0.0, released 2025-08-27.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 10 CIS Benchmarks™ content.
 
 selections:
     - cis_rhel10:all:l1_workstation

products/rhel10/profiles/cis_workstation_l2.profile

@@ -2,17 +2,22 @@
 documentation_complete: true
 
 metadata:
+    version: 1.0.0
     SMEs:
-        - marcusburghardt
+        - mab879
+        - ggbecker
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: 'DRAFT - CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation'
+title: 'CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 - Workstation'
 
 description: |-
-    This is a draft profile for experimental purposes.
-    It is based on the CIS RHEL 9 profile, because an equivalent policy for RHEL 10 didn't yet
-    exist at time of the release.
+    This profile defines a baseline that aligns to the "Level 2 - Workstation"
+    configuration from the Center for Internet Security® Red Hat Enterprise
+    Linux 10 Benchmark™, v1.0.0, released 2025-08-27.
+
+    This profile includes Center for Internet Security®
+    Red Hat Enterprise Linux 10 CIS Benchmarks™ content.
 
 selections:
     - cis_rhel10:all:l2_workstation

products/rhel10/profiles/default.profile

@@ -34,3 +34,10 @@ selections:
     - package_scap-security-guide_installed
     - set_password_hashing_yescrypt_cost_factor_logindefs
     - var_authselect_profile=local
+    - audit_rules_networkconfig_modification_network_scripts
+    - package_pam_pwquality_installed
+    - journald_compress
+    - socket_systemd-journal-remote_disabled
+    - package_systemd-journal-remote_installed
+    - journald_storage
+    - partition_for_dev_shm

shared/references/cce-redhat-avail.txt

@@ -229,10 +229,6 @@ CCE-87062-6
 CCE-87063-4
 CCE-87064-2
 CCE-87068-3
-CCE-87072-5
-CCE-87073-3
-CCE-87074-1
-CCE-87075-8
 CCE-87076-6
 CCE-87078-2
 CCE-87079-0
@@ -487,9 +483,6 @@ CCE-87500-5
 CCE-87501-3
 CCE-87503-9
 CCE-87505-4
-CCE-87507-0
-CCE-87508-8
-CCE-87509-6
 CCE-87510-4
 CCE-87511-2
 CCE-87512-0