diff --git a/controls/bsi_sys_1_1_rhel10.yml b/controls/bsi_sys_1_1_rhel10.yml new file mode 100644 index 00000000000..00768bc0f63 --- /dev/null +++ b/controls/bsi_sys_1_1_rhel10.yml 
@@ -0,0 +1,680 @@ +--- +# In BSI Basic Protection are multiple Requirements in one control. +# i.e. there are multiple sentences, some including a RFC2119 keyword +# Since we must increase granularity to create a precise control, +# we number each sentence with a RFC2119 keyword as a section, grouping sentences, which are logically connected. +# we number inline in brackets, so the lookup is easy +# we reference these numbers in comments over each rule or group of rules +policy: 'BSI-SYS-1-1-RHEL10' +title: 'SYS.1.1 General Server (RHEL10)' +id: bsi_sys_1_1_rhel10 +version: '1.0' +source: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf + +levels: + - id: basic + - id: standard + inherits_from: + - basic + - id: elevated + inherits_from: + - standard + +reference_type: bsi +product: rhel10 + +controls: + - id: SYS.1.1.A1 + title: Appropriate Installation + levels: + - basic + description: |- + (1) Servers MUST be operated in locations that may only be accessed by authorised persons. + (2) Servers MUST therefore be set up and installed in data centres, computer rooms, or lockable server rooms (see the corresponding modules in the INF Infrastructure layer). (3) Servers MUST NOT be used as personal computers (4) IT systems used as workstations MUST NOT be used as servers. + notes: |- + This requirement must be implemented organizationally and cannot be checked technically + status: manual + + - id: SYS.1.1.A2 + title: User Authentication on Servers + levels: + - basic + description: |- + (1) Authentication methods adequate for the protection needs at hand MUST be used when users and services log into servers. (2) This SHOULD be taken into account for administrative access in particular. (3) Central, network-based authentication services SHOULD be used whenever possible. + notes: |- + Section 1,2: sshd configuration, NoPermitRootLogin,PAM + Section 3: AD Integration, IdM? 
+ status: pending + + - id: SYS.1.1.A3 + title: ELIMINATED + levels: + - basic + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A4 + title: ELIMINATED + levels: + - basic + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A5 + title: Protection of Interfaces + levels: + - basic + description: |- + (1) It MUST be ensured that only specified removable storage media and other devices can be + connected to servers. All interfaces that are no longer needed must be disabled. + notes: |- + Section 1: If you dont utilize specific software to control the allowed devices for usb ports, + you can ensure compliance by disabling the usb port completely. + Interfaces is ambigious, it is focussed on usb etc. not on network. + status: automated + rules: + # Section 1 + # USB + - grub2_nousb_argument + - bios_disable_usb_boot + - kernel_module_usb-storage_disabled + # Automount + - service_autofs_disabled + # Firewire + - kernel_module_firewire-core_disabled + + - id: SYS.1.1.A6 + title: Disabling Unnecessary Services + levels: + - basic + description: |- + (1) All unnecessary services and applications — particularly network services — MUST be + disabled or uninstalled. (2) All unused functions in firmware MUST also be disabled. + (3) On servers, the disk space allotted to both individual users and applications SHOULD be + restricted appropriately. + (4) The decisions taken in this regard SHOULD be documented in a way that makes it clear which + configuration and software equipment was chosen for servers. + notes: |- + Section 1: We can conclude for servers, that wireless protocols are unnecessary + Section 4: Documentation and organizational tasks. 
+ status: partial + rules: + # Section 1, 2 + - mask_nonessential_services + - configure_firewalld_ports + - kernel_module_bluetooth_disabled + - kernel_module_cfg80211_disabled + - kernel_module_iwlmvm_disabled + - kernel_module_iwlwifi_disabled + - kernel_module_mac80211_disabled + - service_bluetooth_disabled + - wireless_disable_in_bios + - wireless_disable_interfaces + # Section 3 + - partition_for_home + - partition_for_opt + - partition_for_var + - partition_for_var_log + - partition_for_usr + - partition_for_tmp + - partition_for_var_tmp + + - id: SYS.1.1.A7 + title: ELIMINATED + levels: + - basic + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A8 + title: ELIMINATED + levels: + - basic + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A9 + title: Using Anti-Virus Programs on Servers + levels: + - basic + description: |- + (1) Whether virus protection programs can and should be used MUST be checked depending on the + operating system installed, the services provided, and other existing protection mechanisms of + the server in question. (2) Where available, concrete statements from the relevant operating + system modules of the IT-Grundschutz Compendium on whether virus protection is necessary MUST + be considered. + notes: |- + Section 1,2: Antivirus software on linux systems is more useful, if the servers provide any + file or mailservices to endpoints. 
+ status: automated + rules: + - install_antivirus + - install_endpoint_security_software + + - id: SYS.1.1.A10 + title: Logging + levels: + - basic + description: |- + (1) In general, all security-relevant system events MUST be logged, including the following at + minimum: + • (2) System starts and reboots + • (3) Successful and failed login attempts (operating system and application software) + • (4) Failed authorisation checks + • (5) Blocked data flows (violations of ACLs or firewall rules) + • (6) Creation of or changes to users, groups, and authorisations + • (7) Security-relevant error messages (e.g. hardware defects, exceeded capacity limits) + • (8) Warnings from security systems (e.g. virus protection) + notes: |- + This whole requirement is more specifically implemented in the CIS hardening guide, which also + defines permissions to protect against manipulations. + Section 7 and 8 are not addressed explicitly with rules, as 8 is specific for the AV software + and 7 is quite broad. 
+ # OPS.1.1.5: Logging Anforderung anschauen + # AIDE + Section 2: Only in system logs, not in specialized audit logs + Section 5: Identify how firewalld logs and if we could use that + status: automated + rules: + # ensure auditd is installed + - package_audit_installed + - package_audit-libs_installed + # ensure auditd is enabled + - service_auditd_enabled + # Section 2 (start / reboot) + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - var_audit_backlog_limit=8192 + - audit_rules_continue_loading + # Section 3 (login) + - audit_rules_session_events + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - var_accounts_passwords_pam_faillock_dir=run + # Section 4 (authorization) + - audit_rules_sysadmin_actions + - audit_rules_suid_auid_privilege_function + - audit_sudo_log_events + - audit_rules_privileged_commands + - audit_rules_execution_chcon + - audit_rules_execution_setfacl + # Section 5 (dataflows / firewall) + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmodat2 + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + # Section 6 (users and groups) + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_privileged_commands_usermod + + - id: SYS.1.1.A11 + title: Defining a Security Policy for Servers + levels: + - standard + description: |- + (1) Based on the 
general security policy of the organisation in question, the requirements for + servers SHOULD be specified in a separate security policy. (2) This policy SHOULD be known to + all administrators and other persons involved in the procurement and operation of servers and + be integral to their work. (3) The implementation of the policy's requirements SHOULD be + checked at regular intervals. (4) The results SHOULD be appropriately documented. + notes: |- + This requirement must be implemented organizationally. + If we interprete this towards hardening, the CIS Profile could be used + status: manual + + - id: SYS.1.1.A12 + title: Planning the Use of Servers + levels: + - standard + description: |- + Each server system SHOULD be suitably planned. In this process, the following points + SHOULD be taken into account at minimum: + • Selection of the hardware platform, operating system, and application software + • Hardware capacity (performance, memory, bandwidth, etc) + • Type and number of communication interfaces + • Power consumption, thermal load, space requirements, and structural shape + • Administrative access points (see SYS.1.1.A5 Protection of Administration Interfaces) + • User access + • Logging (see SYS.1.1.A10 Logging). + • Updates for operating systems and applications + • Integration into system and network management, backups, and protection systems + (virus protection, IDS, etc) + All decisions taken in the planning phase SHOULD be documented in such a way that they can + be understood at any future point in time. + notes: |- + This requirement must be implemented organizationally. + Some parts could be technically checked, i.e. if repositories are configureg, if AV is + installed and therelike. + status: manual + + - id: SYS.1.1.A13 + title: Procurement of Servers + levels: + - standard + description: |- + Prior to procuring one or more servers, a requirements list SHOULD be drawn up that can be + used to evaluate the products available on the market. 
+ notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.1.A14 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A15 + title: Stable and Uninterruptible Power Supply [Building Services] + levels: + - standard + description: |- + (1) Every server SHOULD be connected to an uninterruptible power supply (UPS). + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.1.A16 + title: Secure Basic Configuration of Servers + levels: + - standard + description: |- + (1) The basic settings of servers SHOULD be checked and, where necessary, adapted to the + specifications of the security policy at hand. (2) Clients SHOULD only be connected to the + Internet after the installation and configuration have been completed. + notes: |- + One could argue, that this is done with this profile. Or could utilize the CIS Benchmark again, + if CIS is the security policy + status: inherently met + # rules: + + - id: SYS.1.1.A17 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A18 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A19 + title: Configuring Local Packet Filters + levels: + - standard + description: |- + (1) Based on a set of rules, existing local packet filters SHOULD be designed to limit + incoming and outgoing communications to the necessary communication partners, communication + protocols, ports, and interfaces. (2) The identity of remote systems and the integrity of + corresponding connections SHOULD be protected cryptographically. 
+ notes: |- + Section 1: This can be addressed by utilizing firewalld or therelike + Section 2: this must be configured on the application layer + # deactivate WebConsole to circumvent TLS + status: partial + rules: + # Section 1 + - service_firewalld_enabled + - package_firewalld_installed + - unnecessary_firewalld_services_ports_disabled + - set_firewalld_appropriate_zone + + - id: SYS.1.1.A20 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A21 + title: Operational Documentation for Servers + levels: + - standard + description: |- + (1) Operational tasks that are carried out on a server SHOULD be clearly documented in terms + of what has been done, when, and by whom. (2) In particular, the documentation SHOULD make + configuration changes transparent. (3) Security-relevant responsibilities, such as who is + authorised to install new hard disks, SHOULD be documented. (4) Everything that can be + documented automatically SHOULD be documented automatically. (5) The documentation SHOULD be + protected against unauthorised access and loss. + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.1.A22 + title: Integration into Contingency Planning + levels: + - standard + description: |- + (1) Servers SHOULD be taken into account in business continuity management processes. + (2) To this end, the contingency requirements for the system in question SHOULD be determined + and appropriate contingency procedures implemented—for example, by drawing up recovery plans + or securely storing passwords and cryptographic keys. + notes: |- + This requirement must be implemented organizationally. 
+ status: manual + + - id: SYS.1.1.A23 + title: Monitoring Systems and Servers + levels: + - standard + description: |- + (1) Server systems SHOULD be integrated into an appropriate system monitoring concept. + (2) The status and functionality of these systems and the services operated on them SHOULD be + continuously monitored. (3) Error conditions and defined thresholds that are exceeded SHOULD + be reported to the operating personnel. + notes: |- + Monitoring is a very specific and organization dependend task. therefore we do not + check this automatically + status: manual + # rules: + # there does not seem to be a rule for that + + - id: SYS.1.1.A24 + title: Security Checks for Servers + levels: + - standard + description: |- + (1) Servers SHOULD be subjected to regular security tests to check their compliance with the + applicable security requirements and identify possible vulnerabilities. (2) In particular, + these security tests SHOULD be performed on servers with external interfaces. (3) To prevent + indirect attacks via infected systems in an organisation’s own network, internal server + systems SHOULD also be checked accordingly at defined intervals. (4) Whether the security + checks can be realised automatically—by means of suitable scripts, for example—SHOULD be + examined. + notes: |- + This is met due to the usage of this compliance profile. + status: inherently met + + - id: SYS.1.1.A25 + title: Controlled Decommissioning of a Server + levels: + - standard + description: |- + (1) When decommissioning a server, it SHOULD be ensured that no important data that might + still be present on the storage media is lost and no sensitive data remains. + (2) There SHOULD be an overview of the data stored in each location on the server. + (3) Furthermore, it SHOULD be ensured that services offered by the server will be taken over + by another server when necessary. + (4) A checklist SHOULD be created that is to be completed when decommissioning a server. 
+ (5) This checklist SHOULD at least include aspects related to backing up data, migrating + services, and subsequently deleting all data in a secure manner. + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.1.A35 + title: Drawing Up and Maintaining an Operating Manual + levels: + - standard + description: |- + (1) An operating manual SHOULD be drawn up. (2) It SHOULD document all the rules, requirements, + and settings that are necessary in operating servers. (3) There SHOULD be a specific operating + manual for every type of server. (4) Each operating manual SHOULD be updated at regular + intervals. (5) Operating manuals SHOULD be protected against unauthorised access. (6) Operating + manuals SHOULD be available in emergencies. + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.1.A37 + title: Encapsulation of Security-Critical Applications and Operating System Components + levels: + - standard + description: |- + (1) In order to prevent an attacker from accessing the operating system or other applications and + prevent access from the operating system to files that are particularly sensitive, applications + and operating system components (such as authentication or certificate verification) SHOULD + be specially encapsulated according to their protection needs or isolated from other + applications and operating system components. (2) Particular attention SHOULD be paid to + security-critical applications that work with data from insecure sources (e.g. 
web browsers and + office communication applications) + notes: |- + Section 1-2: This can be done by utilizing SELinux for enhanced protection and/or container + technology (Microsegmentation) + status: automated + rules: + - package_libselinux_installed + - grub2_enable_selinux + - selinux_not_disabled + - var_selinux_policy_name=targeted + - selinux_policytype + - var_selinux_state=enforcing + - selinux_state + - selinux_confinement_of_daemons + + - id: SYS.1.1.A26 + title: ELIMINATED + levels: + - elevated + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A27 + title: Host-Based Attack Detection + levels: + - elevated + description: |- + (1) Host-based attack detection systems (also referred to as host-based intrusion detection + systems, IDS, or intrusion prevention systems, IPS) SHOULD be used to monitor system + behaviour for abnormalities and misuse. (2) The IDS/IPS mechanisms used SHOULD be + appropriately selected, configured, and thoroughly tested. (3) If an attack has been detected, + the operating personnel SHOULD be alerted in an appropriate manner. + (4) Using operating system mechanisms or suitable additional products, changes made to system + files and configuration settings SHOULD be checked, restricted, and reported. + notes: |- + Section 1: Can only be checked manually. 
+ Section 2,3: this is an organizational requirement + Section 4: AIDE could be leveraged as a system mechanism + status: partial + rules: + # Section 1 + - install_hids + # Section 4 + - package_aide_installed + - aide_scan_notification + - aide_periodic_cron_checking + # currently not in rhel9, causes massive error with filesystem walk + # - aide_disable_silentreports + - aide_build_database + + - rpm_verify_hashes + - rpm_verify_ownership + + related_rules: + # while rpm_verify_permissions is a part of how to detect changes, it conflicts + # with permission hardening rules like the cron_permissions rules and therelike. + # it is more important to harden the permissions to prevent change, than it is to + # ensure that the permissions are the same as in the rpm database. + - rpm_verify_permissions + # Section 4 + - aide_periodic_checking_systemd_timer + + - id: SYS.1.1.A28 + title: Increasing Availability Through Redundancy + levels: + - elevated + description: |- + (1) Server systems with high availability requirements SHOULD be protected adequately against + failures. (2) At minimum, suitable redundancies SHOULD be available and maintenance contracts + concluded with the respective suppliers. (3) Whether high-availability architectures with + automatic failover (across various sites, if necessary) are required in the case of very high + requirements SHOULD be checked. + notes: |- + this is an organizational requirement + status: manual + + - id: SYS.1.1.A29 + title: ELIMINATED + levels: + - elevated + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A30 + title: One Service per Server + levels: + - elevated + description: |- + (1) Depending on the threat landscape at hand and the protection needs of services, only one + service SHOULD be operated on each server. + notes: |- + This requirement must be implemented organizationally. 
+ status: manual + + - id: SYS.1.1.A31 + title: Using Execution Control + levels: + - elevated + description: |- + (1) Execution control SHOULD be used to ensure that only explicitly authorised programs and + scripts can be executed. (2) The rules SHOULD be set as restrictively as possible. (3) If explicit + specification of paths and hashes is not possible, certificate-based or path rules SHOULD be + used as an alternative. + notes: |- + While not directly leveraging a allowlist of executable programs, SELinux and fapolicyd help to + address this issue. They deny execution or fileaccess based on a list of allowed permissions. + status: automated + rules: + # selinux + - package_libselinux_installed + - grub2_enable_selinux + - selinux_not_disabled + - var_selinux_policy_name=targeted + - selinux_policytype + - var_selinux_state=enforcing + - selinux_state + - selinux_confinement_of_daemons + # fapolicyd + - fapolicy_default_deny + - package_fapolicyd_installed + - service_fapolicyd_enabled + + - id: SYS.1.1.A32 + title: ELIMINATED + levels: + - elevated + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.1.A33 + title: Active Administration of Root Certificates + levels: + - elevated + description: |- + (1) As part of the procurement and installation of a server, the root certificates that are + required to operate the server SHOULD be documented. (2) Only the previously documented root + certificates required for operation SHOULD be present on the server. (3) Regular checks SHOULD + be performed as to whether existing root certificates still comply with the respective + organisation’s requirements. (4) All certificate stores on the IT system at hand SHOULD be + included in these checks. 
+ notes: |- + Section 1: organizational control + Section 2-4: can be addressed by a manual rule in OpenSCAP + This can be in conflict with rpm_checks as changing the ca-trust-store triggers these checks. + status: manual + rules: + # Section 1-4 + - only_allow_specific_certs + + - id: SYS.1.1.A34 + title: Hard Disk Encryption + levels: + - elevated + description: |- + (1) In case of increased protection needs, a server's storage media should be encrypted using a + product or procedure that is considered secure. (2) This SHOULD also apply to virtual machines + containing production data. (3) Trusted Platform Module (TPM) SHOULD NOT be the only form + of key protection used. (4) Recovery passwords SHOULD be stored in an appropriate and secure + location. (5) In case of very high requirements (e.g. regarding confidentiality), full volume or full + disk encryption SHOULD be used. + notes: |- + Section 1-3: Specification of what is needed + Section 4: organizational control + Section 5: can be addressed on a partition label with existing checks + # Keylime? + # nbde? + # https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening + status: partial + rules: + # Section 3 + - grub2_rng_core_default_quality_argument + # Section 1,5 + - encrypt_partitions + + - id: SYS.1.1.A36 + title: Protecting the Boot Process + levels: + - elevated + description: |- + (1) A server's boot loader and operating system kernel SHOULD be checked by self-controlled key + material that is signed upon system start in a trusted chain (secure boot). (2) Unnecessary key + material SHOULD be removed. + notes: |- + At the moment there is no automatic check to check if secure boot is active. 
+ It can be done manually by using mokutil --sb-state + status: manual + rules: [] + + - id: SYS.1.1.A38 + title: Hardening of the Host System by Means of a Read-Only File System + levels: + - elevated + description: |- + The integrity of the host system should be ensured by a read-only file system (an immutable OS). + notes: |- + RHEL does not meet this requirement. RHEL in ImageMode (bootc) might be the solution + for that. + status: does not meet diff --git a/controls/bsi_sys_1_3_rhel10.yml b/controls/bsi_sys_1_3_rhel10.yml new file mode 100644 index 00000000000..03f22c71169 --- /dev/null +++ b/controls/bsi_sys_1_3_rhel10.yml 
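Review bot: In SYS.1.1.A10 the block headed "# Section 5 (dataflows / firewall)" is mapped to the wrong requirement: every rule under it (audit_rules_dac_modification_chmod, ..._chown, ..._setxattr and friends) records permission and xattr changes, which is not what section 5 "Blocked data flows (violations of ACLs or firewall rules)" asks for, and the control's own notes ("Section 5: Identify how firewalld logs and if we could use that") admit section 5 is still open. Either move those rules under the section 4/6 headings they actually serve and state in notes that section 5 is not yet covered, or add a firewalld/nftables logging rule before claiming status: automated. A second problem is that several leftover working comments are written inside `notes: |-` block scalars, where YAML does not treat `#` as a comment, so `# OPS.1.1.5: Logging Anforderung anschauen` and `# AIDE` (A10), `# deactivate WebConsole to circumvent TLS` (A19) and `# Keylime?`, `# nbde?` plus the docs URL (A34) will ship as part of the rendered notes text; move them above the `notes:` key or drop them (and translate the German TODO if kept). In A34, `grub2_rng_core_default_quality_argument` is listed as covering section 3 ("TPM SHOULD NOT be the only form of key protection"), but that kernel argument only controls how much entropy the kernel credits to the hardware RNG and says nothing about LUKS key protection or TPM binding, so it needs a justification or removal. Smaller points: the second sentence of the A5 description ("All interfaces that are no longer needed must be disabled.") is not numbered "(2)" as the header comment's convention requires; the A5, A37 and A31 notes should say that the SELinux block is shared with SYS.1.3; and the notes carry typos worth fixing in the same pass ("dont", "ambigious", "focussed", "configureg", "interprete", "dependend", "therelike", "a allowlist", "upon system start" reads oddly in A36).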
@@ -0,0 +1,446 @@ +--- +# In BSI Basic Protection are multiple Requirements in one control. +# i.e. there are multiple sentences, some including a RFC2119 keyword +# Since we must increase granularity to create a precise control, +# we number each sentence with a RFC2119 keyword as a section, grouping sentences, which are logically connected. +# we number inline in brackets, so the lookup is easy +# we reference these numbers in comments over each rule or group of rules +policy: 'BSI-SYS-1-3-RHEL10' +title: 'SYS.1.3 Linux Server (RHEL10)' +id: bsi_sys_1_3_rhel10 +version: '1.0' +source: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf + +levels: + - id: basic + - id: standard + inherits_from: + - basic + - id: elevated + inherits_from: + - standard + +reference_type: bsi +product: rhel10 + +controls: + - id: SYS.1.3.A1 + title: ELIMINATED + levels: + - basic + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A2 + title: Careful Allocation of IDs + levels: + - basic + description: |- + (1) Each login name, each user ID (UID) and each group ID (GID) MUST ONLY be used once. + (2) Every user MUST be a member of at least one group. (3) Every GID mentioned in the /etc/passwd + file MUST be defined in the /etc/group file. (4) Every group SHOULD only contain the users that + are absolutely necessary. (5) In networked systems, care MUST also be taken to ensure that user + and group names (UIDs and GIDs) are assigned consistently in the system network if there is a + possibility that the same UIDs or GIDs could be assigned to different user or group names on + the systems during cross-system access. 
+ notes: |- + Section 2: System accounts do not always have a group + Section 4 is a manual control + Section 5 this cant be checked on a per system base, and therefore is an organizational control + status: partial + rules: + # Section 1 + - account_unique_id + - account_unique_name + - group_unique_id + - group_unique_name + # Section 2 + # this could be automated + # Section 3 + - gid_passwd_group_same + + - id: SYS.1.3.A3 + title: No Automatic Integration of Removable Drives + levels: + - basic + description: |- + (1) Removable media such as USB pen drives or CDs/DVDs MUST NOT be integrated automatically. + notes: |- + https://access.redhat.com/solutions/18978 + status: automated + rules: + # USB + - grub2_nousb_argument + - bios_disable_usb_boot + - kernel_module_usb-storage_disabled + # Automount + - service_autofs_disabled + + - id: SYS.1.3.A4 + title: Protection from Exploitation of Vulnerabilities in Applications + levels: + - basic + description: |- + (1) ASLR and DEP/NX MUST be activated in the kernel and used by applications to make it harder + to exploit vulnerabilities in applications. (2) Security functions of the kernel and of the standard + libraries (such as heap and stack protection) MUST NOT be disabled. + notes: |- + This should be the default on all modern platforms + Section 2: organizational requirement towards the admin + status: automated + rules: + - bios_enable_execution_restrictions + - package_libselinux_installed + - grub2_enable_selinux + - selinux_not_disabled + + - id: SYS.1.3.A5 + title: Secure Installation of Software Packages + levels: + - basic + description: |- + (1) If software to be installed is to be compiled from source code, it MUST ONLY be unpacked, + configured, and compiled using an unprivileged user account. (2) The software to be installed + MUST NOT then be installed in the root file system of the server in question in an + uncontrolled manner. 
+ + (3) If the software is compiled from the source text, the selected parameters SHOULD be + documented appropriately. (4) Based on this documentation, it SHOULD be possible to compile + the software in a transparent and reproducible manner at any time. (5) All further installation + steps SHOULD also be documented. + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.3.A6 + title: Managing Users and Groups + levels: + - standard + description: |- + (1) The corresponding management tools SHOULD be used for managing users and groups. (2) The + configuration files /etc/passwd, /etc/shadow, /etc/group, and /etc/sudoers SHOULD NOT be + edited directly. + notes: |- + This requirement must be implemented organizationally. + We could add auditing rules for these files, which shows edits, but do not prevent the users + in the toolings they use for editing. + status: partial + rules: + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + + - id: SYS.1.3.A7 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A8 + title: Encrypted Access via Secure Shell + levels: + - standard + description: |- + (1) Only Secure Shell (SSH) SHOULD be used to create an encrypted and authenticated interactive + connection between two IT systems. (2) All other protocols whose functions are covered by + Secure Shell SHOULD be disabled completely. (3) For authentication, users SHOULD primarily + use certificates instead of passwords. 
+ notes: |- + Section 1: this should be the default + Section 2: this should be the default + Section 3: The requirement says PRIMARILY use certificate, not disallow PasswordAuthentication + completely + status: automated + rules: + # Section 1 + - service_sshd_enabled + - sshd_allow_only_protocol2 + - firewalld_sshd_port_enabled + # Section 2 + - package_telnet-server_removed + - package_telnet_removed + # Section 3 + - sshd_disable_empty_passwords + - sshd_disable_root_password_login + - sshd_enable_pubkey_auth + + - id: SYS.1.3.A9 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A10 + title: Preventing Further Intrusion When Vulnerabilities Are Exploited + levels: + - standard + description: |- + (1) Services and applications SHOULD be protected with individual security architecture (e.g. + with AppArmor or SELinux). (2) In addition, chroot environments and LXC or Docker containers + SHOULD be taken into account here. (3) It SHOULD be ensured that the standard profiles and + rules provided are activated. + notes: |- + Section 2: we could add podman specific tasks, but it would be hard to evaluate if they are + used properly + status: partial + rules: + # Section 1 + # SELinux + - package_libselinux_installed + - grub2_enable_selinux + - selinux_not_disabled + # Section 3 + - var_selinux_policy_name=targeted + - selinux_policytype + - var_selinux_state=enforcing + - selinux_state + - selinux_confinement_of_daemons + + - id: SYS.1.3.A11 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A12 + title: ELIMINATED + levels: + - standard + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. 
+ status: not applicable + + - id: SYS.1.3.A13 + title: ELIMINATED + levels: + - elevated + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A14 + title: Preventing Unauthorised Collection of System and User Information + levels: + - standard + description: |- + (1) Information output for users regarding the operating system and access to protocol and + configuration files SHOULD be limited to the required minimum. (2) Moreover, confidential + information SHOULD NOT be provided as parameters when commands are issued. + notes: |- + Section 2: This requirement must be implemented organizationally. + status: partial + rules: + # Section 1 + - file_groupowner_grub2_cfg + - file_owner_grub2_cfg + - file_permissions_grub2_cfg + + - file_groupowner_user_cfg + - file_owner_user_cfg + - file_permissions_user_cfg + + - file_groupowner_efi_grub2_cfg + - file_owner_efi_grub2_cfg + - file_permissions_efi_grub2_cfg + + - file_groupowner_efi_user_cfg + - file_owner_efi_user_cfg + - file_permissions_efi_user_cfg + + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + + - file_groupowner_cron_yearly + - file_owner_cron_yearly + - file_permissions_cron_yearly + + - file_groupowner_cron_d + - file_owner_cron_d + - 
file_permissions_cron_d + + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow + + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + + - directory_groupowner_sshd_config_d + - directory_owner_sshd_config_d + - directory_permissions_sshd_config_d + + - file_owner_sshd_drop_in_config + - file_groupowner_sshd_drop_in_config + - file_permissions_sshd_drop_in_config + + - file_groupownership_sshd_private_key + - file_ownership_sshd_private_key + - file_permissions_sshd_private_key + + - file_groupownership_sshd_pub_key + - file_ownership_sshd_pub_key + - file_permissions_sshd_pub_key + + - file_group_ownership_var_log_audit + - file_ownership_var_log_audit + - file_permissions_var_log_audit + + - file_groupownership_audit_configuration + - file_ownership_audit_configuration + - file_permissions_audit_configuration + + - file_groupownership_audit_binaries + - file_ownership_audit_binaries + - file_permissions_audit_binaries + + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + + - file_groupowner_etc_shadow + - file_owner_etc_shadow + - file_permissions_etc_shadow + + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - file_permissions_etc_gshadow + + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow + + - file_groupowner_etc_shells + - file_owner_etc_shells + - file_permissions_etc_shells + 
+ - file_permissions_unauthorized_world_writable + + - no_files_or_dirs_unowned_by_user + - no_files_or_dirs_ungroupowned + - file_permissions_ungroupowned + + - file_permissions_unauthorized_suid + - file_permissions_unauthorized_sgid + + - file_groupownership_home_directories + - file_ownership_home_directories + - file_permissions_home_directories + + - file_groupowner_etc_security_opasswd + - file_owner_etc_security_opasswd + - file_permissions_etc_security_opasswd + + - file_groupowner_etc_security_opasswd_old + - file_owner_etc_security_opasswd_old + - file_permissions_etc_security_opasswd_old + + - file_permission_user_bash_history + + + - id: SYS.1.3.A15 + title: ELIMINATED + levels: + - elevated + description: |- + This requirement has been eliminated. + notes: |- + This requirement has been eliminated. + status: not applicable + + - id: SYS.1.3.A16 + title: Additional Prevention of Further Intrusion When Vulnerabilities Are Exploited + levels: + - elevated + description: |- + (1) The use of system calls SHOULD be limited to those absolutely necessary, particularly for + exposed services and applications. (2) The standard profiles and/or rules (e.g. of SELinux or + AppArmor) SHOULD be checked manually and, if necessary, adapted to an organisation's own + security policies. (3) If necessary, new rules and profiles SHOULD be drawn up. + notes: |- + This requirement must be implemented organizationally. + status: manual + + - id: SYS.1.3.A17 + title: Additional Kernel Protection + levels: + - elevated + description: |- + (1) Specially hardened kernels (e.g. grsecurity, PaX) and appropriate protective safeguards such as + memory protection or file system protection SHOULD be implemented to prevent + exploitation of vulnerabilities and propagation in operating systems. + notes: |- + Section 1: Red Hat does not provide specifically hardened kernels. 
If using them, please be + aware of the support policy for 3rd Party software (https://access.redhat.com/third-party-software-support). + status: does not meet + rules: [] diff --git a/linux_os/guide/services/mask_nonessential_services/rule.yml b/linux_os/guide/services/mask_nonessential_services/rule.yml index aa692505dca..e5f3dff1906 100644 --- a/linux_os/guide/services/mask_nonessential_services/rule.yml +++ b/linux_os/guide/services/mask_nonessential_services/rule.yml @@ -23,6 +23,7 @@ severity: low identifiers: cce@rhel9: CCE-89970-8 + cce@rhel10: CCE-86933-9 cce@sle12: CCE-92309-4 cce@sle15: CCE-92463-9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml index dfe1abb3b8a..c122314683f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml @@ -27,6 +27,7 @@ severity: medium identifiers: cce@rhel9: CCE-88194-6 + cce@rhel10: CCE-86741-6 ocil_clause: 'it is commented out or not configured properly' diff --git a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml index fa3a0179b63..ff5265ccd62 100644 --- a/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/set_firewalld_appropriate_zone/rule.yml @@ -19,6 +19,7 @@ platform: package[firewalld] identifiers: cce@rhel8: CCE-86111-2 cce@rhel9: CCE-90607-3 + cce@rhel10: CCE-88271-2 cce@sle15: CCE-92556-0 references: 
diff --git a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml index 09f13bfa474..91c5463794f 100644 --- a/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/unnecessary_firewalld_services_ports_disabled/rule.yml @@ -24,6 +24,7 @@ platform: package[firewalld] identifiers: cce@rhel9: CCE-87628-4 + cce@rhel10: CCE-87763-9 cce@sle15: CCE-92552-9 cce@slmicro5: CCE-94011-4 diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_cfg80211_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_cfg80211_disabled/rule.yml index d5dde5d767e..d1cc6045cc1 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_cfg80211_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_cfg80211_disabled/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhcos4: CCE-85932-2 cce@rhel9: CCE-87615-1 + cce@rhel10: CCE-90514-1 references: nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7,AC-18(4) diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlmvm_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlmvm_disabled/rule.yml index a6d4cfbe509..9e95983261b 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlmvm_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlmvm_disabled/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhcos4: CCE-85933-0 cce@rhel9: CCE-90727-9 + cce@rhel10: CCE-88683-8 references: nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7,AC-18(4) 
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlwifi_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlwifi_disabled/rule.yml index 4c0f8d96ab1..7df2b689729 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlwifi_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_iwlwifi_disabled/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhcos4: CCE-85934-8 cce@rhel9: CCE-89240-6 + cce@rhel10: CCE-89230-7 references: nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7,AC-18(4) diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_mac80211_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_mac80211_disabled/rule.yml index 298fe6c0e02..b1b780794d1 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_mac80211_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_mac80211_disabled/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhcos4: CCE-85935-5 cce@rhel9: CCE-87086-5 + cce@rhel10: CCE-87948-6 references: nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7,AC-18(4) diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml index 0269c7a22e5..8514f1be061 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml @@ -19,6 +19,7 @@ severity: unknown identifiers: cce@rhcos4: CCE-82659-4 cce@rhel9: CCE-89909-6 + cce@rhel10: CCE-88738-0 references: cis-csc: 11,12,14,15,3,8,9 
diff --git a/linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml b/linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml index 7b2256ef0d7..cd4c02b80f3 100644 --- a/linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml +++ b/linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@ocp4: CCE-87411-5 cce@rhcos4: CCE-87849-6 cce@rhel9: CCE-89013-7 + cce@rhel10: CCE-87135-0 ocil_clause: non-trusted CA is installed in the system diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml index f8691b6ab15..3af92cfa15c 100644 --- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml +++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml @@ -17,6 +17,7 @@ severity: unknown identifiers: cce@rhcos4: CCE-82662-8 cce@rhel9: CCE-87913-0 + cce@rhel10: CCE-87595-5 references: cis-csc: 12,16 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml index a23449f8c93..c4aa12b7974 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/rule.yml @@ -24,6 +24,7 @@ severity: high identifiers: cce@rhel8: CCE-83879-7 cce@rhel9: CCE-86556-8 + cce@rhel10: CCE-90098-5 references: cis-csc: 12,13,14,4,7,8 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_endpoint_security_software/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_endpoint_security_software/rule.yml index b4121ec4e14..461b39d88ce 100644 
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_endpoint_security_software/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_endpoint_security_software/rule.yml @@ -24,3 +24,4 @@ fixtext: |- identifiers: cce@rhel9: CCE-88504-6 + cce@rhel10: CCE-87008-9 diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml index ccacc67c235..afd4ee561c5 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml @@ -21,6 +21,7 @@ conflicts: identifiers: cce@rhel8: CCE-80831-1 cce@rhel9: CCE-88837-0 + cce@rhel10: CCE-88206-8 cce@sle12: CCE-92218-7 cce@sle15: CCE-85789-6 diff --git a/products/rhel10/profiles/bsi.profile b/products/rhel10/profiles/bsi.profile new file mode 100644 index 00000000000..9dd08c05479 --- /dev/null +++ b/products/rhel10/profiles/bsi.profile @@ -0,0 +1,28 @@ +documentation_complete: true + +title: 'BSI SYS.1.1 and SYS.1.3' + +reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf + +metadata: + SMEs: + - sluetze + version: 2022 + +description: |- + This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz + Basic-Protection. + + This baseline implements OS-Level configuration requirements from the following + sources: + + - Building-Block SYS.1.1 General Server + - Building-Block SYS.1.3 Linux Server + +selections: + - bsi_sys_1_1_rhel10:all + - bsi_sys_1_3_rhel10:all + + # BSI APP.4.4.A4 + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 1f4d82ed490..12cc542945b 100644 
--- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -76,7 +76,6 @@ CCE-86726-7 CCE-86728-3 CCE-86730-9 CCE-86734-1 -CCE-86741-6 CCE-86742-4 CCE-86743-2 CCE-86745-7 @@ -154,7 +153,6 @@ CCE-86927-1 CCE-86928-9 CCE-86929-7 CCE-86930-5 -CCE-86933-9 CCE-86934-7 CCE-86935-4 CCE-86936-2 @@ -190,7 +188,6 @@ CCE-87000-6 CCE-87002-2 CCE-87005-5 CCE-87006-3 -CCE-87008-9 CCE-87010-5 CCE-87011-3 CCE-87012-1 @@ -240,7 +237,6 @@ CCE-87131-9 CCE-87132-7 CCE-87133-5 CCE-87134-3 -CCE-87135-0 CCE-87136-8 CCE-87138-4 CCE-87139-2 @@ -519,7 +515,6 @@ CCE-87590-6 CCE-87592-2 CCE-87593-0 CCE-87594-8 -CCE-87595-5 CCE-87597-1 CCE-87600-3 CCE-87603-7 @@ -616,7 +611,6 @@ CCE-87758-9 CCE-87759-7 CCE-87760-5 CCE-87761-3 -CCE-87763-9 CCE-87764-7 CCE-87768-8 CCE-87769-6 @@ -738,7 +732,6 @@ CCE-87943-7 CCE-87944-5 CCE-87945-2 CCE-87947-8 -CCE-87948-6 CCE-87950-2 CCE-87951-0 CCE-87952-8 @@ -889,7 +882,6 @@ CCE-88199-5 CCE-88201-9 CCE-88202-7 CCE-88204-3 -CCE-88206-8 CCE-88208-4 CCE-88209-2 CCE-88211-8 @@ -930,7 +922,6 @@ CCE-88265-4 CCE-88266-2 CCE-88267-0 CCE-88268-8 -CCE-88271-2 CCE-88272-0 CCE-88273-8 CCE-88277-9 @@ -1186,7 +1177,6 @@ CCE-88678-8 CCE-88679-6 CCE-88680-4 CCE-88681-2 -CCE-88683-8 CCE-88684-6 CCE-88685-3 CCE-88690-3 @@ -1218,7 +1208,6 @@ CCE-88734-9 CCE-88735-6 CCE-88736-4 CCE-88737-2 -CCE-88738-0 CCE-88739-8 CCE-88740-6 CCE-88743-0 @@ -1489,7 +1478,6 @@ CCE-89222-4 CCE-89224-0 CCE-89226-5 CCE-89229-9 -CCE-89230-7 CCE-89231-5 CCE-89235-6 CCE-89237-2 @@ -2038,7 +2026,6 @@ CCE-90091-0 CCE-90092-8 CCE-90095-1 CCE-90097-7 -CCE-90098-5 CCE-90101-7 CCE-90102-5 CCE-90103-3 @@ -2314,7 +2301,6 @@ CCE-90509-1 CCE-90510-9 CCE-90512-5 CCE-90513-3 -CCE-90514-1 CCE-90515-8 CCE-90518-2 CCE-90520-8
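Review bot: in the SYS.1.3 control-file hunk, SYS.1.3.A17 is set to `status: does not meet` with `rules: []`, yet sentence (1) also asks for "appropriate protective safeguards such as memory protection", which the stock RHEL kernel does provide and for which the content already has rules (sysctl_kernel_randomize_va_space, sysctl_kernel_kptr_restrict, sysctl_kernel_dmesg_restrict, sysctl_kernel_yama_ptrace_scope); consider selecting those and using `partial`, keeping the note that no grsecurity/PaX-style kernel is shipped. Three smaller points in the same hunk: SYS.1.3.A6 names /etc/sudoers explicitly but the audit selection only covers passwd/shadow/group/gshadow/opasswd, so a sudoers audit rule (audit_rules_sudoers and audit_rules_sudoers_d, if they are available for rhel10) would close that gap; SYS.1.3.A8 Section 1 selects sshd_allow_only_protocol2, but the OpenSSH shipped with RHEL 10 treats `Protocol` as a deprecated directive (protocol 1 support was removed long ago), so the remediation only adds a deprecated option and the rule should be checked for rhel10 applicability, and Section 2 removes only telnet while the r-services (package_rsh-server_removed, package_rsh_removed) are equally "covered by Secure Shell"; and there are two blank lines between `file_permission_user_bash_history` and the SYS.1.3.A15 entry where the rest of the file uses one.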
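Review bot: in the products/rhel10/profiles/bsi.profile hunk, the two variable selections under `# BSI APP.4.4.A4` duplicate what SYS.1.3.A10 in the control file already selects (`var_selinux_policy_name=targeted`, `var_selinux_state=enforcing`), and APP.4.4 is the Kubernetes building block, not one of the two this profile covers, so the comment looks copied from another product's profile; either drop the two lines or relabel them as SYS.1.3.A10. The description also expands BSI as "Federal Office for Security Information"; the official English name is "Federal Office for Information Security". Lastly, `bsi_sys_1_1_rhel10:all` and `bsi_sys_1_3_rhel10:all` pull in the `elevated` level as well as `basic` and `standard`; if one combined profile is intended that is fine, but the description's "baseline" wording should state which level it represents.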
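Review bot: the hunks for wireless_disable_in_bios/rule.yml and bios_disable_usb_boot/rule.yml add a `cce@rhel10` identifier while the visible context line still reads `severity: unknown`; a rule that is being given a product identifier and pulled into a product profile should carry a real severity, so set one in the same change rather than leaving it `unknown`.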
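Review bot: for the shared/references/cce-redhat-avail.txt hunks, please confirm that every rule receiving a rhel10 CCE here is actually selected by the new profile, since only sshd_disable_root_password_login appears in the SYS.1.3 selections visible in this diff and the rest (mask_nonessential_services, the firewalld and wireless rules, only_allow_specific_certs, bios_disable_usb_boot, the endpoint-security rules) must be coming from bsi_sys_1_1_rhel10.yml; IDs should only be consumed from the pool for rules that are part of a product profile. The pool update itself is consistent: the fourteen IDs removed match one-to-one the fourteen `cce@rhel10` entries added to the rule files.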