ComplianceAsCode · Mab879 · Feb 6, 2024 · Feb 1, 2024 · Feb 1, 2024 · Feb 1, 2024
diff --git a/build-scripts/compile_all.py b/build-scripts/compile_all.py
@@ -156,6 +156,7 @@ def main():
         controls_dir, env_yaml, existing_rules)
     controls_manager.load()
     controls_manager.remove_selections_not_known(loader.all_rules)
+    controls_manager.add_references(loader.all_rules)
 
     profiles_by_id = get_all_resolved_profiles_by_id(
         env_yaml, product_yaml, loader, product_cpes, controls_manager, controls_dir)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -12,6 +12,8 @@ levels:
   - id: l2_workstation
     inherits_from:
     - l1_workstation
+reference_type: cis
+product: rhel7
 
 controls:
   - id: reload_dconf_db

@@ -13,6 +13,8 @@ levels:
   - id: l2_workstation
     inherits_from:
       - l1_workstation
+reference_type: cis
+product: rhel8
 
 controls:
   - id: reload_dconf_db

@@ -13,6 +13,8 @@ levels:
   - id: l2_workstation
     inherits_from:
       - l1_workstation
+reference_type: cis
+product: rhel9
 
 controls:
   - id: reload_dconf_db

diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md
@@ -979,6 +979,8 @@ title: short title (required key)
 original_title: used as a reference for policies not yet available in English
 source: a link to the original policy, eg. a URL of a PDF document
 controls_dir: a directory containing files representing controls that will be imported into this policy
+reference_type: Reference type represented by control IDs in this policy.
+product: product ID, set if the policy is specific to a single product.
 levels: a list of levels, the first one is default
   - id: level ID (required key)
     inherits_from: a list of IDs of levels inheriting from
@@ -1002,6 +1004,7 @@ Full example of a controls file:
 id: abcd
 title: ABCD Benchmark for securing Linux systems
 source: https://www.abcd.com/linux.pdf
+reference_type: abcd
 levels:
   - id: low
   - id: high
@@ -1069,6 +1072,37 @@ controls:
       - other-policy:other-control
 ```
 
+### Using Controls for Automated Reference Assignment to Rules
+
+Control files inherently establish the correspondence between the requirements of a specified policy and individual rules.
+That represents a reverse mapping compared to the function of the `references` key in `rule.yml` files.
+The `references` key in `rule.yml` maps the rule to a requirement of an external policy.
+If a control file is used to map the policy requirements, then the references don't need to be specified in `rule.yml`.
+Instead, the build system is able to assign the references to rules automatically at the build time.
+This feature of the build system saves time and avoids data duplication, because the references are centralized in the control file, and they are not specified in `rule.yml` files.
+To use the automated reference assignement, the `reference_type` key must be added to the control file.
+The value of this key represents the type of reference that will be assigned.
+
+For example, to instruct the build system to use the control file to automatically assign `anssi` references to all rules listed in the control file, add the following line to the control file:
+
+```
+reference_type: anssi
+```
+
+The usage of `reference_type` key results in adding a reference to all rules in that control file across all products.
+This is a useful behavior for the control files that represent a product agnostic policy, for example ANSSI.
+However, some policies, for example CIS Benchmarks, are specific for a single product, so we represent them by separate control files, eg. `cis_rhel8.yml` and `cis_rhel9.yml`.
+These files define the same `reference_type`.
+To ensure the correct reference source for a given product we need to label the control file as product-specific.
+Product-specific control files need to have the `product` key set.
+
+For example, to instruct the build system to automatically assign `cis` references to all rules listed in the control file when building the `rhel9` product, include the following lines to the control file:
+
+```
+product: rhel9
+reference_type: cis
+```
+
 ### Using controls in profiles
 
 Later, we can use the policy requirements in profile YAML. Let's say that we

diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi-autoipd_removed/rule.yml
@@ -24,7 +24,6 @@ identifiers:
 
 references:
     cis-csc: 11,14,3,9
-    cis@rhel9: 2.2.2
     cis@sle12: 2.2.3
     cis@sle15: 2.2.3
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06

diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml
@@ -24,9 +24,6 @@ identifiers:
 
 references:
     cis-csc: 11,14,3,9
-    cis@rhel7: 2.2.2
-    cis@rhel8: 2.2.2
-    cis@rhel9: 2.2.2
     cis@sle12: 2.2.3
     cis@sle15: 2.2.3
     cis@ubuntu2004: 2.2.3

diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
@@ -23,7 +23,6 @@ identifiers:
 
 references:
     cis-csc: 11,14,3,9
-    cis@rhel8: 2.2.2
     cis@sle12: 2.2.3
     cis@sle15: 2.2.3
     cis@ubuntu2004: 2.2.3

diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
@@ -25,8 +25,6 @@ identifiers:
 
 references:
     cis-csc: 11,12,14,15,3,8,9
-    cis@rhel7: 1.2.5
-    cis@rhel8: 1.2.2
     cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
     disa: CCI-000382
     isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.7
-    cis@rhel8: 4.1.1.7
-    cis@rhel9: 5.1.7
     cis@sle12: 5.1.7
     cis@sle15: 5.1.7
     cis@ubuntu2004: 5.1.7

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.4
-    cis@rhel8: 4.1.1.4
-    cis@rhel9: 5.1.4
     cis@sle12: 5.1.4
     cis@sle15: 5.1.4
     cis@ubuntu2004: 5.1.4

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.3
-    cis@rhel8: 4.1.1.3
-    cis@rhel9: 5.1.3
     cis@sle12: 5.1.3
     cis@sle15: 5.1.3
     cis@ubuntu2004: 5.1.3

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.6
-    cis@rhel8: 4.1.1.6
-    cis@rhel9: 5.1.6
     cis@sle12: 5.1.6
     cis@sle15: 5.1.6
     cis@ubuntu2004: 5.1.6

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.5
-    cis@rhel8: 4.1.1.5
-    cis@rhel9: 5.1.5
     cis@sle12: 5.1.5
     cis@sle15: 5.1.5
     cis@ubuntu2004: 5.1.5

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.2
-    cis@rhel8: 4.1.1.2
-    cis@rhel9: 5.1.2
     cis@sle12: 5.1.2
     cis@sle15: 5.1.2
     cis@ubuntu2004: 5.1.2

diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.7
-    cis@rhel8: 4.1.1.7
-    cis@rhel9: 5.1.7
     cis@sle12: 5.1.7
     cis@sle15: 5.1.7
     cis@ubuntu2004: 5.1.7

diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.4
-    cis@rhel8: 4.1.1.4
-    cis@rhel9: 5.1.4
     cis@sle12: 5.1.4
     cis@sle15: 5.1.4
     cis@ubuntu2004: 5.1.4

diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.3
-    cis@rhel8: 4.1.1.3
-    cis@rhel9: 5.1.3
     cis@sle12: 5.1.3
     cis@sle15: 5.1.3
     cis@ubuntu2004: 5.1.3

diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.6
-    cis@rhel8: 4.1.1.6
-    cis@rhel9: 5.1.6
     cis@sle12: 5.1.6
     cis@sle15: 5.1.6
     cis@ubuntu2004: 5.1.6

diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.5
-    cis@rhel8: 4.1.1.5
-    cis@rhel9: 5.1.5
     cis@sle12: 5.1.5
     cis@sle15: 5.1.5
     cis@ubuntu2004: 5.1.5

diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.2
-    cis@rhel8: 4.1.1.2
-    cis@rhel9: 5.1.2
     cis@sle12: 5.1.2
     cis@sle15: 5.1.2
     cis@ubuntu2004: 5.1.2

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.7
-    cis@rhel8: 4.1.1.7
-    cis@rhel9: 5.1.7
     cis@sle12: 5.1.7
     cis@sle15: 5.1.7
     cis@ubuntu2004: 5.1.7

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.4
-    cis@rhel8: 4.1.1.4
-    cis@rhel9: 5.1.4
     cis@sle12: 5.1.4
     cis@sle15: 5.1.4
     cis@ubuntu2004: 5.1.4

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.3
-    cis@rhel8: 4.1.1.3
-    cis@rhel9: 5.1.3
     cis@sle12: 5.1.3
     cis@sle15: 5.1.3
     cis@ubuntu2004: 5.1.3

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.6
-    cis@rhel8: 4.1.1.6
-    cis@rhel9: 5.1.6
     cis@sle12: 5.1.6
     cis@sle15: 5.1.6
     cis@ubuntu2004: 5.1.6

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.5
-    cis@rhel8: 4.1.1.5
-    cis@rhel9: 5.1.5
     cis@sle12: 5.1.5
     cis@sle15: 5.1.5
     cis@ubuntu2004: 5.1.5

diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.2
-    cis@rhel8: 4.1.1.2
-    cis@rhel9: 5.1.2
     cis@sle12: 5.1.2
     cis@sle15: 5.1.2
     cis@ubuntu2004: 5.1.2

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml
@@ -21,9 +21,6 @@ identifiers:
     cce@sle15: CCE-91313-7
 
 references:
-    cis@rhel7: 4.1.2.1
-    cis@rhel8: 4.1.2.1
-    cis@rhel9: 5.1.9
     cis@sle12: 5.1.9
     cis@sle15: 5.1.9
     cis@ubuntu2204: 5.1.9

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
@@ -20,10 +20,6 @@ identifiers:
     cce@rhel8: CCE-86184-9
     cce@rhel9: CCE-86185-6
 
-references:
-    cis@rhel7: 4.1.1.8
-    cis@rhel8: 4.1.1.8
-    cis@rhel9: 5.1.8
 
 ocil_clause: 'the file /etc/cron.allow does not exist'
 

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml
@@ -22,9 +22,6 @@ identifiers:
     cce@sle15: CCE-91314-5
 
 references:
-    cis@rhel7: 4.1.1.8
-    cis@rhel8: 4.1.1.8
-    cis@rhel9: 5.1.8
     cis@sle12: 5.1.8
     cis@sle15: 5.1.8
     cis@ubuntu2204: 5.1.8

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -20,9 +20,6 @@ identifiers:
     cce@sle15: CCE-91315-2
 
 references:
-    cis@rhel7: 4.1.2.1
-    cis@rhel8: 4.1.2.1
-    cis@rhel9: 5.1.9
     cis@sle12: 5.1.9
     cis@sle15: 5.1.9
     cis@ubuntu2004: 5.1.9

diff --git a/..._os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/..._os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.8
-    cis@rhel8: 4.1.1.8
-    cis@rhel9: 5.1.8
     cis@sle12: 5.1.8
     cis@sle15: 5.1.8
     cis@ubuntu2004: 5.1.8

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -21,9 +21,6 @@ identifiers:
     cce@sle15: CCE-91317-8
 
 references:
-    cis@rhel7: 4.1.2.1
-    cis@rhel8: 4.1.2.1
-    cis@rhel9: 5.1.9
     cis@sle12: 5.1.9
     cis@sle15: 5.1.9
     cis@ubuntu2004: 5.1.9

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml
@@ -22,9 +22,6 @@ identifiers:
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
-    cis@rhel7: 4.1.1.8
-    cis@rhel8: 4.1.1.8
-    cis@rhel9: 5.1.8
     cis@sle12: 5.1.8
     cis@sle15: 5.1.8
     cis@ubuntu2004: 5.1.8

diff --git a/...x_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/...x_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -30,9 +30,6 @@ identifiers:
     cce@sle15: CCE-91319-4
 
 references:
-    cis@rhel7: 4.1.2.1
-    cis@rhel8: 4.1.2.1
-    cis@rhel9: 5.1.9
     cis@sle12: 5.1.9
     cis@sle15: 5.1.9
     cis@ubuntu2004: 5.1.9

diff --git a/...os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/...os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml
@@ -31,9 +31,6 @@ identifiers:
     cce@sle15: CCE-91320-2
 
 references:
-    cis@rhel7: 4.1.1.8
-    cis@rhel8: 4.1.1.8
-    cis@rhel9: 5.1.8
     cis@sle12: 5.1.8
     cis@sle15: 5.1.8
     cis@ubuntu2004: 5.1.8