From 13f8417847cc2ffca67000065e5b0140a91154dd Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Fri, 23 Jan 2026 14:07:27 +0000
Subject: [PATCH 1/3] Include rules for sshd drop in files for Ubuntu2204
Signed-off-by: Alan Moore
---
 controls/cis_ubuntu2204.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml
index 468206ef81e4..84f3287f32ee 100644
--- a/controls/cis_ubuntu2204.yml
+++ b/controls/cis_ubuntu2204.yml
@@ -1495,8 +1495,11 @@ controls:
 - l1_workstation
 rules:
 - file_groupowner_sshd_config
+ - file_groupowner_sshd_drop_in_config
 - file_owner_sshd_config
+ - file_owner_sshd_drop_in_config
 - file_permissions_sshd_config
+ - file_permissions_sshd_drop_in_config
 status: automated

 - id: 5.1.2
From 09ee20aa6d441a7120ee6f75507f560dd364a797 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Fri, 23 Jan 2026 14:04:41 +0000
Subject: [PATCH 2/3] Include rules for sshd drop in files for Ubuntu2404
Signed-off-by: Alan Moore
---
 controls/cis_ubuntu2404.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 6b2267eb20f0..0d53a9a6d79b 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2,7 +2,7 @@
 policy: CIS Benchmark for Ubuntu 24.04 LTS
 title: CIS Benchmark for Ubuntu 24.04 LTS
 id: cis_ubuntu2404
-version: '1.0.0'
+version: "1.0.0"
 source: https://www.cisecurity.org/cis-benchmarks

 levels:
@@ -1116,7 +1116,8 @@ controls:
 - file_owner_at_deny
 - file_permissions_at_deny
 status: automated
- notes: file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept
+ notes:
+ file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept
 daemon

 - id: 3.1.1
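Review bot: The three `*_sshd_drop_in_config` rule IDs added to this control are referenced without anything on the page showing the corresponding rule definitions, so confirm each resolves to an existing rule in the content before merging — a control file that names a missing rule is only caught at build time. The control is presumably 5.1.1 (its entry ends just before `- id: 5.1.2`), and since it stays `status: automated`, a one-line `notes:` entry stating which drop-in location the benchmark text requires would let a reviewer check the mapping without opening the benchmark. The same addition appears in the `@@ -1568,8 +1569,11 @@` hunk of controls/cis_ubuntu2404.yml in the second patch, and the same points apply there.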
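Review bot: The `notes:` reflow in the `@@ -1116,7 +1116,8 @@` hunk (and the `'1.0.0'` → `"1.0.0"` quote change in the `@@ -2,7 +2,7 @@` hunk) is unrelated to the sshd drop-in rules named in the subject, and as written it still leaves `daemon` on a continuation line of a plain scalar, which YAML folds into the previous line — the value is unchanged, but the file still reads as an accidental multi-line scalar. The third patch in the series replaces it with a block scalar; squashing that into this commit, or moving both formatting changes into their own commit, would keep the sshd change reviewable on its own. The same reflow is repeated at the `@@ -2192,7 +2196,8 @@` hunk.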
@@ -1568,8 +1569,11 @@ controls:
 - l1_workstation
 rules:
 - file_groupowner_sshd_config
+ - file_groupowner_sshd_drop_in_config
 - file_owner_sshd_config
+ - file_owner_sshd_drop_in_config
 - file_permissions_sshd_config
+ - file_permissions_sshd_drop_in_config
 status: automated

 - id: 5.1.2
@@ -2192,7 +2196,8 @@ controls:
 rules:
 - ensure_root_access_controlled
 status: automated
- notes: This rule doesn't come with a remediation, as the exact requirement allows root to either
+ notes:
+ This rule doesn't come with a remediation, as the exact requirement allows root to either
 have a password or be locked.

 - id: 5.4.2.5
From 7ef57585d3187c45fa88b7e9c362cc3eec88490b Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Fri, 23 Jan 2026 14:46:10 +0000
Subject: [PATCH 3/3] Mark multiple lines
Signed-off-by: Alan Moore
---
 controls/cis_ubuntu2404.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 0d53a9a6d79b..58c756c81c9d 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1116,7 +1116,7 @@ controls:
 - file_owner_at_deny
 - file_permissions_at_deny
 status: automated
- notes:
+ notes: |-
 file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept
 daemon

@@ -2196,7 +2196,7 @@ controls:
 rules:
 - ensure_root_access_controlled
 status: automated
- notes:
+ notes: |-
 This rule doesn't come with a remediation, as the exact requirement allows root to either
 have a password or be locked.
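Review bot: `notes: |-` in the third patch's `@@ -1116,7 +1116,7 @@` hunk is a literal block scalar, so the value now carries a hard newline between `don't accept` and `daemon` (and, in the `@@ -2196,7 +2196,7 @@` hunk, between `either` and `have a password`), whereas the plain scalar it replaces folded both lines into one sentence. If the line break exists only to keep the line length down, `notes: >-` folds the lines back into a single line and preserves the previous value; `|-` is the right choice only if the note is meant to render on two lines.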