Blame SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch

76240a
From eed29b1db9dd62d014842340abb8601570fe6655 Mon Sep 17 00:00:00 2001
76240a
From: Carlos Matos <cmatos@redhat.com>
76240a
Date: Thu, 22 Jul 2021 14:26:49 -0400
76240a
Subject: [PATCH] New rule for RHEL-08-020270
76240a
76240a
---
76240a
 .../account_emergency_expire_date/rule.yml    | 52 +++++++++++++++++++
76240a
 products/rhel8/profiles/stig.profile          |  1 +
76240a
 shared/references/cce-redhat-avail.txt        |  1 -
76240a
 .../data/profile_stability/rhel8/stig.profile |  1 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
76240a
 5 files changed, 55 insertions(+), 1 deletion(-)
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
76240a
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
76240a
new file mode 100644
76240a
index 0000000000..a47c7f39bc
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
76240a
@@ -0,0 +1,52 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: fedora,rhel8
76240a
+
76240a
+title: 'Assign Expiration Date to Emergency Accounts'
76240a
+
76240a
+description: |-
76240a
+    Emergency accounts are privileged accounts established in response to
76240a
+    crisis situations where the need for rapid account activation is required.
76240a
+    In the event emergency accounts are required, configure the system to
76240a
+    terminate them after a documented time period. For every emergency account,
76240a
+    run the following command to set an expiration date on it, substituting
76240a
+    <tt>ACCOUNT_NAME</tt> and <tt>YYYY-MM-DD</tt>
76240a
+    appropriately:
76240a
+    
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
76240a
+    <tt>YYYY-MM-DD</tt> indicates the documented expiration date for the
76240a
+    account. For U.S. Government systems, the operating system must be
76240a
+    configured to automatically terminate these types of accounts after a
76240a
+    period of 72 hours.
76240a
+
76240a
+rationale: |-
76240a
+    If emergency user accounts remain active when no longer needed or for
76240a
+    an excessive period, these accounts may be used to gain unauthorized access.
76240a
+    To mitigate this risk, automated termination of all emergency accounts
76240a
+    must be set upon account creation.
76240a
+    
76240a
+
76240a
+severity: medium
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel8: CCE-85910-8
76240a
+
76240a
+references:
76240a
+    cis-csc: 1,12,13,14,15,16,18,3,5,7,8
76240a
+    cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03
76240a
+    disa: CCI-000016,CCI-001682
76240a
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
76240a
+    isa-62443-2013: 'SR 1.1,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
76240a
+    iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
76240a
+    nist: AC-2(2),AC-2(3),CM-6(a)
76240a
+    nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
76240a
+    srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002
76240a
+    stigid@rhel8: RHEL-08-020270
76240a
+    vmmsrg: SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620
76240a
+
76240a
+ocil_clause: 'any emergency accounts have no expiration date set or do not expire within a documented time frame'
76240a
+
76240a
+ocil: |-
76240a
+    For every emergency account, run the following command
76240a
+    to obtain its account aging and expiration information:
76240a
+    
$ sudo chage -l ACCOUNT_NAME
76240a
+    Verify each of these accounts has an expiration date set as documented.
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 7270a8f91f..c4b9d02af5 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -558,6 +558,7 @@ selections:
76240a
     - account_disable_post_pw_expiration
76240a
 
76240a
     # RHEL-08-020270
76240a
+    - account_emergency_expire_date
76240a
 
76240a
     # RHEL-08-020280
76240a
     - accounts_password_pam_ocredit
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 665f903ead..f500179292 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -43,7 +43,6 @@ CCE-85906-6
76240a
 CCE-85907-4
76240a
 CCE-85908-2
76240a
 CCE-85909-0
76240a
-CCE-85910-8
76240a
 CCE-85911-6
76240a
 CCE-85912-4
76240a
 CCE-85913-2
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index 7d59cfff62..72e205b695 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -24,6 +24,7 @@ documentation_complete: true
76240a
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
76240a
 selections:
76240a
 - account_disable_post_pw_expiration
76240a
+- account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 2c2daad6f6..cc21621617 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -35,6 +35,7 @@ documentation_complete: true
76240a
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
76240a
 selections:
76240a
 - account_disable_post_pw_expiration
76240a
+- account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay