From 7899e18d486b6181f3213c3c1351f24cdce84bf8 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 10:34:47 -0500

Subject: [PATCH 01/20] Split RHEL-08-040100 into two rules

One for the firewalld package and one for the firewalld service.

---

 .../firewalld_activation/service_firewalld_enabled/rule.yml   | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml

index cff9581e76..42849bdd5a 100644

--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml

+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml

@@ -40,7 +40,7 @@ references:

     srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232

     stigid@ol7: OL07-00-040520

     stigid@rhel7: RHEL-07-040520

-    stigid@rhel8: RHEL-08-040100

+    stigid@rhel8: RHEL-08-040101

     stigid@sle15: SLES-15-010220

 ocil: |-

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 965068a691..9d0145a96f 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -968,9 +968,11 @@ selections:

     # RHEL-08-040090

     # RHEL-08-040100

-    - service_firewalld_enabled

     - package_firewalld_installed

+    # RHEL-08-040101

+    - service_firewalld_enabled

+

     # RHEL-08-040110

     - wireless_disable_interfaces

From 7396acddc284acc54d66640e7e0bc5251334bc0b Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 11:44:59 -0500

Subject: [PATCH 02/20] Split the rule for RHEL-08-020040

Split and package_tmux_installed and configure_tmux_lock_command

---

 .../console_screen_locking/package_tmux_installed/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml

index 550eaea8bb..120d1c49e0 100644

--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml

@@ -40,7 +40,7 @@ references:

     nist-csf: PR.AC-7

     ospp: FMT_MOF_EXT.1

     srg: SRG-OS-000030-GPOS-00011,SRG-OS-000028-GPOS-00009

-    stigid@rhel8: RHEL-08-020040

+    stigid@rhel8: RHEL-08-020039

     vmmsrg: SRG-OS-000030-VMM-000110

 ocil_clause: 'the package is not installed'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 9d0145a96f..9f57b28f4f 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -481,8 +481,10 @@ selections:

     # RHEL-08-020030

     - dconf_gnome_screensaver_lock_enabled

-    # RHEL-08-020040

+    # RHEL-08-020039

     - package_tmux_installed

+

+    # RHEL-08-020040

     - configure_tmux_lock_command

     # RHEL-08-020041

From 6e3a93e173fbd12640e585d579f1e1d0afd3f419 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 11:49:59 -0500

Subject: [PATCH 03/20] Split RHEL-08-040100

One for the openssh-server package and one for the openssh-server service.

---

 .../services/ssh/package_openssh-server_installed/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

index 0b2a660c29..b551f08f38 100644

--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -30,7 +30,7 @@ references:

     srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190

     stigid@ol7: OL07-00-040300

     stigid@rhel7: RHEL-07-040300

-    stigid@rhel8: RHEL-08-040160

+    stigid@rhel8: RHEL-08-040159

     stigid@ubuntu2004: UBTU-20-010042

 ocil_clause: 'the package is not installed'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 9f57b28f4f..66f70cdfd5 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -1037,8 +1037,10 @@ selections:

     # RHEL-08-040150

-    # RHEL-08-040160

+    # RHEL-08-040159

     - package_openssh-server_installed

+

+    # RHEL-08-040160

     - service_sshd_enabled

     # RHEL-08-040161

From 097682c4e225b7bdefd7b38c89cadf984540da04 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 11:56:17 -0500

Subject: [PATCH 04/20] Split RHEL-08-040140

Package usbguard and service usbguard are split out into their own

STIG ID. now.

---

 .../services/usbguard/package_usbguard_installed/rule.yml | 2 +-

 .../services/usbguard/service_usbguard_enabled/rule.yml   | 2 +-

 products/rhel8/profiles/stig.profile                      | 8 ++++++--

 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

index 333718182e..19ef8aaca6 100644

--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

@@ -48,7 +48,7 @@ references:

     disa: CCI-001958

     ism: "1418"

     srg: SRG-OS-000378-GPOS-00163

-    stigid@rhel8: RHEL-08-040140

+    stigid@rhel8: RHEL-08-040139

 ocil_clause: 'the package is not installed'

diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml

index 86adda9ecc..4f008129ea 100644

--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml

+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml

@@ -27,7 +27,7 @@ references:

     nist: CM-8(3)(a),IA-3

     ospp: FMT_SMF_EXT.1

     srg: SRG-OS-000378-GPOS-00163

-    stigid@rhel8: RHEL-08-040140

+    stigid@rhel8: RHEL-08-040141

 ocil_clause: 'the service is not enabled'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 66f70cdfd5..fd090e4058 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -1030,11 +1030,15 @@ selections:

     - package_fapolicyd_installed

     - service_fapolicyd_enabled

-    # RHEL-08-040140

+    # RHEL-08-040139

     - package_usbguard_installed

-    - service_usbguard_enabled

+

+    # RHEL-08-040140

     - usbguard_generate_policy

+    # RHEL-08-040141

+    - service_usbguard_enabled

+

     # RHEL-08-040150

     # RHEL-08-040159

From 1b28e2bed919e7f16519b051d39f7df640498d4f Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:01:13 -0500

Subject: [PATCH 05/20] Split RHEL-08-030180

One for the auditd package and one for the auditd service.

---

 linux_os/guide/system/auditing/service_auditd_enabled/rule.yml | 2 +-

 products/rhel8/profiles/stig.profile                           | 3 +++

 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml

index e10e8c7782..c7ce75e87c 100644

--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml

+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml

@@ -55,7 +55,7 @@ references:

     stigid@sle12: SLES-12-020010

     stigid@sle15: SLES-15-030050

     nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)

-    stigid@rhel8: RHEL-08-010560

+    stigid@rhel8: RHEL-08-030381

 ocil: |-

     {{{ ocil_service_enabled(service="auditd") }}}

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index fd090e4058..682034af4d 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -683,6 +683,9 @@ selections:

     # RHEL-08-030180

     - package_audit_installed

+    # RHEL-08-030181

+    - service_auditd_enabled

+

     # RHEL-08-030190

     - audit_rules_privileged_commands_su

From 0cf0bb3f6153be26abd4622221d73356be667d1f Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:04:34 -0500

Subject: [PATCH 06/20] Split RHEL-08-010521

Disabling Kerb5 and gssapi auth for sshd move split into two STIG ids.

---

 .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml   | 2 +-

 products/rhel8/profiles/stig.profile                            | 2 ++

 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml

index 946ba7f1d6..2134da2839 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml

@@ -36,7 +36,7 @@ references:

     srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227

     stigid@ol7: OL07-00-040430

     stigid@rhel7: RHEL-07-040430

-    stigid@rhel8: RHEL-08-010521

+    stigid@rhel8: RHEL-08-010522

     vmmsrg: SRG-OS-000480-VMM-002000

 ocil_clause: 'it is commented out or is not disabled'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 682034af4d..f913545106 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -318,6 +318,8 @@ selections:

     # RHEL-08-010521

     - sshd_disable_kerb_auth

+

+    # RHEL-08-010522

     - sshd_disable_gssapi_auth

     # RHEL-08-010540

From 994b19da2cb0f88d6eb0533d1ba4cae362351e56 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:10:06 -0500

Subject: [PATCH 07/20] Split RHEL-08-010471

One for the rng-tools package and one for the rngd service.

---

 .../software/system-tools/package_rng-tools_installed/rule.yml  | 2 +-

 products/rhel8/profiles/stig.profile                            | 2 ++

 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml

index 33d5625fee..663a270626 100644

--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml

+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml

@@ -21,7 +21,7 @@ identifiers:

 references:

     disa: CCI-000366

     srg: SRG-OS-000480-GPOS-00227

-    stigid@rhel8: RHEL-08-010471

+    stigid@rhel8: RHEL-08-010472

 ocil_clause: 'the package is not installed'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index f913545106..e6ef5ee42c 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -299,6 +299,8 @@ selections:

     # RHEL-08-010471

     - service_rngd_enabled

+

+    # RHEL-08-010472

     - package_rng-tools_installed

     # RHEL-08-010480

From 2d1756e3fe017645922b1622dac139a249c48a12 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:14:53 -0500

Subject: [PATCH 08/20] Split RHEL-08-010200

idle timeout and keepalive are now split

---

 .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

index 95c840fc5f..5a44255013 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -53,7 +53,7 @@ references:

     srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175

     stigid@ol7: OL07-00-040320

     stigid@rhel7: RHEL-07-040320

-    stigid@rhel8: RHEL-08-010200

+    stigid@rhel8: RHEL-08-010201

     stigid@sle12: SLES-12-030190

     stigid@sle15: SLES-15-010280

     stigid@ubuntu2004: UBTU-20-010037

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index e6ef5ee42c..036fd00808 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -156,9 +156,11 @@ selections:

     - dir_perms_world_writable_sticky_bits

     # RHEL-08-010200

-    - sshd_set_idle_timeout

     - sshd_set_keepalive_0

+    # RHEL-08-010201

+    - sshd_set_idle_timeout

+

     # RHEL-08-010210

     - file_permissions_var_log_messages

From 0823a6f84d32338223502dfc93b09df5225debf6 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:23:31 -0500

Subject: [PATCH 09/20] Split RHEL-08-010141

GRUB2 UEFI username and password split

---

 .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                            | 2 ++

 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml

index a5f9349882..8a98cbdc95 100644

--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml

+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml

@@ -56,7 +56,7 @@ references:

     srg: SRG-OS-000080-GPOS-00048

     stigid@ol7: OL07-00-010490

     stigid@rhel7: RHEL-07-010490

-    stigid@rhel8: RHEL-08-010140

+    stigid@rhel8: RHEL-08-010141

 ocil_clause: 'it does not'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 036fd00808..83500c35b3 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -121,6 +121,8 @@ selections:

     # RHEL-08-010140

     - grub2_uefi_password

+

+    # RHEL-08-010141

     - grub2_uefi_admin_username

     # RHEL-08-010150

From a4dd46d84d9ab8a9fd4984cbc1b9432e2920d3f5 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:24:18 -0500

Subject: [PATCH 10/20] Split RHEL-08-010150

GRUB admin username and password split

---

 .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml   | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml

index f5cf144e0b..bb2f1bae21 100644

--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml

+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml

@@ -49,7 +49,7 @@ references:

     srg: SRG-OS-000080-GPOS-00048

     stigid@ol7: OL07-00-010480

     stigid@rhel7: RHEL-07-010480

-    stigid@rhel8: RHEL-08-010150

+    stigid@rhel8: RHEL-08-010149

 ocil_clause: 'it does not'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 83500c35b3..10d6fd6ebd 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -125,9 +125,11 @@ selections:

     # RHEL-08-010141

     - grub2_uefi_admin_username

+    # RHEL-08-010149

+    - grub2_admin_username

+

     # RHEL-08-010150

     - grub2_password

-    - grub2_admin_username

     # RHEL-08-010151

     - require_singleuser_auth

From e1950738e3d5a35027d322589e736e8bfdba98b3 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 28 Jul 2021 12:44:27 -0500

Subject: [PATCH 11/20] Split RHEL-08-040135

Package fapolicyd and service fapolicyd have been split.

---

 .../guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml | 2 +-

 products/rhel8/profiles/stig.profile                            | 2 ++

 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

index 6c2663de9f..4a1cd16608 100644

--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

@@ -24,7 +24,7 @@ references:

     nist: CM-6(a),SI-4(22)

     ospp: FMT_SMF_EXT.1

     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154

-    stigid@rhel8: RHEL-08-040135

+    stigid@rhel8: RHEL-08-040136

 ocil_clause: 'the service is not enabled'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 10d6fd6ebd..8272b25057 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -1041,6 +1041,8 @@ selections:

     # RHEL-08-040135

     - package_fapolicyd_installed

+

+    # RHEL-08-040136

     - service_fapolicyd_enabled

     # RHEL-08-040139

From e259cdaeb85f7f1f371fa11c08a615d1828fe30e Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:42:38 -0500

Subject: [PATCH 12/20] Split RHEL-08-020330

Also added a placeholder for RHEL-08-020332

---

 .../password_storage/no_empty_passwords/rule.yml            | 2 +-

 products/rhel8/profiles/stig.profile                        | 6 +++++-

 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml

index 19e5e95d60..75f988ffb2 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml

@@ -53,7 +53,7 @@ references:

     srg: SRG-OS-000480-GPOS-00227

     stigid@ol7: OL07-00-010290

     stigid@rhel7: RHEL-07-010290

-    stigid@rhel8:  RHEL-08-020330

+    stigid@rhel8:  RHEL-08-020331

     stigid@sle12: SLES-12-010231

     stigid@sle15: SLES-15-020300

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 8272b25057..793fdd1e87 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -591,9 +591,13 @@ selections:

     # - accounts_authorized_local_users

     # RHEL-08-020330

-    - no_empty_passwords

     - sshd_disable_empty_passwords

+    # RHEL-08-020331

+    - no_empty_passwords

+

+    # RHEL-08-020332

+

     # RHEL-08-020340

     - display_login_attempts

From 5c2b73b5a4462225e876b29ead9f92da3c5f4331 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:45:28 -0500

Subject: [PATCH 13/20] Split RHEL-08-010050

---

 .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml      | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml

index c84cff33f3..b6ba3edc47 100644

--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml

@@ -54,7 +54,7 @@ references:

     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088

     stigid@ol7: OL07-00-010030

     stigid@rhel7: RHEL-07-010030

-    stigid@rhel8: RHEL-08-010050

+    stigid@rhel8: RHEL-08-010049

     stigid@sle12: SLES-12-010040

     stigid@sle15: SLES-15-010080

     stigid@ubuntu2004: UBTU-20-010002

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 793fdd1e87..976c3f1892 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -95,8 +95,10 @@ selections:

     # RHEL-08-010040

     - sshd_enable_warning_banner

-    # RHEL-08-010050

+    # RHEL-08-010049

     - dconf_gnome_banner_enabled

+

+    # RHEL-08-010050

     - dconf_gnome_login_banner_text

     # RHEL-08-010060

From d7c7cefd39de31bb484faad49766bbca22469aea Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:47:50 -0500

Subject: [PATCH 14/20] Split RHEL-08-010130

---

 .../accounts_password_pam_unix_rounds_system_auth/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml

index d44119622a..0b694b0e0b 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml

@@ -32,7 +32,7 @@ references:

   anssi: BP28(R32)

   disa: CCI-000196

   srg: SRG-OS-000073-GPOS-00041

-  stigid@rhel8: RHEL-08-010130

+  stigid@rhel8: RHEL-08-010131

 ocil_clause: 'it does not set the appropriate number of hashing rounds'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 976c3f1892..5230dcd9c5 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -118,9 +118,11 @@ selections:

     - accounts_password_all_shadowed_sha512

     # RHEL-08-010130

-    - accounts_password_pam_unix_rounds_system_auth

     - accounts_password_pam_unix_rounds_password_auth

+    # RHEL-08-010131

+    - accounts_password_pam_unix_rounds_system_auth

+

     # RHEL-08-010140

     - grub2_uefi_password

From f78b565e1f15cff194aef78af2184088fc41782a Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:50:42 -0500

Subject: [PATCH 15/20] Split RHEL-08-010151

---

 .../accounts-physical/require_emergency_target_auth/rule.yml  | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +---

 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml

index 930d3a09fd..e2f61432ba 100644

--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml

@@ -42,7 +42,7 @@ references:

     srg: SRG-OS-000080-GPOS-00048

     stigid@ol7: OL07-00-010481

     stigid@rhel7: RHEL-07-010481

-    stigid@rhel8: RHEL-08-010151

+    stigid@rhel8: RHEL-08-010152

 ocil_clause: 'the output is different'

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 5230dcd9c5..040228b832 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -137,11 +137,9 @@ selections:

     # RHEL-08-010151

     - require_singleuser_auth

-    - require_emergency_target_auth

     # RHEL-08-010152

-    # To be released in V1R3

-    # - require_emergency_target_auth

+    - require_emergency_target_auth

     # RHEL-08-010160

     - set_password_hashing_algorithm_systemauth

From a7766cf4ccfd00eaad910fb98b02694868000410 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 08:57:18 -0500

Subject: [PATCH 16/20] Split RHEL-08-040210

---

 .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml    | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml

index e8555a4895..bee6c117f3 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml

@@ -43,7 +43,7 @@ references:

     srg: SRG-OS-000480-GPOS-00227

     stigid@ol7: OL07-00-040640

     stigid@rhel7: RHEL-07-040640

-    stigid@rhel8: RHEL-08-040210

+    stigid@rhel8: RHEL-08-040209

     stigid@sle12: SLES-12-030400

     stigid@sle15: SLES-15-040340

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 040228b832..394a460c51 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -1092,8 +1092,10 @@ selections:

     # RHEL-08-040200

     - accounts_no_uid_except_zero

-    # RHEL-08-040210

+    # RHEL-08-040209

     - sysctl_net_ipv4_conf_default_accept_redirects

+

+    # RHEL-08-040210

     - sysctl_net_ipv6_conf_default_accept_redirects

     # RHEL-08-040220

From ac28c4231415be5e58bcea6f9fdd8652c6d39c45 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 09:08:27 -0500

Subject: [PATCH 17/20] Split RHEL-08-040240

---

 .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml     | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml

index b56f2891f5..f92772eb57 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml

@@ -45,7 +45,7 @@ references:

     srg: SRG-OS-000480-GPOS-00227

     stigid@ol7: OL07-00-040610

     stigid@rhel7: RHEL-07-040610

-    stigid@rhel8: RHEL-08-040240

+    stigid@rhel8: RHEL-08-040239

     stigid@sle12: SLES-12-030360

     stigid@sle15: SLES-15-040300

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 394a460c51..9cccd25963 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -1104,8 +1104,10 @@ selections:

     # RHEL-08-040230

     - sysctl_net_ipv4_icmp_echo_ignore_broadcasts

-    # RHEL-08-040240

+    # RHEL-08-040239

     - sysctl_net_ipv4_conf_all_accept_source_route

+

+    # RHEL-08-040240

     - sysctl_net_ipv6_conf_all_accept_source_route

     # RHEL-08-040250

From 717ed63c6ad9b69b75aee69bbf1198515011499f Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Wed, 4 Aug 2021 09:11:08 -0500

Subject: [PATCH 18/20] Split RHEL-08-040250

---

 .../sysctl_net_ipv4_conf_default_accept_source_route/rule.yml | 2 +-

 products/rhel8/profiles/stig.profile                          | 4 +++-

 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml

index 4df2465995..b1e7f247e2 100644