From 7899e18d486b6181f3213c3c1351f24cdce84bf8 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 10:34:47 -0500
Subject: [PATCH 01/20] Split RHEL-08-040100 into two rules

One for the firewalld package and one for the firewalld service.
---
 .../firewalld_activation/service_firewalld_enabled/rule.yml   | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index cff9581e76..42849bdd5a 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -40,7 +40,7 @@ references:
     srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
     stigid@ol7: OL07-00-040520
     stigid@rhel7: RHEL-07-040520
-    stigid@rhel8: RHEL-08-040100
+    stigid@rhel8: RHEL-08-040101
     stigid@sle15: SLES-15-010220
 
 ocil: |-
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 965068a691..9d0145a96f 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -968,9 +968,11 @@ selections:
     # RHEL-08-040090
 
     # RHEL-08-040100
-    - service_firewalld_enabled
     - package_firewalld_installed
 
+    # RHEL-08-040101
+    - service_firewalld_enabled
+
     # RHEL-08-040110
     - wireless_disable_interfaces
 

From 7396acddc284acc54d66640e7e0bc5251334bc0b Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 11:44:59 -0500
Subject: [PATCH 02/20] Split the rule for RHEL-08-020040

Split package_tmux_installed and configure_tmux_lock_command
---
 .../console_screen_locking/package_tmux_installed/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index 550eaea8bb..120d1c49e0 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -40,7 +40,7 @@ references:
     nist-csf: PR.AC-7
     ospp: FMT_MOF_EXT.1
     srg: SRG-OS-000030-GPOS-00011,SRG-OS-000028-GPOS-00009
-    stigid@rhel8: RHEL-08-020040
+    stigid@rhel8: RHEL-08-020039
     vmmsrg: SRG-OS-000030-VMM-000110
 
 ocil_clause: 'the package is not installed'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9d0145a96f..9f57b28f4f 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -481,8 +481,10 @@ selections:
     # RHEL-08-020030
     - dconf_gnome_screensaver_lock_enabled
 
-    # RHEL-08-020040
+    # RHEL-08-020039
     - package_tmux_installed
+
+    # RHEL-08-020040
     - configure_tmux_lock_command
 
     # RHEL-08-020041

From 6e3a93e173fbd12640e585d579f1e1d0afd3f419 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 11:49:59 -0500
Subject: [PATCH 03/20] Split RHEL-08-040100

One for the openssh-server package and one for the openssh-server service.
---
 .../services/ssh/package_openssh-server_installed/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 0b2a660c29..b551f08f38 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -30,7 +30,7 @@ references:
     srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190
     stigid@ol7: OL07-00-040300
     stigid@rhel7: RHEL-07-040300
-    stigid@rhel8: RHEL-08-040160
+    stigid@rhel8: RHEL-08-040159
     stigid@ubuntu2004: UBTU-20-010042
 
 ocil_clause: 'the package is not installed'
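Review bot: The commit subject names RHEL-08-040100, but this hunk moves `package_openssh-server_installed` from RHEL-08-040160 to RHEL-08-040159, and the stig.profile hunk of the same commit splits the `# RHEL-08-040160` entry. PATCH 01 already carries the 040100 subject for the firewalld split, so anyone tracing a STIG ID through the log will land on the wrong commit; the subject should read `Split RHEL-08-040160`. The mapping in the hunk itself agrees with the profile change.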
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9f57b28f4f..66f70cdfd5 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1037,8 +1037,10 @@ selections:
 
     # RHEL-08-040150
 
-    # RHEL-08-040160
+    # RHEL-08-040159
     - package_openssh-server_installed
+
+    # RHEL-08-040160
     - service_sshd_enabled
 
     # RHEL-08-040161

From 097682c4e225b7bdefd7b38c89cadf984540da04 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 11:56:17 -0500
Subject: [PATCH 04/20] Split RHEL-08-040140

Package usbguard and service usbguard are split out into their own
STIG IDs now.
---
 .../services/usbguard/package_usbguard_installed/rule.yml | 2 +-
 .../services/usbguard/service_usbguard_enabled/rule.yml   | 2 +-
 products/rhel8/profiles/stig.profile                      | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index 333718182e..19ef8aaca6 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -48,7 +48,7 @@ references:
     disa: CCI-001958
     ism: "1418"
     srg: SRG-OS-000378-GPOS-00163
-    stigid@rhel8: RHEL-08-040140
+    stigid@rhel8: RHEL-08-040139
 
 ocil_clause: 'the package is not installed'
 
diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
index 86adda9ecc..4f008129ea 100644
--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
@@ -27,7 +27,7 @@ references:
     nist: CM-8(3)(a),IA-3
     ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000378-GPOS-00163
-    stigid@rhel8: RHEL-08-040140
+    stigid@rhel8: RHEL-08-040141
 
 ocil_clause: 'the service is not enabled'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 66f70cdfd5..fd090e4058 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1030,11 +1030,15 @@ selections:
     - package_fapolicyd_installed
     - service_fapolicyd_enabled
 
-    # RHEL-08-040140
+    # RHEL-08-040139
     - package_usbguard_installed
-    - service_usbguard_enabled
+
+    # RHEL-08-040140
     - usbguard_generate_policy
 
+    # RHEL-08-040141
+    - service_usbguard_enabled
+
     # RHEL-08-040150
 
     # RHEL-08-040159

From 1b28e2bed919e7f16519b051d39f7df640498d4f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:01:13 -0500
Subject: [PATCH 05/20] Split RHEL-08-030180

One for the auditd package and one for the auditd service.
---
 linux_os/guide/system/auditing/service_auditd_enabled/rule.yml | 2 +-
 products/rhel8/profiles/stig.profile                           | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
index e10e8c7782..c7ce75e87c 100644
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
@@ -55,7 +55,7 @@ references:
     stigid@sle12: SLES-12-020010
     stigid@sle15: SLES-15-030050
     nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
-    stigid@rhel8: RHEL-08-010560
+    stigid@rhel8: RHEL-08-030381
 
 ocil: |-
     {{{ ocil_service_enabled(service="auditd") }}}
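Review bot: The new value `RHEL-08-030381` does not match the profile hunk of this same commit, which files `service_auditd_enabled` under `# RHEL-08-030181`; the subject (Split RHEL-08-030180) also points at 030181, so this line most likely should be `stigid@rhel8: RHEL-08-030181`. As written, the rule's reference and the profile comment disagree, and any report keyed on stigid would attribute the auditd service check to a different STIG item. Separately, the old value was RHEL-08-010560 and the stig.profile hunk only adds lines, so if the profile already selected `service_auditd_enabled` under `# RHEL-08-010560` (not visible here), that older entry should be removed or re-annotated.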
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index fd090e4058..682034af4d 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -683,6 +683,9 @@ selections:
     # RHEL-08-030180
     - package_audit_installed
 
+    # RHEL-08-030181
+    - service_auditd_enabled
+
     # RHEL-08-030190
     - audit_rules_privileged_commands_su
 

From 0cf0bb3f6153be26abd4622221d73356be667d1f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:04:34 -0500
Subject: [PATCH 06/20] Split RHEL-08-010521

Disabling Kerb5 and gssapi auth for sshd is now split into two STIG ids.
---
 .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml   | 2 +-
 products/rhel8/profiles/stig.profile                            | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index 946ba7f1d6..2134da2839 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -36,7 +36,7 @@ references:
     srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040430
     stigid@rhel7: RHEL-07-040430
-    stigid@rhel8: RHEL-08-010521
+    stigid@rhel8: RHEL-08-010522
     vmmsrg: SRG-OS-000480-VMM-002000
 
 ocil_clause: 'it is commented out or is not disabled'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 682034af4d..f913545106 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -318,6 +318,8 @@ selections:
 
     # RHEL-08-010521
     - sshd_disable_kerb_auth
+
+    # RHEL-08-010522
     - sshd_disable_gssapi_auth
 
     # RHEL-08-010540

From 994b19da2cb0f88d6eb0533d1ba4cae362351e56 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:10:06 -0500
Subject: [PATCH 07/20] Split RHEL-08-010471

One for the rng-tools package and one for the rngd service.
---
 .../software/system-tools/package_rng-tools_installed/rule.yml  | 2 +-
 products/rhel8/profiles/stig.profile                            | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
index 33d5625fee..663a270626 100644
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 references:
     disa: CCI-000366
     srg: SRG-OS-000480-GPOS-00227
-    stigid@rhel8: RHEL-08-010471
+    stigid@rhel8: RHEL-08-010472
 
 ocil_clause: 'the package is not installed'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index f913545106..e6ef5ee42c 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -299,6 +299,8 @@ selections:
 
     # RHEL-08-010471
     - service_rngd_enabled
+
+    # RHEL-08-010472
     - package_rng-tools_installed
 
     # RHEL-08-010480

From 2d1756e3fe017645922b1622dac139a249c48a12 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:14:53 -0500
Subject: [PATCH 08/20] Split RHEL-08-010200

idle timeout and keepalive are now split
---
 .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 95c840fc5f..5a44255013 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -53,7 +53,7 @@ references:
     srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175
     stigid@ol7: OL07-00-040320
     stigid@rhel7: RHEL-07-040320
-    stigid@rhel8: RHEL-08-010200
+    stigid@rhel8: RHEL-08-010201
     stigid@sle12: SLES-12-030190
     stigid@sle15: SLES-15-010280
     stigid@ubuntu2004: UBTU-20-010037
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index e6ef5ee42c..036fd00808 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -156,9 +156,11 @@ selections:
     - dir_perms_world_writable_sticky_bits
 
     # RHEL-08-010200
-    - sshd_set_idle_timeout
     - sshd_set_keepalive_0
 
+    # RHEL-08-010201
+    - sshd_set_idle_timeout
+
     # RHEL-08-010210
     - file_permissions_var_log_messages
 

From 0823a6f84d32338223502dfc93b09df5225debf6 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:23:31 -0500
Subject: [PATCH 09/20] Split RHEL-08-010141

GRUB2 UEFI username and password split
---
 .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                            | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index a5f9349882..8a98cbdc95 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -56,7 +56,7 @@ references:
     srg: SRG-OS-000080-GPOS-00048
     stigid@ol7: OL07-00-010490
     stigid@rhel7: RHEL-07-010490
-    stigid@rhel8: RHEL-08-010140
+    stigid@rhel8: RHEL-08-010141
 
 ocil_clause: 'it does not'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 036fd00808..83500c35b3 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -121,6 +121,8 @@ selections:
 
     # RHEL-08-010140
     - grub2_uefi_password
+
+    # RHEL-08-010141
     - grub2_uefi_admin_username
 
     # RHEL-08-010150

From a4dd46d84d9ab8a9fd4984cbc1b9432e2920d3f5 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:24:18 -0500
Subject: [PATCH 10/20] Split RHEL-08-010150

GRUB admin username and password split
---
 .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml   | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index f5cf144e0b..bb2f1bae21 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -49,7 +49,7 @@ references:
     srg: SRG-OS-000080-GPOS-00048
     stigid@ol7: OL07-00-010480
     stigid@rhel7: RHEL-07-010480
-    stigid@rhel8: RHEL-08-010150
+    stigid@rhel8: RHEL-08-010149
 
 ocil_clause: 'it does not'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 83500c35b3..10d6fd6ebd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -125,9 +125,11 @@ selections:
     # RHEL-08-010141
     - grub2_uefi_admin_username
 
+    # RHEL-08-010149
+    - grub2_admin_username
+
     # RHEL-08-010150
     - grub2_password
-    - grub2_admin_username
 
     # RHEL-08-010151
     - require_singleuser_auth

From e1950738e3d5a35027d322589e736e8bfdba98b3 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 28 Jul 2021 12:44:27 -0500
Subject: [PATCH 11/20] Split RHEL-08-040135

Package fapolicyd and service fapolicyd have been split.
---
 .../guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml | 2 +-
 products/rhel8/profiles/stig.profile                            | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
index 6c2663de9f..4a1cd16608 100644
--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
@@ -24,7 +24,7 @@ references:
     nist: CM-6(a),SI-4(22)
     ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154
-    stigid@rhel8: RHEL-08-040135
+    stigid@rhel8: RHEL-08-040136
 
 ocil_clause: 'the service is not enabled'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 10d6fd6ebd..8272b25057 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1041,6 +1041,8 @@ selections:
 
     # RHEL-08-040135
     - package_fapolicyd_installed
+
+    # RHEL-08-040136
     - service_fapolicyd_enabled
 
     # RHEL-08-040139

From e259cdaeb85f7f1f371fa11c08a615d1828fe30e Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:42:38 -0500
Subject: [PATCH 12/20] Split RHEL-08-020330

Also added a placeholder for RHEL-08-020332
---
 .../password_storage/no_empty_passwords/rule.yml            | 2 +-
 products/rhel8/profiles/stig.profile                        | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index 19e5e95d60..75f988ffb2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -53,7 +53,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-010290
     stigid@rhel7: RHEL-07-010290
-    stigid@rhel8:  RHEL-08-020330
+    stigid@rhel8:  RHEL-08-020331
     stigid@sle12: SLES-12-010231
     stigid@sle15: SLES-15-020300
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 8272b25057..793fdd1e87 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -591,9 +591,13 @@ selections:
     # - accounts_authorized_local_users
 
     # RHEL-08-020330
-    - no_empty_passwords
     - sshd_disable_empty_passwords
 
+    # RHEL-08-020331
+    - no_empty_passwords
+
+    # RHEL-08-020332
+
     # RHEL-08-020340
     - display_login_attempts
 
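Review bot: The `# RHEL-08-020332` placeholder selects no rule, so the profile carries no check for that STIG item and nothing in the file says whether that is intended. A one-line marker under the ID, such as `# TODO: no rule selected yet for RHEL-08-020332`, would make the gap visible to anyone reviewing coverage. Other bare ID comments appear in this file (for example `# RHEL-08-040150`), so the same marker would apply to them. The `selections:` list continues outside the hunk.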

From 5c2b73b5a4462225e876b29ead9f92da3c5f4331 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:45:28 -0500
Subject: [PATCH 13/20] Split RHEL-08-010050

---
 .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml      | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
index c84cff33f3..b6ba3edc47 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
@@ -54,7 +54,7 @@ references:
     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088
     stigid@ol7: OL07-00-010030
     stigid@rhel7: RHEL-07-010030
-    stigid@rhel8: RHEL-08-010050
+    stigid@rhel8: RHEL-08-010049
     stigid@sle12: SLES-12-010040
     stigid@sle15: SLES-15-010080
     stigid@ubuntu2004: UBTU-20-010002
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 793fdd1e87..976c3f1892 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -95,8 +95,10 @@ selections:
     # RHEL-08-010040
     - sshd_enable_warning_banner
 
-    # RHEL-08-010050
+    # RHEL-08-010049
     - dconf_gnome_banner_enabled
+
+    # RHEL-08-010050
     - dconf_gnome_login_banner_text
 
     # RHEL-08-010060

From d7c7cefd39de31bb484faad49766bbca22469aea Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:47:50 -0500
Subject: [PATCH 14/20] Split RHEL-08-010130

---
 .../accounts_password_pam_unix_rounds_system_auth/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
index d44119622a..0b694b0e0b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml
@@ -32,7 +32,7 @@ references:
   anssi: BP28(R32)
   disa: CCI-000196
   srg: SRG-OS-000073-GPOS-00041
-  stigid@rhel8: RHEL-08-010130
+  stigid@rhel8: RHEL-08-010131
 
 ocil_clause: 'it does not set the appropriate number of hashing rounds'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 976c3f1892..5230dcd9c5 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -118,9 +118,11 @@ selections:
     - accounts_password_all_shadowed_sha512
 
     # RHEL-08-010130
-    - accounts_password_pam_unix_rounds_system_auth
     - accounts_password_pam_unix_rounds_password_auth
 
+    # RHEL-08-010131
+    - accounts_password_pam_unix_rounds_system_auth
+
     # RHEL-08-010140
     - grub2_uefi_password
 

From f78b565e1f15cff194aef78af2184088fc41782a Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:50:42 -0500
Subject: [PATCH 15/20] Split RHEL-08-010151

---
 .../accounts-physical/require_emergency_target_auth/rule.yml  | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 930d3a09fd..e2f61432ba 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -42,7 +42,7 @@ references:
     srg: SRG-OS-000080-GPOS-00048
     stigid@ol7: OL07-00-010481
     stigid@rhel7: RHEL-07-010481
-    stigid@rhel8: RHEL-08-010151
+    stigid@rhel8: RHEL-08-010152
 
 ocil_clause: 'the output is different'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5230dcd9c5..040228b832 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -137,11 +137,9 @@ selections:
 
     # RHEL-08-010151
     - require_singleuser_auth
-    - require_emergency_target_auth
 
     # RHEL-08-010152
-    # To be released in V1R3
-    # - require_emergency_target_auth
+    - require_emergency_target_auth
 
     # RHEL-08-010160
     - set_password_hashing_algorithm_systemauth

From a7766cf4ccfd00eaad910fb98b02694868000410 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 08:57:18 -0500
Subject: [PATCH 16/20] Split RHEL-08-040210

---
 .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml    | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index e8555a4895..bee6c117f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -43,7 +43,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040640
     stigid@rhel7: RHEL-07-040640
-    stigid@rhel8: RHEL-08-040210
+    stigid@rhel8: RHEL-08-040209
     stigid@sle12: SLES-12-030400
     stigid@sle15: SLES-15-040340
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 040228b832..394a460c51 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1092,8 +1092,10 @@ selections:
     # RHEL-08-040200
     - accounts_no_uid_except_zero
 
-    # RHEL-08-040210
+    # RHEL-08-040209
     - sysctl_net_ipv4_conf_default_accept_redirects
+
+    # RHEL-08-040210
     - sysctl_net_ipv6_conf_default_accept_redirects
 
     # RHEL-08-040220

From ac28c4231415be5e58bcea6f9fdd8652c6d39c45 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 09:08:27 -0500
Subject: [PATCH 17/20] Split RHEL-08-040240

---
 .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml     | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index b56f2891f5..f92772eb57 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -45,7 +45,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040610
     stigid@rhel7: RHEL-07-040610
-    stigid@rhel8: RHEL-08-040240
+    stigid@rhel8: RHEL-08-040239
     stigid@sle12: SLES-12-030360
     stigid@sle15: SLES-15-040300
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 394a460c51..9cccd25963 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1104,8 +1104,10 @@ selections:
     # RHEL-08-040230
     - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 
-    # RHEL-08-040240
+    # RHEL-08-040239
     - sysctl_net_ipv4_conf_all_accept_source_route
+
+    # RHEL-08-040240
     - sysctl_net_ipv6_conf_all_accept_source_route
 
     # RHEL-08-040250

From 717ed63c6ad9b69b75aee69bbf1198515011499f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 09:11:08 -0500
Subject: [PATCH 18/20] Split RHEL-08-040250

---
 .../sysctl_net_ipv4_conf_default_accept_source_route/rule.yml | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 4df2465995..b1e7f247e2 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -46,7 +46,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040620
     stigid@rhel7: RHEL-07-040620
-    stigid@rhel8: RHEL-08-040250
+    stigid@rhel8: RHEL-08-040249
     stigid@sle12: SLES-12-030370
     stigid@sle15: SLES-15-040320
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9cccd25963..4d1869c629 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1110,8 +1110,10 @@ selections:
     # RHEL-08-040240
     - sysctl_net_ipv6_conf_all_accept_source_route
 
-    # RHEL-08-040250
+    # RHEL-08-040249
     - sysctl_net_ipv4_conf_default_accept_source_route
+
+    # RHEL-08-040250
     - sysctl_net_ipv6_conf_default_accept_source_route
 
     # RHEL-08-040260

From 9b244bc0828e2eb6ffe389d7ef590e6b967a4c07 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 4 Aug 2021 09:13:19 -0500
Subject: [PATCH 19/20] Split RHEL-08-040280

---
 .../sysctl_net_ipv4_conf_all_accept_redirects/rule.yml        | 2 +-
 products/rhel8/profiles/stig.profile                          | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index d5e7fe4599..726042198e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -44,7 +44,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040641
     stigid@rhel7: RHEL-07-040641
-    stigid@rhel8: RHEL-08-040280
+    stigid@rhel8: RHEL-08-040279
     stigid@sle12: SLES-12-030390 
     stigid@sle15: SLES-15-040330
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4d1869c629..0a1fdd15ca 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1128,8 +1128,10 @@ selections:
     # RHEL-08-040270
     - sysctl_net_ipv4_conf_default_send_redirects
 
-    # RHEL-08-040280
+    # RHEL-08-040279
     - sysctl_net_ipv4_conf_all_accept_redirects
+
+    # RHEL-08-040280
     - sysctl_net_ipv6_conf_all_accept_redirects
 
     # RHEL-08-040281

From 7723ff37c5abd8681b70ad686c5df45d7d0b44ed Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 5 Aug 2021 14:46:46 -0500
Subject: [PATCH 20/20] Update couple of references for RHEL8 STIG

---
 .../enable_nx/bios_enable_execution_restrictions/rule.yml       | 2 +-
 .../software/disk_partitioning/partition_for_var_tmp/rule.yml   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
index 99f2c739c9..2176a0bb9b 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
@@ -32,6 +32,6 @@ references:
     nist: SC-39,CM-6(a)
     nist-csf: PR.IP-1
     srg: SRG-OS-000433-GPOS-00192
-    stig@rhel8: RHEL-08-010420
+    stigid@rhel8: RHEL-08-010420
 
 platform: machine
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 726975e808..d57c0f0ce9 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -30,6 +30,7 @@ references:
     cis@ubuntu1804: 1.1.6
     cis@ubuntu2004: 1.1.11
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel8: RHEL-08-010544
 
 {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}
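Review bot: No stig.profile change accompanies the new `stigid@rhel8: RHEL-08-010544` reference, so from this commit alone it cannot be confirmed that the RHEL 8 STIG profile selects `partition_for_var_tmp` under that ID. If it does not, the rule carries a STIG reference that the profile never evaluates; it is worth checking that the profile lists `- partition_for_var_tmp` under a `# RHEL-08-010544` comment. The first hunk of this commit corrects a `stig@rhel8` key that had apparently gone unnoticed, which suggests keys under `references:` are not validated; a check for unknown keys there would catch that class of typo.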