From dc92e454b7c3e11b3545b86f1c78b26aeb3f82aa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 28 Jan 2021 17:45:20 +0100
Subject: [PATCH 01/21] Add initial RHEL8 STIG V1R1 profile.
---
.../auditing/service_auditd_enabled/rule.yml | 1 +
.../base/package_abrt_removed/rule.yml | 1 +
.../base/service_kdump_disabled/rule.yml | 1 +
.../package_fapolicyd_installed/rule.yml | 1 +
.../service_fapolicyd_enabled/rule.yml | 1 +
.../package_vsftpd_removed/rule.yml | 1 +
.../kerberos_disable_no_keytab/rule.yml | 1 +
.../mail/package_sendmail_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../services/ntp/chronyd_client_only/rule.yml | 1 +
.../ntp/chronyd_no_chronyc_network/rule.yml | 1 +
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 +
.../r_services/no_host_based_files/rule.yml | 1 +
.../no_user_host_based_files/rule.yml | 1 +
.../package_rsh-server_removed/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../tftp/package_tftp-server_removed/rule.yml | 1 +
.../tftp/tftpd_uses_secure_mode/rule.yml | 1 +
.../rng/service_rngd_enabled/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_sshd_pub_key/rule.yml | 1 +
.../package_openssh-server_installed/rule.yml | 1 +
.../ssh/service_sshd_enabled/rule.yml | 1 +
.../sshd_allow_only_protocol2/rule.yml | 1 +
.../sshd_disable_compression/rule.yml | 1 +
.../sshd_disable_gssapi_auth/rule.yml | 1 +
.../sshd_disable_kerb_auth/rule.yml | 1 +
.../sshd_disable_root_login/rule.yml | 1 +
.../sshd_disable_user_known_hosts/rule.yml | 1 +
.../sshd_disable_x11_forwarding/rule.yml | 1 +
.../sshd_do_not_permit_user_env/rule.yml | 1 +
.../sshd_enable_strictmodes/rule.yml | 1 +
.../sshd_enable_warning_banner/rule.yml | 1 +
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 +
.../ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
.../ssh_server/sshd_set_keepalive/rule.yml | 1 +
.../sshd_x11_use_localhost/rule.yml | 3 +-
.../sssd/sssd_enable_smartcards/rule.yml | 1 +
.../sssd_offline_cred_expiration/rule.yml | 1 +
.../configure_usbguard_auditbackend/rule.yml | 1 +
.../package_usbguard_installed/rule.yml | 1 +
.../service_usbguard_enabled/rule.yml | 1 +
.../rule.yml | 1 +
.../banner_etc_issue/rule.yml | 1 +
.../dconf_gnome_banner_enabled/rule.yml | 1 +
.../dconf_gnome_login_banner_text/rule.yml | 1 +
.../display_login_attempts/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 2 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_password_pam_dcredit/rule.yml | 1 +
.../accounts_password_pam_difok/rule.yml | 1 +
.../accounts_password_pam_lcredit/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_password_pam_maxrepeat/rule.yml | 1 +
.../accounts_password_pam_minclass/rule.yml | 1 +
.../accounts_password_pam_minlen/rule.yml | 1 +
.../accounts_password_pam_ocredit/rule.yml | 1 +
.../accounts_password_pam_retry/rule.yml | 1 +
.../accounts_password_pam_ucredit/rule.yml | 1 +
.../rule.yml | 1 +
.../disable_ctrlaltdel_burstaction/rule.yml | 1 +
.../disable_ctrlaltdel_reboot/rule.yml | 1 +
.../require_emergency_target_auth/rule.yml | 1 +
.../require_singleuser_auth/rule.yml | 1 +
.../configure_bashrc_exec_tmux/rule.yml | 1 +
.../configure_tmux_lock_after_time/rule.yml | 1 +
.../configure_tmux_lock_command/rule.yml | 1 +
.../no_tmux_in_shells/rule.yml | 1 +
.../package_tmux_installed/rule.yml | 1 +
.../install_smartcard_packages/rule.yml | 3 +-
.../package_opensc_installed/rule.yml | 1 +
.../service_debug-shell_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../account_temp_expire_date/rule.yml | 1 +
.../accounts_maximum_age_login_defs/rule.yml | 1 +
.../accounts_minimum_age_login_defs/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../no_empty_passwords/rule.yml | 1 +
.../accounts_no_uid_except_zero/rule.yml | 1 +
.../accounts_have_homedir_login_defs/rule.yml | 1 +
.../accounts_logon_fail_delay/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_user_home_paths_only/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_permission_user_init_files/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_umask_etc_bashrc/rule.yml | 1 +
.../accounts_umask_etc_login_defs/rule.yml | 1 +
.../accounts_umask_interactive_users/rule.yml | 1 +
.../audit_rules_login_events_lastlog/rule.yml | 1 +
.../audit_rules_immutable/rule.yml | 1 +
.../audit_rules_sysadmin_actions/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../file_ownership_var_log_audit/rule.yml | 1 +
.../file_permissions_var_log_audit/rule.yml | 1 +
.../auditd_data_disk_error_action/rule.yml | 1 +
.../auditd_data_disk_full_action/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_data_retention_space_left/rule.yml | 1 +
.../rule.yml | 2 +
.../auditd_local_events/rule.yml | 1 +
.../auditd_log_format/rule.yml | 1 +
.../auditd_name_format/rule.yml | 1 +
.../auditing/grub2_audit_argument/rule.yml | 1 +
.../rule.yml | 1 +
.../auditing/package_audit_installed/rule.yml | 1 +
.../audit_immutable_login_uids/rule.yml | 1 +
.../auditing/service_auditd_enabled/rule.yml | 1 +
.../grub2_pti_argument/rule.yml | 1 +
.../grub2_vsyscall_argument/rule.yml | 1 +
.../non-uefi/grub2_admin_username/rule.yml | 1 +
.../non-uefi/grub2_password/rule.yml | 1 +
.../uefi/grub2_uefi_admin_username/rule.yml | 1 +
.../uefi/grub2_uefi_password/rule.yml | 1 +
.../rsyslog_cron_logging/rule.yml | 1 +
.../package_rsyslog-gnutls_installed/rule.yml | 1 +
.../package_rsyslog_installed/rule.yml | 1 +
.../rsyslog_remote_loghost/rule.yml | 1 +
.../logging/service_rsyslog_enabled/rule.yml | 1 +
.../package_firewalld_installed/rule.yml | 1 +
.../service_firewalld_enabled/rule.yml | 1 +
.../configure_firewalld_ports/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 +
.../kernel_module_atm_disabled/rule.yml | 1 +
.../kernel_module_can_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../kernel_module_sctp_disabled/rule.yml | 1 +
.../kernel_module_tipc_disabled/rule.yml | 1 +
.../kernel_module_bluetooth_disabled/rule.yml | 1 +
.../wireless_disable_interfaces/rule.yml | 1 +
.../rule.yml | 1 +
.../network/network_sniffer_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_ungroupowned/rule.yml | 1 +
.../files/no_files_unowned_by_user/rule.yml | 1 +
.../file_ownership_binary_dirs/rule.yml | 1 +
.../file_ownership_library_dirs/rule.yml | 1 +
.../file_permissions_binary_dirs/rule.yml | 1 +
.../file_permissions_library_dirs/rule.yml | 1 +
.../sysctl_fs_protected_hardlinks/rule.yml | 1 +
.../sysctl_fs_protected_symlinks/rule.yml | 1 +
.../kernel_module_cramfs_disabled/rule.yml | 1 +
.../rule.yml | 1 +
.../mounting/service_autofs_disabled/rule.yml | 1 +
.../mount_option_boot_nosuid/rule.yml | 1 +
.../mount_option_dev_shm_nodev/rule.yml | 1 +
.../mount_option_dev_shm_noexec/rule.yml | 1 +
.../mount_option_dev_shm_nosuid/rule.yml | 1 +
.../mount_option_home_nosuid/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../mount_option_tmp_nodev/rule.yml | 1 +
.../mount_option_tmp_noexec/rule.yml | 1 +
.../mount_option_tmp_nosuid/rule.yml | 1 +
.../mount_option_var_log_audit_nodev/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../mount_option_var_log_nodev/rule.yml | 1 +
.../mount_option_var_log_noexec/rule.yml | 1 +
.../mount_option_var_log_nosuid/rule.yml | 1 +
.../mount_option_var_tmp_nodev/rule.yml | 1 +
.../mount_option_var_tmp_noexec/rule.yml | 1 +
.../mount_option_var_tmp_nosuid/rule.yml | 1 +
.../coredump_disable_backtraces/rule.yml | 1 +
.../coredump_disable_storage/rule.yml | 1 +
.../disable_users_coredumps/rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_kernel_kptr_restrict/rule.yml | 1 +
.../sysctl_kernel_randomize_va_space/rule.yml | 1 +
.../grub2_page_poison_argument/rule.yml | 1 +
.../grub2_slub_debug_argument/rule.yml | 1 +
.../sysctl_kernel_core_pattern/rule.yml | 1 +
.../sysctl_kernel_dmesg_restrict/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
.../sysctl_user_max_user_namespaces/rule.yml | 1 +
.../rule.yml | 1 +
.../selinux/selinux_policytype/rule.yml | 1 +
.../system/selinux/selinux_state/rule.yml | 1 +
.../encrypt_partitions/rule.yml | 1 +
.../partition_for_home/rule.yml | 1 +
.../partition_for_tmp/rule.yml | 1 +
.../partition_for_var/rule.yml | 1 +
.../partition_for_var_log/rule.yml | 2 +
.../partition_for_var_log_audit/rule.yml | 3 +
.../partition_for_var_tmp/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../installed_OS_is_vendor_supported/rule.yml | 1 +
.../crypto/ssh_client_rekey_limit/rule.yml | 1 +
.../integrity/fips/enable_fips_mode/rule.yml | 1 +
.../fips/grub2_enable_fips_mode/rule.yml | 1 +
.../fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
.../aide/aide_scan_notification/rule.yml | 1 +
.../aide/aide_verify_acls/rule.yml | 1 +
.../aide/aide_verify_ext_attributes/rule.yml | 1 +
.../aide/package_aide_installed/rule.yml | 1 +
.../accounts_authorized_local_users/rule.yml | 3 +
.../sudo/sudo_remove_no_authenticate/rule.yml | 1 +
.../sudo/sudo_remove_nopasswd/rule.yml | 1 +
.../package_abrt-addon-ccpp_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_abrt-cli_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../package_gssproxy_removed/rule.yml | 3 +-
.../package_iprutils_removed/rule.yml | 1 +
.../package_krb5-workstation_removed/rule.yml | 1 +
.../package_tuned_removed/rule.yml | 1 +
.../clean_components_post_updating/rule.yml | 1 +
.../rule.yml | 1 +
.../ensure_gpgcheck_local_packages/rule.yml | 1 +
.../security_patches_up_to_date/rule.yml | 1 +
rhel8/profiles/stig.profile | 310 ++++++++++++++++--
259 files changed, 543 insertions(+), 38 deletions(-)
diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml
index bbb5132b5f..0c34cae438 100644
--- a/apple_os/auditing/service_auditd_enabled/rule.yml
+++ b/apple_os/auditing/service_auditd_enabled/rule.yml
@@ -35,6 +35,7 @@ references:
nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146
stigid: AOSX-14-001013
+ stigid@rhel8: RHEL-08-010560
ocil_clause: 'auditing is not enabled or running'
diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
index 3cee145e25..03f8a5b6a0 100644
--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt") }}}
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
index ff9d439b4f..8676710018 100644
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
@@ -39,6 +39,7 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9
ospp: FMT_SMF_EXT.1.1
+ stigid@rhel8: RHEL-08-010670
ocil: '{{{ ocil_service_disabled(service="kdump") }}}'
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
index 5869cac7ab..a35cb48f83 100644
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
nist: CM-6(a),SI-4(22)
srg: SRG-OS-000370-GPOS-00155
+ stigid@rhel8: RHEL-08-040135
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
index 11f2e9cf7a..44b97a8d6f 100644
--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
@@ -22,6 +22,7 @@ references:
nist: CM-6(a),SI-4(22)
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000370-GPOS-00155
+ stigid@rhel8: RHEL-08-040135
ocil_clause: 'the service is not enabled'
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 737d9b9cb6..dc7d79af44 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -28,6 +28,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
+ stigid@rhel8: RHEL-08-040360
{{{ complete_ocil_entry_package(package="vsftpd") }}}
diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
index c552fa7889..d29370c9e9 100644
--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
@@ -20,6 +20,7 @@ references:
ospp: FTP_ITC_EXT.1
srg: SRG-OS-000120-GPOS-00061
ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-010161
ocil_clause: 'it is present on the system'
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 1b62fb49fb..ed29daa2f6 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -30,6 +30,7 @@ references:
cis-csc: 11,14,3,9
anssi: BP28(R1)
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040002
{{{ complete_ocil_entry_package(package="sendmail") }}}
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 1c4bfb60bf..96601ebb87 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -31,6 +31,7 @@ references:
disa@sle12: CCI-000139
nist@sle12: AU-5(a),AU-5.1(ii)
anssi: BP28(R49)
+ stigid@rhel8: RHEL-08-030030
ocil_clause: 'it is not'
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index c2357fe9ee..4bfcc16c7f 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -24,6 +24,7 @@ references:
disa: CCI-000366
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040680
+ stigid@rhel8: RHEL-08-040290
ocil_clause: 'it is not'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index b3be78ef91..3349a7963a 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -23,6 +23,7 @@ references:
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
cis-csc: 11,13,14,3,8,9
+ stigid@rhel8: RHEL-08-010640
ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
index d9c17fb416..ee6b9aa54a 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
@@ -31,6 +31,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@sle12: SLES-12-010820
+ stigid@rhel8: RHEL-08-010630
ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
index c14b0aeefb..6b71f94c2b 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
@@ -29,6 +29,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@sle12: SLES-12-010810
+ stigid@rhel8: RHEL-08-010650
ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
index 76e13f8eb1..071934387c 100644
--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000096-GPOS-00050
+ stigid@rhel8: RHEL-08-030741
ocil_clause: 'it does not exist or port is set to non-zero value'
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
index 1312c1cfb5..cbc9cc670c 100644
--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000096-GPOS-00050
+ stigid@rhel8: RHEL-08-030742
ocil_clause: 'it does not exist or port is set to non-zero value'
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 4e4be3002f..9a802b5d5d 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -42,6 +42,7 @@ references:
cis-csc: 1,14,15,16,3,5,6
stigid@sle12: SLES-12-030300
nist@sle12: AU-8(1)(a),AU-8(1)(b)
+ stigid@rhel8: RHEL-08-030740
ocil_clause: 'it does not exist or maxpoll has not been set to the expected value'
diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
index 9891cedab0..01eb9e5f99 100644
--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
@@ -29,6 +29,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040550
stigid@sle12: SLES-12-010410
+ stigid@rhel8: RHEL-08-010460
ocil_clause: 'these files exist'
diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
index a7f4996f3b..48bff043a6 100644
--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
@@ -30,6 +30,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040540
stigid@sle12: SLES-12-010400
+ stigid@rhel8: RHEL-08-010470
ocil_clause: 'these files exist'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index e5deb01ddb..23d30cb5af 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -34,6 +34,7 @@ references:
isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040010
{{{ complete_ocil_entry_package(package="rsh-server") }}}
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 619b3f0b7d..f42bcba15e 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -44,6 +44,7 @@ references:
isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040000
{{{ complete_ocil_entry_package(package="telnet-server") }}}
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 57f3c0f8bc..2d0258db1e 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -33,6 +33,7 @@ references:
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040190
{{{ complete_ocil_entry_package(package="tftp-server") }}}
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
index b2d87944f1..24cefbb6f9 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,13,14,15,16,18,3,5,8,9
+ stigid@rhel8: RHEL-08-040350
ocil_clause: 'this flag is missing'
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
index 1cc21d0d00..feebdff4eb 100644
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FCS_RBG_EXT.1
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010471
ocil_clause: 'the service is not enabled'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index d460411667..5397a3fdce 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -35,6 +35,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@rhel8: 5.2.3
+ stigid@rhel8: RHEL-08-010490
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index b9e07d71af..d49e375df4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -30,6 +30,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@rhel8: 5.2.4
+ stigid@rhel8: RHEL-08-010480
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 84882d52b3..4fda79df25 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -31,6 +31,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 13,14
ospp: FIA_UAU.5,FTP_ITC_EXT.1
+ stigid@rhel8: RHEL-08-040160
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
index f0e258bf04..81d63480c3 100644
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 13,14
+ stigid@rhel8: RHEL-08-040160
ocil: '{{{ ocil_service_enabled(service="sshd") }}}'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index 2f5bdfdee3..fc6175e446 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -41,6 +41,7 @@ references:
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5,8
ism: 0487,1449,1506
+ stigid@rhel8: RHEL-08-040060
ocil_clause: 'it is commented out or is not set correctly to Protocol 2'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index f8eec6a074..9e4e2f48b4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -39,6 +39,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010510
ocil_clause: 'it is commented out, or is not set to no or delayed'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index c79d0b5e07..f9ece13f51 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -36,6 +36,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-010521
ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index 1f1380127c..50eb7a28cb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -37,6 +37,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-010521
ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 287954db61..8360f5fa34 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -46,6 +46,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,3,5
anssi: BP28(R19),NT007(R21)
+ stigid@rhel8: RHEL-08-010550
{{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
index 93ff19deff..b55e749139 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010520
{{{ complete_ocil_entry_sshd_option(default="no", option="IgnoreUserKnownHosts", value="yes") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 5d01170aab..14f0270c78 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -37,6 +37,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
disa: CCI-000366
nist: CM-6(b)
+ stigid@rhel8: RHEL-08-040340
template:
name: sshd_lineinfile
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index e5d54261d3..b1d33d3f86 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -39,6 +39,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010830
ocil_clause: 'PermitUserEnvironment is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 601f6a0ca2..9eeb8f8985 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-010500
ocil_clause: 'it is commented out or is not enabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index c93ef6340f..2eb688c1ec 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -43,6 +43,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-010040
{{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index 0ce5da30b2..cb15b1e9e9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -32,6 +32,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-020350
ocil_clause: 'it is commented out or is not enabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index d7941f9c0e..f3f15251b2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
ospp: FCS_SSHS_EXT.1
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040161
ocil_clause: 'it is commented out or is not set'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 7c6cb7a2d0..19151f0273 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -52,6 +52,7 @@ references:
iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
anssi: BP28(R29)
+ stigid@rhel8: RHEL-08-010200
requires:
- sshd_set_keepalive
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index c43fce001a..8987c9b9ed 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+ stigid@rhel8: RHEL-08-010200
requires:
- sshd_set_idle_timeout
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index b0fe065d86..bee39a3904 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,rhel7
+prodtype: fedora,ol7,ol8,rhel7,rhel8
title: 'Prevent remote hosts from connecting to the proxy display'
@@ -29,6 +29,7 @@ references:
stig@ol7: OL07-00-040711
disa: CCI-000366
nist: CM-6(b)
+ stigid@rhel8: RHEL-08-040341
ocil_clause: "the display proxy is listening on wildcard address"
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
index 7a51b3960f..bcf9d58e62 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
@@ -38,6 +38,7 @@ references:
srg: SRG-OS-000375-GPOS-00160
vmmsrg: SRG-OS-000107-VMM-000530
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020250
ocil_clause: 'smart cards are not enabled in SSSD'
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
index b2c450b58e..09ee5187a6 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-020290
ocil_clause: 'it does not exist or is not configured properly'
diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
index 2b87e7964f..b2fc36bbfc 100644
--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
@@ -23,6 +23,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000062-GPOS-00031
+ stigid@rhel8: RHEL-08-030603
ocil_clause: 'AuditBackend is not set to LinuxAudit'
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index f23176d83e..6806e0861d 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
srg: SRG-OS-000378-GPOS-00163
ism: "1418"
+ stigid@rhel8: RHEL-08-040140
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
index 3f357aa8b7..918a29945d 100644
--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
@@ -24,6 +24,7 @@ references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000378-GPOS-00163
ism: "1418"
+ stigid@rhel8: RHEL-08-040140
ocil_clause: 'the service is not enabled'
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
index 2c34030cdb..789b84643a 100644
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
@@ -40,6 +40,7 @@ references:
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2
cis-csc: 12,15,8
cis@sle15: 2.2.2
+ stigid@rhel8: RHEL-08-040320
ocil_clause: 'the X Windows package group or xorg-x11-server-common has not be removed'
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index 637d8ee528..5e00846773 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -71,6 +71,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-010060
ocil_clause: 'it does not display the required banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
index 47c4edad90..c364bdb9e1 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
@@ -49,6 +49,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-010050
ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
index c600620f18..135f15e1be 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-010050
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
index 3ba5b642db..a6eefa9c15 100644
--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
@@ -38,6 +38,7 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0582,0584,05885,0586,0846,0957
+ stigid@rhel8: RHEL-08-020340
ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 1669db1231..78247557de 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -46,6 +46,7 @@ references:
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-020220
ocil_clause: 'the value of remember is not set equal to or greater than the expected setting'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index ccee5dd048..85a0ba18a3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -47,6 +47,7 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020010
ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 882b57654e..4b7ee01946 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -44,6 +44,8 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020010
+ stigid@rhel8: RHEL-08-020022
ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index d1b9c396ae..6bc0f02afc 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -53,6 +53,7 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020012
ocil_clause: 'fail_interval is less than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index 2fff1c6011..ead8f697f4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -50,6 +50,7 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020014
ocil_clause: 'unlock_time is less than the expected value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index 8519b72a6b..11040cfa87 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -46,6 +46,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020130
ocil_clause: 'dcredit is not found or not equal to or less than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
index fb64b61520..d659f480d2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-020170
ocil_clause: 'difok is not found or not equal to or greater than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index 26fc519e3d..086354372f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -45,6 +45,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020120
ocil_clause: 'lcredit is not found or not less than or equal to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index d449c97950..5bac335e2d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-020140
ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
index cb2755b255..42d5584a9d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -40,6 +40,7 @@ references:
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-020150
ocil_clause: 'maxrepeat is not found or not greater than or equal to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index dfd34c893e..3e71d9094b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -53,6 +53,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020160
ocil_clause: 'minclass is not found or not set equal to or greater than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index 0776e196f6..a79a03f374 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -44,6 +44,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020230
ocil_clause: 'minlen is not found, or not equal to or greater than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index b82667936b..dd05085fa3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -46,6 +46,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020280
ocil_clause: 'ocredit is not found or not equal to or less than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index 6b1534adde..90f74b2d3c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,11,12,15,16,3,5,9
+ stigid@rhel8: RHEL-08-020100
ocil_clause: 'it is not the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index c2d8f3a1eb..5a656a42a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -43,6 +43,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020110
ocil_clause: 'ucredit is not found or not set less than or equal to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index 96ffec0eaa..bbfcd7fc28 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -42,6 +42,7 @@ references:
cis-csc: 1,12,15,16,5
anssi: BP28(R32)
ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-010110
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index a9e86f2ddd..7192666fc8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-040172
ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
index 5824f7b2ca..6066c9391b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-040170
ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index f9959f0720..2e902739ae 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -42,6 +42,7 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-010151
ocil_clause: 'the output is different'
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index b3afff50c5..8acaaa862c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -44,6 +44,7 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-010151
ocil_clause: 'the output is different'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 21edfc9f0b..2582145a8c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000031-GPOS-00012
+ stigid@rhel8: RHEL-08-020041
ocil_clause: 'exec tmux is not present at the end of bashrc'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
index 7816ebc8f9..fe99051eb6 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000029-GPOS-00010
+ stigid@rhel8: RHEL-08-020070
ocil_clause: 'lock-after-time is not set or set to zero'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
index bf1ea79df9..88ce99f41b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
disa: CCI-000056,CCI-000058
nist: AC-11(a),AC-11(b),CM-6(a)
+ stigid@rhel8: RHEL-08-020040
vmmsrg: SRG-OS-000028-VMM-000090,SRG-OS-000030-VMM-000110
srg: SRG-OS-000028-GPOS-00009
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml
index 596126aafa..ecd9e8f147 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000324-GPOS-00125
+ stigid@rhel8: RHEL-08-020042
ocil_clause: 'tmux is listed in /etc/shells'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index c900612b1b..d57802a37e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -40,6 +40,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-020040
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index b3210d6adc..29aa49483d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,rhel7
+prodtype: fedora,ol7,rhel7,rhel8
title: 'Install Smart Card Packages For Multifactor Authentication'
@@ -32,6 +32,7 @@ references:
nist: CM-6(a)
srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162
stigid@rhel7: RHEL-07-041001
+ stigid@rhel8: RHEL-08-010390
ocil_clause: 'smartcard software is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
index 2770b637f0..74da38fa22 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
@@ -31,6 +31,7 @@ references:
srg: SRG-OS-000375-GPOS-00160
vmmsrg: SRG-OS-000376-VMM-001520
ism: 1382,1384,1386
+ stigid@rhel8: RHEL-08-010410
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
index 0f22245e6f..1f712eed7e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
@@ -32,6 +32,7 @@ references:
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
ospp: FIA_UAU.1
srg: SRG-OS-000324-GPOS-00125
+ stigid@rhel8: RHEL-08-040180
ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index add8ac0dbd..7e6b5d794e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+ stigid@rhel8: RHEL-08-020260
ocil_clause: 'the value of INACTIVE is greater than the expected value'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index b647776778..ced7a52a67 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -44,6 +44,7 @@ references:
iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
stigid@sle12: SLES-12-010360
+ stigid@rhel8: RHEL-08-020000
ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index d8ccd9e086..15ccf530c6 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -47,6 +47,7 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-020200
ocil_clause: 'PASS_MAX_DAYS is not set equal to or greater than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 0b6f878378..36a611e3d2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -45,6 +45,7 @@ references:
cis-csc: 1,12,15,16,5
cis@rhel8: 5.5.1.2
ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-020190
ocil_clause: 'it is not equal to or greater than the required value'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 909b51faa8..f9884fd9b4 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -42,6 +42,7 @@ references:
cis-csc: 1,12,15,16,5
srg: SRG-OS-000078-GPOS-00046
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-020231
ocil_clause: 'it is not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
index 6d91224cd9..0ef1fcfe8d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -31,6 +31,7 @@ references:
vmmsrg: SRG-OS-000076-VMM-000430
stigid@rhel7: RHEL-07-010260
stigid@sle12: SLES-12-010290
+ stigid@rhel8: RHEL-08-020210
ocil_clause: 'existing passwords are not configured correctly'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
index 44da709702..cc073067fb 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -31,6 +31,7 @@ references:
vmmsrg: SRG-OS-000075-VMM000420
stigid@rhel7: RHEL-07-010240
stigid@sle12: SLES-12-010260
+ stigid@rhel8: RHEL-08-020180
ocil_clause: 'existing passwords are not configured correctly'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index 0e36afc8dc..df6da6b913 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -45,6 +45,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5
+ stigid@rhel8: sshd_disable_empty_passwords
ocil_clause: 'NULL passwords can be used'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index 7fd291caea..6b3c71fa80 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -42,6 +42,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-040200
ocil_clause: 'any account other than root has a UID of 0'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index fdd7c6f603..9e19b908c4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -29,6 +29,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020610
stigid@sle12: SLES-12-010720
+ stigid@rhel8: RHEL-08-010760
ocil_clause: 'the value of CREATE_HOME is not set to yes, is missing, or the line is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 84b38afc2c..e62e3cc62b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -30,6 +30,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-020310
ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 32412aa482..5787380d65 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: DSS01.05,DSS05.02
iso27001-2013: A.13.1.1,A.13.1.3,A.13.2.1,A.14.1.2,A.14.1.3
cis-csc: 14,15,18,9
+ stigid@rhel8: RHEL-08-020024
ocil_clause: 'maxlogins is not equal to or less than the expected value'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 77f3a12148..b73743ebcb 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -28,6 +28,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020730
stigid@sle12: SLES-12-010780
+ stigid@rhel8: RHEL-08-010660
ocil_clause: 'files are executing world-writable programs'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index 0154c1d73b..b70bfc171a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -32,6 +32,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020720
stigid@sle12: SLES-12-010770
+ stigid@rhel8: RHEL-08-010690
ocil_clause: 'paths contain more than local home directories'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index 9ee21744b2..a0e6277ec6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -24,6 +24,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020600
stigid@sle12: SLES-12-010710
+ stigid@rhel8: RHEL-08-010720
ocil_clause: 'users home directory is not defined'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index a262abba7a..1c8fb04df7 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -31,6 +31,7 @@ references:
stigid@rhel7: RHEL-07-020620
cis@rhel8: 6.2.20
stigid@sle12: SLES-12-010730
+ stigid@rhel8: RHEL-08-010750
ocil_clause: 'users home directory does not exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index dfcbbafd17..6c70cc8abf 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -30,6 +30,7 @@ references:
stigid@rhel7: RHEL-07-020650
cis@rhel8: 6.2.8
stigid@sle12: SLES-12-010750
+ stigid@rhel8: RHEL-08-010740
ocil_clause: 'the group ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 4810c941d6..411a46dd00 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -26,6 +26,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020710
stigid@sle12: SLES-12-010760
+ stigid@rhel8: RHEL-08-010770
ocil_clause: 'they are not 0740 or more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 4898bfa6b6..62d603cfbb 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -26,6 +26,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-020630
stigid@sle12: SLES-12-010740
+ stigid@rhel8: RHEL-08-010730
ocil_clause: 'they are more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 8acc92b311..1c8219de70 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -32,6 +32,7 @@ references:
iso27001-2013: A.14.1.1,A.14.2.1,A.14.2.5,A.6.1.5
cis-csc: '18'
srg: SRG-OS-000480-GPOS-00228
+ stigid@rhel8: RHEL-08-020353
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index 0f4eb59188..0c86e6e9f7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -33,6 +33,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.1.1,A.14.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.5,A.6.1.5
cis-csc: 11,18,3,9
anssi: BP28(R35)
+ stigid@rhel8: RHEL-08-020351
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index 6279928044..7629fcb3e4 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@@ -24,6 +24,7 @@ references:
disa: CCI-000366,CCI-001814
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-021040
+ stigid@rhel8: RHEL-08-020352
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 54e820c309..1d8a6f72cb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -50,6 +50,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
+ stigid@rhel8: RHEL-08-030600
ocil_clause: 'there is not output'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
index d264af9e2b..1f563ae0d0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
@@ -42,4 +42,5 @@ references:
cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030121
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index f03069bae6..df14260d6d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -46,6 +46,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@rhel8: RHEL-08-030172
ocil_clause: 'there is not output'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index e4b2b8dcb8..0af217801a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -53,6 +53,7 @@ references:
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@sle12: SLES-12-020210
+ stigid@rhel8: RHEL-08-030170
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 0b5707f596..f4dce5557c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -53,6 +53,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@rhel8: RHEL-08-030160
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 41434f664a..240d4d8e2e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -54,6 +54,7 @@ references:
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
stigid@sle12: SLES-12-020230
+ stigid@rhel8: RHEL-08-030140
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index bae0a29903..069916da1b 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -53,6 +53,7 @@ references:
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@sle12: SLES-12-020200
+ stigid@rhel8: RHEL-08-030150
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index f3d9cf9cd2..5c13ca58f6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -54,6 +54,7 @@ references:
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@sle12: SLES-12-020220
srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ stigid@rhel8: RHEL-08-030130
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 671eb1ff9f..09618d986d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -25,6 +25,7 @@ references:
cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030120
ocil_clause: 'any are more permissive'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
index 2bcfdca4b6..e495992ecb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
@@ -33,6 +33,7 @@ references:
cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030080
ocil: |-
{{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
index 2ec44f4041..eae8a2dfd0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030070
ocil_clause: 'any are more permissive'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index 5cd6c55411..442b693951 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -33,6 +33,7 @@ references:
cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030040
ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index f3b477da69..01a5c5201d 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -40,6 +40,7 @@ references:
srg@sle12: SRG-OS-000047-GPOS-00023
disa@sle12: CCI-000140
nist@sle12: AU-5(b),AU-5.1(iv)
+ stigid@rhel8: RHEL-08-030060
ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
index fd7b3ef1b3..8325306ac6 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -43,6 +43,7 @@ references:
srg@sle12: SRG-OS-000046-GPOS-00022
disa@sle12: CCI-000139
nist@sle12: AU-5(a),AU-5.1(ii)
+ stigid@rhel8: RHEL-08-030020
ocil_clause: 'auditd is not configured to send emails per identified actions'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
index 9fa2ca6f46..6a32a85fe5 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
@@ -44,6 +44,7 @@ references:
isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030050
ocil_clause: 'the system has not been properly configured to rotate audit logs'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index 6b9d2e5f83..2f37c5b0e4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -42,6 +42,7 @@ references:
srg@sle12: SRG-OS-000343-GPOS-00134
disa@sle12: CCI-001855
nist@sle12: AU-5(1)
+ stigid@rhel8: RHEL-08-030730
ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
index bdc86cf35b..1009699e77 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
@@ -51,6 +51,8 @@ references:
isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+ stigid@rhel8: RHEL-08-030730
+ stigid@rhel8: RHEL-08-030730
ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
index 8f20910163..5afb2c8f30 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FAU_GEN.1.1.c
srg: SRG-OS-000062-GPOS-00031
+ stigid@rhel8: RHEL-08-030061
ocil_clause: local_events isn't set to yes
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
index 250dff5e13..76d31a6ff5 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
ospp: FAU_GEN.1
srg: SRG-OS-000255-GPOS-00096
+ stigid@rhel8: RHEL-08-030063
ocil_clause: log_format isn't set to ENRICHED
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
index fb6a49708c..a778d5faf2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
@@ -25,6 +25,7 @@ references:
disa: CCI-001851
ospp: FAU_GEN.1
srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+ stigid@rhel8: RHEL-08-030062
ocil_clause: name_format isn't set to hostname
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 11020f93b3..d033770f57 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -45,6 +45,7 @@ references:
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8
srg: SRG-OS-000254-GPOS-00095
+ stigid@rhel8: RHEL-08-030601
ocil_clause: 'auditing is not enabled at boot time'
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 750dd2001e..27e19e7c9a 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -27,6 +27,7 @@ references:
srg: SRG-OS-000254-GPOS-00095
nist: CM-6(a)
cis@rhel8: 4.1.1.4
+ stigid@rhel8: RHEL-08-030602
ocil_clause: 'audit backlog limit is not configured'
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
index 2fc431c1ae..577176ff00 100644
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -26,6 +26,7 @@ references:
srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
+ stigid@rhel8: service_auditd_enabled
template:
name: package_installed
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index e9b85f815b..073f29c9fe 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -37,6 +37,7 @@ references:
ospp: FAU_GEN.1.1.c
nist: AU-2(a)
srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
+ stigid@rhel8: RHEL-08-030122
ocil_clause: 'the file does not exist or the content differs'
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
index 0696ce915a..d09446bde8 100644
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
@@ -52,6 +52,7 @@ references:
srg@sle12: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227
disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884
nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
+ stigid@rhel8: RHEL-08-010560
ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
index a77ebf9041..e3b63d960d 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
srg: SRG-OS-000433-GPOS-00193
nist: SI-16
+ stigid@rhel8: RHEL-08-040004
ocil_clause: 'Kernel page-table isolation is not enabled'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
index ea0079db52..b090492046 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-7(a)
+ stigid@rhel8: RHEL-08-010422
ocil_clause: 'vsyscalls are enabled'
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 4b04936ee2..0690cfbcda 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -49,6 +49,7 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
anssi: BP28(R17)
+ stigid@rhel8: RHEL-08-010150
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index b2338a5035..92129ab744 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -63,6 +63,7 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
anssi: BP28(R17)
+ stigid@rhel8: RHEL-08-010150
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index ea5c80f163..08e1da4369 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -56,6 +56,7 @@ references:
iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,14,15,16,18,3,5
anssi: BP28(R17)
+ stigid@rhel8: RHEL-08-010140
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index a423564c23..decb94b92e 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -67,6 +67,7 @@ references:
iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,14,15,16,18,3,5
anssi: BP28(R17)
+ stigid@rhel8: RHEL-08-010140
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
index c1f14c4d7e..5e8f08fd5c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
@@ -36,6 +36,7 @@ references:
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.15.2.1,A.15.2.2
cis-csc: 1,14,15,16,3,5,6
ism: 0988,1405
+ stigid@rhel8: RHEL-08-030010
ocil_clause: 'cron is not logging to rsyslog'
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
index aae3d94903..4e969a3079 100644
--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
references:
ospp: FTP_ITC_EXT.1.1
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
+ stigid@rhel8: RHEL-08-030680
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
index 3016a87700..7fb9ee408b 100644
--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
@@ -28,6 +28,7 @@ references:
cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,14,15,16,3,5,6
srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024
+ stigid@rhel8: RHEL-08-030670
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index ba51a1506b..8d8be95f23 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -58,6 +58,7 @@ references:
cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,13,14,15,16,2,3,5,6
ism: 0988,1405
+ stigid@rhel8: RHEL-08-030690
ocil_clause: 'none of these are present'
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
index 12ec48ad15..3ef70473de 100644
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
@@ -29,6 +29,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO13.01,BAI03.05,BAI04.04,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cis@ubuntu2004: 4.2.1.2
+ stigid@rhel8: RHEL-08-010561
ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 7aea04c670..e82f50f9a0 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -20,6 +20,7 @@ references:
nist: CM-6(a)
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116
cis@rhel8: 3.4.1.1
+ stigid@rhel8: RHEL-08-040100
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index 2646a5219c..818edc3cba 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -34,6 +34,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
cis@sle15: 3.5.1.4
+ stigid@rhel8: RHEL-08-040100
ocil: '{{{ ocil_service_enabled(service="firewalld") }}}'
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
index 7d399274d5..04c7cebc2f 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
@@ -53,6 +53,7 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9
ism: "1416"
+ stigid@rhel8: RHEL-08-040030
ocil_clause: 'the default rules are not configured'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 47c811290c..8e7eabc336 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -27,6 +27,7 @@ references:
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
cis@sle15: 3.3.9
+ stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index 5b5bfc9633..04fa55f524 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index d75989fca1..304c549b0b 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index 09d263cf00..d3b8347573 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 9253f7235a..ae67ab248d 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -28,6 +28,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040280
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index 8767a5226f..ac9218fe34 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -40,6 +40,7 @@ references:
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,4,6,8,9
+ stigid@rhel8: RHEL-08-040240
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index d9b2acdec3..dcf480ef63 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -27,6 +27,7 @@ references:
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
cis@sle15: 3.3.9
+ stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index 5cf98305c7..eca95f75b5 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index d7dad19f3a..f030cd9221 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index b6ee061057..43c901e3a4 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
anssi: BP28(R22)
+ stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 970db38b33..fdd8572cf5 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -28,6 +28,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040210
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 361073e99c..ffbc45225d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -41,6 +41,7 @@ references:
iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2
cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
cis@sle15: 3.3.2
+ stigid@rhel8: RHEL-08-040280
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 7bc4e3b9b7..4bb38a2e5c 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -41,6 +41,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
cis@sle15: 3.3.1
+ stigid@rhel8: RHEL-08-040240
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 8d22d12b28..3d1dfb6eb7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -36,6 +36,7 @@ references:
srg: SRG-OS-000480-GPOS-00227
cis@sle15: 3.3.7
stigid@rhel7: RHEL-07-040611
+ stigid@rhel8: RHEL-08-040285
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index ed4a024797..4486a92e11 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -41,6 +41,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
cis@sle15: 3.3.3
+ stigid@rhel8: RHEL-08-040210
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
index ef659ec1c2..f1c4947d34 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
@@ -38,6 +38,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
cis@sle15: 3.3.5
+ stigid@rhel8: RHEL-08-040230
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_broadcasts", value="1") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index f49353c25c..779b92682d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -39,6 +39,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
cis@sle15: 3.2.2
+ stigid@rhel8: RHEL-08-040220
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index d7d5bfe607..ade1338bae 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -39,6 +39,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
cis@sle15: 3.2.2
+ stigid@rhel8: RHEL-08-040270
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index b9f3d060d5..6274897a21 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -36,6 +36,7 @@ references:
iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2
cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
cis@sle15: 3.2.1
+ stigid@rhel8: RHEL-08-040260
ocil: |-
{{{ ocil_sysctl_option_value(sysctl="net.ipv4.ip_forward", value="0") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
index d34f1610f1..caff3aaa00 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040021
{{{ complete_ocil_entry_module_disable(module="atm") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
index 16807a4e81..f25e86ab4d 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040022
{{{ complete_ocil_entry_module_disable(module="can") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
index aae80b232e..3c8564759c 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml
@@ -23,6 +23,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040026
{{{ complete_ocil_entry_module_disable(module="firewire-core") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
index 55602ac8be..8db0f11579 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -34,6 +34,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040023
{{{ complete_ocil_entry_module_disable(module="sctp") }}}
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
index 425fa216e5..5953d5ca1d 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
cis-csc: 11,14,3,9
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040024
{{{ complete_ocil_entry_module_disable(module="tipc") }}}
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
index 496480a0a8..a6c9b7ede4 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
@@ -35,6 +35,7 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040111
{{{ complete_ocil_entry_module_disable(module="bluetooth") }}}
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index e76619cd2b..d683b2eda0 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -45,6 +45,7 @@ references:
cis-csc: 11,12,14,15,3,8,9
cis@sle15: 3.1.2
ism: 1315,1319
+ stigid@rhel8: RHEL-08-040110
ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
index 08049f76cb..a9c6550b47 100644
--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
+++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: APO13.01,DSS05.02
iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3
cis-csc: 12,15,8
+ stigid@rhel8: RHEL-08-010680
ocil_clause: 'it does not exist or is not properly configured or less than 2 ''nameserver'' entries exist'
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
index 208d15234e..222063ae09 100644
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -42,6 +42,7 @@ references:
cobit5: APO11.06,APO12.06,BAI03.10,BAI09.01,BAI09.02,BAI09.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.05,DSS04.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.11.1.2,A.11.2.4,A.11.2.5,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.16.1.6,A.8.1.1,A.8.1.2,A.9.1.2
cis-csc: 1,11,14,3,9
+ stigid@rhel8: RHEL-08-040330
ocil_clause: 'any network device is in promiscuous mode'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index f479ed3d17..90011f5f92 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
anssi: BP28(R40)
+ stigid@rhel8: RHEL-08-010700
ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index 79594c701f..a9efbdda1e 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -42,6 +42,7 @@ references:
cis-csc: 1,11,12,13,14,15,16,18,3,5
cis@sle15: 6.1.12
stigid@sle12: SLES-12-010700
+ stigid@rhel8: RHEL-08-010790
ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index faab0b8822..6acae65b78 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -42,6 +42,7 @@ references:
cis-csc: 11,12,13,14,15,16,18,3,5,9
cis@sle15: 6.1.11
stigid@sle12: SLES-12-010690
+ stigid@rhel8: RHEL-08-010780
ocil_clause: 'files exist that are not owned by a valid user'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index cfa7ae4dc5..fa53de9041 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-010310
ocil_clause: 'any system executables are found to not be owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index 53e1a24c42..e40b5f47d8 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-010340
ocil_clause: 'any of these files are not owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index c2bba15f83..3ec56361dc 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-010300
ocil_clause: 'any system executables are found to be group or world writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index c09024a224..83add611b9 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
+ stigid@rhel8: RHEL-08-010330
ocil_clause: 'any of these files are group-writable or world-writable'
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index 3b04abbf9b..0aefe8ae50 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -22,6 +22,7 @@ references:
cis: 1.6.1
nist: CM-6(a),AC-6(1)
srg: SRG-OS-000324-GPOS-00125
+ stigid@rhel8: RHEL-08-010374
{{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_hardlinks", value="1") }}}
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index aead2022ee..86a9f8e2d9 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -24,6 +24,7 @@ references:
cis: 1.6.1
nist: CM-6(a),AC-6(1)
srg: SRG-OS-000324-GPOS-00125
+ stigid@rhel8: RHEL-08-010373
{{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_symlinks", value="1") }}}
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
index d2ba212350..302154b636 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml
@@ -39,6 +39,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040025
{{{ complete_ocil_entry_module_disable(module="cramfs") }}}
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 24e77cc74e..d1d2bf97f7 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -41,6 +41,7 @@ references:
cis@rhel8: 1.1.23
cis@sle15: 1.1.3
stigid@sle12: SLES-12-010580
+ stigid@rhel8: RHEL-08-040080
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 001b9466ae..00d1282a05 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -46,6 +46,7 @@ references:
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
cis@sle15: 1.1.23
+ stigid@rhel8: RHEL-08-040070
ocil: '{{{ ocil_service_disabled(service="autofs") }}}'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index 8410964438..a4da22f666 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -27,6 +27,7 @@ references:
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
anssi: BP28(R12)
+ stigid@rhel8: RHEL-08-010571
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 140a2eafc0..318117fcca 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -36,6 +36,7 @@ references:
cis-csc: 11,13,14,3,8,9
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.16
+ stigid@rhel8: RHEL-08-040120
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 2f740c31a6..f41387ab9f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -39,6 +39,7 @@ references:
cis-csc: 11,13,14,3,8,9
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.17
+ stigid@rhel8: RHEL-08-040122
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index be127be367..d844c9c3b3 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -36,6 +36,7 @@ references:
cis-csc: 11,13,14,3,8,9
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.18
+ stigid@rhel8: RHEL-08-040121
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index 3652cf9f2b..37e8f7fb99 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -38,6 +38,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227
stigid@sle12: SLES-12-010790
+ stigid@rhel8: RHEL-08-010570
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index c9f52b36d1..f40daec6c8 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -42,5 +42,6 @@ references:
cis-csc: 11,14,3,9
srg: SRG-OS-000368-GPOS-00154
anssi: BP28(R12)
+ stigid@rhel8: RHEL-08-010580
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index 30c7065bcc..602ce2da35 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -36,6 +36,7 @@ references:
iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1
cis-csc: 11,12,13,14,16,3,8,9
cis@sle15: 1.1.19
+ stigid@rhel8: RHEL-08-010600
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 47435d887a..4d2bd0eceb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -34,6 +34,7 @@ references:
iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1
cis-csc: 11,12,13,14,16,3,8,9
cis@sle15: 1.1.20
+ stigid@rhel8: RHEL-08-010610
ocil_clause: 'removable media partitions are present'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index 5f19864ded..9ed257aa22 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -41,6 +41,7 @@ references:
cis-csc: 11,12,13,14,15,16,18,3,5,8,9
cis@sle15: 1.1.21
stigid@sle12: SLES-12-010800
+ stigid@rhel8: RHEL-08-010620
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index bcd15e1596..ed27226855 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -35,6 +35,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.4
+ stigid@rhel8: RHEL-08-040123
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 7c8bf290fe..77ae8a664f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -34,6 +34,7 @@ references:
cis-csc: 11,13,14,3,8,9
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
+ stigid@rhel8: RHEL-08-040125
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index 0f4a028834..b7e171fb02 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -35,6 +35,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.5
+ stigid@rhel8: RHEL-08-040124
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index c2765b6c61..404386d777 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -28,6 +28,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
+ stigid@rhel8: RHEL-08-040129
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index 820c8385b3..93c63a75f7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -26,6 +26,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
+ stigid@rhel8: RHEL-08-040131
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index 344bafd252..7ee7213995 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -27,6 +27,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
+ stigid@rhel8: RHEL-08-040130
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 4647f2e1c0..8959bd0bb5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
+ stigid@rhel8: RHEL-08-040126
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 0bced14721..baf1eea424 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -27,6 +27,7 @@ references:
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
anssi: BP28(R12)
+ stigid@rhel8: RHEL-08-040128
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index c4e3d32997..beee543cf2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -28,6 +28,7 @@ references:
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
anssi: BP28(R12)
+ stigid@rhel8: RHEL-08-040127
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 233870fed8..4e76e61bb2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -29,6 +29,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.9
+ stigid@rhel8: RHEL-08-040132
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 081b3a4b32..f2b108d58d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -29,6 +29,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.11
+ stigid@rhel8: RHEL-08-040134
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 97a8312536..11bfe2661d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -29,6 +29,7 @@ references:
anssi: BP28(R12)
srg: SRG-OS-000368-GPOS-00154
cis@sle15: 1.1.10
+ stigid@rhel8: RHEL-08-040133
platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
index 1bef2966d2..04b580e64e 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -30,6 +30,7 @@ references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000480-GPOS-00227
cis@rhel8: 1.6.1
+ stigid@rhel8: RHEL-08-010675
ocil_clause: ProcessSizeMax is not set to zero
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
index 953cd1598b..3225785a8f 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
@@ -26,6 +26,7 @@ references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000480-GPOS-00227
cis@rhel8: 1.6.1
+ stigid@rhel8: RHEL-08-010674
ocil_clause: Storage is not set to none
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index 833fa046d6..c50a366512 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -30,6 +30,7 @@ references:
iso27001-2013: A.12.1.3,A.17.2.1
cis-csc: 1,12,13,15,16,2,7,8
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010673
ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
index ff8cd4279f..fd12fbbb50 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010672
ocil_clause: unit systemd-coredump.socket is not masked or running
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index c4b9a0dc88..c9794729dd 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -22,6 +22,7 @@ references:
anssi: BP28(R23)
nist: SC-30,SC-30(2),SC-30(5),CM-6(a)
srg: SRG-OS-000132-GPOS-00067
+ stigid@rhel8: RHEL-08-040283
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index d7d0736a94..950ae6b00b 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -29,6 +29,7 @@ references:
nist: SC-30,SC-30(2),CM-6(a)
srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227
anssi: BP28(R23)
+ stigid@rhel8: RHEL-08-010430
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index d5808b1861..48acc4d2fd 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -27,6 +27,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-6(a)
+ stigid@rhel8: RHEL-08-010421
ocil_clause: 'page allocator poisoning is not enabled'
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index 477fa57011..516409b6c6 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -27,6 +27,7 @@ identifiers:
references:
srg: SRG-OS-000433-GPOS-00192
nist: CM-6(a)
+ stigid@rhel8: RHEL-08-010423
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index eaed28cab1..b82e0fcce3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010671
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index eeec4f1723..90fcd34f73 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -24,6 +24,7 @@ references:
nist: SI-11(a),SI-11(b)
anssi: BP28(R23)
srg: SRG-OS-000132-GPOS-00067
+ stigid@rhel8: RHEL-08-010375
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
index 7048a4baa7..83710b7c01 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010372
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index da90c26f2f..c9fe044a06 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -20,6 +20,7 @@ references:
anssi: BP28(R23)
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000132-GPOS-00067
+ stigid@rhel8: RHEL-08-010376
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_paranoid", value="2") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 883a2fc830..200c2eba46 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000132-GPOS-00067
+ stigid@rhel8: RHEL-08-040281
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 5332a2552d..68483432a3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
anssi: BP28(R25)
srg: SRG-OS-000132-GPOS-00067
+ stigid@rhel8: RHEL-08-040282
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
index e89e70d2e4..5e3929ec1a 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml
@@ -29,6 +29,7 @@ references:
ospp: FMT_SMF_EXT.1
nist: SC-39,CM-6(a)
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040284
{{{ complete_ocil_entry_sysctl_option_value(sysctl="user.max_user_namespaces", value="0") }}}
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
index df9053bb9f..a107af62ea 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
@@ -30,6 +30,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010171
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index ba2b9dc94f..f7d6ce6bf1 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -49,6 +49,7 @@ references:
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
+ stigid@rhel8: RHEL-08-010450
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index 65cb503d39..0c4056dfe0 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -40,6 +40,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
anssi: BP28(R4),BP28(R66)
+ stigid@rhel8: RHEL-08-010170
ocil_clause: 'SELINUX is not set to enforcing'
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index fe370a4323..8d5b722c07 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -64,6 +64,7 @@ references:
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
cis-csc: 13,14
stigid@sle12: SLES-12-010450
+ stigid@rhel8: RHEL-08-010030
ocil_clause: 'partitions do not have a type of crypto_LUKS'
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
index 0c3cc8908e..061eeae93c 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml
@@ -37,6 +37,7 @@ references:
iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3
cis-csc: 12,15,8
cis@sle15: 1.1.14
+ stigid@rhel8: RHEL-08-010800
{{{ complete_ocil_entry_separate_partition(part="/home") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
index 9fc2d4251a..a4db4948c6 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml
@@ -34,6 +34,7 @@ references:
iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3
cis-csc: 12,15,8
cis@sle15: 1.1.2
+ stigid@rhel8: RHEL-08-010543
{{{ complete_ocil_entry_separate_partition(part="/tmp") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
index 4ef85ef818..8190a4a4ca 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml
@@ -37,6 +37,7 @@ references:
iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3
cis-csc: 12,15,8
cis@sle15: 1.1.7
+ stigid@rhel8: RHEL-08-010540
{{{ complete_ocil_entry_separate_partition(part="/var") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index fa0c4ab95d..b90f93deee 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -33,6 +33,8 @@ references:
cis-csc: 1,12,14,15,16,3,5,6,8
srg: SRG-OS-000480-GPOS-00227
cis@sle: 1.1.12
+ stigid@rhel8: RHEL-08-010540
+ stigid@rhel8: RHEL-08-010541
{{{ complete_ocil_entry_separate_partition(part="/var/log") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index e1bc3ad113..73b5cd50ed 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -40,6 +40,9 @@ references:
cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,12,13,14,15,16,2,3,5,6,8
cis@sle15: 1.1.13
+ stigid@rhel8: RHEL-08-010540
+ stigid@rhel8: RHEL-08-010541
+ stigid@rhel8: RHEL-08-010542
{{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index 340af24c82..fde3338f40 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -26,6 +26,7 @@ references:
cis@ubuntu1804: 1.1.6
anssi: BP28(R12)
cis@sle15: 1.1.8
+ stigid@rhel8: RHEL-08-010540
{{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
index 85423650fa..0594702aa4 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml
@@ -39,6 +39,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010820
ocil_clause: 'GDM allows users to automatically login'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
index bec17bc68b..cd33cd5b62 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
@@ -48,6 +48,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-020060
ocil_clause: 'idle-delay is not equal to or less than the expected value'
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index b27b34dcf7..aa492e1c9c 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -43,6 +43,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
+ stigid@rhel8: RHEL-08-020030
ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly'
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
index 31712897eb..fae18baff6 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
@@ -44,6 +44,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@rhel7: RHEL-07-020231
+ stigid@rhel8: RHEL-08-040171
ocil_clause: 'GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed'
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index fba676f0b9..d9eb1b8a61 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -48,6 +48,7 @@ references:
cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
cis-csc: 18,20,4
+ stigid@rhel8: RHEL-08-010000
ocil_clause: 'the installed operating system is not supported'
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index e911216101..e054892daf 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -31,6 +31,7 @@ identifiers:
references:
ospp: FCS_SSHS_EXT.1
srg: SRG-OS-000423-GPOS-00187
+ stigid@rhel8: RHEL-08-040162
ocil_clause: 'it is commented out or is not set'
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
index 565dabb4b9..558dfc89dd 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -39,6 +39,7 @@ references:
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176
ism: "1446"
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'FIPS mode is not enabled'
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
index 77c78d5705..5879bc2bdb 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
@@ -47,6 +47,7 @@ references:
cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2
cis-csc: 12,15,8
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'FIPS is not configured or enabled in grub'
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 59af9a96e7..0807f512fb 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -28,6 +28,7 @@ references:
disa: CCI-000068,CCI-000803,CCI-002450
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
+ stigid@rhel8: RHEL-08-010020
ocil_clause: 'crypto.fips_enabled is not 1'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index cc696141f6..80a0bce1cc 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -50,6 +50,7 @@ references:
stigid@sle12: SLES-12-010510
srg@sle12: SRG-OS-000447-GPOS-00201
disa@sle12: CCI-002702
+ stigid@rhel8: RHEL-08-010360
ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
index 93bdb1715d..451ad97613 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02
iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4
cis-csc: 2,3
+ stigid@rhel8: RHEL-08-040310
ocil_clause: 'the acl option is missing or not added to the correct ruleset'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index 2e81a270c5..3be8209a71 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -36,6 +36,7 @@ references:
cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02
iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4
cis-csc: 2,3
+ stigid@rhel8: RHEL-08-040300
ocil_clause: 'the xattrs option is missing or not added to the correct ruleset'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index abf13a274a..1667604386 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -33,6 +33,7 @@ references:
ism: 1034,1288,1341,1417
stigid@sle12: SLES-12-010500
disa@sle12: CCI-002699
+ stigid@rhel8: RHEL-08-010360
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
index 435630d85c..51b839b55a 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
@@ -25,6 +25,9 @@ rationale: |-
severity: medium
+references:
+ stigid@rhel8: RHEL-08-020320
+
ocil_clause: 'there are unauthorized local user accounts on the system'
ocil: |-
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
index e704df8983..d01fa44615 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-010381
ocil_clause: "!authenticate is enabled in sudo"
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
index 8aee5edfa3..382c4b8851 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
@@ -38,6 +38,7 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16,5
+ stigid@rhel8: RHEL-08-010380
ocil_clause: 'nopasswd is enabled in sudo'
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
index ed2fc64d08..5482cdf3af 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
index 8bbf9ea53d..3b12bfb5b0 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
index 9be8b08b0f..00b1a36714 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-python") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
index 9aa7f11ada..0412e8b82b 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-cli") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
index d970def693..9d10076523 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
index 7f7787a19a..addb652e92 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
index 6107659d94..6647186cc7 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
index 3fea028d70..fa94959f68 100644
--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
@@ -18,7 +18,8 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
-
+ stigid@rhel8: RHEL-08-040370
+
{{{ complete_ocil_entry_package(package="gssproxy") }}}
template:
diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
index 2c0bdee8a6..9ec5c88c50 100644
--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040380
{{{ complete_ocil_entry_package(package="iprutils") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
index b7e1b4adff..9753c2c773 100644
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061
+ stigid@rhel8: RHEL-08-010162
{{{ complete_ocil_entry_package(package="krb5-workstation") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
index 65c7a22e3e..f12bbc2093 100644
--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040390
{{{ complete_ocil_entry_package(package="tuned") }}}
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index f9defcfdc1..6239e950a1 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -33,6 +33,7 @@ references:
cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
cis-csc: 18,20,4
+ stigid@rhel8: RHEL-08-010440
ocil_clause: 'clean_requirements_on_remove is not enabled or configured correctly'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 1f86aff1e9..7d031c93f1 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -56,6 +56,7 @@ references:
cis-csc: 11,2,3,9
anssi: BP28(R15)
stigid@sle12: SLES-12-010550
+ stigid@rhel8: RHEL-08-010370
ocil_clause: 'GPG checking is not enabled'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
index 440f02b2a7..54a584cc9d 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
@@ -40,6 +40,7 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
anssi: BP28(R15)
+ stigid@rhel8: RHEL-08-010371
ocil_clause: 'gpgcheck is not enabled or configured correctly to verify local packages'
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
index 25459f4abb..32f67fe0e3 100644
--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
@@ -59,6 +59,7 @@ references:
iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
cis-csc: 18,20,4
anssi: BP28(R08)
+ stigid@rhel8: RHEL-08-010010
# SCAP 1.3 content should reference flat non compressed xml files
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index cda0239433..03ce772734 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -1,13 +1,13 @@
documentation_complete: true
metadata:
- version: V1R0.1-Draft
+ version: V1R1
SMEs:
- carlosmmatos
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+title: 'DISA STIG for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
@@ -23,46 +23,286 @@ description: |-
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
-extends: ospp
-
selections:
- - login_banner_text=dod_banners
- - dconf_db_up_to_date
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=077
+ - var_password_pam_difok=4
+ - var_password_pam_maxrepeat=3
+ - var_password_pam_maxclassrepeat=4
+ - var_accounts_max_concurrent_login_sessions=10
+ - var_password_pam_unix_remember=5
+ - var_selinux_state=enforcing
+ - var_selinux_policy_name=targeted
+ - var_system_crypto_policy=fips_ospp
+ - var_accounts_password_minlen_login_defs=15
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - sshd_idle_timeout_value=10_minutes
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+ - var_accounts_fail_delay=4
+
+
+ - installed_OS_is_vendor_supported
+ - security_patches_up_to_date
+ - enable_fips_mode
+ - sysctl_crypto_fips_enabled
+ - encrypt_partitions
+ - sshd_enable_warning_banner
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- banner_etc_issue
+ - set_password_hashing_algorithm_logindefs
+ - grub2_uefi_password
+ - grub2_uefi_admin_username
+ - grub2_password
+ - grub2_admin_username
+ - kerberos_disable_no_keytab
+ - package_krb5-workstation_removed
+ - selinux_state
+ - package_policycoreutils_installed
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - sshd_use_strong_rng
+ - file_permissions_binary_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_library_dirs
+ - file_ownership_library_dirs
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - sysctl_kernel_kexec_load_disabled
+ - sysctl_fs_protected_symlinks
+ - sysctl_fs_protected_hardlinks
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ - package_opensc_installed
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
+ - grub2_slub_debug_argument
+ - sysctl_kernel_randomize_va_space
+ - clean_components_post_updating
+ - selinux_policytype
+ - no_host_based_files
+ - no_user_host_based_files
+ - service_rngd_enabled
+ - file_permissions_sshd_pub_key
+ - file_permissions_sshd_private_key
+ - sshd_enable_strictmodes
+ - sshd_disable_compression
+ - sshd_disable_user_known_hosts
+ - partition_for_var
+ - partition_for_var_log
+ - partition_for_var_log_audit
+ - partition_for_tmp
+ - sshd_disable_root_login
+ - service_auditd_enabled
+ - service_rsyslog_enabled
+ - mount_option_home_nosuid
+ - mount_option_boot_nosuid
+ - mount_option_nodev_nonroot_local_partitions
+ - mount_option_nodev_removable_partitions
+ - mount_option_noexec_removable_partitions
+ - mount_option_nosuid_removable_partitions
+ - mount_option_noexec_remote_filesystems
+ - mount_option_nodev_remote_filesystems
+ - mount_option_nosuid_remote_filesystems
+ - service_kdump_disabled
+ - sysctl_kernel_core_pattern
+ - service_systemd-coredump_disabled
+ - disable_users_coredumps
+ - coredump_disable_storage
+ - coredump_disable_backtraces
+ - accounts_user_home_paths_only
+ - accounts_user_interactive_home_directory_defined
+ - file_permissions_home_directories
+ - file_groupownership_home_directories
+ - accounts_user_interactive_home_directory_exists
+ - accounts_have_homedir_login_defs
+ - file_permission_user_init_files
+ - no_files_unowned_by_user
+ - file_permissions_ungroupowned
+ - partition_for_home
+ - gnome_gdm_disable_automatic_login
+ - sshd_do_not_permit_user_env
+ - account_temp_expire_date
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_interval
+ - accounts_passwords_pam_faillock_unlock_time
+ - accounts_passwords_pam_faillock_deny_root
+ - accounts_max_concurrent_login_sessions
+ - dconf_gnome_screensaver_lock_enabled
+ - configure_bashrc_exec_tmux
+ - no_tmux_in_shells
+ - dconf_gnome_screensaver_idle_delay
+ - configure_tmux_lock_after_time
+ - accounts_password_pam_ucredit
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_dcredit
+ - accounts_password_pam_maxclassrepeat
+ - accounts_password_pam_maxrepeat
+ - accounts_password_pam_minclass
+ - accounts_password_pam_difok
- accounts_password_set_min_life_existing
+ - accounts_minimum_age_login_defs
+ - accounts_maximum_age_login_defs
- accounts_password_set_max_life_existing
+ - accounts_password_pam_unix_remember
+ - accounts_password_pam_minlen
+ - accounts_password_minlen_login_defs
- account_disable_post_pw_expiration
- - account_temp_expire_date
- - audit_rules_usergroup_modification_passwd
- - sssd_enable_smartcards
+ - accounts_password_pam_ocredit
- sssd_offline_cred_expiration
- - smartcard_configure_cert_checking
- - encrypt_partitions
- - sysctl_net_ipv4_tcp_syncookies
- - clean_components_post_updating
- - package_audispd-plugins_installed
- - package_libcap-ng-utils_installed
- - auditd_audispd_syslog_plugin_activated
- - accounts_password_pam_enforce_local
- - accounts_password_pam_enforce_root
-
- # Configure TLS for remote logging
+ - accounts_logon_fail_delay
+ - display_login_attempts
+ - sshd_print_last_log
+ - accounts_umask_etc_login_defs
+ - accounts_umask_interactive_users
+ - accounts_umask_etc_bashrc
+ - rsyslog_cron_logging
+ - auditd_data_retention_action_mail_acct
+ - postfix_client_configure_mail_alias
+ - auditd_data_disk_error_action
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_disk_full_action
+ - auditd_local_events
+ - auditd_name_format
+ - auditd_log_format
+ - file_permissions_var_log_audit
+ - directory_permissions_var_log_audit
+ - audit_rules_immutable
+ - audit_immutable_login_uids
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_group
+ - audit_rules_login_events_lastlog
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - configure_usbguard_auditbackend
- package_rsyslog_installed
- package_rsyslog-gnutls_installed
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
-
- # Unselect zIPL rules from OSPP
- - "!zipl_bls_entries_only"
- - "!zipl_bootmap_is_up_to_date"
- - "!zipl_audit_argument"
- - "!zipl_audit_backlog_limit_argument"
- - "!zipl_page_poison_argument"
- - "!zipl_slub_debug_argument"
- - "!zipl_vsyscall_argument"
- - "!zipl_vsyscall_argument.role=unscored"
- - "!zipl_vsyscall_argument.severity=info"
-
- - installed_OS_is_vendor_supported
+ - rsyslog_remote_loghost
+ - auditd_data_retention_space_left
+ - auditd_data_retention_space_left_action
+ - chronyd_or_ntpd_set_maxpoll
+ - chronyd_client_only
+ - chronyd_no_chronyc_network
+ - package_telnet-server_removed
+ - package_abrt_removed
+ - package_abrt-addon-ccpp_removed
+ - package_abrt-addon-kerneloops_removed
+ - package_abrt-addon-python_removed
+ - package_abrt-cli_removed
+ - package_abrt-plugin-logger_removed
+ - package_abrt-plugin-rhtsupport_removed
+ - package_abrt-plugin-sosreport_removed
+ - package_sendmail_removed
+ - package_gssproxy_removed
+ - grub2_pti_argument
+ - package_rsh-server_removed
+ - kernel_module_atm_disabled
+ - kernel_module_can_disabled
+ - kernel_module_sctp_disabled
+ - kernel_module_tipc_disabled
+ - kernel_module_cramfs_disabled
+ - kernel_module_firewire-core_disabled
+ - configure_firewalld_ports
+ - service_autofs_disabled
+ - kernel_module_usb-storage_disabled
+ - service_firewalld_enabled
+ - package_firewalld_installed
+ - wireless_disable_interfaces
+ - kernel_module_bluetooth_disabled
+ - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_noexec
+ - mount_option_tmp_nodev
+ - mount_option_tmp_nosuid
+ - mount_option_tmp_noexec
+ - mount_option_var_log_nodev
+ - mount_option_var_log_nosuid
+ - mount_option_var_log_noexec
+ - mount_option_var_log_audit_nodev
+ - mount_option_var_log_audit_nosuid
+ - mount_option_var_log_audit_noexec
+ - mount_option_var_tmp_nodev
+ - mount_option_var_tmp_nosuid
+ - mount_option_var_tmp_noexec
+ - package_openssh-server_installed
+ - service_sshd_enabled
+ - sshd_rekey_limit
+ - ssh_client_rekey_limit
+ - disable_ctrlaltdel_reboot
+ - dconf_gnome_disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
+ - service_debug-shell_disabled
+ - package_tftp-server_removed
+ - accounts_no_uid_except_zero
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_kptr_restrict
+ - sysctl_user_max_user_namespaces
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - postfix_prevent_unrestricted_relay
+ - aide_verify_ext_attributes
+ - aide_verify_acls
+ - package_xorg-x11-server-common_removed
+ - sshd_disable_x11_forwarding
+ - sshd_x11_use_localhost
+ - tftpd_uses_secure_mode
+ - package_vsftpd_removed
+ - package_gssproxy_removed
+ - package_iprutils_removed
+ - package_tuned_removed
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - set_password_hashing_algorithm_systemauth
+ - dir_perms_world_writable_sticky_bits
+ - package_aide_installed
+ - aide_scan_notification
+ - install_smartcard_packages
+ - sshd_disable_kerb_auth
+ - sshd_disable_gssapi_auth
+ - accounts_user_dot_no_world_writable_programs
+ - network_configure_name_resolution
+ - dir_perms_world_writable_root_owned
+ - package_tmux_installed
+ - configure_tmux_lock_command
+ - accounts_password_pam_retry
+ - sssd_enable_smartcards
+ - no_empty_passwords
+ - sshd_disable_empty_passwords
+ - file_ownership_var_log_audit
+ - audit_rules_sysadmin_actions
+ - package_audit_installed
+ - service_auditd_enabled
+ - sshd_allow_only_protocol2
+ - package_fapolicyd_installed
+ - service_fapolicyd_enabled
+ - package_usbguard_installed
+ - service_usbguard_enabled
+ - network_sniffer_disabled
From 22cac40b15eb5beb4144c2521021e093509c05ad Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 29 Jan 2021 11:34:57 +0100
Subject: [PATCH 02/21] Add correct variables to RHEL8 STIG missing from OSPP.
They have either a different value from OSPP or they are being
explicitly set even if they are default values.
---
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 +
.../ntp/var_time_service_set_maxpoll.var | 1 +
.../r_services/no_host_based_files/rule.yml | 2 ++
.../no_user_host_based_files/rule.yml | 1 +
.../sshd_x11_use_localhost/rule.yml | 1 +
.../install_smartcard_packages/rule.yml | 1 +
.../accounts_logon_fail_delay/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_user_home_paths_only/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permission_user_init_files/rule.yml | 1 +
.../rule.yml | 1 +
.../accounts_umask_interactive_users/rule.yml | 1 +
.../rule.yml | 1 +
.../auditd_data_disk_error_action/rule.yml | 1 +
.../auditd_data_disk_full_action/rule.yml | 1 +
.../auditd_data_retention_space_left/rule.yml | 1 +
.../rule.yml | 1 +
.../rule.yml | 1 +
.../fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
rhel8/profiles/stig.profile | 20 +++++++++++++++++--
25 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index 4bfcc16c7f..0a3d818831 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80512-7
+ cce@rhel8: CCE-84054-6
references:
stigid@ol7: OL07-00-040680
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index 3349a7963a..9374bdc065 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80239-7
+ cce@rhel8: CCE-84052-0
references:
nist: CM-6(a),MP-2
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
index ee6b9aa54a..4a50d79600 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80436-9
cce@sle12: CCE-83103-2
+ cce@rhel8: CCE-84050-4
references:
stigid@ol7: OL07-00-021021
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
index 6b71f94c2b..695e1a1e6c 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
@@ -15,6 +15,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80240-5
cce@sle12: CCE-83102-4
+ cce@rhel8: CCE-84053-8
references:
stigid@ol7: OL07-00-021020
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 9a802b5d5d..8d12b741a9 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -27,6 +27,7 @@ identifiers:
cce@rhel7: CCE-80439-3
cce@rhcos4: CCE-82684-2
cce@sle12: CCE-83124-8
+ cce@rhel8: CCE-84059-5
references:
stigid@ol7: OL07-00-040500
diff --git a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
index 81a7debf25..6dd3ec434c 100644
--- a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
+++ b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
@@ -10,5 +10,6 @@ interactive: false
options:
36_hours: 17
+ 18_hours: 16
default: 10
system_default: 10
diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
index 01eb9e5f99..4944530617 100644
--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
@@ -23,6 +23,8 @@ severity: high
identifiers:
cce@rhel7: CCE-80513-5
cce@sle12: CCE-83022-4
+ cce@rhel8: CCE-84055-3
+
references:
stigid@ol7: OL07-00-040550
disa: CCI-000366
diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
index 48bff043a6..efb6386261 100644
--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
@@ -23,6 +23,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80514-3
cce@sle12: CCE-83021-6
+ cce@rhel8: CCE-84056-1
references:
stigid@ol7: OL07-00-040540
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index bee39a3904..664db5e626 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-83404-4
+ cce@rhel8: CCE-84058-7
references:
srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index 29aa49483d..4b8a9c29f5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80519-2
+ cce@rhel8: CCE-84029-8
references:
stigid@ol7: OL07-00-041001
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index e62e3cc62b..d1da3b6963 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80352-8
cce@sle12: CCE-83028-1
+ cce@rhel8: CCE-84037-1
references:
stigid@ol7: OL07-00-010430
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index b73743ebcb..d41cc0cca4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80523-4
cce@sle12: CCE-83099-2
+ cce@rhel8: CCE-84039-7
references:
stigid@ol7: OL07-00-020730
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index b70bfc171a..143920449b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -25,6 +25,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80524-2
cce@sle12: CCE-83098-4
+ cce@rhel8: CCE-84040-5
references:
stigid@ol7: OL07-00-020720
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index a0e6277ec6..a4cf5c2b2d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80528-3
cce@sle12: CCE-83075-2
+ cce@rhel8: CCE-84036-3
references:
stigid@ol7: OL07-00-020600
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 411a46dd00..ef6280203f 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80525-9
cce@sle12: CCE-83097-6
+ cce@rhel8: CCE-84043-9
references:
stigid@ol7: OL07-00-020710
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 62d603cfbb..561f9f1394 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80530-9
cce@sle12: CCE-83076-0
+ cce@rhel8: CCE-84038-9
references:
stigid@ol7: OL07-00-020630
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index 7629fcb3e4..f3648011c5 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80536-6
+ cce@rhel8: CCE-84044-7
references:
stigid@ol7: OL07-00-021040
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 09618d986d..b9ff8233bb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -16,6 +16,7 @@ severity: unknown
identifiers:
cce@rhcos4: CCE-82692-5
+ cce@rhel8: CCE-84048-8
references:
nist: CM-6(a),AC-6(1),AU-9
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index 442b693951..d3646de8ff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80646-3
cce@rhcos4: CCE-82679-2
+ cce@rhel8: CCE-84046-2
references:
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index 01a5c5201d..d92afe34e8 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhcos4: CCE-82676-8
cce@sle12: CCE-83032-3
+ cce@rhel8: CCE-84045-4
references:
nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index 2f37c5b0e4..f1a742a810 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel7: CCE-80537-4
cce@rhcos4: CCE-82681-8
cce@sle12: CCE-83026-5
+ cce@rhel8: CCE-84047-0
references:
stigid@ol7: OL07-00-030330
diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
index a9c6550b47..8450e29bf7 100644
--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
+++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
@@ -26,6 +26,7 @@ severity: low
identifiers:
cce@rhel7: CCE-80438-5
+ cce@rhel8: CCE-84049-6
references:
stigid@ol7: OL07-00-040600
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
index fae18baff6..d89bc407c7 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
@@ -30,6 +30,7 @@ severity: high
identifiers:
cce@rhel7: CCE-80124-1
+ cce@rhel8: CCE-84028-0
references:
stigid@ol7: OL07-00-020231
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 0807f512fb..8753e4aeef 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -23,6 +23,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode
identifiers:
cce@rhel7: CCE-80658-8
+ cce@rhel8: CCE-84027-2
references:
disa: CCI-000068,CCI-000803,CCI-002450
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 03ce772734..66cc5007be 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -24,12 +24,16 @@ description: |-
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
selections:
+ # variables
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=077
- - var_password_pam_difok=4
+ - var_password_pam_difok=8
- var_password_pam_maxrepeat=3
+ - var_sshd_disable_compression=no
- var_password_pam_maxclassrepeat=4
+ - var_password_pam_minclass=4
+ - var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
@@ -41,6 +45,8 @@ selections:
- var_password_pam_dcredit=1
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+ - var_password_pam_minlen=15
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
@@ -48,8 +54,18 @@ selections:
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
- var_accounts_fail_delay=4
+ - var_account_disable_post_pw_expiration=35
+ - var_auditd_action_mail_acct=root
+ - var_time_service_set_maxpoll=18_hours
+ - var_password_hashing_algorithm=SHA512
+ - var_accounts_maximum_age_login_defs=60
+ - var_auditd_space_left=250MB
+ - var_auditd_space_left_action=email
+ - var_auditd_disk_error_action=halt
+ - var_auditd_max_log_file_action=syslog
+ - var_auditd_disk_full_action=halt
-
+ # rules
- installed_OS_is_vendor_supported
- security_patches_up_to_date
- enable_fips_mode
From e9d4aa6be77d6da201a748652effcf150cfaf18e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 29 Jan 2021 13:52:43 +0100
Subject: [PATCH 03/21] Update RHEL8 STIG profile stability data.
---
.../data/profile_stability/rhel8/stig.profile | 207 +++++++++++-------
1 file changed, 122 insertions(+), 85 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6676ca497c..9089f7ef4f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -25,92 +25,110 @@ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-s
selections:
- account_disable_post_pw_expiration
- account_temp_expire_date
+- accounts_have_homedir_login_defs
+- accounts_logon_fail_delay
- accounts_max_concurrent_login_sessions
+- accounts_maximum_age_login_defs
+- accounts_minimum_age_login_defs
+- accounts_no_uid_except_zero
- accounts_password_minlen_login_defs
- accounts_password_pam_dcredit
- accounts_password_pam_difok
-- accounts_password_pam_enforce_local
-- accounts_password_pam_enforce_root
- accounts_password_pam_lcredit
- accounts_password_pam_maxclassrepeat
- accounts_password_pam_maxrepeat
+- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_ocredit
+- accounts_password_pam_retry
- accounts_password_pam_ucredit
- accounts_password_pam_unix_remember
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_passwords_pam_faillock_deny
+- accounts_passwords_pam_faillock_deny_root
- accounts_passwords_pam_faillock_interval
- accounts_passwords_pam_faillock_unlock_time
- accounts_umask_etc_bashrc
-- accounts_umask_etc_csh_cshrc
-- accounts_umask_etc_profile
-- audit_access_failed
-- audit_access_success
-- audit_basic_configuration
-- audit_create_failed
-- audit_create_success
-- audit_delete_failed
-- audit_delete_success
+- accounts_umask_etc_login_defs
+- accounts_umask_interactive_users
+- accounts_user_dot_no_world_writable_programs
+- accounts_user_home_paths_only
+- accounts_user_interactive_home_directory_defined
+- accounts_user_interactive_home_directory_exists
+- aide_scan_notification
+- aide_verify_acls
+- aide_verify_ext_attributes
- audit_immutable_login_uids
-- audit_modify_failed
-- audit_modify_success
-- audit_module_load
-- audit_ospp_general
-- audit_owner_change_failed
-- audit_owner_change_success
-- audit_perm_change_failed
-- audit_perm_change_success
+- audit_rules_immutable
+- audit_rules_login_events_lastlog
+- audit_rules_sysadmin_actions
+- audit_rules_usergroup_modification_group
+- audit_rules_usergroup_modification_gshadow
+- audit_rules_usergroup_modification_opasswd
- audit_rules_usergroup_modification_passwd
-- auditd_audispd_syslog_plugin_activated
-- auditd_data_retention_flush
-- auditd_freq
+- audit_rules_usergroup_modification_shadow
+- auditd_data_disk_error_action
+- auditd_data_disk_full_action
+- auditd_data_retention_action_mail_acct
+- auditd_data_retention_max_log_file_action
+- auditd_data_retention_space_left
+- auditd_data_retention_space_left_action
- auditd_local_events
- auditd_log_format
- auditd_name_format
-- auditd_write_logs
- banner_etc_issue
- chronyd_client_only
- chronyd_no_chronyc_network
+- chronyd_or_ntpd_set_maxpoll
- clean_components_post_updating
- configure_bashrc_exec_tmux
-- configure_bind_crypto_policy
-- configure_crypto_policy
-- configure_kerberos_crypto_policy
-- configure_libreswan_crypto_policy
-- configure_openssl_crypto_policy
-- configure_ssh_crypto_policy
+- configure_firewalld_ports
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
- coredump_disable_backtraces
- coredump_disable_storage
-- dconf_db_up_to_date
- dconf_gnome_banner_enabled
+- dconf_gnome_disable_ctrlaltdel_reboot
- dconf_gnome_login_banner_text
+- dconf_gnome_screensaver_idle_delay
+- dconf_gnome_screensaver_lock_enabled
+- dir_perms_world_writable_root_owned
+- dir_perms_world_writable_sticky_bits
+- directory_permissions_var_log_audit
- disable_ctrlaltdel_burstaction
- disable_ctrlaltdel_reboot
-- disable_host_auth
- disable_users_coredumps
-- dnf-automatic_apply_updates
-- dnf-automatic_security_updates_only
-- enable_dracut_fips_module
+- display_login_attempts
- enable_fips_mode
- encrypt_partitions
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
-- ensure_gpgcheck_never_disabled
-- ensure_redhat_gpgkey_installed
+- file_groupownership_home_directories
+- file_ownership_binary_dirs
+- file_ownership_library_dirs
+- file_ownership_var_log_audit
+- file_permission_user_init_files
+- file_permissions_binary_dirs
+- file_permissions_home_directories
+- file_permissions_library_dirs
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
+- file_permissions_ungroupowned
+- file_permissions_var_log_audit
+- gnome_gdm_disable_automatic_login
+- grub2_admin_username
- grub2_audit_argument
- grub2_audit_backlog_limit_argument
-- grub2_disable_interactive_boot
-- grub2_kernel_trust_cpu_rng
- grub2_page_poison_argument
+- grub2_password
- grub2_pti_argument
- grub2_slub_debug_argument
+- grub2_uefi_admin_username
- grub2_uefi_password
- grub2_vsyscall_argument
+- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
- kernel_module_atm_disabled
@@ -120,14 +138,19 @@ selections:
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- kernel_module_tipc_disabled
-- mount_option_boot_nodev
+- kernel_module_usb-storage_disabled
- mount_option_boot_nosuid
- mount_option_dev_shm_nodev
- mount_option_dev_shm_noexec
- mount_option_dev_shm_nosuid
-- mount_option_home_nodev
- mount_option_home_nosuid
- mount_option_nodev_nonroot_local_partitions
+- mount_option_nodev_remote_filesystems
+- mount_option_nodev_removable_partitions
+- mount_option_noexec_remote_filesystems
+- mount_option_noexec_removable_partitions
+- mount_option_nosuid_remote_filesystems
+- mount_option_nosuid_removable_partitions
- mount_option_tmp_nodev
- mount_option_tmp_noexec
- mount_option_tmp_nosuid
@@ -137,13 +160,16 @@ selections:
- mount_option_var_log_nodev
- mount_option_var_log_noexec
- mount_option_var_log_nosuid
-- mount_option_var_nodev
- mount_option_var_tmp_nodev
- mount_option_var_tmp_noexec
- mount_option_var_tmp_nosuid
+- network_configure_name_resolution
+- network_sniffer_disabled
- no_empty_passwords
+- no_files_unowned_by_user
+- no_host_based_files
- no_tmux_in_shells
-- openssl_use_strong_entropy
+- no_user_host_based_files
- package_abrt-addon-ccpp_removed
- package_abrt-addon-kerneloops_removed
- package_abrt-addon-python_removed
@@ -153,66 +179,76 @@ selections:
- package_abrt-plugin-sosreport_removed
- package_abrt_removed
- package_aide_installed
-- package_audispd-plugins_installed
- package_audit_installed
-- package_chrony_installed
-- package_crypto-policies_installed
-- package_dnf-automatic_installed
-- package_dnf-plugin-subscription-manager_installed
- package_fapolicyd_installed
- package_firewalld_installed
-- package_gnutls-utils_installed
- package_gssproxy_removed
- package_iprutils_removed
- package_krb5-workstation_removed
-- package_libcap-ng-utils_installed
-- package_nfs-utils_removed
-- package_openscap-scanner_installed
-- package_openssh-clients_installed
+- package_opensc_installed
- package_openssh-server_installed
-- package_policycoreutils-python-utils_installed
- package_policycoreutils_installed
+- package_rsh-server_removed
- package_rsyslog-gnutls_installed
- package_rsyslog_installed
-- package_scap-security-guide_installed
- package_sendmail_removed
-- package_subscription-manager_installed
-- package_sudo_installed
+- package_telnet-server_removed
+- package_tftp-server_removed
- package_tmux_installed
+- package_tuned_removed
- package_usbguard_installed
+- package_vsftpd_removed
+- package_xorg-x11-server-common_removed
- partition_for_home
+- partition_for_tmp
- partition_for_var
- partition_for_var_log
- partition_for_var_log_audit
+- postfix_client_configure_mail_alias
+- postfix_prevent_unrestricted_relay
+- require_emergency_target_auth
- require_singleuser_auth
-- rsyslog_remote_tls
-- rsyslog_remote_tls_cacert
-- securetty_root_login_console_only
+- rsyslog_cron_logging
+- rsyslog_remote_loghost
+- security_patches_up_to_date
- selinux_policytype
- selinux_state
- service_auditd_enabled
+- service_autofs_disabled
- service_debug-shell_disabled
- service_fapolicyd_enabled
- service_firewalld_enabled
- service_kdump_disabled
+- service_rngd_enabled
+- service_rsyslog_enabled
+- service_sshd_enabled
- service_systemd-coredump_disabled
- service_usbguard_enabled
-- smartcard_configure_cert_checking
+- set_password_hashing_algorithm_logindefs
+- set_password_hashing_algorithm_systemauth
- ssh_client_rekey_limit
-- ssh_client_use_strong_rng_csh
-- ssh_client_use_strong_rng_sh
+- sshd_allow_only_protocol2
+- sshd_disable_compression
- sshd_disable_empty_passwords
- sshd_disable_gssapi_auth
- sshd_disable_kerb_auth
- sshd_disable_root_login
+- sshd_disable_user_known_hosts
+- sshd_disable_x11_forwarding
+- sshd_do_not_permit_user_env
- sshd_enable_strictmodes
- sshd_enable_warning_banner
+- sshd_print_last_log
- sshd_rekey_limit
- sshd_set_idle_timeout
- sshd_set_keepalive
- sshd_use_strong_rng
+- sshd_x11_use_localhost
- sssd_enable_smartcards
- sssd_offline_cred_expiration
+- sudo_remove_no_authenticate
+- sudo_remove_nopasswd
+- sysctl_crypto_fips_enabled
- sysctl_fs_protected_hardlinks
- sysctl_fs_protected_symlinks
- sysctl_kernel_core_pattern
@@ -220,25 +256,18 @@ selections:
- sysctl_kernel_kexec_load_disabled
- sysctl_kernel_kptr_restrict
- sysctl_kernel_perf_event_paranoid
+- sysctl_kernel_randomize_va_space
- sysctl_kernel_unprivileged_bpf_disabled
- sysctl_kernel_yama_ptrace_scope
-- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
-- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_all_rp_filter
-- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
-- sysctl_net_ipv4_conf_default_log_martians
-- sysctl_net_ipv4_conf_default_rp_filter
-- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- sysctl_net_ipv4_ip_forward
-- sysctl_net_ipv4_tcp_syncookies
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
@@ -246,36 +275,44 @@ selections:
- sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_user_max_user_namespaces
-- timer_dnf-automatic_enabled
-- usbguard_allow_hid_and_hub
-- use_pam_wheel_for_su
+- tftpd_uses_secure_mode
+- wireless_disable_interfaces
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
-- var_accounts_user_umask=027
-- var_password_pam_difok=4
+- var_accounts_user_umask=077
+- var_password_pam_difok=8
- var_password_pam_maxrepeat=3
+- var_sshd_disable_compression=no
- var_password_pam_maxclassrepeat=4
-- var_auditd_flush=incremental_async
+- var_password_pam_minclass=4
+- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_system_crypto_policy=fips_ospp
-- var_accounts_password_minlen_login_defs=12
-- var_password_pam_minlen=12
+- var_accounts_password_minlen_login_defs=15
+- var_password_pam_minlen=15
- var_password_pam_ocredit=1
- var_password_pam_dcredit=1
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
-- sshd_idle_timeout_value=14_minutes
+- var_password_pam_retry=3
+- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
-- login_banner_text=dod_banners
-- grub2_vsyscall_argument.role=unscored
-- grub2_vsyscall_argument.severity=info
-- sysctl_user_max_user_namespaces.role=unscored
-- sysctl_user_max_user_namespaces.severity=info
-title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+- var_accounts_fail_delay=4
+- var_account_disable_post_pw_expiration=35
+- var_auditd_action_mail_acct=root
+- var_time_service_set_maxpoll=18_hours
+- var_password_hashing_algorithm=SHA512
+- var_accounts_maximum_age_login_defs=60
+- var_auditd_space_left=250MB
+- var_auditd_space_left_action=email
+- var_auditd_disk_error_action=halt
+- var_auditd_max_log_file_action=syslog
+- var_auditd_disk_full_action=halt
+title: DISA STIG for Red Hat Enterprise Linux 8
From 443d09de1487b35d4fc8bbc146ddd74a4412f7f4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 2 Feb 2021 13:42:40 +0100
Subject: [PATCH 04/21] Set openssl-pkcs11 as default package for
install_smartcard_packages.
---
.../install_smartcard_packages/rule.yml | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index 4b8a9c29f5..d64240dce2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -7,7 +7,11 @@ title: 'Install Smart Card Packages For Multifactor Authentication'
description: |-
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
+ {{%- if product in ["rhel7", "ol7"] %}}
{{{ describe_package_install(package="pam_pkcs11") }}}
+ {{%- else %}}
+ {{{ describe_package_install(package="openssl-pkcs11") }}}
+ {{%- endif %}}
rationale: |-
Using an authentication device, such as a CAC or token that is separate from
@@ -37,9 +41,15 @@ references:
ocil_clause: 'smartcard software is not installed'
+{{%- if product in ["rhel7", "ol7"] %}}
ocil: '{{{ ocil_package(package="pam_pkcs11") }}}'
+{{%- else %}}
+ocil: '{{{ ocil_package(package="openssl-pkcs11") }}}'
+{{%- endif %}}
template:
name: package_installed
vars:
- pkgname: pam_pkcs11
+ pkgname: openssl-pkcs11
+ pkgname@rhel7: pam_pkcs11
+ pkgname@ol7: pam_pkcs11
From 628065d65e0ab363dcdbb513f17a28ae839cefb5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 4 Feb 2021 19:09:44 +0100
Subject: [PATCH 05/21] Remove conflicting rules from RHEL8 STIG profile.
---
rhel8/profiles/stig.profile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 66cc5007be..24eb0f9e21 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -223,7 +223,7 @@ selections:
- package_abrt-plugin-rhtsupport_removed
- package_abrt-plugin-sosreport_removed
- package_sendmail_removed
- - package_gssproxy_removed
+ # - package_gssproxy_removed
- grub2_pti_argument
- package_rsh-server_removed
- kernel_module_atm_disabled
@@ -286,7 +286,7 @@ selections:
- postfix_prevent_unrestricted_relay
- aide_verify_ext_attributes
- aide_verify_acls
- - package_xorg-x11-server-common_removed
+ # - package_xorg-x11-server-common_removed
- sshd_disable_x11_forwarding
- sshd_x11_use_localhost
- tftpd_uses_secure_mode
From 917744300baa99686955239f6e73b193a7c1e2b9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 8 Feb 2021 15:47:09 +0100
Subject: [PATCH 06/21] Remove duplicate rule gssproxy package removed from
STIG.
---
rhel8/profiles/stig.profile | 1 -
tests/data/profile_stability/rhel8/stig.profile | 2 --
2 files changed, 3 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 24eb0f9e21..34f9f79461 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -291,7 +291,6 @@ selections:
- sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_vsftpd_removed
- - package_gssproxy_removed
- package_iprutils_removed
- package_tuned_removed
- require_emergency_target_auth
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 9089f7ef4f..bc5153fa99 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -182,7 +182,6 @@ selections:
- package_audit_installed
- package_fapolicyd_installed
- package_firewalld_installed
-- package_gssproxy_removed
- package_iprutils_removed
- package_krb5-workstation_removed
- package_opensc_installed
@@ -198,7 +197,6 @@ selections:
- package_tuned_removed
- package_usbguard_installed
- package_vsftpd_removed
-- package_xorg-x11-server-common_removed
- partition_for_home
- partition_for_tmp
- partition_for_var
From 9455a5059b09de9bb9d4f5faeca7896246bc2e0e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 8 Feb 2021 17:54:07 +0100
Subject: [PATCH 07/21] Remove one file based audit rule from RHEL8 STIG
profile.
---
rhel8/profiles/stig.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 34f9f79461..a5f8f54de1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -195,7 +195,7 @@ selections:
- file_permissions_var_log_audit
- directory_permissions_var_log_audit
- audit_rules_immutable
- - audit_immutable_login_uids
+ # - audit_immutable_login_uids
- audit_rules_usergroup_modification_shadow
- audit_rules_usergroup_modification_opasswd
- audit_rules_usergroup_modification_passwd
From 987b198504bd45e40a3c4e090ebf36e69f18d43c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 8 Feb 2021 17:54:26 +0100
Subject: [PATCH 08/21] Increase size of /var partition in RHEL8 STIG
kickstart.
Set mount options nosuid, nodev and noexec to /boot partition.
---
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
index 28f7ff0927..3e8be668bd 100644
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -100,7 +100,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
From 446e9b79aa6cc40ab42c95292914835fa18d0b69 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 9 Feb 2021 14:33:30 +0100
Subject: [PATCH 09/21] Add package_rng-tools_installed because it is
dependency of rngd service.
---
rhel8/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index a5f8f54de1..91ce77b4de 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -110,6 +110,7 @@ selections:
- no_host_based_files
- no_user_host_based_files
- service_rngd_enabled
+ - package_rng-tools_installed
- file_permissions_sshd_pub_key
- file_permissions_sshd_private_key
- sshd_enable_strictmodes
From d61652ed418bb4d6b07a88f1bee1bda15196e23e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 9 Feb 2021 14:35:53 +0100
Subject: [PATCH 10/21] Remove draft verbiage from description in RHEL8 STIG
profile.
---
rhel8/profiles/stig.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 91ce77b4de..017e72ee2d 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
description: |-
This profile contains configuration checks that align to the
- [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.
+ DISA STIG for Red Hat Enterprise Linux 8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
configuration baseline as applicable to the operating system tier of
From 9fa00acb2c1b551c26418ce2ff606a579e7fe192 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 10 Feb 2021 12:24:05 +0100
Subject: [PATCH 11/21] Update RHEL8 STIG profile stability data.
---
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index bc5153fa99..668c258306 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,6 +1,6 @@
description: 'This profile contains configuration checks that align to the
- [DRAFT] DISA STIG for Red Hat Enterprise Linux 8.
+ DISA STIG for Red Hat Enterprise Linux 8.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -59,7 +59,6 @@ selections:
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
-- audit_immutable_login_uids
- audit_rules_immutable
- audit_rules_login_events_lastlog
- audit_rules_sysadmin_actions
@@ -187,6 +186,7 @@ selections:
- package_opensc_installed
- package_openssh-server_installed
- package_policycoreutils_installed
+- package_rng-tools_installed
- package_rsh-server_removed
- package_rsyslog-gnutls_installed
- package_rsyslog_installed
From 91a77ac9fce7ba96ba80d2d33efa0b82c5329807 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 10 Feb 2021 12:47:45 +0100
Subject: [PATCH 12/21] Fix duplicated CCE.
---
.../auditd_data_retention_space_left/rule.yml | 2 +-
shared/references/cce-redhat-avail.txt | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index f1a742a810..7d84595498 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -23,7 +23,7 @@ identifiers:
cce@rhel7: CCE-80537-4
cce@rhcos4: CCE-82681-8
cce@sle12: CCE-83026-5
- cce@rhel8: CCE-84047-0
+ cce@rhel8: CCE-83619-7
references:
stigid@ol7: OL07-00-030330
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 15bf569a4a..9a5b9703af 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -124,7 +124,6 @@ CCE-83615-5
CCE-83616-3
CCE-83617-1
CCE-83618-9
-CCE-83619-7
CCE-83620-5
CCE-83621-3
CCE-83622-1
From ba53084a041ae151d50f237c58efd136be89012c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Feb 2021 12:47:56 +0100
Subject: [PATCH 13/21] Add bootloader password to RHEL8 STIG kickstart
example.
---
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
index 3e8be668bd..0ec942bb8b 100644
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -83,10 +83,11 @@ selinux --enforcing
timezone --utc America/New_York
# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
From 8c7bea0728745c6a25502d26fbb30053b7888261 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Feb 2021 12:49:02 +0100
Subject: [PATCH 14/21] Update RHEL8 STIG profile with FIPS rules.
---
rhel8/profiles/stig.profile | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 017e72ee2d..201a5c6ca6 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -38,7 +38,6 @@ selections:
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - var_system_crypto_policy=fips_ospp
- var_accounts_password_minlen_login_defs=15
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
@@ -65,10 +64,21 @@ selections:
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
+ ### Enable / Configure FIPS
+ - enable_fips_mode
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ - configure_bind_crypto_policy
+ - configure_openssl_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_kerberos_crypto_policy
+ - enable_dracut_fips_module
+
# rules
- installed_OS_is_vendor_supported
- security_patches_up_to_date
- - enable_fips_mode
+
- sysctl_crypto_fips_enabled
- encrypt_partitions
- sshd_enable_warning_banner
@@ -211,6 +221,7 @@ selections:
- rsyslog_remote_loghost
- auditd_data_retention_space_left
- auditd_data_retention_space_left_action
+ # remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
- chronyd_client_only
- chronyd_no_chronyc_network
@@ -284,6 +295,7 @@ selections:
- sysctl_kernel_kptr_restrict
- sysctl_user_max_user_namespaces
- sysctl_net_ipv4_conf_all_rp_filter
+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- postfix_prevent_unrestricted_relay
- aide_verify_ext_attributes
- aide_verify_acls
From 6735cc0b910e75a1909d774efbf033781c6ad424 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Feb 2021 13:29:33 +0100
Subject: [PATCH 15/21] Update RHEL8 STIG profile stability test data.
---
tests/data/profile_stability/rhel8/stig.profile | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 668c258306..f120201c91 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -82,7 +82,13 @@ selections:
- chronyd_or_ntpd_set_maxpoll
- clean_components_post_updating
- configure_bashrc_exec_tmux
+- configure_bind_crypto_policy
+- configure_crypto_policy
- configure_firewalld_ports
+- configure_kerberos_crypto_policy
+- configure_libreswan_crypto_policy
+- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
@@ -100,6 +106,7 @@ selections:
- disable_ctrlaltdel_reboot
- disable_users_coredumps
- display_login_attempts
+- enable_dracut_fips_module
- enable_fips_mode
- encrypt_partitions
- ensure_gpgcheck_globally_activated
@@ -288,7 +295,6 @@ selections:
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
-- var_system_crypto_policy=fips_ospp
- var_accounts_password_minlen_login_defs=15
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
@@ -313,4 +319,5 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
+- var_system_crypto_policy=fips
title: DISA STIG for Red Hat Enterprise Linux 8
From b8068d4c2edfb90b4ec75f9d1bb83af78dbb468e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Feb 2021 17:40:40 +0100
Subject: [PATCH 16/21] Remove postfix_prevent_unrestricted_relay from RHEL8
STIG profile.
The check doesn't consider if the package postfix is installed or not,
which in this case is a hard requirement.
---
rhel8/profiles/stig.profile | 3 ++-
tests/data/profile_stability/rhel8/stig.profile | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 201a5c6ca6..7aea226c95 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -296,7 +296,8 @@ selections:
- sysctl_user_max_user_namespaces
- sysctl_net_ipv4_conf_all_rp_filter
# /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
- - postfix_prevent_unrestricted_relay
+ # there needs to be a new platform check to identify when postfix is installed or not
+ # - postfix_prevent_unrestricted_relay
- aide_verify_ext_attributes
- aide_verify_acls
# - package_xorg-x11-server-common_removed
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index f120201c91..2c574382a8 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -210,7 +210,6 @@ selections:
- partition_for_var_log
- partition_for_var_log_audit
- postfix_client_configure_mail_alias
-- postfix_prevent_unrestricted_relay
- require_emergency_target_auth
- require_singleuser_auth
- rsyslog_cron_logging
From ee253e573e7b571e593666dfe12a5ac0fb240bf5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Feb 2021 17:58:43 +0100
Subject: [PATCH 17/21] Disable audit rules from RHEL8 STIG profile
temporarily.
Audit rules should be evaluated first implemented using new approach.
---
rhel8/profiles/stig.profile | 16 ++++++++--------
tests/data/profile_stability/rhel8/stig.profile | 7 -------
2 files changed, 8 insertions(+), 15 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 7aea226c95..0aa6f28986 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -205,14 +205,14 @@ selections:
- auditd_log_format
- file_permissions_var_log_audit
- directory_permissions_var_log_audit
- - audit_rules_immutable
+ # - audit_rules_immutable
# - audit_immutable_login_uids
- - audit_rules_usergroup_modification_shadow
- - audit_rules_usergroup_modification_opasswd
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_group
- - audit_rules_login_events_lastlog
+ # - audit_rules_usergroup_modification_shadow
+ # - audit_rules_usergroup_modification_opasswd
+ # - audit_rules_usergroup_modification_passwd
+ # - audit_rules_usergroup_modification_gshadow
+ # - audit_rules_usergroup_modification_group
+ # - audit_rules_login_events_lastlog
- grub2_audit_argument
- grub2_audit_backlog_limit_argument
- configure_usbguard_auditbackend
@@ -326,7 +326,7 @@ selections:
- no_empty_passwords
- sshd_disable_empty_passwords
- file_ownership_var_log_audit
- - audit_rules_sysadmin_actions
+ # - audit_rules_sysadmin_actions
- package_audit_installed
- service_auditd_enabled
- sshd_allow_only_protocol2
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2c574382a8..58fc365707 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -60,13 +60,6 @@ selections:
- aide_verify_acls
- aide_verify_ext_attributes
- audit_rules_immutable
-- audit_rules_login_events_lastlog
-- audit_rules_sysadmin_actions
-- audit_rules_usergroup_modification_group
-- audit_rules_usergroup_modification_gshadow
-- audit_rules_usergroup_modification_opasswd
-- audit_rules_usergroup_modification_passwd
-- audit_rules_usergroup_modification_shadow
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
From 99cf1438cf9ac71af398b34247aec389b3163d7c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 12 Feb 2021 09:57:35 +0100
Subject: [PATCH 18/21] Add missing SRG mapping for RHEL8 STIG profile rules.
---
.../postfix_client_configure_mail_alias/rule.yml | 1 +
.../mount_option_nodev_remote_filesystems/rule.yml | 1 +
.../directory_permissions_var_log_audit/rule.yml | 1 +
.../auditd_data_disk_error_action/rule.yml | 1 +
.../auditd_data_disk_full_action/rule.yml | 1 +
.../auditd_data_retention_max_log_file_action/rule.yml | 1 +
.../guide/system/logging/service_rsyslog_enabled/rule.yml | 1 +
.../files/dir_perms_world_writable_root_owned/rule.yml | 1 +
.../files/dir_perms_world_writable_sticky_bits/rule.yml | 4 +++-
.../file_ownership_binary_dirs/rule.yml | 1 +
.../file_ownership_library_dirs/rule.yml | 1 +
.../file_permissions_binary_dirs/rule.yml | 1 +
.../file_permissions_library_dirs/rule.yml | 1 +
.../mount_option_nodev_removable_partitions/rule.yml | 1 +
.../mount_option_noexec_removable_partitions/rule.yml | 1 +
.../integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 +
16 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 96601ebb87..ea30438a5f 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -32,6 +32,7 @@ references:
nist@sle12: AU-5(a),AU-5.1(ii)
anssi: BP28(R49)
stigid@rhel8: RHEL-08-030030
+ srg: SRG-OS-000046-GPOS-00022
ocil_clause: 'it is not'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index 9374bdc065..66f4558923 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -25,6 +25,7 @@ references:
iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
cis-csc: 11,13,14,3,8,9
stigid@rhel8: RHEL-08-010640
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index b9ff8233bb..64c7927021 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -27,6 +27,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
stigid@rhel8: RHEL-08-030120
+ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
ocil_clause: 'any are more permissive'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index d3646de8ff..8e6836ae2f 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -35,6 +35,7 @@ references:
iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
stigid@rhel8: RHEL-08-030040
+ srg: SRG-OS-000047-GPOS-00023
ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index d92afe34e8..6b7dddb0ee 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -42,6 +42,7 @@ references:
disa@sle12: CCI-000140
nist@sle12: AU-5(b),AU-5.1(iv)
stigid@rhel8: RHEL-08-030060
+ srg: SRG-OS-000047-GPOS-00023
ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
index 6a32a85fe5..07c21ca5ab 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
@@ -45,6 +45,7 @@ references:
cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
stigid@rhel8: RHEL-08-030050
+ srg: SRG-OS-000047-GPOS-00023
ocil_clause: 'the system has not been properly configured to rotate audit logs'
diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
index 3ef70473de..a87d19fc10 100644
--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
@@ -30,6 +30,7 @@ references:
cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
cis@ubuntu2004: 4.2.1.2
stigid@rhel8: RHEL-08-010561
+ srg: SRG-OS-000480-GPOS-00227
ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
index 90011f5f92..02e9ce0100 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
anssi: BP28(R40)
stigid@rhel8: RHEL-08-010700
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 5bb3cf3713..3c9e31b97e 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -47,7 +47,9 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@sle15: 1.1.22
- stigid@sle12: SLES-12-010460
+ stigid@sle12: SLES-12-010460
+ stigid@rhel8: RHEL-08-010190
+ srg: SRG-OS-000138-GPOS-00069
ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index fa53de9041..36943519fa 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@rhel8: RHEL-08-010310
+ srg: SRG-OS-000259-GPOS-00100
ocil_clause: 'any system executables are found to not be owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index e40b5f47d8..c39997169b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -38,6 +38,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@rhel8: RHEL-08-010340
+ srg: SRG-OS-000259-GPOS-00100
ocil_clause: 'any of these files are not owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 3ec56361dc..efe4a723d7 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@rhel8: RHEL-08-010300
+ srg: SRG-OS-000259-GPOS-00100
ocil_clause: 'any system executables are found to be group or world writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 83add611b9..e3a067e0b8 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -38,6 +38,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
stigid@rhel8: RHEL-08-010330
+ srg: SRG-OS-000259-GPOS-00100
ocil_clause: 'any of these files are group-writable or world-writable'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index 602ce2da35..5912fb9d8c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -37,6 +37,7 @@ references:
cis-csc: 11,12,13,14,16,3,8,9
cis@sle15: 1.1.19
stigid@rhel8: RHEL-08-010600
+ srg: SRG-OS-000480-GPOS-00227
platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 4d2bd0eceb..6e17c9f514 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -35,6 +35,7 @@ references:
cis-csc: 11,12,13,14,16,3,8,9
cis@sle15: 1.1.20
stigid@rhel8: RHEL-08-010610
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'removable media partitions are present'
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 8753e4aeef..129df45d54 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -30,6 +30,7 @@ references:
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
stigid@rhel8: RHEL-08-010020
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223
ocil_clause: 'crypto.fips_enabled is not 1'
From 76f5b95600228ff64a8730155256e045124d0f58 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 12 Feb 2021 13:58:12 +0100
Subject: [PATCH 19/21] Update RHEL8 STIG profile stability test data.
---
tests/data/profile_stability/rhel8/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 58fc365707..55b645b67b 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -59,7 +59,6 @@ selections:
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
-- audit_rules_immutable
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
From e0765fb6c96510ac015388b94e82938370792e12 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 12 Feb 2021 14:22:48 +0100
Subject: [PATCH 20/21] Fix RHEL8 STIG ID references.
---
apple_os/auditing/service_auditd_enabled/rule.yml | 1 -
.../services/fapolicyd/package_fapolicyd_installed/rule.yml | 1 -
.../services/ssh/package_openssh-server_installed/rule.yml | 1 -
.../services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml | 1 -
.../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 -
.../guide/services/usbguard/package_usbguard_installed/rule.yml | 1 -
.../gui_login_banner/dconf_gnome_banner_enabled/rule.yml | 1 -
.../accounts_passwords_pam_faillock_deny_root/rule.yml | 1 -
.../accounts-physical/require_emergency_target_auth/rule.yml | 1 -
.../console_screen_locking/package_tmux_installed/rule.yml | 1 -
.../auditd_data_retention_space_left_action/rule.yml | 2 --
linux_os/guide/system/auditing/package_audit_installed/rule.yml | 1 -
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 1 -
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 1 -
.../firewalld_activation/package_firewalld_installed/rule.yml | 1 -
.../sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml | 1 -
.../sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml | 1 -
.../sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml | 1 -
.../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 1 -
.../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 1 -
.../sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml | 1 -
.../sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml | 1 -
.../sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml | 1 -
.../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 1 -
.../software/disk_partitioning/partition_for_var_log/rule.yml | 1 -
.../disk_partitioning/partition_for_var_log_audit/rule.yml | 2 --
.../software/disk_partitioning/partition_for_var_tmp/rule.yml | 1 -
.../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 -
.../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 1 -
.../software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 -
.../software-integrity/aide/package_aide_installed/rule.yml | 1 -
.../system-tools/package_abrt-addon-ccpp_removed/rule.yml | 1 -
.../system-tools/package_abrt-addon-kerneloops_removed/rule.yml | 1 -
.../system-tools/package_abrt-addon-python_removed/rule.yml | 1 -
.../software/system-tools/package_abrt-cli_removed/rule.yml | 1 -
.../system-tools/package_abrt-plugin-logger_removed/rule.yml | 1 -
.../package_abrt-plugin-rhtsupport_removed/rule.yml | 1 -
.../system-tools/package_abrt-plugin-sosreport_removed/rule.yml | 1 -
38 files changed, 40 deletions(-)
diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml
index 0c34cae438..bbb5132b5f 100644
--- a/apple_os/auditing/service_auditd_enabled/rule.yml
+++ b/apple_os/auditing/service_auditd_enabled/rule.yml
@@ -35,7 +35,6 @@ references:
nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1)
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146
stigid: AOSX-14-001013
- stigid@rhel8: RHEL-08-010560
ocil_clause: 'auditing is not enabled or running'
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
index a35cb48f83..5869cac7ab 100644
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -20,7 +20,6 @@ identifiers:
references:
nist: CM-6(a),SI-4(22)
srg: SRG-OS-000370-GPOS-00155
- stigid@rhel8: RHEL-08-040135
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 4fda79df25..84882d52b3 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -31,7 +31,6 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 13,14
ospp: FIA_UAU.5,FTP_ITC_EXT.1
- stigid@rhel8: RHEL-08-040160
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index 50eb7a28cb..1f1380127c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -37,7 +37,6 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,3,9
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-010521
ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index 8987c9b9ed..c43fce001a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -47,7 +47,6 @@ references:
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
- stigid@rhel8: RHEL-08-010200
requires:
- sshd_set_idle_timeout
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index 6806e0861d..f23176d83e 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -22,7 +22,6 @@ identifiers:
references:
srg: SRG-OS-000378-GPOS-00163
ism: "1418"
- stigid@rhel8: RHEL-08-040140
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
index c364bdb9e1..47c4edad90 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
@@ -49,7 +49,6 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
- stigid@rhel8: RHEL-08-010050
ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 4b7ee01946..fb7a2d37ae 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -44,7 +44,6 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-020010
stigid@rhel8: RHEL-08-020022
ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 2e902739ae..f9959f0720 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -42,7 +42,6 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-010151
ocil_clause: 'the output is different'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index d57802a37e..c900612b1b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -40,7 +40,6 @@ references:
cobit5: DSS05.04,DSS05.10,DSS06.10
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
- stigid@rhel8: RHEL-08-020040
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
index 1009699e77..bdc86cf35b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
@@ -51,8 +51,6 @@ references:
isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
- stigid@rhel8: RHEL-08-030730
- stigid@rhel8: RHEL-08-030730
ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low'
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
index 577176ff00..2fc431c1ae 100644
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -26,7 +26,6 @@ references:
srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
- stigid@rhel8: service_auditd_enabled
template:
name: package_installed
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 0690cfbcda..4b04936ee2 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -49,7 +49,6 @@ references:
iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,14,15,16,18,3,5
anssi: BP28(R17)
- stigid@rhel8: RHEL-08-010150
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 08e1da4369..ea5c80f163 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -56,7 +56,6 @@ references:
iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,14,15,16,18,3,5
anssi: BP28(R17)
- stigid@rhel8: RHEL-08-010140
ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index e82f50f9a0..7aea04c670 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -20,7 +20,6 @@ references:
nist: CM-6(a)
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116
cis@rhel8: 3.4.1.1
- stigid@rhel8: RHEL-08-040100
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index 04fa55f524..5b5bfc9633 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index 304c549b0b..d75989fca1 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index d3b8347573..09d263cf00 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index ae67ab248d..9253f7235a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -28,7 +28,6 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel8: RHEL-08-040280
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index ac9218fe34..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -40,7 +40,6 @@ references:
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,4,6,8,9
- stigid@rhel8: RHEL-08-040240
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index eca95f75b5..5cf98305c7 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index f030cd9221..d7dad19f3a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index 43c901e3a4..b6ee061057 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -16,7 +16,6 @@ identifiers:
references:
anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index fdd8572cf5..970db38b33 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -28,7 +28,6 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel8: RHEL-08-040210
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index b90f93deee..77ea8196c1 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -33,7 +33,6 @@ references:
cis-csc: 1,12,14,15,16,3,5,6,8
srg: SRG-OS-000480-GPOS-00227
cis@sle: 1.1.12
- stigid@rhel8: RHEL-08-010540
stigid@rhel8: RHEL-08-010541
{{{ complete_ocil_entry_separate_partition(part="/var/log") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index 73b5cd50ed..3ff8be67b5 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -40,8 +40,6 @@ references:
cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01
cis-csc: 1,12,13,14,15,16,2,3,5,6,8
cis@sle15: 1.1.13
- stigid@rhel8: RHEL-08-010540
- stigid@rhel8: RHEL-08-010541
stigid@rhel8: RHEL-08-010542
{{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index fde3338f40..340af24c82 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -26,7 +26,6 @@ references:
cis@ubuntu1804: 1.1.6
anssi: BP28(R12)
cis@sle15: 1.1.8
- stigid@rhel8: RHEL-08-010540
{{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index d9eb1b8a61..fba676f0b9 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -48,7 +48,6 @@ references:
cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
cis-csc: 18,20,4
- stigid@rhel8: RHEL-08-010000
ocil_clause: 'the installed operating system is not supported'
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
index 5879bc2bdb..77c78d5705 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
@@ -47,7 +47,6 @@ references:
cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03
iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2
cis-csc: 12,15,8
- stigid@rhel8: RHEL-08-010020
ocil_clause: 'FIPS is not configured or enabled in grub'
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 129df45d54..b439a0305f 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -29,7 +29,6 @@ references:
disa: CCI-000068,CCI-000803,CCI-002450
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
- stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223
ocil_clause: 'crypto.fips_enabled is not 1'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 1667604386..abf13a274a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -33,7 +33,6 @@ references:
ism: 1034,1288,1341,1417
stigid@sle12: SLES-12-010500
disa@sle12: CCI-002699
- stigid@rhel8: RHEL-08-010360
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
index 5482cdf3af..ed2fc64d08 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
index 3b12bfb5b0..8bbf9ea53d 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
index 00b1a36714..9be8b08b0f 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-python") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
index 0412e8b82b..9aa7f11ada 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-cli") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
index 9d10076523..d970def693 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
index addb652e92..7f7787a19a 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
index 6647186cc7..6107659d94 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
@@ -18,7 +18,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}}
From 7724efd079c177adaa3ab70056b57f57b9424e9f Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 12 Feb 2021 16:26:49 +0100
Subject: [PATCH 21/21] Add severity according RHEL8 STIG for rules that had
unknown severity.
---
linux_os/guide/services/ntp/chronyd_client_only/rule.yml | 2 +-
linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml | 2 +-
.../account_expiration/account_temp_expire_date/rule.yml | 2 +-
.../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +-
.../directory_permissions_var_log_audit/rule.yml | 2 +-
.../sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 2 +-
.../sysctl_net_ipv6_conf_default_accept_ra/rule.yml | 2 +-
.../permissions/files/sysctl_fs_protected_hardlinks/rule.yml | 2 +-
.../permissions/files/sysctl_fs_protected_symlinks/rule.yml | 2 +-
.../mount_option_nodev_nonroot_local_partitions/rule.yml | 2 +-
.../mount_option_noexec_removable_partitions/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
.../restrictions/coredumps/coredump_disable_backtraces/rule.yml | 2 +-
.../restrictions/coredumps/coredump_disable_storage/rule.yml | 2 +-
.../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +-
.../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 +-
22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
index 071934387c..83d1ba0df1 100644
--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
@@ -13,7 +13,7 @@ rationale: |-
Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface.
-severity: unknown
+severity: low
platform: machine # The check uses service_... extended definition, which doesnt support offline mode
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
index cbc9cc670c..d6d776a9a3 100644
--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
@@ -13,7 +13,7 @@ rationale: |-
Not exposing the management interface of the chrony daemon on
the network diminishes the attack space.
-severity: unknown
+severity: low
platform: machine # The check uses service_... extended definition, which doesnt support offline mode
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index ced7a52a67..c3a2a13bed 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -25,7 +25,7 @@ rationale: |-
must be set upon account creation.
<br />
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81000-2
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 1c8219de70..e06ae36196 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80202-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 64c7927021..65dc7861ce 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -12,7 +12,7 @@ description: |-
rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.'
-severity: unknown
+severity: medium
identifiers:
cce@rhcos4: CCE-82692-5
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 8e7eabc336..0b38e2f414 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80180-3
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index dcf480ef63..167fb59f48 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.default.acc
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80181-1
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index 0aefe8ae50..9874bb19dc 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of <tt>open()</tt> or <tt>creat()</tt>.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81026-7
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index 86a9f8e2d9..655283997a 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
<tt>open()</tt> or <tt>creat()</tt>.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81029-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index f40daec6c8..f7c3502b00 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -25,7 +25,7 @@ ocil: |
ocil_clause: "some mounts appear among output lines"
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80145-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 6e17c9f514..d329ad2962 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80147-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index ed27226855..35173f9e61 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "nodev") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80149-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 77ae8a664f..4f831bdacb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "noexec") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80150-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index b7e171fb02..5bcbebdfda 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "nosuid") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80151-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 4e76e61bb2..136ba137a2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "nodev") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81052-3
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index f2b108d58d..8eb0eafc72 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "noexec") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-82150-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 11bfe2661d..90c578791c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "nosuid") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-82153-8
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
index 04b580e64e..79af205224 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -20,7 +20,7 @@ rationale: |-
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82251-0
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
index 3225785a8f..9fdb4d8fd1 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82252-8
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index c50a366512..991c92dd0a 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80169-6
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
index fd12fbbb50..125e764b3a 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems.
-severity: unknown
+severity: medium
platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index b82e0fcce3..60e5048462 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82215-5