From dc92e454b7c3e11b3545b86f1c78b26aeb3f82aa Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Thu, 28 Jan 2021 17:45:20 +0100 Subject: [PATCH 01/21] Add initial RHEL8 STIG V1R1 profile. --- .../auditing/service_auditd_enabled/rule.yml | 1 + .../base/package_abrt_removed/rule.yml | 1 + .../base/service_kdump_disabled/rule.yml | 1 + .../package_fapolicyd_installed/rule.yml | 1 + .../service_fapolicyd_enabled/rule.yml | 1 + .../package_vsftpd_removed/rule.yml | 1 + .../kerberos_disable_no_keytab/rule.yml | 1 + .../mail/package_sendmail_removed/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../services/ntp/chronyd_client_only/rule.yml | 1 + .../ntp/chronyd_no_chronyc_network/rule.yml | 1 + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 + .../r_services/no_host_based_files/rule.yml | 1 + .../no_user_host_based_files/rule.yml | 1 + .../package_rsh-server_removed/rule.yml | 1 + .../package_telnet-server_removed/rule.yml | 1 + .../tftp/package_tftp-server_removed/rule.yml | 1 + .../tftp/tftpd_uses_secure_mode/rule.yml | 1 + .../rng/service_rngd_enabled/rule.yml | 1 + .../rule.yml | 1 + .../file_permissions_sshd_pub_key/rule.yml | 1 + .../package_openssh-server_installed/rule.yml | 1 + .../ssh/service_sshd_enabled/rule.yml | 1 + .../sshd_allow_only_protocol2/rule.yml | 1 + .../sshd_disable_compression/rule.yml | 1 + .../sshd_disable_gssapi_auth/rule.yml | 1 + .../sshd_disable_kerb_auth/rule.yml | 1 + .../sshd_disable_root_login/rule.yml | 1 + .../sshd_disable_user_known_hosts/rule.yml | 1 + .../sshd_disable_x11_forwarding/rule.yml | 1 + .../sshd_do_not_permit_user_env/rule.yml | 1 + .../sshd_enable_strictmodes/rule.yml | 1 + .../sshd_enable_warning_banner/rule.yml | 1 + .../ssh_server/sshd_print_last_log/rule.yml | 1 + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 + .../ssh_server/sshd_set_idle_timeout/rule.yml | 1 + .../ssh_server/sshd_set_keepalive/rule.yml | 1 + .../sshd_x11_use_localhost/rule.yml | 3 +- .../sssd/sssd_enable_smartcards/rule.yml | 1 + 
.../sssd_offline_cred_expiration/rule.yml | 1 + .../configure_usbguard_auditbackend/rule.yml | 1 + .../package_usbguard_installed/rule.yml | 1 + .../service_usbguard_enabled/rule.yml | 1 + .../rule.yml | 1 + .../banner_etc_issue/rule.yml | 1 + .../dconf_gnome_banner_enabled/rule.yml | 1 + .../dconf_gnome_login_banner_text/rule.yml | 1 + .../display_login_attempts/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 2 + .../rule.yml | 1 + .../rule.yml | 1 + .../accounts_password_pam_dcredit/rule.yml | 1 + .../accounts_password_pam_difok/rule.yml | 1 + .../accounts_password_pam_lcredit/rule.yml | 1 + .../rule.yml | 1 + .../accounts_password_pam_maxrepeat/rule.yml | 1 + .../accounts_password_pam_minclass/rule.yml | 1 + .../accounts_password_pam_minlen/rule.yml | 1 + .../accounts_password_pam_ocredit/rule.yml | 1 + .../accounts_password_pam_retry/rule.yml | 1 + .../accounts_password_pam_ucredit/rule.yml | 1 + .../rule.yml | 1 + .../disable_ctrlaltdel_burstaction/rule.yml | 1 + .../disable_ctrlaltdel_reboot/rule.yml | 1 + .../require_emergency_target_auth/rule.yml | 1 + .../require_singleuser_auth/rule.yml | 1 + .../configure_bashrc_exec_tmux/rule.yml | 1 + .../configure_tmux_lock_after_time/rule.yml | 1 + .../configure_tmux_lock_command/rule.yml | 1 + .../no_tmux_in_shells/rule.yml | 1 + .../package_tmux_installed/rule.yml | 1 + .../install_smartcard_packages/rule.yml | 3 +- .../package_opensc_installed/rule.yml | 1 + .../service_debug-shell_disabled/rule.yml | 1 + .../rule.yml | 1 + .../account_temp_expire_date/rule.yml | 1 + .../accounts_maximum_age_login_defs/rule.yml | 1 + .../accounts_minimum_age_login_defs/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../no_empty_passwords/rule.yml | 1 + .../accounts_no_uid_except_zero/rule.yml | 1 + .../accounts_have_homedir_login_defs/rule.yml | 1 + .../accounts_logon_fail_delay/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../accounts_user_home_paths_only/rule.yml | 1 + 
.../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../file_permission_user_init_files/rule.yml | 1 + .../rule.yml | 1 + .../accounts_umask_etc_bashrc/rule.yml | 1 + .../accounts_umask_etc_login_defs/rule.yml | 1 + .../accounts_umask_interactive_users/rule.yml | 1 + .../audit_rules_login_events_lastlog/rule.yml | 1 + .../audit_rules_immutable/rule.yml | 1 + .../audit_rules_sysadmin_actions/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../file_ownership_var_log_audit/rule.yml | 1 + .../file_permissions_var_log_audit/rule.yml | 1 + .../auditd_data_disk_error_action/rule.yml | 1 + .../auditd_data_disk_full_action/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../auditd_data_retention_space_left/rule.yml | 1 + .../rule.yml | 2 + .../auditd_local_events/rule.yml | 1 + .../auditd_log_format/rule.yml | 1 + .../auditd_name_format/rule.yml | 1 + .../auditing/grub2_audit_argument/rule.yml | 1 + .../rule.yml | 1 + .../auditing/package_audit_installed/rule.yml | 1 + .../audit_immutable_login_uids/rule.yml | 1 + .../auditing/service_auditd_enabled/rule.yml | 1 + .../grub2_pti_argument/rule.yml | 1 + .../grub2_vsyscall_argument/rule.yml | 1 + .../non-uefi/grub2_admin_username/rule.yml | 1 + .../non-uefi/grub2_password/rule.yml | 1 + .../uefi/grub2_uefi_admin_username/rule.yml | 1 + .../uefi/grub2_uefi_password/rule.yml | 1 + .../rsyslog_cron_logging/rule.yml | 1 + .../package_rsyslog-gnutls_installed/rule.yml | 1 + .../package_rsyslog_installed/rule.yml | 1 + .../rsyslog_remote_loghost/rule.yml | 1 + .../logging/service_rsyslog_enabled/rule.yml | 1 + .../package_firewalld_installed/rule.yml | 1 + .../service_firewalld_enabled/rule.yml | 1 + .../configure_firewalld_ports/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml 
| 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../sysctl_net_ipv4_ip_forward/rule.yml | 1 + .../kernel_module_atm_disabled/rule.yml | 1 + .../kernel_module_can_disabled/rule.yml | 1 + .../rule.yml | 1 + .../kernel_module_sctp_disabled/rule.yml | 1 + .../kernel_module_tipc_disabled/rule.yml | 1 + .../kernel_module_bluetooth_disabled/rule.yml | 1 + .../wireless_disable_interfaces/rule.yml | 1 + .../rule.yml | 1 + .../network/network_sniffer_disabled/rule.yml | 1 + .../rule.yml | 1 + .../file_permissions_ungroupowned/rule.yml | 1 + .../files/no_files_unowned_by_user/rule.yml | 1 + .../file_ownership_binary_dirs/rule.yml | 1 + .../file_ownership_library_dirs/rule.yml | 1 + .../file_permissions_binary_dirs/rule.yml | 1 + .../file_permissions_library_dirs/rule.yml | 1 + .../sysctl_fs_protected_hardlinks/rule.yml | 1 + .../sysctl_fs_protected_symlinks/rule.yml | 1 + .../kernel_module_cramfs_disabled/rule.yml | 1 + .../rule.yml | 1 + .../mounting/service_autofs_disabled/rule.yml | 1 + .../mount_option_boot_nosuid/rule.yml | 1 + .../mount_option_dev_shm_nodev/rule.yml | 1 + .../mount_option_dev_shm_noexec/rule.yml | 1 + .../mount_option_dev_shm_nosuid/rule.yml | 1 + .../mount_option_home_nosuid/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../mount_option_tmp_nodev/rule.yml | 1 + .../mount_option_tmp_noexec/rule.yml | 1 + .../mount_option_tmp_nosuid/rule.yml | 1 + .../mount_option_var_log_audit_nodev/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../mount_option_var_log_nodev/rule.yml | 1 + .../mount_option_var_log_noexec/rule.yml | 1 + .../mount_option_var_log_nosuid/rule.yml | 1 + .../mount_option_var_tmp_nodev/rule.yml | 1 + .../mount_option_var_tmp_noexec/rule.yml | 1 + .../mount_option_var_tmp_nosuid/rule.yml | 1 + .../coredump_disable_backtraces/rule.yml | 1 + .../coredump_disable_storage/rule.yml | 1 + 
.../disable_users_coredumps/rule.yml | 1 + .../rule.yml | 1 + .../sysctl_kernel_kptr_restrict/rule.yml | 1 + .../sysctl_kernel_randomize_va_space/rule.yml | 1 + .../grub2_page_poison_argument/rule.yml | 1 + .../grub2_slub_debug_argument/rule.yml | 1 + .../sysctl_kernel_core_pattern/rule.yml | 1 + .../sysctl_kernel_dmesg_restrict/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + .../sysctl_user_max_user_namespaces/rule.yml | 1 + .../rule.yml | 1 + .../selinux/selinux_policytype/rule.yml | 1 + .../system/selinux/selinux_state/rule.yml | 1 + .../encrypt_partitions/rule.yml | 1 + .../partition_for_home/rule.yml | 1 + .../partition_for_tmp/rule.yml | 1 + .../partition_for_var/rule.yml | 1 + .../partition_for_var_log/rule.yml | 2 + .../partition_for_var_log_audit/rule.yml | 3 + .../partition_for_var_tmp/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../installed_OS_is_vendor_supported/rule.yml | 1 + .../crypto/ssh_client_rekey_limit/rule.yml | 1 + .../integrity/fips/enable_fips_mode/rule.yml | 1 + .../fips/grub2_enable_fips_mode/rule.yml | 1 + .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 + .../aide/aide_scan_notification/rule.yml | 1 + .../aide/aide_verify_acls/rule.yml | 1 + .../aide/aide_verify_ext_attributes/rule.yml | 1 + .../aide/package_aide_installed/rule.yml | 1 + .../accounts_authorized_local_users/rule.yml | 3 + .../sudo/sudo_remove_no_authenticate/rule.yml | 1 + .../sudo/sudo_remove_nopasswd/rule.yml | 1 + .../package_abrt-addon-ccpp_removed/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../package_abrt-cli_removed/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../package_gssproxy_removed/rule.yml | 3 +- .../package_iprutils_removed/rule.yml | 1 + .../package_krb5-workstation_removed/rule.yml | 1 + .../package_tuned_removed/rule.yml | 1 + .../clean_components_post_updating/rule.yml | 1 + .../rule.yml | 1 + 
.../ensure_gpgcheck_local_packages/rule.yml | 1 + .../security_patches_up_to_date/rule.yml | 1 + rhel8/profiles/stig.profile | 310 ++++++++++++++++-- 259 files changed, 543 insertions(+), 38 deletions(-)
diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml
index bbb5132b5f..0c34cae438 100644
--- a/apple_os/auditing/service_auditd_enabled/rule.yml
+++ b/apple_os/auditing/service_auditd_enabled/rule.yml
@@ -35,6 +35,7 @@ references:
 nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146
 stigid: AOSX-14-001013
+ stigid@rhel8: RHEL-08-010560
 ocil_clause: 'auditing is not enabled or running'
diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml
index 3cee145e25..03f8a5b6a0 100644
--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml
+++ b/linux_os/guide/services/base/package_abrt_removed/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 references:
 srg: SRG-OS-000095-GPOS-00049
+ stigid@rhel8: RHEL-08-040001
 {{{ complete_ocil_entry_package(package="abrt") }}}
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
index ff9d439b4f..8676710018 100644
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
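Review bot: The RHEL 8 STIG reference in the first hunk is attached to the Apple OS copy of the rule: `stigid@rhel8: RHEL-08-010560` is added under `apple_os/auditing/service_auditd_enabled/rule.yml`, right after the macOS reference `stigid: AOSX-14-001013`. The diffstat lists a second `.../auditing/service_auditd_enabled/rule.yml` entry whose hunk is not visible here, presumably the `linux_os` rule that a RHEL 8 profile would select; if so, the mapping belongs only there and this line should be dropped. A STIG ID recorded on a rule the product does not build would likely never surface in RHEL 8 scan output, yet it would still turn up when someone searches the tree for RHEL-08-010560 coverage.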
@@ -39,6 +39,7 @@ references:
 iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
 cis-csc: 11,12,14,15,3,8,9
 ospp: FMT_SMF_EXT.1.1
+ stigid@rhel8: RHEL-08-010670
 ocil: '{{{ ocil_service_disabled(service="kdump") }}}'
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
index 5869cac7ab..a35cb48f83 100644
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 references:
 nist: CM-6(a),SI-4(22)
 srg: SRG-OS-000370-GPOS-00155
+ stigid@rhel8: RHEL-08-040135
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
index 11f2e9cf7a..44b97a8d6f 100644
--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
+++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml
@@ -22,6 +22,7 @@ references:
 nist: CM-6(a),SI-4(22)
 ospp: FMT_SMF_EXT.1
 srg: SRG-OS-000370-GPOS-00155
+ stigid@rhel8: RHEL-08-040135
 ocil_clause: 'the service is not enabled'
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 737d9b9cb6..dc7d79af44 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -28,6 +28,7 @@ references:
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
 cis-csc: 11,14,3,9
+ stigid@rhel8: RHEL-08-040360
 {{{ complete_ocil_entry_package(package="vsftpd") }}}
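Review bot: `stigid@rhel8: RHEL-08-040135` is attached to both `package_fapolicyd_installed` and `service_fapolicyd_enabled`, so a single STIG item maps to two rules. The same pattern recurs later in this patch with RHEL-08-040160 (`package_openssh-server_installed` and `service_sshd_enabled`) and RHEL-08-010521 (`sshd_disable_gssapi_auth` and `sshd_disable_kerb_auth`). If each pair is intentional because the STIG check covers both conditions, say so in the commit message, since the item is then only satisfied when every mapped rule passes. Any tooling that assumes one rule per STIG ID may report on just one of them, so each pair should be confirmed against the V1R1 text instead of being carried over from the sibling rule.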
diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
index c552fa7889..d29370c9e9 100644
--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
@@ -20,6 +20,7 @@ references:
 ospp: FTP_ITC_EXT.1
 srg: SRG-OS-000120-GPOS-00061
 ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-010161
 ocil_clause: 'it is present on the system'
diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 1b62fb49fb..ed29daa2f6 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -30,6 +30,7 @@ references:
 cis-csc: 11,14,3,9
 anssi: BP28(R1)
 srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040002
 {{{ complete_ocil_entry_package(package="sendmail") }}}
diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
index 1c4bfb60bf..96601ebb87 100644
--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -31,6 +31,7 @@ references:
 disa@sle12: CCI-000139
 nist@sle12: AU-5(a),AU-5.1(ii)
 anssi: BP28(R49)
+ stigid@rhel8: RHEL-08-030030
 ocil_clause: 'it is not'
diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
index c2357fe9ee..4bfcc16c7f 100644
--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
@@ -24,6 +24,7 @@ references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
 stigid@rhel7: RHEL-07-040680
+ stigid@rhel8: RHEL-08-040290
 ocil_clause: 'it is not'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index b3be78ef91..3349a7963a 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -23,6 +23,7 @@ references:
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06
 iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2
 cis-csc: 11,13,14,3,8,9
+ stigid@rhel8: RHEL-08-010640
 ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
index d9c17fb416..ee6b9aa54a 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
@@ -31,6 +31,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@sle12: SLES-12-010820
+ stigid@rhel8: RHEL-08-010630
 ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
index c14b0aeefb..6b71f94c2b 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
@@ -29,6 +29,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@sle12: SLES-12-010810
+ stigid@rhel8: RHEL-08-010650
 ocil_clause: 'the setting does not show'
diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
index 76e13f8eb1..071934387c 100644
--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
 srg: SRG-OS-000096-GPOS-00050
+ stigid@rhel8: RHEL-08-030741
 ocil_clause: 'it does not exist or port is set to non-zero value'
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
index 1312c1cfb5..cbc9cc670c 100644
--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
 srg: SRG-OS-000096-GPOS-00050
+ stigid@rhel8: RHEL-08-030742
 ocil_clause: 'it does not exist or port is set to non-zero value'
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 4e4be3002f..9a802b5d5d 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -42,6 +42,7 @@ references:
 cis-csc: 1,14,15,16,3,5,6
 stigid@sle12: SLES-12-030300
 nist@sle12: AU-8(1)(a),AU-8(1)(b)
+ stigid@rhel8: RHEL-08-030740
 ocil_clause: 'it does not exist or maxpoll has not been set to the expected value'
diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
index 9891cedab0..01eb9e5f99 100644
--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
@@ -29,6 +29,7 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@rhel7: RHEL-07-040550
 stigid@sle12: SLES-12-010410
+ stigid@rhel8: RHEL-08-010460
 ocil_clause: 'these files exist'
diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
index a7f4996f3b..48bff043a6 100644
--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
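Review bot: In the `no_host_based_files` hunk the new key is appended after `stigid@sle12`, leaving the `stigid@…` entries ordered rhel7, sle12, rhel8. Placing `stigid@rhel8: RHEL-08-010460` directly after `stigid@rhel7: RHEL-07-040550` would keep the per-product STIG references grouped and sorted, which makes a mapping audit by eye much easier. The `no_user_host_based_files` hunk that follows has the same ordering, and the patch generally appends the new key at the end of `references:` and not next to the existing `stigid` keys.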
@@ -30,6 +30,7 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@rhel7: RHEL-07-040540
 stigid@sle12: SLES-12-010400
+ stigid@rhel8: RHEL-08-010470
 ocil_clause: 'these files exist'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index e5deb01ddb..23d30cb5af 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -34,6 +34,7 @@ references:
 isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040010
 {{{ complete_ocil_entry_package(package="rsh-server") }}}
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 619b3f0b7d..f42bcba15e 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -44,6 +44,7 @@ references:
 isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040000
 {{{ complete_ocil_entry_package(package="telnet-server") }}}
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 57f3c0f8bc..2d0258db1e 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -33,6 +33,7 @@ references:
 cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
 iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
 cis-csc: 11,12,14,15,3,8,9
+ stigid@rhel8: RHEL-08-040190
 {{{ complete_ocil_entry_package(package="tftp-server") }}}
diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
index b2d87944f1..24cefbb6f9 100644
--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
@@ -38,6 +38,7 @@ references:
 cobit5: APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 11,12,13,14,15,16,18,3,5,8,9
+ stigid@rhel8: RHEL-08-040350
 ocil_clause: 'this flag is missing'
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
index 1cc21d0d00..feebdff4eb 100644
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 references:
 ospp: FCS_RBG_EXT.1
 srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010471
 ocil_clause: 'the service is not enabled'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index d460411667..5397a3fdce 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -35,6 +35,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 cis@rhel8: 5.2.3
+ stigid@rhel8: RHEL-08-010490
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index b9e07d71af..d49e375df4 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -30,6 +30,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 cis@rhel8: 5.2.4
+ stigid@rhel8: RHEL-08-010480
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 84882d52b3..4fda79df25 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -31,6 +31,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 13,14
 ospp: FIA_UAU.5,FTP_ITC_EXT.1
+ stigid@rhel8: RHEL-08-040160
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
index f0e258bf04..81d63480c3 100644
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
@@ -38,6 +38,7 @@ references:
 cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 13,14
+ stigid@rhel8: RHEL-08-040160
 ocil: '{{{ ocil_service_enabled(service="sshd") }}}'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index 2f5bdfdee3..fc6175e446 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -41,6 +41,7 @@ references:
 iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
 cis-csc: 1,12,15,16,5,8
 ism: 0487,1449,1506
+ stigid@rhel8: RHEL-08-040060
 ocil_clause: 'it is commented out or is not set correctly to Protocol 2'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index f8eec6a074..9e4e2f48b4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -39,6 +39,7 @@ references:
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
 cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010510
 ocil_clause: 'it is commented out, or is not set to no or delayed'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index c79d0b5e07..f9ece13f51 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -36,6 +36,7 @@ references:
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
 cis-csc: 11,3,9
 ism: 0418,1055,1402
+ stigid@rhel8: RHEL-08-010521
 ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index 1f1380127c..50eb7a28cb 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -37,6 +37,7 @@ references:
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
 cis-csc: 11,3,9
 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
+ stigid@rhel8: RHEL-08-010521
 ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 287954db61..8360f5fa34 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -46,6 +46,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
 cis-csc: 1,11,12,13,14,15,16,18,3,5
 anssi: BP28(R19),NT007(R21)
+ stigid@rhel8: RHEL-08-010550
 {{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
index 93ff19deff..b55e749139 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -38,6 +38,7 @@ references:
 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
 cis-csc: 11,3,9
+ stigid@rhel8: RHEL-08-010520
 {{{ complete_ocil_entry_sshd_option(default="no", option="IgnoreUserKnownHosts", value="yes") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 5d01170aab..14f0270c78 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -37,6 +37,7 @@ references: srg: SRG-OS-000480-GPOS-00227 disa: CCI-000366 nist: CM-6(b) + stigid@rhel8: RHEL-08-040340 template: name: sshd_lineinfile diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index e5d54261d3..b1d33d3f86 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -39,6 +39,7 @@ references: cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,3,9 + stigid@rhel8: RHEL-08-010830 ocil_clause: 'PermitUserEnvironment is not disabled' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index 601f6a0ca2..9eeb8f8985 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -36,6 +36,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010500 ocil_clause: 'it is commented out or is not enabled' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index c93ef6340f..2eb688c1ec 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml 
@@ -43,6 +43,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-010040 {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index 0ce5da30b2..cb15b1e9e9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -32,6 +32,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-020350 ocil_clause: 'it is commented out or is not enabled' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml index d7941f9c0e..f3f15251b2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml @@ -22,6 +22,7 @@ identifiers: references: ospp: FCS_SSHS_EXT.1 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-040161 ocil_clause: 'it is commented out or is not set' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index 7c6cb7a2d0..19151f0273 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml 
@@ -52,6 +52,7 @@ references: iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5,7,8 anssi: BP28(R29) + stigid@rhel8: RHEL-08-010200 requires: - sshd_set_keepalive diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index c43fce001a..8987c9b9ed 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -47,6 +47,7 @@ references: cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5,7,8 + stigid@rhel8: RHEL-08-010200 requires: - sshd_set_idle_timeout diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml index b0fe065d86..bee39a3904 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,rhel7 +prodtype: fedora,ol7,ol8,rhel7,rhel8 title: 'Prevent remote hosts from connecting to the proxy display' @@ -29,6 +29,7 @@ references: stig@ol7: OL07-00-040711 disa: CCI-000366 nist: CM-6(b) + stigid@rhel8: RHEL-08-040341 ocil_clause: "the display proxy is listening on wildcard address" diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml index 7a51b3960f..bcf9d58e62 100644 
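Review bot: The sshd_x11_use_localhost hunk changes `prodtype` to `fedora,ol7,ol8,rhel7,rhel8`, which enables the rule for ol8 although the commit is titled as a RHEL8 STIG profile and the hunk adds a reference only for rhel8. The install_smartcard_packages hunk later in the patch makes the same kind of change but adds only `rhel8`, so the two are inconsistent. Unless ol8 is intended, I would write `prodtype: fedora,ol7,rhel7,rhel8`. Turning a rule on for a new product by editing `prodtype` alone also assumes that the existing check and remediation behave correctly there and that the `identifiers:` block has an entry for it; that block is outside the hunk, so please confirm both for each newly enabled rule.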
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml @@ -38,6 +38,7 @@ references: srg: SRG-OS-000375-GPOS-00160 vmmsrg: SRG-OS-000107-VMM-000530 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020250 ocil_clause: 'smart cards are not enabled in SSSD' diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml index b2c450b58e..09ee5187a6 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml @@ -36,6 +36,7 @@ references: cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-020290 ocil_clause: 'it does not exist or is not configured properly' diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml index 2b87e7964f..b2fc36bbfc 100644 --- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml +++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml @@ -23,6 +23,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000062-GPOS-00031 + stigid@rhel8: RHEL-08-030603 ocil_clause: 'AuditBackend is not set to LinuxAudit' diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index f23176d83e..6806e0861d 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml 
@@ -22,6 +22,7 @@ identifiers: references: srg: SRG-OS-000378-GPOS-00163 ism: "1418" + stigid@rhel8: RHEL-08-040140 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml index 3f357aa8b7..918a29945d 100644 --- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml @@ -24,6 +24,7 @@ references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000378-GPOS-00163 ism: "1418" + stigid@rhel8: RHEL-08-040140 ocil_clause: 'the service is not enabled' diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml index 2c34030cdb..789b84643a 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -40,6 +40,7 @@ references: iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2 cis-csc: 12,15,8 cis@sle15: 2.2.2 + stigid@rhel8: RHEL-08-040320 ocil_clause: 'the X Windows package group or xorg-x11-server-common has not be removed' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml index 637d8ee528..5e00846773 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -71,6 +71,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-010060 ocil_clause: 'it does not display the required banner' 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml index 47c4edad90..c364bdb9e1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml @@ -49,6 +49,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-010050 ocil_clause: 'it is not' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml index c600620f18..135f15e1be 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml @@ -47,6 +47,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-010050 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml index 3ba5b642db..a6eefa9c15 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml @@ -38,6 +38,7 @@ references: iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 ism: 0582,0584,05885,0586,0846,0957 + stigid@rhel8: RHEL-08-020340 ocil_clause: 'that is not the case' 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index 1669db1231..78247557de 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -46,6 +46,7 @@ references: cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-020220 ocil_clause: 'the value of remember is not set equal to or greater than the expected setting' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index ccee5dd048..85a0ba18a3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -47,6 +47,7 @@ references: iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020010 ocil_clause: 'that is not the case' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index 882b57654e..4b7ee01946 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -44,6 +44,8 @@ references: iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020010 + stigid@rhel8: RHEL-08-020022 ocil_clause: 'that is not the case' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index d1b9c396ae..6bc0f02afc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -53,6 +53,7 @@ references: iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020012 ocil_clause: 'fail_interval is less than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index 2fff1c6011..ead8f697f4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml 
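Review bot: The accounts_passwords_pam_faillock_deny_root hunk adds the key `stigid@rhel8` twice under `references:`, once with RHEL-08-020010 and once with RHEL-08-020022. Duplicate keys in a YAML mapping are invalid, and loaders that tolerate them usually keep only the last value, so RHEL-08-020010 would be silently dropped from this rule. If both IDs are meant to apply, use a single key, `stigid@rhel8: RHEL-08-020010,RHEL-08-020022`, following the comma-separated form other reference keys in this patch use (for example `disa: CCI-000056,CCI-000058`), provided the build accepts more than one stigid per rule. Otherwise keep only RHEL-08-020022, since RHEL-08-020010 is already assigned to accounts_passwords_pam_faillock_deny in the previous file.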
@@ -50,6 +50,7 @@ references: iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020014 ocil_clause: 'unlock_time is less than the expected value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 8519b72a6b..11040cfa87 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -46,6 +46,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020130 ocil_clause: 'dcredit is not found or not equal to or less than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index fb64b61520..d659f480d2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml 
@@ -47,6 +47,7 @@ references: cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-020170 ocil_clause: 'difok is not found or not equal to or greater than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml index 26fc519e3d..086354372f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -45,6 +45,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020120 ocil_clause: 'lcredit is not found or not less than or equal to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml index d449c97950..5bac335e2d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml 
@@ -38,6 +38,7 @@ references: cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-020140 ocil_clause: 'that is not the case' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml index cb2755b255..42d5584a9d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml @@ -40,6 +40,7 @@ references: cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-020150 ocil_clause: 'maxrepeat is not found or not greater than or equal to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index dfd34c893e..3e71d9094b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml 
@@ -53,6 +53,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020160 ocil_clause: 'minclass is not found or not set equal to or greater than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index 0776e196f6..a79a03f374 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -44,6 +44,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020230 ocil_clause: 'minlen is not found, or not equal to or greater than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index b82667936b..dd05085fa3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml 
@@ -46,6 +46,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020280 ocil_clause: 'ocredit is not found or not equal to or less than the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index 6b1534adde..90f74b2d3c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -38,6 +38,7 @@ references: cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,11,12,15,16,3,5,9 + stigid@rhel8: RHEL-08-020100 ocil_clause: 'it is not the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index c2d8f3a1eb..5a656a42a0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml 
@@ -43,6 +43,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020110 ocil_clause: 'ucredit is not found or not set less than or equal to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml index 96ffec0eaa..bbfcd7fc28 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml @@ -42,6 +42,7 @@ references: cis-csc: 1,12,15,16,5 anssi: BP28(R32) ism: 0418,1055,1402 + stigid@rhel8: RHEL-08-010110 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml index a9e86f2ddd..7192666fc8 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml @@ -37,6 +37,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-040172 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.' 
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml index 5824f7b2ca..6066c9391b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml @@ -47,6 +47,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-040170 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index f9959f0720..2e902739ae 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -42,6 +42,7 @@ references: iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,14,15,16,18,3,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-010151 ocil_clause: 'the output is different' diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index b3afff50c5..8acaaa862c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml 
@@ -44,6 +44,7 @@ references: iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,14,15,16,18,3,5 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-010151 ocil_clause: 'the output is different' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml index 21edfc9f0b..2582145a8c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml @@ -21,6 +21,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000031-GPOS-00012 + stigid@rhel8: RHEL-08-020041 ocil_clause: 'exec tmux is not present at the end of bashrc' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml index 7816ebc8f9..fe99051eb6 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml @@ -22,6 +22,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000029-GPOS-00010 + stigid@rhel8: RHEL-08-020070 ocil_clause: 'lock-after-time is not set or set to zero' 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml index bf1ea79df9..88ce99f41b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml @@ -26,6 +26,7 @@ identifiers: references: disa: CCI-000056,CCI-000058 nist: AC-11(a),AC-11(b),CM-6(a) + stigid@rhel8: RHEL-08-020040 vmmsrg: SRG-OS-000028-VMM-000090,SRG-OS-000030-VMM-000110 srg: SRG-OS-000028-GPOS-00009 diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml index 596126aafa..ecd9e8f147 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml @@ -22,6 +22,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000324-GPOS-00125 + stigid@rhel8: RHEL-08-020042 ocil_clause: 'tmux is listed in /etc/shells' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml index c900612b1b..d57802a37e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml @@ -40,6 +40,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-020040 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml index b3210d6adc..29aa49483d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,rhel7 +prodtype: fedora,ol7,rhel7,rhel8 title: 'Install Smart Card Packages For Multifactor Authentication' @@ -32,6 +32,7 @@ references: nist: CM-6(a) srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162 stigid@rhel7: RHEL-07-041001 + stigid@rhel8: RHEL-08-010390 ocil_clause: 'smartcard software is not installed' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml index 2770b637f0..74da38fa22 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml 
@@ -31,6 +31,7 @@ references: srg: SRG-OS-000375-GPOS-00160 vmmsrg: SRG-OS-000376-VMM-001520 ism: 1382,1384,1386 + stigid@rhel8: RHEL-08-010410 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml index 0f22245e6f..1f712eed7e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml @@ -32,6 +32,7 @@ references: hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) ospp: FIA_UAU.1 srg: SRG-OS-000324-GPOS-00125 + stigid@rhel8: RHEL-08-040180 ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml index add8ac0dbd..7e6b5d794e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -47,6 +47,7 @@ references: cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5,7,8 + stigid@rhel8: RHEL-08-020260 ocil_clause: 'the value of INACTIVE is greater than the expected value' 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml index b647776778..ced7a52a67 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml @@ -44,6 +44,7 @@ references: iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5,7,8 stigid@sle12: SLES-12-010360 + stigid@rhel8: RHEL-08-020000 ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index d8ccd9e086..15ccf530c6 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -47,6 +47,7 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 ism: 0418,1055,1402 + stigid@rhel8: RHEL-08-020200 ocil_clause: 'PASS_MAX_DAYS is not set equal to or greater than the required value' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index 0b6f878378..36a611e3d2 100644 
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -45,6 +45,7 @@ references: cis-csc: 1,12,15,16,5 cis@rhel8: 5.5.1.2 ism: 0418,1055,1402 + stigid@rhel8: RHEL-08-020190 ocil_clause: 'it is not equal to or greater than the required value' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml index 909b51faa8..f9884fd9b4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml @@ -42,6 +42,7 @@ references: cis-csc: 1,12,15,16,5 srg: SRG-OS-000078-GPOS-00046 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 + stigid@rhel8: RHEL-08-020231 ocil_clause: 'it is not set to the required value' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml index 6d91224cd9..0ef1fcfe8d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml @@ -31,6 +31,7 @@ references: vmmsrg: SRG-OS-000076-VMM-000430 stigid@rhel7: RHEL-07-010260 stigid@sle12: SLES-12-010290 + stigid@rhel8: RHEL-08-020210 ocil_clause: 'existing passwords are not configured correctly' 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml index 44da709702..cc073067fb 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml @@ -31,6 +31,7 @@ references: vmmsrg: SRG-OS-000075-VMM000420 stigid@rhel7: RHEL-07-010240 stigid@sle12: SLES-12-010260 + stigid@rhel8: RHEL-08-020180 ocil_clause: 'existing passwords are not configured correctly' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index 0e36afc8dc..df6da6b913 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -45,6 +45,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5 + stigid@rhel8: sshd_disable_empty_passwords ocil_clause: 'NULL passwords can be used' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml index 7fd291caea..6b3c71fa80 100644 
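Review bot: The `stigid@rhel8` value added to no_empty_passwords/rule.yml is `sshd_disable_empty_passwords`, which is a rule name, not a STIG identifier; every other entry in this patch has the form `RHEL-08-NNNNNN`. The same defect appears in the package_audit_installed/rule.yml hunk, which adds `stigid@rhel8: service_auditd_enabled`. Both look like mis-pasted rule names, and they would leave the generated benchmark with STIG references that cannot be traced back to a STIG item, which weakens any compliance report built on these mappings. Replace each with the confirmed identifier, e.g. `stigid@rhel8: RHEL-08-<ID from the STIG>`, or drop the line until the mapping is verified. A build-time check that `stigid@*` values match the expected pattern would catch this class of mistake.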
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml @@ -42,6 +42,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-040200 ocil_clause: 'any account other than root has a UID of 0' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml index fdd7c6f603..9e19b908c4 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml @@ -29,6 +29,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020610 stigid@sle12: SLES-12-010720 + stigid@rhel8: RHEL-08-010760 ocil_clause: 'the value of CREATE_HOME is not set to yes, is missing, or the line is commented out' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index 84b38afc2c..e62e3cc62b 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml 
@@ -30,6 +30,7 @@ references: cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,3,9 + stigid@rhel8: RHEL-08-020310 ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml index 32412aa482..5787380d65 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml @@ -37,6 +37,7 @@ references: cobit5: DSS01.05,DSS05.02 iso27001-2013: A.13.1.1,A.13.1.3,A.13.2.1,A.14.1.2,A.14.1.3 cis-csc: 14,15,18,9 + stigid@rhel8: RHEL-08-020024 ocil_clause: 'maxlogins is not equal to or less than the expected value' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml index 77f3a12148..b73743ebcb 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml @@ -28,6 +28,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020730 stigid@sle12: SLES-12-010780 + stigid@rhel8: RHEL-08-010660 ocil_clause: 'files are executing world-writable programs' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml index 0154c1d73b..b70bfc171a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml @@ -32,6 +32,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020720 stigid@sle12: SLES-12-010770 + stigid@rhel8: RHEL-08-010690 ocil_clause: 'paths contain more than local home directories' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml index 9ee21744b2..a0e6277ec6 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml @@ -24,6 +24,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020600 stigid@sle12: SLES-12-010710 + stigid@rhel8: RHEL-08-010720 ocil_clause: 'users home directory is not defined' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml index a262abba7a..1c8fb04df7 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -31,6 +31,7 @@ references: stigid@rhel7: RHEL-07-020620 cis@rhel8: 6.2.20 stigid@sle12: SLES-12-010730 + stigid@rhel8: RHEL-08-010750 ocil_clause: 'users home directory does not exist' diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml index dfcbbafd17..6c70cc8abf 100644 
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml @@ -30,6 +30,7 @@ references: stigid@rhel7: RHEL-07-020650 cis@rhel8: 6.2.8 stigid@sle12: SLES-12-010750 + stigid@rhel8: RHEL-08-010740 ocil_clause: 'the group ownership is incorrect' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index 4810c941d6..411a46dd00 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml @@ -26,6 +26,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020710 stigid@sle12: SLES-12-010760 + stigid@rhel8: RHEL-08-010770 ocil_clause: 'they are not 0740 or more permissive' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml index 4898bfa6b6..62d603cfbb 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml @@ -26,6 +26,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020630 stigid@sle12: SLES-12-010740 + stigid@rhel8: RHEL-08-010730 ocil_clause: 'they are more permissive' diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index 8acc92b311..1c8219de70 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -32,6 +32,7 @@ references: iso27001-2013: A.14.1.1,A.14.2.1,A.14.2.5,A.6.1.5 cis-csc: '18' srg: SRG-OS-000480-GPOS-00228 + stigid@rhel8: RHEL-08-020353 ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly' diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml index 0f4eb59188..0c86e6e9f7 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml @@ -33,6 +33,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.1.1,A.14.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.5,A.6.1.5 cis-csc: 11,18,3,9 anssi: BP28(R35) + stigid@rhel8: RHEL-08-020351 ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly' diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index 6279928044..7629fcb3e4 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -24,6 +24,7 @@ references: disa: CCI-000366,CCI-001814 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-021040 + stigid@rhel8: RHEL-08-020352 ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 54e820c309..1d8a6f72cb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -50,6 +50,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 + stigid@rhel8: RHEL-08-030600 ocil_clause: 'there is not output' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml index d264af9e2b..1f563ae0d0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml 
@@ -42,4 +42,5 @@ references: cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030121 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml index f03069bae6..df14260d6d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml @@ -46,6 +46,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + stigid@rhel8: RHEL-08-030172 ocil_clause: 'there is not output' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml index e4b2b8dcb8..0af217801a 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml @@ -53,6 +53,7 @@ references: iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 stigid@sle12: SLES-12-020210 + stigid@rhel8: RHEL-08-030170 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml index 0b5707f596..f4dce5557c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml @@ -53,6 +53,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + stigid@rhel8: RHEL-08-030160 ocil_clause: 'the system is not configured to audit account changes' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml index 41434f664a..240d4d8e2e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml @@ -54,6 +54,7 @@ references: cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 stigid@sle12: SLES-12-020230 + stigid@rhel8: RHEL-08-030140 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml index bae0a29903..069916da1b 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml @@ -53,6 +53,7 @@ references: iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 stigid@sle12: SLES-12-020200 + stigid@rhel8: RHEL-08-030150 ocil_clause: 'the system is not configured to audit account changes' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml index f3d9cf9cd2..5c13ca58f6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml @@ -54,6 +54,7 @@ references: cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 stigid@sle12: SLES-12-020220 srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 + stigid@rhel8: RHEL-08-030130 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml index 671eb1ff9f..09618d986d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml @@ -25,6 +25,7 @@ references: cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030120 ocil_clause: 'any are more permissive' 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml index 2bcfdca4b6..e495992ecb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml @@ -33,6 +33,7 @@ references: cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030080 ocil: |- {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml index 2ec44f4041..eae8a2dfd0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml 
@@ -36,6 +36,7 @@ references: cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030070 ocil_clause: 'any are more permissive' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml index 5cd6c55411..442b693951 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml @@ -33,6 +33,7 @@ references: cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030040 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml index f3b477da69..01a5c5201d 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml 
@@ -40,6 +40,7 @@ references: srg@sle12: SRG-OS-000047-GPOS-00023 disa@sle12: CCI-000140 nist@sle12: AU-5(b),AU-5.1(iv) + stigid@rhel8: RHEL-08-030060 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml index fd7b3ef1b3..8325306ac6 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml @@ -43,6 +43,7 @@ references: srg@sle12: SRG-OS-000046-GPOS-00022 disa@sle12: CCI-000139 nist@sle12: AU-5(a),AU-5.1(ii) + stigid@rhel8: RHEL-08-030020 ocil_clause: 'auditd is not configured to send emails per identified actions' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml index 9fa2ca6f46..6a32a85fe5 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml @@ -44,6 +44,7 @@ references: isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030050 ocil_clause: 'the system has not been properly configured to rotate audit logs' 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index 6b9d2e5f83..2f37c5b0e4 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -42,6 +42,7 @@ references: srg@sle12: SRG-OS-000343-GPOS-00134 disa@sle12: CCI-001855 nist@sle12: AU-5(1) + stigid@rhel8: RHEL-08-030730 ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml index bdc86cf35b..1009699e77 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml @@ -51,6 +51,8 @@ references: isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030730 + stigid@rhel8: RHEL-08-030730 ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml index 8f20910163..5afb2c8f30 100644 
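Review bot: The hunk for auditd_data_retention_space_left_action/rule.yml adds `stigid@rhel8: RHEL-08-030730` twice (the header grows from 6 to 8 lines), which puts a duplicate key in the `references` mapping. Depending on the loader, a duplicate key is either rejected or silently collapsed to one value, so keep a single `stigid@rhel8: RHEL-08-030730` line. The same identifier is also added to auditd_data_retention_space_left/rule.yml in the preceding hunk. If the second added line was meant to carry a different ID, or one of the two rules belongs to a different STIG item, that should be checked against the STIG before merging.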
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml @@ -21,6 +21,7 @@ identifiers: references: ospp: FAU_GEN.1.1.c srg: SRG-OS-000062-GPOS-00031 + stigid@rhel8: RHEL-08-030061 ocil_clause: local_events isn't set to yes diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml index 250dff5e13..76d31a6ff5 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml @@ -22,6 +22,7 @@ identifiers: references: ospp: FAU_GEN.1 srg: SRG-OS-000255-GPOS-00096 + stigid@rhel8: RHEL-08-030063 ocil_clause: log_format isn't set to ENRICHED diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml index fb6a49708c..a778d5faf2 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml @@ -25,6 +25,7 @@ references: disa: CCI-001851 ospp: FAU_GEN.1 srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 + stigid@rhel8: RHEL-08-030062 ocil_clause: name_format isn't set to hostname diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index 11020f93b3..d033770f57 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml 
@@ -45,6 +45,7 @@ references: iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8 srg: SRG-OS-000254-GPOS-00095 + stigid@rhel8: RHEL-08-030601 ocil_clause: 'auditing is not enabled at boot time' diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml index 750dd2001e..27e19e7c9a 100644 --- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml @@ -27,6 +27,7 @@ references: srg: SRG-OS-000254-GPOS-00095 nist: CM-6(a) cis@rhel8: 4.1.1.4 + stigid@rhel8: RHEL-08-030602 ocil_clause: 'audit backlog limit is not configured' diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml index 2fc431c1ae..577176ff00 100644 --- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml @@ -26,6 +26,7 @@ references: srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220 disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914 nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1) + stigid@rhel8: service_auditd_enabled template: name: package_installed 
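Review bot: In `package_audit_installed/rule.yml` the added reference is `stigid@rhel8: service_auditd_enabled`, which is a rule name rather than a STIG ID. Every other entry in this patch uses the `RHEL-08-NNNNNN` form, so this rule would get no usable RHEL 8 STIG mapping and would be missing from reports keyed on the ID. Replace the value with the real identifier, `stigid@rhel8: RHEL-08-<ID from the STIG>`. The later `service_auditd_enabled` hunk uses `RHEL-08-010560`, which may be the intended value if that finding covers both the package and the service, but confirm before reusing it.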
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml index e9b85f815b..073f29c9fe 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml @@ -37,6 +37,7 @@ references: ospp: FAU_GEN.1.1.c nist: AU-2(a) srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220 + stigid@rhel8: RHEL-08-030122 ocil_clause: 'the file does not exist or the content differs' diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml index 0696ce915a..d09446bde8 100644 --- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml @@ -52,6 +52,7 @@ references: srg@sle12: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227 disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884 nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a) + stigid@rhel8: RHEL-08-010560 ocil: '{{{ ocil_service_enabled(service="auditd") }}}' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index a77ebf9041..e3b63d960d 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml 
@@ -25,6 +25,7 @@ identifiers: references: srg: SRG-OS-000433-GPOS-00193 nist: SI-16 + stigid@rhel8: RHEL-08-040004 ocil_clause: 'Kernel page-table isolation is not enabled' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index ea0079db52..b090492046 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -24,6 +24,7 @@ identifiers: references: srg: SRG-OS-000480-GPOS-00227 nist: CM-7(a) + stigid@rhel8: RHEL-08-010422 ocil_clause: 'vsyscalls are enabled' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index 4b04936ee2..0690cfbcda 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -49,6 +49,7 @@ references: iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,14,15,16,18,3,5 anssi: BP28(R17) + stigid@rhel8: RHEL-08-010150 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index b2338a5035..92129ab744 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -63,6 +63,7 @@ references: iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,14,15,16,18,3,5 anssi: BP28(R17) + stigid@rhel8: RHEL-08-010150 ocil_clause: 'it does not' 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index ea5c80f163..08e1da4369 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -56,6 +56,7 @@ references: iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 11,12,14,15,16,18,3,5 anssi: BP28(R17) + stigid@rhel8: RHEL-08-010140 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index a423564c23..decb94b92e 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -67,6 +67,7 @@ references: iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 11,12,14,15,16,18,3,5 anssi: BP28(R17) + stigid@rhel8: RHEL-08-010140 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml index c1f14c4d7e..5e8f08fd5c 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml @@ -36,6 +36,7 @@ references: iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.15.2.1,A.15.2.2 cis-csc: 1,14,15,16,3,5,6 ism: 0988,1405 + stigid@rhel8: RHEL-08-030010 ocil_clause: 'cron is not logging to rsyslog' 
diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml index aae3d94903..4e969a3079 100644 --- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml +++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml @@ -18,6 +18,7 @@ identifiers: references: ospp: FTP_ITC_EXT.1.1 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061 + stigid@rhel8: RHEL-08-030680 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml index 3016a87700..7fb9ee408b 100644 --- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml +++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml @@ -28,6 +28,7 @@ references: cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,14,15,16,3,5,6 srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024 + stigid@rhel8: RHEL-08-030670 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml index ba51a1506b..8d8be95f23 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml @@ -58,6 +58,7 @@ references: cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,13,14,15,16,2,3,5,6 ism: 0988,1405 + stigid@rhel8: RHEL-08-030690 ocil_clause: 'none of these are present' diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml index 12ec48ad15..3ef70473de 100644 --- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml 
+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml @@ -29,6 +29,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO13.01,BAI03.05,BAI04.04,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 cis@ubuntu2004: 4.2.1.2 + stigid@rhel8: RHEL-08-010561 ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml index 7aea04c670..e82f50f9a0 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml @@ -20,6 +20,7 @@ references: nist: CM-6(a) srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116 cis@rhel8: 3.4.1.1 + stigid@rhel8: RHEL-08-040100 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml index 2646a5219c..818edc3cba 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml @@ -34,6 +34,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,3,9 cis@sle15: 3.5.1.4 + stigid@rhel8: RHEL-08-040100 ocil: '{{{ ocil_service_enabled(service="firewalld") }}}' 
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml index 7d399274d5..04c7cebc2f 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml @@ -53,6 +53,7 @@ references: iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 cis-csc: 11,12,14,15,3,8,9 ism: "1416" + stigid@rhel8: RHEL-08-040030 ocil_clause: 'the default rules are not configured' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml index 47c811290c..8e7eabc336 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml @@ -27,6 +27,7 @@ references: cis-csc: 11,14,3,9 srg: SRG-OS-000480-GPOS-00227 cis@sle15: 3.3.9 + stigid@rhel8: RHEL-08-040261 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml index 5b5bfc9633..04fa55f524 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml 
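Review bot: `stigid@rhel8: RHEL-08-040261` is added here to `sysctl_net_ipv6_conf_all_accept_ra` and, in the following hunks, also to `accept_ra_defrtr`, `accept_ra_pinfo` and `accept_ra_rtr_pref`. `RHEL-08-040262` is spread the same way over the four `default` variants. IPv4 and IPv6 rules share IDs too: `RHEL-08-040280` (both `all.accept_redirects`), `RHEL-08-040240` (both `all.accept_source_route`) and `RHEL-08-040210` (both `default.accept_redirects`). If each STIG finding names a single sysctl, as seems likely, several of these are copy-paste mappings, and a scan would report a finding as covered by a rule that checks a different setting. Please check each one against the STIG text and keep the ID only on the rule whose sysctl the finding names.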
@@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040261 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml index d75989fca1..304c549b0b 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml @@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040261 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml index 09d263cf00..d3b8347573 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml @@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040261 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml index 9253f7235a..ae67ab248d 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml 
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml @@ -28,6 +28,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 cis-csc: 11,14,3,9 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-040280 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml index 8767a5226f..ac9218fe34 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -40,6 +40,7 @@ references: cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,4,6,8,9 + stigid@rhel8: RHEL-08-040240 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml index d9b2acdec3..dcf480ef63 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml 
@@ -27,6 +27,7 @@ references: cis-csc: 11,14,3,9 srg: SRG-OS-000480-GPOS-00227 cis@sle15: 3.3.9 + stigid@rhel8: RHEL-08-040262 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml index 5cf98305c7..eca95f75b5 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml @@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040262 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml index d7dad19f3a..f030cd9221 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml @@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040262 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml index b6ee061057..43c901e3a4 100644 
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml @@ -16,6 +16,7 @@ identifiers: references: anssi: BP28(R22) + stigid@rhel8: RHEL-08-040262 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml index 970db38b33..fdd8572cf5 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml @@ -28,6 +28,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 cis-csc: 11,14,3,9 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-040210 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index 361073e99c..ffbc45225d 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml 
@@ -41,6 +41,7 @@ references: iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9 cis@sle15: 3.3.2 + stigid@rhel8: RHEL-08-040280 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index 7bc4e3b9b7..4bb38a2e5c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -41,6 +41,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9 cis@sle15: 3.3.1 + stigid@rhel8: RHEL-08-040240 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml index 8d22d12b28..3d1dfb6eb7 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -36,6 +36,7 @@ references: srg: SRG-OS-000480-GPOS-00227 cis@sle15: 3.3.7 stigid@rhel7: RHEL-07-040611 + stigid@rhel8: RHEL-08-040285 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml index ed4a024797..4486a92e11 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml @@ -41,6 +41,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9 cis@sle15: 3.3.3 + stigid@rhel8: RHEL-08-040210 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml index ef659ec1c2..f1c4947d34 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml @@ -38,6 +38,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9 cis@sle15: 3.3.5 + stigid@rhel8: RHEL-08-040230 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_broadcasts", value="1") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml index f49353c25c..779b92682d 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -39,6 +39,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9 cis@sle15: 3.2.2 + stigid@rhel8: RHEL-08-040220 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index d7d5bfe607..ade1338bae 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -39,6 +39,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9 cis@sle15: 3.2.2 + stigid@rhel8: RHEL-08-040270 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index b9f3d060d5..6274897a21 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -36,6 +36,7 @@ references: iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9 cis@sle15: 3.2.1 + stigid@rhel8: RHEL-08-040260 ocil: |- {{{ ocil_sysctl_option_value(sysctl="net.ipv4.ip_forward", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml index d34f1610f1..caff3aaa00 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml @@ -24,6 +24,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040021 {{{ complete_ocil_entry_module_disable(module="atm") }}} diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml index 16807a4e81..f25e86ab4d 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml @@ -24,6 +24,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040022 {{{ complete_ocil_entry_module_disable(module="can") }}} diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml index aae80b232e..3c8564759c 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml @@ -23,6 +23,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040026 {{{ complete_ocil_entry_module_disable(module="firewire-core") }}} diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml index 55602ac8be..8db0f11579 100644 
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -34,6 +34,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 cis-csc: 11,14,3,9 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040023 {{{ complete_ocil_entry_module_disable(module="sctp") }}} diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml index 425fa216e5..5953d5ca1d 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml @@ -37,6 +37,7 @@ references: cis-csc: 11,14,3,9 ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040024 {{{ complete_ocil_entry_module_disable(module="tipc") }}} diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml index 496480a0a8..a6c9b7ede4 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml @@ -35,6 +35,7 @@ references: iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 cis-csc: 11,12,14,15,3,8,9 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040111 {{{ complete_ocil_entry_module_disable(module="bluetooth") }}} 
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml index e76619cd2b..d683b2eda0 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml @@ -45,6 +45,7 @@ references: cis-csc: 11,12,14,15,3,8,9 cis@sle15: 3.1.2 ism: 1315,1319 + stigid@rhel8: RHEL-08-040110 ocil_clause: 'it is not' diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml index 08049f76cb..a9c6550b47 100644 --- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml +++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml @@ -38,6 +38,7 @@ references: cobit5: APO13.01,DSS05.02 iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 cis-csc: 12,15,8 + stigid@rhel8: RHEL-08-010680 ocil_clause: 'it does not exist or is not properly configured or less than 2 ''nameserver'' entries exist' diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml index 208d15234e..222063ae09 100644 --- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml +++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml @@ -42,6 +42,7 @@ references: cobit5: APO11.06,APO12.06,BAI03.10,BAI09.01,BAI09.02,BAI09.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.05,DSS04.05,DSS05.02,DSS05.05,DSS06.06 iso27001-2013: A.11.1.2,A.11.2.4,A.11.2.5,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.16.1.6,A.8.1.1,A.8.1.2,A.9.1.2 cis-csc: 1,11,14,3,9 + stigid@rhel8: RHEL-08-040330 ocil_clause: 'any network device is in promiscuous mode' 
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml index f479ed3d17..90011f5f92 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml @@ -24,6 +24,7 @@ identifiers: references: anssi: BP28(R40) + stigid@rhel8: RHEL-08-010700 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index 79594c701f..a9efbdda1e 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -42,6 +42,7 @@ references: cis-csc: 1,11,12,13,14,15,16,18,3,5 cis@sle15: 6.1.12 stigid@sle12: SLES-12-010700 + stigid@rhel8: RHEL-08-010790 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index faab0b8822..6acae65b78 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -42,6 +42,7 @@ references: cis-csc: 11,12,13,14,15,16,18,3,5,9 cis@sle15: 6.1.11 stigid@sle12: SLES-12-010690 + stigid@rhel8: RHEL-08-010780 ocil_clause: 'files exist that are not owned by a valid user' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml index cfa7ae4dc5..fa53de9041 100644 
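Review bot: The new `stigid@rhel8` key is placed after `stigid@sle12` in file_permissions_ungroupowned and no_files_unowned_by_user, although the context of the kernel_module_usb-storage_disabled hunk lists `cis@rhel8` before `cis@sle15`. The same placement recurs in the kernel_module_usb-storage_disabled, mount_option_home_nosuid and mount_option_nosuid_removable_partitions hunks. Putting `stigid@rhel8: RHEL-08-010790` on the line above `stigid@sle12: SLES-12-010700`, and likewise in the other files, keeps the per-product STIG mappings sorted and easier to audit against the benchmark. Only the tail of each `references:` block is inside these hunks, so the ordering convention is inferred from the visible keys.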
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml @@ -36,6 +36,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010310 ocil_clause: 'any system executables are found to not be owned by root' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml index 53e1a24c42..e40b5f47d8 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml @@ -37,6 +37,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010340 ocil_clause: 'any of these files are not owned by root' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml index c2bba15f83..3ec56361dc 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml @@ -36,6 +36,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010300 ocil_clause: 'any system executables are found to be group or world writable' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml index c09024a224..83add611b9 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml @@ -37,6 +37,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010330 ocil_clause: 'any of these files are group-writable or world-writable' diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml index 3b04abbf9b..0aefe8ae50 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml 
@@ -22,6 +22,7 @@ references: cis: 1.6.1 nist: CM-6(a),AC-6(1) srg: SRG-OS-000324-GPOS-00125 + stigid@rhel8: RHEL-08-010374 {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_hardlinks", value="1") }}} diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml index aead2022ee..86a9f8e2d9 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml @@ -24,6 +24,7 @@ references: cis: 1.6.1 nist: CM-6(a),AC-6(1) srg: SRG-OS-000324-GPOS-00125 + stigid@rhel8: RHEL-08-010373 {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_symlinks", value="1") }}} diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml index d2ba212350..302154b636 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml @@ -39,6 +39,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 cis-csc: 11,14,3,9 srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040025 {{{ complete_ocil_entry_module_disable(module="cramfs") }}} diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index 24e77cc74e..d1d2bf97f7 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml 
@@ -41,6 +41,7 @@ references: cis@rhel8: 1.1.23 cis@sle15: 1.1.3 stigid@sle12: SLES-12-010580 + stigid@rhel8: RHEL-08-040080 {{{ complete_ocil_entry_module_disable(module="usb-storage") }}} diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml index 001b9466ae..00d1282a05 100644 --- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml @@ -46,6 +46,7 @@ references: iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 cis@sle15: 1.1.23 + stigid@rhel8: RHEL-08-040070 ocil: '{{{ ocil_service_disabled(service="autofs") }}}' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml index 8410964438..a4da22f666 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml @@ -27,6 +27,7 @@ references: nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 anssi: BP28(R12) + stigid@rhel8: RHEL-08-010571 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml index 140a2eafc0..318117fcca 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml @@ -36,6 +36,7 @@ references: cis-csc: 11,13,14,3,8,9 srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.16 + stigid@rhel8: RHEL-08-040120 platform: machine 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml index 2f740c31a6..f41387ab9f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml @@ -39,6 +39,7 @@ references: cis-csc: 11,13,14,3,8,9 srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.17 + stigid@rhel8: RHEL-08-040122 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml index be127be367..d844c9c3b3 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml @@ -36,6 +36,7 @@ references: cis-csc: 11,13,14,3,8,9 srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.18 + stigid@rhel8: RHEL-08-040121 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml index 3652cf9f2b..37e8f7fb99 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml @@ -38,6 +38,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227 stigid@sle12: SLES-12-010790 + stigid@rhel8: RHEL-08-010570 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml index c9f52b36d1..f40daec6c8 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml @@ -42,5 +42,6 @@ references: cis-csc: 11,14,3,9 srg: SRG-OS-000368-GPOS-00154 anssi: BP28(R12) + stigid@rhel8: RHEL-08-010580 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml index 30c7065bcc..602ce2da35 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml @@ -36,6 +36,7 @@ references: iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1 cis-csc: 11,12,13,14,16,3,8,9 cis@sle15: 1.1.19 + stigid@rhel8: RHEL-08-010600 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml index 47435d887a..4d2bd0eceb 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml @@ -34,6 +34,7 @@ references: iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1 cis-csc: 11,12,13,14,16,3,8,9 cis@sle15: 1.1.20 + stigid@rhel8: RHEL-08-010610 ocil_clause: 'removable media partitions are present' 
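Review bot: In mount_option_noexec_removable_partitions the context line `ocil_clause: 'removable media partitions are present'` never mentions `noexec`, so read on its own it reports a finding for any removable partition, and with `stigid@rhel8: RHEL-08-010610` attached that wording becomes part of the manual check for a STIG item. The `ocil` text the clause completes is outside the hunk and may already narrow the meaning, so this is inferred; if it does not, `ocil_clause: 'removable media partitions are mounted without the noexec option'` would be unambiguous. The service_systemd-coredump_disabled hunk has a similar problem: `unit systemd-coredump.socket is not masked or running` can be parsed as "neither masked nor running". If the intended finding is a socket that is running or left unmasked, `ocil_clause: unit systemd-coredump.socket is running or is not masked` says so directly.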
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml index 5f19864ded..9ed257aa22 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml @@ -41,6 +41,7 @@ references: cis-csc: 11,12,13,14,15,16,18,3,5,8,9 cis@sle15: 1.1.21 stigid@sle12: SLES-12-010800 + stigid@rhel8: RHEL-08-010620 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml index bcd15e1596..ed27226855 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml @@ -35,6 +35,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.4 + stigid@rhel8: RHEL-08-040123 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml index 7c8bf290fe..77ae8a664f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml @@ -34,6 +34,7 @@ references: cis-csc: 11,13,14,3,8,9 anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 + stigid@rhel8: RHEL-08-040125 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml index 0f4a028834..b7e171fb02 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml @@ -35,6 +35,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.5 + stigid@rhel8: RHEL-08-040124 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml index c2765b6c61..404386d777 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml @@ -28,6 +28,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 + stigid@rhel8: RHEL-08-040129 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml index 820c8385b3..93c63a75f7 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml @@ -26,6 +26,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 + stigid@rhel8: RHEL-08-040131 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml index 344bafd252..7ee7213995 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml 
@@ -27,6 +27,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 + stigid@rhel8: RHEL-08-040130 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml index 4647f2e1c0..8959bd0bb5 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml @@ -28,6 +28,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 + stigid@rhel8: RHEL-08-040126 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml index 0bced14721..baf1eea424 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml @@ -27,6 +27,7 @@ references: nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 anssi: BP28(R12) + stigid@rhel8: RHEL-08-040128 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml index c4e3d32997..beee543cf2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml @@ -28,6 +28,7 @@ references: nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 srg: SRG-OS-000368-GPOS-00154 anssi: BP28(R12) + stigid@rhel8: RHEL-08-040127 platform: machine 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml index 233870fed8..4e76e61bb2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml @@ -29,6 +29,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.9 + stigid@rhel8: RHEL-08-040132 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml index 081b3a4b32..f2b108d58d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml @@ -29,6 +29,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.11 + stigid@rhel8: RHEL-08-040134 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml index 97a8312536..11bfe2661d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml @@ -29,6 +29,7 @@ references: anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154 cis@sle15: 1.1.10 + stigid@rhel8: RHEL-08-040133 platform: machine diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml index 1bef2966d2..04b580e64e 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml @@ -30,6 +30,7 @@ references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227 cis@rhel8: 1.6.1 + stigid@rhel8: RHEL-08-010675 ocil_clause: ProcessSizeMax is not set to zero diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml index 953cd1598b..3225785a8f 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml @@ -26,6 +26,7 @@ references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227 cis@rhel8: 1.6.1 + stigid@rhel8: RHEL-08-010674 ocil_clause: Storage is not set to none diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml index 833fa046d6..c50a366512 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml @@ -30,6 +30,7 @@ references: iso27001-2013: A.12.1.3,A.17.2.1 cis-csc: 1,12,13,15,16,2,7,8 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010673 ocil_clause: 'it is not' diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml index ff8cd4279f..fd12fbbb50 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml 
@@ -25,6 +25,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010672 ocil_clause: unit systemd-coredump.socket is not masked or running diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index c4b9a0dc88..c9794729dd 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -22,6 +22,7 @@ references: anssi: BP28(R23) nist: SC-30,SC-30(2),SC-30(5),CM-6(a) srg: SRG-OS-000132-GPOS-00067 + stigid@rhel8: RHEL-08-040283 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml index d7d0736a94..950ae6b00b 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml @@ -29,6 +29,7 @@ references: nist: SC-30,SC-30(2),CM-6(a) srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227 anssi: BP28(R23) + stigid@rhel8: RHEL-08-010430 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml index d5808b1861..48acc4d2fd 100644 
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml @@ -27,6 +27,7 @@ identifiers: references: srg: SRG-OS-000480-GPOS-00227 nist: CM-6(a) + stigid@rhel8: RHEL-08-010421 ocil_clause: 'page allocator poisoning is not enabled' diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml index 477fa57011..516409b6c6 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml @@ -27,6 +27,7 @@ identifiers: references: srg: SRG-OS-000433-GPOS-00192 nist: CM-6(a) + stigid@rhel8: RHEL-08-010423 ocil_clause: 'SLUB/SLAB poisoning is not enabled' diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml index eaed28cab1..b82e0fcce3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml @@ -20,6 +20,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010671 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index eeec4f1723..90fcd34f73 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml 
@@ -24,6 +24,7 @@ references: nist: SI-11(a),SI-11(b) anssi: BP28(R23) srg: SRG-OS-000132-GPOS-00067 + stigid@rhel8: RHEL-08-010375 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml index 7048a4baa7..83710b7c01 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010372 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml index da90c26f2f..c9fe044a06 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml @@ -20,6 +20,7 @@ references: anssi: BP28(R23) ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067 + stigid@rhel8: RHEL-08-010376 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_paranoid", value="2") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml index 883a2fc830..200c2eba46 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml 
@@ -20,6 +20,7 @@ identifiers: references: ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067 + stigid@rhel8: RHEL-08-040281 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index 5332a2552d..68483432a3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -22,6 +22,7 @@ identifiers: references: anssi: BP28(R25) srg: SRG-OS-000132-GPOS-00067 + stigid@rhel8: RHEL-08-040282 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml index e89e70d2e4..5e3929ec1a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml @@ -29,6 +29,7 @@ references: ospp: FMT_SMF_EXT.1 nist: SC-39,CM-6(a) srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-040284 {{{ complete_ocil_entry_sysctl_option_value(sysctl="user.max_user_namespaces", value="0") }}} diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml index df9053bb9f..a107af62ea 100644 --- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml @@ -30,6 +30,7 @@ identifiers: references: srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010171 ocil_clause: 'the package is not installed' 
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index ba2b9dc94f..f7d6ce6bf1 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -49,6 +49,7 @@ references: cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 + stigid@rhel8: RHEL-08-010450 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index 65cb503d39..0c4056dfe0 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -40,6 +40,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 anssi: BP28(R4),BP28(R66) + stigid@rhel8: RHEL-08-010170 ocil_clause: 'SELINUX is not set to enforcing' diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index fe370a4323..8d5b722c07 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml 
@@ -64,6 +64,7 @@ references: cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06 cis-csc: 13,14 stigid@sle12: SLES-12-010450 + stigid@rhel8: RHEL-08-010030 ocil_clause: 'partitions do not have a type of crypto_LUKS' diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index 0c3cc8908e..061eeae93c 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml @@ -37,6 +37,7 @@ references: iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 cis-csc: 12,15,8 cis@sle15: 1.1.14 + stigid@rhel8: RHEL-08-010800 {{{ complete_ocil_entry_separate_partition(part="/home") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml index 9fc2d4251a..a4db4948c6 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml @@ -34,6 +34,7 @@ references: iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 cis-csc: 12,15,8 cis@sle15: 1.1.2 + stigid@rhel8: RHEL-08-010543 {{{ complete_ocil_entry_separate_partition(part="/tmp") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index 4ef85ef818..8190a4a4ca 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml @@ -37,6 +37,7 @@ references: iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 cis-csc: 12,15,8 cis@sle15: 1.1.7 + stigid@rhel8: RHEL-08-010540 {{{ complete_ocil_entry_separate_partition(part="/var") }}} 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml index fa0c4ab95d..b90f93deee 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml @@ -33,6 +33,8 @@ references: cis-csc: 1,12,14,15,16,3,5,6,8 srg: SRG-OS-000480-GPOS-00227 cis@sle: 1.1.12 + stigid@rhel8: RHEL-08-010540 + stigid@rhel8: RHEL-08-010541 {{{ complete_ocil_entry_separate_partition(part="/var/log") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml index e1bc3ad113..73b5cd50ed 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml @@ -40,6 +40,9 @@ references: cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,12,13,14,15,16,2,3,5,6,8 cis@sle15: 1.1.13 + stigid@rhel8: RHEL-08-010540 + stigid@rhel8: RHEL-08-010541 + stigid@rhel8: RHEL-08-010542 {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml index 340af24c82..fde3338f40 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml @@ -26,6 +26,7 @@ references: cis@ubuntu1804: 1.1.6 anssi: BP28(R12) cis@sle15: 1.1.8 + stigid@rhel8: RHEL-08-010540 {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} 
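Review bot: The `references:` mapping in partition_for_var_log/rule.yml now holds the key `stigid@rhel8` twice (RHEL-08-010540 and RHEL-08-010541), and partition_for_var_log_audit/rule.yml holds it three times; a YAML mapping cannot carry a repeated key, so a loader either rejects the file or silently keeps one value, most likely the last. RHEL-08-010540 is also the ID this patch assigns to partition_for_var, and it is the only ID added to partition_for_var_tmp, which looks like a copy-paste carry-over. Keep one ID per rule, e.g. only `stigid@rhel8: RHEL-08-010541` for /var/log and only `stigid@rhel8: RHEL-08-010542` for /var/log/audit, and confirm the /var/tmp ID against the STIG. If a rule really does map to several findings, other keys in these files put the values comma-separated on one line.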
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml index 85423650fa..0594702aa4 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml @@ -39,6 +39,7 @@ references: cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,3,9 + stigid@rhel8: RHEL-08-010820 ocil_clause: 'GDM allows users to automatically login' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml index bec17bc68b..cd33cd5b62 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml @@ -48,6 +48,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-020060 ocil_clause: 'idle-delay is not equal to or less than the expected value' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml index b27b34dcf7..aa492e1c9c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml 
@@ -43,6 +43,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16 + stigid@rhel8: RHEL-08-020030 ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly' diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml index 31712897eb..fae18baff6 100644 --- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml @@ -44,6 +44,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 stigid@rhel7: RHEL-07-020231 + stigid@rhel8: RHEL-08-040171 ocil_clause: 'GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed' diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index fba676f0b9..d9eb1b8a61 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -48,6 +48,7 @@ references: cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 cis-csc: 18,20,4 + stigid@rhel8: RHEL-08-010000 ocil_clause: 'the installed operating system is not supported' 
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml index e911216101..e054892daf 100644 --- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml @@ -31,6 +31,7 @@ identifiers: references: ospp: FCS_SSHS_EXT.1 srg: SRG-OS-000423-GPOS-00187 + stigid@rhel8: RHEL-08-040162 ocil_clause: 'it is commented out or is not set' diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 565dabb4b9..558dfc89dd 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -39,6 +39,7 @@ references: ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1 srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176 ism: "1446" + stigid@rhel8: RHEL-08-010020 ocil_clause: 'FIPS mode is not enabled' diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 77c78d5705..5879bc2bdb 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -47,6 +47,7 @@ references: cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03 iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2 cis-csc: 12,15,8 + stigid@rhel8: RHEL-08-010020 ocil_clause: 'FIPS is not configured or enabled in grub' 
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index 59af9a96e7..0807f512fb 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -28,6 +28,7 @@ references: disa: CCI-000068,CCI-000803,CCI-002450 nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 + stigid@rhel8: RHEL-08-010020 ocil_clause: 'crypto.fips_enabled is not 1' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index cc696141f6..80a0bce1cc 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -50,6 +50,7 @@ references: stigid@sle12: SLES-12-010510 srg@sle12: SRG-OS-000447-GPOS-00201 disa@sle12: CCI-002702 + stigid@rhel8: RHEL-08-010360 ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index 93bdb1715d..451ad97613 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml 
@@ -36,6 +36,7 @@ references: cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02 iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 cis-csc: 2,3 + stigid@rhel8: RHEL-08-040310 ocil_clause: 'the acl option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 2e81a270c5..3be8209a71 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -36,6 +36,7 @@ references: cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02 iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 cis-csc: 2,3 + stigid@rhel8: RHEL-08-040300 ocil_clause: 'the xattrs option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index abf13a274a..1667604386 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -33,6 +33,7 @@ references: ism: 1034,1288,1341,1417 stigid@sle12: SLES-12-010500 disa@sle12: CCI-002699 + stigid@rhel8: RHEL-08-010360 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml index 435630d85c..51b839b55a 100644 --- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml 
+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml @@ -25,6 +25,9 @@ rationale: |- severity: medium +references: + stigid@rhel8: RHEL-08-020320 + ocil_clause: 'there are unauthorized local user accounts on the system' ocil: |- diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml index e704df8983..d01fa44615 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml @@ -37,6 +37,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-010381 ocil_clause: "!authenticate is enabled in sudo" diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml index 8aee5edfa3..382c4b8851 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml @@ -38,6 +38,7 @@ references: cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 cis-csc: 1,12,15,16,5 + stigid@rhel8: RHEL-08-010380 ocil_clause: 'nopasswd is enabled in sudo' diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml index ed2fc64d08..5482cdf3af 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml 
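Review bot: The `references:` block added to sap_host/accounts_authorized_local_users/rule.yml lists only `stigid@rhel8: RHEL-08-020320`, with no `srg:` entry, while most other rules touched in this patch show an `srg:` line next to the new key. Without it the rule cannot be traced from the STIG finding back to the requirement it satisfies; add `srg: <SRG-ID for RHEL-08-020320>` (placeholder, take the value from the STIG) beside the new key. The rule also lives under `sap_host/`, so it is worth confirming that its applicability is not limited to SAP hosts before a RHEL 8 profile selects it.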
@@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml index 8bbf9ea53d..3b12bfb5b0 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml index 9be8b08b0f..00b1a36714 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-addon-python") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml index 9aa7f11ada..0412e8b82b 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-cli") }}} 
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml index d970def693..9d10076523 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml index 7f7787a19a..addb652e92 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}} diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml index 6107659d94..6647186cc7 100644 --- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml @@ -18,6 +18,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040001 {{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}} diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml index 3fea028d70..fa94959f68 100644 
--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml @@ -18,7 +18,8 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 - + stigid@rhel8: RHEL-08-040370 + {{{ complete_ocil_entry_package(package="gssproxy") }}} template: diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml index 2c0bdee8a6..9ec5c88c50 100644 --- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml @@ -19,6 +19,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040380 {{{ complete_ocil_entry_package(package="iprutils") }}} diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml index b7e1b4adff..9753c2c773 100644 --- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml @@ -22,6 +22,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061 + stigid@rhel8: RHEL-08-010162 {{{ complete_ocil_entry_package(package="krb5-workstation") }}} diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml index 65c7a22e3e..f12bbc2093 100644 --- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml @@ -21,6 +21,7 @@ identifiers: references: srg: SRG-OS-000095-GPOS-00049 + stigid@rhel8: RHEL-08-040390 {{{ complete_ocil_entry_package(package="tuned") }}} 
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml index f9defcfdc1..6239e950a1 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml @@ -33,6 +33,7 @@ references: cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 cis-csc: 18,20,4 + stigid@rhel8: RHEL-08-010440 ocil_clause: 'clean_requirements_on_remove is not enabled or configured correctly' diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml index 1f86aff1e9..7d031c93f1 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -56,6 +56,7 @@ references: cis-csc: 11,2,3,9 anssi: BP28(R15) stigid@sle12: SLES-12-010550 + stigid@rhel8: RHEL-08-010370 ocil_clause: 'GPG checking is not enabled' diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml index 440f02b2a7..54a584cc9d 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml @@ -40,6 +40,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,3,9 anssi: BP28(R15) + stigid@rhel8: RHEL-08-010371 ocil_clause: 'gpgcheck is not enabled or configured correctly to verify local packages' 
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index 25459f4abb..32f67fe0e3 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -59,6 +59,7 @@ references: iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 cis-csc: 18,20,4 anssi: BP28(R08) + stigid@rhel8: RHEL-08-010010 # SCAP 1.3 content should reference flat non compressed xml files diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index cda0239433..03ce772734 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -1,13 +1,13 @@ documentation_complete: true metadata: - version: V1R0.1-Draft + version: V1R1 SMEs: - carlosmmatos reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' +title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the 
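Review bot: In rhel8/profiles/stig.profile the title loses its `[DRAFT]` prefix and `version` becomes `V1R1` in patch 01 of a 21-patch series, so a build cut from an intermediate commit would present itself as the finished STIG profile. If the later patches still add or adjust selections, keep the draft marker until the last of them, or put a comment next to `version:` stating which STIG findings are not yet covered. Scan results from a profile titled as final tend to be read as compliance evidence, so the label should not run ahead of the content.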
@@ -23,46 +23,286 @@ description: |- - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image -extends: ospp - selections: - - login_banner_text=dod_banners - - dconf_db_up_to_date + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_accounts_user_umask=077 + - var_password_pam_difok=4 + - var_password_pam_maxrepeat=3 + - var_password_pam_maxclassrepeat=4 + - var_accounts_max_concurrent_login_sessions=10 + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted + - var_system_crypto_policy=fips_ospp + - var_accounts_password_minlen_login_defs=15 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 + - var_password_pam_dcredit=1 + - var_password_pam_ucredit=1 + - var_password_pam_lcredit=1 + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + - var_accounts_fail_delay=4 + + + - installed_OS_is_vendor_supported + - security_patches_up_to_date + - enable_fips_mode + - sysctl_crypto_fips_enabled + - encrypt_partitions + - sshd_enable_warning_banner - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - banner_etc_issue + - set_password_hashing_algorithm_logindefs + - grub2_uefi_password + - grub2_uefi_admin_username + - grub2_password + - grub2_admin_username + - kerberos_disable_no_keytab + - package_krb5-workstation_removed + - selinux_state + - package_policycoreutils_installed + - sshd_set_idle_timeout + - sshd_set_keepalive + - sshd_use_strong_rng + - file_permissions_binary_dirs + - file_ownership_binary_dirs + - file_permissions_library_dirs + - file_ownership_library_dirs + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - sysctl_kernel_kexec_load_disabled + - sysctl_fs_protected_symlinks + - 
sysctl_fs_protected_hardlinks + - sysctl_kernel_dmesg_restrict + - sysctl_kernel_perf_event_paranoid + - sudo_remove_nopasswd + - sudo_remove_no_authenticate + - package_opensc_installed + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_slub_debug_argument + - sysctl_kernel_randomize_va_space + - clean_components_post_updating + - selinux_policytype + - no_host_based_files + - no_user_host_based_files + - service_rngd_enabled + - file_permissions_sshd_pub_key + - file_permissions_sshd_private_key + - sshd_enable_strictmodes + - sshd_disable_compression + - sshd_disable_user_known_hosts + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit + - partition_for_tmp + - sshd_disable_root_login + - service_auditd_enabled + - service_rsyslog_enabled + - mount_option_home_nosuid + - mount_option_boot_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_nodev_removable_partitions + - mount_option_noexec_removable_partitions + - mount_option_nosuid_removable_partitions + - mount_option_noexec_remote_filesystems + - mount_option_nodev_remote_filesystems + - mount_option_nosuid_remote_filesystems + - service_kdump_disabled + - sysctl_kernel_core_pattern + - service_systemd-coredump_disabled + - disable_users_coredumps + - coredump_disable_storage + - coredump_disable_backtraces + - accounts_user_home_paths_only + - accounts_user_interactive_home_directory_defined + - file_permissions_home_directories + - file_groupownership_home_directories + - accounts_user_interactive_home_directory_exists + - accounts_have_homedir_login_defs + - file_permission_user_init_files + - no_files_unowned_by_user + - file_permissions_ungroupowned + - partition_for_home + - gnome_gdm_disable_automatic_login + - sshd_do_not_permit_user_env + - account_temp_expire_date + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - 
accounts_passwords_pam_faillock_deny_root + - accounts_max_concurrent_login_sessions + - dconf_gnome_screensaver_lock_enabled + - configure_bashrc_exec_tmux + - no_tmux_in_shells + - dconf_gnome_screensaver_idle_delay + - configure_tmux_lock_after_time + - accounts_password_pam_ucredit + - accounts_password_pam_lcredit + - accounts_password_pam_dcredit + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat + - accounts_password_pam_minclass + - accounts_password_pam_difok - accounts_password_set_min_life_existing + - accounts_minimum_age_login_defs + - accounts_maximum_age_login_defs - accounts_password_set_max_life_existing + - accounts_password_pam_unix_remember + - accounts_password_pam_minlen + - accounts_password_minlen_login_defs - account_disable_post_pw_expiration - - account_temp_expire_date - - audit_rules_usergroup_modification_passwd - - sssd_enable_smartcards + - accounts_password_pam_ocredit - sssd_offline_cred_expiration - - smartcard_configure_cert_checking - - encrypt_partitions - - sysctl_net_ipv4_tcp_syncookies - - clean_components_post_updating - - package_audispd-plugins_installed - - package_libcap-ng-utils_installed - - auditd_audispd_syslog_plugin_activated - - accounts_password_pam_enforce_local - - accounts_password_pam_enforce_root - - # Configure TLS for remote logging + - accounts_logon_fail_delay + - display_login_attempts + - sshd_print_last_log + - accounts_umask_etc_login_defs + - accounts_umask_interactive_users + - accounts_umask_etc_bashrc + - rsyslog_cron_logging + - auditd_data_retention_action_mail_acct + - postfix_client_configure_mail_alias + - auditd_data_disk_error_action + - auditd_data_retention_max_log_file_action + - auditd_data_disk_full_action + - auditd_local_events + - auditd_name_format + - auditd_log_format + - file_permissions_var_log_audit + - directory_permissions_var_log_audit + - audit_rules_immutable + - audit_immutable_login_uids + - audit_rules_usergroup_modification_shadow + - 
audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_group + - audit_rules_login_events_lastlog + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - configure_usbguard_auditbackend - package_rsyslog_installed - package_rsyslog-gnutls_installed - - rsyslog_remote_tls - - rsyslog_remote_tls_cacert - - # Unselect zIPL rules from OSPP - - "!zipl_bls_entries_only" - - "!zipl_bootmap_is_up_to_date" - - "!zipl_audit_argument" - - "!zipl_audit_backlog_limit_argument" - - "!zipl_page_poison_argument" - - "!zipl_slub_debug_argument" - - "!zipl_vsyscall_argument" - - "!zipl_vsyscall_argument.role=unscored" - - "!zipl_vsyscall_argument.severity=info" - - - installed_OS_is_vendor_supported + - rsyslog_remote_loghost + - auditd_data_retention_space_left + - auditd_data_retention_space_left_action + - chronyd_or_ntpd_set_maxpoll + - chronyd_client_only + - chronyd_no_chronyc_network + - package_telnet-server_removed + - package_abrt_removed + - package_abrt-addon-ccpp_removed + - package_abrt-addon-kerneloops_removed + - package_abrt-addon-python_removed + - package_abrt-cli_removed + - package_abrt-plugin-logger_removed + - package_abrt-plugin-rhtsupport_removed + - package_abrt-plugin-sosreport_removed + - package_sendmail_removed + - package_gssproxy_removed + - grub2_pti_argument + - package_rsh-server_removed + - kernel_module_atm_disabled + - kernel_module_can_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled + - kernel_module_cramfs_disabled + - kernel_module_firewire-core_disabled + - configure_firewalld_ports + - service_autofs_disabled + - kernel_module_usb-storage_disabled + - service_firewalld_enabled + - package_firewalld_installed + - wireless_disable_interfaces + - kernel_module_bluetooth_disabled + - mount_option_dev_shm_nodev + - mount_option_dev_shm_nosuid + - mount_option_dev_shm_noexec + - 
mount_option_tmp_nodev + - mount_option_tmp_nosuid + - mount_option_tmp_noexec + - mount_option_var_log_nodev + - mount_option_var_log_nosuid + - mount_option_var_log_noexec + - mount_option_var_log_audit_nodev + - mount_option_var_log_audit_nosuid + - mount_option_var_log_audit_noexec + - mount_option_var_tmp_nodev + - mount_option_var_tmp_nosuid + - mount_option_var_tmp_noexec + - package_openssh-server_installed + - service_sshd_enabled + - sshd_rekey_limit + - ssh_client_rekey_limit + - disable_ctrlaltdel_reboot + - dconf_gnome_disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - service_debug-shell_disabled + - package_tftp-server_removed + - accounts_no_uid_except_zero + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_kptr_restrict + - sysctl_user_max_user_namespaces + - sysctl_net_ipv4_conf_all_rp_filter + - postfix_prevent_unrestricted_relay + - aide_verify_ext_attributes + - aide_verify_acls + - package_xorg-x11-server-common_removed + - sshd_disable_x11_forwarding + - sshd_x11_use_localhost + - tftpd_uses_secure_mode + - package_vsftpd_removed + - package_gssproxy_removed + - package_iprutils_removed + - package_tuned_removed + - require_emergency_target_auth + - require_singleuser_auth + - set_password_hashing_algorithm_systemauth + - 
dir_perms_world_writable_sticky_bits + - package_aide_installed + - aide_scan_notification + - install_smartcard_packages + - sshd_disable_kerb_auth + - sshd_disable_gssapi_auth + - accounts_user_dot_no_world_writable_programs + - network_configure_name_resolution + - dir_perms_world_writable_root_owned + - package_tmux_installed + - configure_tmux_lock_command + - accounts_password_pam_retry + - sssd_enable_smartcards + - no_empty_passwords + - sshd_disable_empty_passwords + - file_ownership_var_log_audit + - audit_rules_sysadmin_actions + - package_audit_installed + - service_auditd_enabled + - sshd_allow_only_protocol2 + - package_fapolicyd_installed + - service_fapolicyd_enabled + - package_usbguard_installed + - service_usbguard_enabled + - network_sniffer_disabled From 22cac40b15eb5beb4144c2521021e093509c05ad Mon Sep 17 00:00:00 2001 
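Review bot: Removing `extends: ospp` drops hardening that the new selection list does not add back: `rsyslog_remote_tls` and `rsyslog_remote_tls_cacert` are deleted while `rsyslog_remote_loghost` is added, so the profile now checks that logs are forwarded but no longer that the transport is encrypted, even though `package_rsyslog-gnutls_installed` is kept. `var_system_crypto_policy=fips_ospp` is still set, yet no crypto-policy rule appears among the added selections (the stability data later on this page removes `configure_crypto_policy` and `configure_ssh_crypto_policy`), so the variable presumably has no rule consuming it. `sysctl_net_ipv4_tcp_syncookies`, `accounts_password_pam_enforce_local` and `accounts_password_pam_enforce_root` disappear the same way. Unless these are deliberately out of scope for V1R1, I would re-select them explicitly, e.g. `- rsyslog_remote_tls`, `- rsyslog_remote_tls_cacert` and `- configure_crypto_policy`; if they are out of scope, say so in the commit message so the coverage loss is a recorded decision.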
From: Gabriel Becker Date: Fri, 29 Jan 2021 11:34:57 +0100 Subject: [PATCH 02/21] Add correct variables to RHEL8 STIG missing from OSPP. They have either a different value from OSPP or they are being explicitly set even if they are default values. --- .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 + .../ntp/var_time_service_set_maxpoll.var | 1 + .../r_services/no_host_based_files/rule.yml | 2 ++ .../no_user_host_based_files/rule.yml | 1 + .../sshd_x11_use_localhost/rule.yml | 1 + .../install_smartcard_packages/rule.yml | 1 + .../accounts_logon_fail_delay/rule.yml | 1 + .../rule.yml | 1 + .../accounts_user_home_paths_only/rule.yml | 1 + .../rule.yml | 1 + .../file_permission_user_init_files/rule.yml | 1 + .../rule.yml | 1 + .../accounts_umask_interactive_users/rule.yml | 1 + .../rule.yml | 1 + .../auditd_data_disk_error_action/rule.yml | 1 + .../auditd_data_disk_full_action/rule.yml | 1 + .../auditd_data_retention_space_left/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 + rhel8/profiles/stig.profile | 20 +++++++++++++++++-- 25 files changed, 43 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml index 4bfcc16c7f..0a3d818831 100644 --- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-80512-7 + cce@rhel8: CCE-84054-6 references: stigid@ol7: OL07-00-040680 
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
index 3349a7963a..9374bdc065 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml
@@ -14,6 +14,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80239-7
+ cce@rhel8: CCE-84052-0
 references:
 nist: CM-6(a),MP-2
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
index ee6b9aa54a..4a50d79600 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
@@ -17,6 +17,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80436-9
 cce@sle12: CCE-83103-2
+ cce@rhel8: CCE-84050-4
 references:
 stigid@ol7: OL07-00-021021
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
index 6b71f94c2b..695e1a1e6c 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80240-5
 cce@sle12: CCE-83102-4
+ cce@rhel8: CCE-84053-8
 references:
 stigid@ol7: OL07-00-021020
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index 9a802b5d5d..8d12b741a9 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 cce@rhel7: CCE-80439-3
 cce@rhcos4: CCE-82684-2
 cce@sle12: CCE-83124-8
+ cce@rhel8: CCE-84059-5
 references:
 stigid@ol7: OL07-00-040500
diff --git a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
index 81a7debf25..6dd3ec434c 100644
--- a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
+++ b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var
@@ -10,5 +10,6 @@ interactive: false
 options:
 36_hours: 17
+ 18_hours: 16
 default: 10
 system_default: 10
diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
index 01eb9e5f99..4944530617 100644
--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml
@@ -23,6 +23,8 @@ severity: high
 identifiers:
 cce@rhel7: CCE-80513-5
 cce@sle12: CCE-83022-4
+ cce@rhel8: CCE-84055-3
+
 references:
 stigid@ol7: OL07-00-040550
 disa: CCI-000366
diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
index 48bff043a6..efb6386261 100644
--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml
@@ -23,6 +23,7 @@ severity: high
 identifiers:
 cce@rhel7: CCE-80514-3
 cce@sle12: CCE-83021-6
+ cce@rhel8: CCE-84056-1
 references:
 stigid@ol7: OL07-00-040540
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index bee39a3904..664db5e626 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-83404-4
+ cce@rhel8: CCE-84058-7
 references:
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index 29aa49483d..4b8a9c29f5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80519-2
+ cce@rhel8: CCE-84029-8
 references:
 stigid@ol7: OL07-00-041001
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index e62e3cc62b..d1da3b6963 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80352-8
 cce@sle12: CCE-83028-1
+ cce@rhel8: CCE-84037-1
 references:
 stigid@ol7: OL07-00-010430
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index b73743ebcb..d41cc0cca4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80523-4
 cce@sle12: CCE-83099-2
+ cce@rhel8: CCE-84039-7
 references:
 stigid@ol7: OL07-00-020730
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index b70bfc171a..143920449b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80524-2
 cce@sle12: CCE-83098-4
+ cce@rhel8: CCE-84040-5
 references:
 stigid@ol7: OL07-00-020720
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index a0e6277ec6..a4cf5c2b2d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -17,6 +17,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80528-3
 cce@sle12: CCE-83075-2
+ cce@rhel8: CCE-84036-3
 references:
 stigid@ol7: OL07-00-020600
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 411a46dd00..ef6280203f 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -19,6 +19,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80525-9
 cce@sle12: CCE-83097-6
+ cce@rhel8: CCE-84043-9
 references:
 stigid@ol7: OL07-00-020710
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 62d603cfbb..561f9f1394 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -19,6 +19,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80530-9
 cce@sle12: CCE-83076-0
+ cce@rhel8: CCE-84038-9
 references:
 stigid@ol7: OL07-00-020630
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
index 7629fcb3e4..f3648011c5 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
@@ -18,6 +18,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80536-6
+ cce@rhel8: CCE-84044-7
 references:
 stigid@ol7: OL07-00-021040
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 09618d986d..b9ff8233bb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -16,6 +16,7 @@ severity: unknown
 identifiers:
 cce@rhcos4: CCE-82692-5
+ cce@rhel8: CCE-84048-8
 references:
 nist: CM-6(a),AC-6(1),AU-9
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
index 442b693951..d3646de8ff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
@@ -24,6 +24,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80646-3
 cce@rhcos4: CCE-82679-2
+ cce@rhel8: CCE-84046-2
 references:
 nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index 01a5c5201d..d92afe34e8 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -27,6 +27,7 @@ severity: medium
 identifiers:
 cce@rhcos4: CCE-82676-8
 cce@sle12: CCE-83032-3
+ cce@rhel8: CCE-84045-4
 references:
 nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index 2f37c5b0e4..f1a742a810 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@rhel7: CCE-80537-4
 cce@rhcos4: CCE-82681-8
 cce@sle12: CCE-83026-5
+ cce@rhel8: CCE-84047-0
 references:
 stigid@ol7: OL07-00-030330
diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
index a9c6550b47..8450e29bf7 100644
--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
+++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml
@@ -26,6 +26,7 @@ severity: low
 identifiers:
 cce@rhel7: CCE-80438-5
+ cce@rhel8: CCE-84049-6
 references:
 stigid@ol7: OL07-00-040600
diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
index fae18baff6..d89bc407c7 100644
--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml
@@ -30,6 +30,7 @@ severity: high
 identifiers:
 cce@rhel7: CCE-80124-1
+ cce@rhel8: CCE-84028-0
 references:
 stigid@ol7: OL07-00-020231
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 0807f512fb..8753e4aeef 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -23,6 +23,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode identifiers: cce@rhel7: CCE-80658-8 + cce@rhel8: CCE-84027-2 references: disa: CCI-000068,CCI-000803,CCI-002450 diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 03ce772734..66cc5007be 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -24,12 +24,16 @@ description: |- - Red Hat Containers with a Red Hat Enterprise Linux 8 image selections: + # variables - var_rekey_limit_size=1G - var_rekey_limit_time=1hour - var_accounts_user_umask=077 - - var_password_pam_difok=4 + - var_password_pam_difok=8 - var_password_pam_maxrepeat=3 + - var_sshd_disable_compression=no - var_password_pam_maxclassrepeat=4 + - var_password_pam_minclass=4 + - var_accounts_minimum_age_login_defs=1 - var_accounts_max_concurrent_login_sessions=10 - var_password_pam_unix_remember=5 - var_selinux_state=enforcing @@ -41,6 +45,8 @@ selections: - var_password_pam_dcredit=1 - var_password_pam_ucredit=1 - var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_password_pam_minlen=15 - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 
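Review bot: `var_password_pam_minlen=15` is added here after `var_password_pam_retry=3`, but PATCH 01/21 already selects the same variable directly after `var_accounts_password_minlen_login_defs=15`, so the profile now sets it twice. The PATCH 01/21 profile hunk has the same problem with rules: `package_gssproxy_removed` and `service_auditd_enabled` are each listed twice. Duplicate entries in a security baseline are easy to get wrong later, when one copy is changed and the other is not, so I would drop the second occurrence of each. The `selections:` list continues outside the lines shown in this hunk.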
@@ -48,8 +54,18 @@ selections: - var_ssh_client_rekey_limit_size=1G - var_ssh_client_rekey_limit_time=1hour - var_accounts_fail_delay=4 + - var_account_disable_post_pw_expiration=35 + - var_auditd_action_mail_acct=root + - var_time_service_set_maxpoll=18_hours + - var_password_hashing_algorithm=SHA512 + - var_accounts_maximum_age_login_defs=60 + - var_auditd_space_left=250MB + - var_auditd_space_left_action=email + - var_auditd_disk_error_action=halt + - var_auditd_max_log_file_action=syslog + - var_auditd_disk_full_action=halt - + # rules - installed_OS_is_vendor_supported - security_patches_up_to_date - enable_fips_mode From e9d4aa6be77d6da201a748652effcf150cfaf18e Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 29 Jan 2021 13:52:43 +0100 Subject: [PATCH 03/21] Update RHEL8 STIG profile stability data. --- .../data/profile_stability/rhel8/stig.profile | 207 +++++++++++------- 1 file changed, 122 insertions(+), 85 deletions(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 6676ca497c..9089f7ef4f 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
@@ -25,92 +25,110 @@ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-s selections: - account_disable_post_pw_expiration - account_temp_expire_date +- accounts_have_homedir_login_defs +- accounts_logon_fail_delay - accounts_max_concurrent_login_sessions +- accounts_maximum_age_login_defs +- accounts_minimum_age_login_defs +- accounts_no_uid_except_zero - accounts_password_minlen_login_defs - accounts_password_pam_dcredit - accounts_password_pam_difok -- accounts_password_pam_enforce_local -- accounts_password_pam_enforce_root - accounts_password_pam_lcredit - accounts_password_pam_maxclassrepeat - accounts_password_pam_maxrepeat +- accounts_password_pam_minclass - accounts_password_pam_minlen - accounts_password_pam_ocredit +- accounts_password_pam_retry - accounts_password_pam_ucredit - accounts_password_pam_unix_remember - accounts_password_set_max_life_existing - accounts_password_set_min_life_existing - accounts_passwords_pam_faillock_deny +- accounts_passwords_pam_faillock_deny_root - accounts_passwords_pam_faillock_interval - accounts_passwords_pam_faillock_unlock_time - accounts_umask_etc_bashrc -- accounts_umask_etc_csh_cshrc -- accounts_umask_etc_profile -- audit_access_failed -- audit_access_success -- audit_basic_configuration -- audit_create_failed -- audit_create_success -- audit_delete_failed -- audit_delete_success +- accounts_umask_etc_login_defs +- accounts_umask_interactive_users +- accounts_user_dot_no_world_writable_programs +- accounts_user_home_paths_only +- accounts_user_interactive_home_directory_defined +- accounts_user_interactive_home_directory_exists +- aide_scan_notification +- aide_verify_acls +- aide_verify_ext_attributes - audit_immutable_login_uids -- audit_modify_failed -- audit_modify_success -- audit_module_load -- audit_ospp_general -- audit_owner_change_failed -- audit_owner_change_success -- audit_perm_change_failed -- audit_perm_change_success +- audit_rules_immutable +- 
audit_rules_login_events_lastlog +- audit_rules_sysadmin_actions +- audit_rules_usergroup_modification_group +- audit_rules_usergroup_modification_gshadow +- audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd -- auditd_audispd_syslog_plugin_activated -- auditd_data_retention_flush -- auditd_freq +- audit_rules_usergroup_modification_shadow +- auditd_data_disk_error_action +- auditd_data_disk_full_action +- auditd_data_retention_action_mail_acct +- auditd_data_retention_max_log_file_action +- auditd_data_retention_space_left +- auditd_data_retention_space_left_action - auditd_local_events - auditd_log_format - auditd_name_format -- auditd_write_logs - banner_etc_issue - chronyd_client_only - chronyd_no_chronyc_network +- chronyd_or_ntpd_set_maxpoll - clean_components_post_updating - configure_bashrc_exec_tmux -- configure_bind_crypto_policy -- configure_crypto_policy -- configure_kerberos_crypto_policy -- configure_libreswan_crypto_policy -- configure_openssl_crypto_policy -- configure_ssh_crypto_policy +- configure_firewalld_ports - configure_tmux_lock_after_time - configure_tmux_lock_command - configure_usbguard_auditbackend - coredump_disable_backtraces - coredump_disable_storage -- dconf_db_up_to_date - dconf_gnome_banner_enabled +- dconf_gnome_disable_ctrlaltdel_reboot - dconf_gnome_login_banner_text +- dconf_gnome_screensaver_idle_delay +- dconf_gnome_screensaver_lock_enabled +- dir_perms_world_writable_root_owned +- dir_perms_world_writable_sticky_bits +- directory_permissions_var_log_audit - disable_ctrlaltdel_burstaction - disable_ctrlaltdel_reboot -- disable_host_auth - disable_users_coredumps -- dnf-automatic_apply_updates -- dnf-automatic_security_updates_only -- enable_dracut_fips_module +- display_login_attempts - enable_fips_mode - encrypt_partitions - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages -- ensure_gpgcheck_never_disabled -- ensure_redhat_gpgkey_installed +- 
file_groupownership_home_directories +- file_ownership_binary_dirs +- file_ownership_library_dirs +- file_ownership_var_log_audit +- file_permission_user_init_files +- file_permissions_binary_dirs +- file_permissions_home_directories +- file_permissions_library_dirs +- file_permissions_sshd_private_key +- file_permissions_sshd_pub_key +- file_permissions_ungroupowned +- file_permissions_var_log_audit +- gnome_gdm_disable_automatic_login +- grub2_admin_username - grub2_audit_argument - grub2_audit_backlog_limit_argument -- grub2_disable_interactive_boot -- grub2_kernel_trust_cpu_rng - grub2_page_poison_argument +- grub2_password - grub2_pti_argument - grub2_slub_debug_argument +- grub2_uefi_admin_username - grub2_uefi_password - grub2_vsyscall_argument +- install_smartcard_packages - installed_OS_is_vendor_supported - kerberos_disable_no_keytab - kernel_module_atm_disabled @@ -120,14 +138,19 @@ selections: - kernel_module_firewire-core_disabled - kernel_module_sctp_disabled - kernel_module_tipc_disabled -- mount_option_boot_nodev +- kernel_module_usb-storage_disabled - mount_option_boot_nosuid - mount_option_dev_shm_nodev - mount_option_dev_shm_noexec - mount_option_dev_shm_nosuid -- mount_option_home_nodev - mount_option_home_nosuid - mount_option_nodev_nonroot_local_partitions +- mount_option_nodev_remote_filesystems +- mount_option_nodev_removable_partitions +- mount_option_noexec_remote_filesystems +- mount_option_noexec_removable_partitions +- mount_option_nosuid_remote_filesystems +- mount_option_nosuid_removable_partitions - mount_option_tmp_nodev - mount_option_tmp_noexec - mount_option_tmp_nosuid 
@@ -137,13 +160,16 @@ selections: - mount_option_var_log_nodev - mount_option_var_log_noexec - mount_option_var_log_nosuid -- mount_option_var_nodev - mount_option_var_tmp_nodev - mount_option_var_tmp_noexec - mount_option_var_tmp_nosuid +- network_configure_name_resolution +- network_sniffer_disabled - no_empty_passwords +- no_files_unowned_by_user +- no_host_based_files - no_tmux_in_shells -- openssl_use_strong_entropy +- no_user_host_based_files - package_abrt-addon-ccpp_removed - package_abrt-addon-kerneloops_removed - package_abrt-addon-python_removed 
@@ -153,66 +179,76 @@ selections: - package_abrt-plugin-sosreport_removed - package_abrt_removed - package_aide_installed -- package_audispd-plugins_installed - package_audit_installed -- package_chrony_installed -- package_crypto-policies_installed -- package_dnf-automatic_installed -- package_dnf-plugin-subscription-manager_installed - package_fapolicyd_installed - package_firewalld_installed -- package_gnutls-utils_installed - package_gssproxy_removed - package_iprutils_removed - package_krb5-workstation_removed -- package_libcap-ng-utils_installed -- package_nfs-utils_removed -- package_openscap-scanner_installed -- package_openssh-clients_installed +- package_opensc_installed - package_openssh-server_installed -- package_policycoreutils-python-utils_installed - package_policycoreutils_installed +- package_rsh-server_removed - package_rsyslog-gnutls_installed - package_rsyslog_installed -- package_scap-security-guide_installed - package_sendmail_removed -- package_subscription-manager_installed -- package_sudo_installed +- package_telnet-server_removed +- package_tftp-server_removed - package_tmux_installed +- package_tuned_removed - package_usbguard_installed +- package_vsftpd_removed +- package_xorg-x11-server-common_removed - partition_for_home +- partition_for_tmp - partition_for_var - partition_for_var_log - partition_for_var_log_audit +- postfix_client_configure_mail_alias +- postfix_prevent_unrestricted_relay +- require_emergency_target_auth - require_singleuser_auth -- rsyslog_remote_tls -- rsyslog_remote_tls_cacert -- securetty_root_login_console_only +- rsyslog_cron_logging +- rsyslog_remote_loghost +- security_patches_up_to_date - selinux_policytype - selinux_state - service_auditd_enabled +- service_autofs_disabled - service_debug-shell_disabled - service_fapolicyd_enabled - service_firewalld_enabled - service_kdump_disabled +- service_rngd_enabled +- service_rsyslog_enabled +- service_sshd_enabled - service_systemd-coredump_disabled - 
service_usbguard_enabled -- smartcard_configure_cert_checking +- set_password_hashing_algorithm_logindefs +- set_password_hashing_algorithm_systemauth - ssh_client_rekey_limit -- ssh_client_use_strong_rng_csh -- ssh_client_use_strong_rng_sh +- sshd_allow_only_protocol2 +- sshd_disable_compression - sshd_disable_empty_passwords - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - sshd_disable_root_login +- sshd_disable_user_known_hosts +- sshd_disable_x11_forwarding +- sshd_do_not_permit_user_env - sshd_enable_strictmodes - sshd_enable_warning_banner +- sshd_print_last_log - sshd_rekey_limit - sshd_set_idle_timeout - sshd_set_keepalive - sshd_use_strong_rng +- sshd_x11_use_localhost - sssd_enable_smartcards - sssd_offline_cred_expiration +- sudo_remove_no_authenticate +- sudo_remove_nopasswd +- sysctl_crypto_fips_enabled - sysctl_fs_protected_hardlinks - sysctl_fs_protected_symlinks - sysctl_kernel_core_pattern 
@@ -220,25 +256,18 @@ selections: - sysctl_kernel_kexec_load_disabled - sysctl_kernel_kptr_restrict - sysctl_kernel_perf_event_paranoid +- sysctl_kernel_randomize_va_space - sysctl_kernel_unprivileged_bpf_disabled - sysctl_kernel_yama_ptrace_scope -- sysctl_net_core_bpf_jit_harden - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_all_accept_source_route -- sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_conf_all_rp_filter -- sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_conf_default_accept_source_route -- sysctl_net_ipv4_conf_default_log_martians -- sysctl_net_ipv4_conf_default_rp_filter -- sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_send_redirects - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_ip_forward -- sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv6_conf_all_accept_ra - sysctl_net_ipv6_conf_all_accept_redirects - sysctl_net_ipv6_conf_all_accept_source_route 
@@ -246,36 +275,44 @@ selections: - sysctl_net_ipv6_conf_default_accept_redirects - sysctl_net_ipv6_conf_default_accept_source_route - sysctl_user_max_user_namespaces -- timer_dnf-automatic_enabled -- usbguard_allow_hid_and_hub -- use_pam_wheel_for_su +- tftpd_uses_secure_mode +- wireless_disable_interfaces - var_rekey_limit_size=1G - var_rekey_limit_time=1hour -- var_accounts_user_umask=027 -- var_password_pam_difok=4 +- var_accounts_user_umask=077 +- var_password_pam_difok=8 - var_password_pam_maxrepeat=3 +- var_sshd_disable_compression=no - var_password_pam_maxclassrepeat=4 -- var_auditd_flush=incremental_async +- var_password_pam_minclass=4 +- var_accounts_minimum_age_login_defs=1 - var_accounts_max_concurrent_login_sessions=10 - var_password_pam_unix_remember=5 - var_selinux_state=enforcing - var_selinux_policy_name=targeted - var_system_crypto_policy=fips_ospp -- var_accounts_password_minlen_login_defs=12 -- var_password_pam_minlen=12 +- var_accounts_password_minlen_login_defs=15 +- var_password_pam_minlen=15 - var_password_pam_ocredit=1 - var_password_pam_dcredit=1 - var_password_pam_ucredit=1 - var_password_pam_lcredit=1 -- sshd_idle_timeout_value=14_minutes +- var_password_pam_retry=3 +- sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 - var_accounts_passwords_pam_faillock_unlock_time=never - var_ssh_client_rekey_limit_size=1G - var_ssh_client_rekey_limit_time=1hour -- login_banner_text=dod_banners -- grub2_vsyscall_argument.role=unscored -- grub2_vsyscall_argument.severity=info -- sysctl_user_max_user_namespaces.role=unscored -- sysctl_user_max_user_namespaces.severity=info -title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' +- var_accounts_fail_delay=4 +- var_account_disable_post_pw_expiration=35 +- var_auditd_action_mail_acct=root +- var_time_service_set_maxpoll=18_hours +- var_password_hashing_algorithm=SHA512 +- var_accounts_maximum_age_login_defs=60 +- 
var_auditd_space_left=250MB +- var_auditd_space_left_action=email +- var_auditd_disk_error_action=halt +- var_auditd_max_log_file_action=syslog +- var_auditd_disk_full_action=halt +title: DISA STIG for Red Hat Enterprise Linux 8 From 443d09de1487b35d4fc8bbc146ddd74a4412f7f4 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Tue, 2 Feb 2021 13:42:40 +0100 Subject: [PATCH 04/21] Set openssl-pkcs11 as default package for install_smartcard_packages. --- .../install_smartcard_packages/rule.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml index 4b8a9c29f5..d64240dce2 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml @@ -7,7 +7,11 @@ title: 'Install Smart Card Packages For Multifactor Authentication' description: |- Configure the operating system to implement multifactor authentication by installing the required package with the following command: + {{%- if product in ["rhel7", "ol7"] %}} {{{ describe_package_install(package="pam_pkcs11") }}} + {{%- else %}} + {{{ describe_package_install(package="openssl-pkcs11") }}} + {{%- endif %}} rationale: |- Using an authentication device, such as a CAC or token that is separate from 
@@ -37,9 +41,15 @@ references: ocil_clause: 'smartcard software is not installed' +{{%- if product in ["rhel7", "ol7"] %}} ocil: '{{{ ocil_package(package="pam_pkcs11") }}}' +{{%- else %}} +ocil: '{{{ ocil_package(package="openssl-pkcs11") }}}' +{{%- endif %}} template: name: package_installed vars: - pkgname: pam_pkcs11 + pkgname: openssl-pkcs11 + pkgname@rhel7: pam_pkcs11 + pkgname@ol7: pam_pkcs11 From 628065d65e0ab363dcdbb513f17a28ae839cefb5 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 4 Feb 2021 19:09:44 +0100 Subject: [PATCH 05/21] Remove conflicting rules from RHEL8 STIG profile. --- rhel8/profiles/stig.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 66cc5007be..24eb0f9e21 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -223,7 +223,7 @@ selections: - package_abrt-plugin-rhtsupport_removed - package_abrt-plugin-sosreport_removed - package_sendmail_removed - - package_gssproxy_removed + # - package_gssproxy_removed - grub2_pti_argument - package_rsh-server_removed - kernel_module_atm_disabled @@ -286,7 +286,7 @@ selections: - postfix_prevent_unrestricted_relay - aide_verify_ext_attributes - aide_verify_acls - - package_xorg-x11-server-common_removed + # - package_xorg-x11-server-common_removed - sshd_disable_x11_forwarding - sshd_x11_use_localhost - tftpd_uses_secure_mode From 917744300baa99686955239f6e73b193a7c1e2b9 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 8 Feb 2021 15:47:09 +0100 Subject: [PATCH 06/21] Remove duplicate rule gssproxy package removed from STIG. --- rhel8/profiles/stig.profile | 1 - tests/data/profile_stability/rhel8/stig.profile | 2 -- 2 files changed, 3 deletions(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 24eb0f9e21..34f9f79461 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile 
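Review bot: The `vars` block at the end of this hunk makes `openssl-pkcs11` the `pkgname` for every product except `rhel7` and `ol7`, not only for RHEL 8. If the rule is also built for other products (its `prodtype` is outside the hunk), the check would start requiring a package that may not exist there. Confirm that, or keep `pkgname: pam_pkcs11` as the default and add `pkgname@rhel8: openssl-pkcs11`. The same product condition is repeated in the `description` hunk above and in `ocil`, so the three places have to be kept in step by hand.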
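Review bot: `# - package_gssproxy_removed` and, in the second hunk, `# - package_xorg-x11-server-common_removed` are left as commented-out selections with no statement of what they conflict with. A reader auditing STIG coverage cannot tell whether the requirement is dropped, deferred, or covered by another rule. Either delete the entries or put the reason on the line above, for example `# conflicts with <RULE_ID>: <reason>; re-enable when resolved`.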
@@ -291,7 +291,6 @@ selections: - sshd_x11_use_localhost - tftpd_uses_secure_mode - package_vsftpd_removed - - package_gssproxy_removed - package_iprutils_removed - package_tuned_removed - require_emergency_target_auth diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 9089f7ef4f..bc5153fa99 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -182,7 +182,6 @@ selections: - package_audit_installed - package_fapolicyd_installed - package_firewalld_installed -- package_gssproxy_removed - package_iprutils_removed - package_krb5-workstation_removed - package_opensc_installed @@ -198,7 +197,6 @@ selections: - package_tuned_removed - package_usbguard_installed - package_vsftpd_removed -- package_xorg-x11-server-common_removed - partition_for_home - partition_for_tmp - partition_for_var From 9455a5059b09de9bb9d4f5faeca7896246bc2e0e Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Mon, 8 Feb 2021 17:54:07 +0100 Subject: [PATCH 07/21] Remove one file based audit rule from RHEL8 STIG profile. --- rhel8/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 34f9f79461..a5f8f54de1 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -195,7 +195,7 @@ selections: - file_permissions_var_log_audit - directory_permissions_var_log_audit - audit_rules_immutable - - audit_immutable_login_uids + # - audit_immutable_login_uids - audit_rules_usergroup_modification_shadow - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd From 987b198504bd45e40a3c4e090ebf36e69f18d43c Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Mon, 8 Feb 2021 17:54:26 +0100 Subject: [PATCH 08/21] Increase size of /var partition in RHEL8 STIG kickstart. Set mount options nosuid, nodev and noexec to /boot partition. --- rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg index 28f7ff0927..3e8be668bd 100644 --- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg @@ -100,7 +100,7 @@ zerombr clearpart --linux --initlabel # Create primary system partitions (required for installs) -part /boot --fstype=xfs --size=512 +part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" part pv.01 --grow --size=1 # Create a Logical Volume Management (LVM) group (optional) From 446e9b79aa6cc40ab42c95292914835fa18d0b69 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Tue, 9 Feb 2021 14:33:30 +0100 Subject: [PATCH 09/21] Add package_rng-tools_installed because it is dependency of rngd service. --- rhel8/profiles/stig.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index a5f8f54de1..91ce77b4de 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -110,6 +110,7 @@ selections: - no_host_based_files - no_user_host_based_files - service_rngd_enabled + - package_rng-tools_installed - file_permissions_sshd_pub_key - file_permissions_sshd_private_key - sshd_enable_strictmodes From d61652ed418bb4d6b07a88f1bee1bda15196e23e Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Tue, 9 Feb 2021 14:35:53 +0100 Subject: [PATCH 10/21] Remove draft verbiage from description in RHEL8 STIG profile. --- rhel8/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 91ce77b4de..017e72ee2d 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile 
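Review bot: The subject line announces a larger /var partition, but the only changed line in this hunk is `part /boot`, so the /var change is either missing from the patch or the subject is stale. The new `--fsoptions="nodev,nosuid,noexec"` also has no comment naming the profile rules it is meant to satisfy. A line such as `# /boot mount options follow the profile's mount_option_boot_* rules (e.g. mount_option_boot_nosuid)` would keep the kickstart and the profile from drifting apart.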
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. + DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of From 9fa00acb2c1b551c26418ce2ff606a579e7fe192 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 10 Feb 2021 12:24:05 +0100 Subject: [PATCH 11/21] Update RHEL8 STIG profile stability data. --- tests/data/profile_stability/rhel8/stig.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index bc5153fa99..668c258306 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. + DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -59,7 +59,6 @@ selections: - aide_scan_notification - aide_verify_acls - aide_verify_ext_attributes -- audit_immutable_login_uids - audit_rules_immutable - audit_rules_login_events_lastlog - audit_rules_sysadmin_actions @@ -187,6 +186,7 @@ selections: - package_opensc_installed - package_openssh-server_installed - package_policycoreutils_installed +- package_rng-tools_installed - package_rsh-server_removed - package_rsyslog-gnutls_installed - package_rsyslog_installed From 91a77ac9fce7ba96ba80d2d33efa0b82c5329807 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Wed, 10 Feb 2021 12:47:45 +0100 Subject: [PATCH 12/21] Fix duplicated CCE. --- .../auditd_data_retention_space_left/rule.yml | 2 +- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index f1a742a810..7d84595498 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -23,7 +23,7 @@ identifiers: cce@rhel7: CCE-80537-4 cce@rhcos4: CCE-82681-8 cce@sle12: CCE-83026-5 - cce@rhel8: CCE-84047-0 + cce@rhel8: CCE-83619-7 references: stigid@ol7: OL07-00-030330 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 15bf569a4a..9a5b9703af 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -124,7 +124,6 @@ CCE-83615-5 CCE-83616-3 CCE-83617-1 CCE-83618-9 -CCE-83619-7 CCE-83620-5 CCE-83621-3 CCE-83622-1 From ba53084a041ae151d50f237c58efd136be89012c Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 11 Feb 2021 12:47:56 +0100 Subject: [PATCH 13/21] Add bootloader password to RHEL8 STIG kickstart example. --- rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg index 3e8be668bd..0ec942bb8b 100644 --- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg 
@@ -83,10 +83,11 @@ selinux --enforcing timezone --utc America/New_York # Specify how the bootloader should be installed (required) +# Plaintext password is: password # Refer to e.g. # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw # to see how to create encrypted password form for different plaintext password -bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" +bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 # Initialize (format) all disks (optional) zerombr From 8c7bea0728745c6a25502d26fbb30053b7888261 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 11 Feb 2021 12:49:02 +0100 Subject: [PATCH 14/21] Update RHEL8 STIG profile with FIPS rules. --- rhel8/profiles/stig.profile | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 017e72ee2d..201a5c6ca6 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -38,7 +38,6 @@ selections: - var_password_pam_unix_remember=5 - var_selinux_state=enforcing - var_selinux_policy_name=targeted - - var_system_crypto_policy=fips_ospp - var_accounts_password_minlen_login_defs=15 - var_password_pam_minlen=15 - var_password_pam_ocredit=1 
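Review bot: `--password=` is given a `$6$…` crypt string without `--iscrypted`, and the kickstart `bootloader` command takes the value as the literal plaintext password unless that flag is present. Even with the flag, GRUB2 expects a `grub.pbkdf2.sha512…` hash from `grub2-mkpasswd-pbkdf2`, not a SHA-512 crypt hash. As written the boot loader password is therefore probably not `password` as the comment claims, and the reference link points at `rootpw` rather than `bootloader`. Use `bootloader … --iscrypted --password=<GRUB2_PBKDF2_HASH>`, and reword the comment to say the value is a published sample that must be replaced before the file is used for a real installation.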
@@ -65,10 +64,21 @@ selections: - var_auditd_max_log_file_action=syslog - var_auditd_disk_full_action=halt + ### Enable / Configure FIPS + - enable_fips_mode + - var_system_crypto_policy=fips + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy + - configure_kerberos_crypto_policy + - enable_dracut_fips_module + # rules - installed_OS_is_vendor_supported - security_patches_up_to_date - - enable_fips_mode + - sysctl_crypto_fips_enabled - encrypt_partitions - sshd_enable_warning_banner @@ -211,6 +221,7 @@ selections: - rsyslog_remote_loghost - auditd_data_retention_space_left - auditd_data_retention_space_left_action + # remediation fails because default configuration file contains pool instead of server keyword - chronyd_or_ntpd_set_maxpoll - chronyd_client_only - chronyd_no_chronyc_network @@ -284,6 +295,7 @@ selections: - sysctl_kernel_kptr_restrict - sysctl_user_max_user_namespaces - sysctl_net_ipv4_conf_all_rp_filter + # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation - postfix_prevent_unrestricted_relay - aide_verify_ext_attributes - aide_verify_acls From 6735cc0b910e75a1909d774efbf033781c6ad424 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 11 Feb 2021 13:29:33 +0100 Subject: [PATCH 15/21] Update RHEL8 STIG profile stability test data. --- tests/data/profile_stability/rhel8/stig.profile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 668c258306..f120201c91 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile 
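Review bot: `var_system_crypto_policy=fips` replaces the `fips_ospp` value removed in the first hunk of this patch, and the new "Enable / Configure FIPS" block does not say why. As far as I know FIPS:OSPP is the FIPS policy with a further-restricting subpolicy, so this looks like a relaxation that the `configure_*_crypto_policy` rules listed below it will inherit. If that is what the STIG text calls for, record it next to the variable, e.g. `# STIG requires the plain FIPS policy; FIPS:OSPP is intentionally not used here`.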
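Review bot: The comment added above `chronyd_or_ntpd_set_maxpoll`, and the one above `postfix_prevent_unrestricted_relay` in the last hunk, record that remediation fails on a default install, yet both rules stay selected. A remediate-then-scan run will therefore still report them as failing, with nothing to tell the operator it is a known issue. Add a tracking reference so the note can be removed once fixed, e.g. `# known issue <ISSUE_ID>: remediation fails when the default configuration file uses pool instead of server`.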
@@ -82,7 +82,13 @@ selections: - chronyd_or_ntpd_set_maxpoll - clean_components_post_updating - configure_bashrc_exec_tmux +- configure_bind_crypto_policy +- configure_crypto_policy - configure_firewalld_ports +- configure_kerberos_crypto_policy +- configure_libreswan_crypto_policy +- configure_openssl_crypto_policy +- configure_ssh_crypto_policy - configure_tmux_lock_after_time - configure_tmux_lock_command - configure_usbguard_auditbackend @@ -100,6 +106,7 @@ selections: - disable_ctrlaltdel_reboot - disable_users_coredumps - display_login_attempts +- enable_dracut_fips_module - enable_fips_mode - encrypt_partitions - ensure_gpgcheck_globally_activated @@ -288,7 +295,6 @@ selections: - var_password_pam_unix_remember=5 - var_selinux_state=enforcing - var_selinux_policy_name=targeted -- var_system_crypto_policy=fips_ospp - var_accounts_password_minlen_login_defs=15 - var_password_pam_minlen=15 - var_password_pam_ocredit=1 @@ -313,4 +319,5 @@ selections: - var_auditd_disk_error_action=halt - var_auditd_max_log_file_action=syslog - var_auditd_disk_full_action=halt +- var_system_crypto_policy=fips title: DISA STIG for Red Hat Enterprise Linux 8 From b8068d4c2edfb90b4ec75f9d1bb83af78dbb468e Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 11 Feb 2021 17:40:40 +0100 Subject: [PATCH 16/21] Remove postfix_prevent_unrestricted_relay from RHEL8 STIG profile. The check doesn't consider if the package postfix is installed or not, which in this case is a hard requirement. --- rhel8/profiles/stig.profile | 3 ++- tests/data/profile_stability/rhel8/stig.profile | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 201a5c6ca6..7aea226c95 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile 
@@ -296,7 +296,8 @@ selections: - sysctl_user_max_user_namespaces - sysctl_net_ipv4_conf_all_rp_filter # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation - - postfix_prevent_unrestricted_relay + # there needs to be a new platform check to identify when postfix is installed or not + # - postfix_prevent_unrestricted_relay - aide_verify_ext_attributes - aide_verify_acls # - package_xorg-x11-server-common_removed diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index f120201c91..2c574382a8 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -210,7 +210,6 @@ selections: - partition_for_var_log - partition_for_var_log_audit - postfix_client_configure_mail_alias -- postfix_prevent_unrestricted_relay - require_emergency_target_auth - require_singleuser_auth - rsyslog_cron_logging From ee253e573e7b571e593666dfe12a5ac0fb240bf5 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Thu, 11 Feb 2021 17:58:43 +0100 Subject: [PATCH 17/21] Disable audit rules from RHEL8 STIG profile temporarily. Audit rules should be evaluated first implemented using new approach. --- rhel8/profiles/stig.profile | 16 ++++++++-------- tests/data/profile_stability/rhel8/stig.profile | 7 ------- 2 files changed, 8 insertions(+), 15 deletions(-) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 7aea226c95..0aa6f28986 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile 
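Review bot: Commenting out `postfix_prevent_unrestricted_relay` removes the relay check for hosts that do have postfix installed, not only for default installs where `/etc/postfix/main.cf` is absent. The two comment lines explain the remediation error but not which STIG item is left without coverage. Add the identifier and a tracking reference, e.g. `# <STIG_ID> not covered until a postfix-installed platform check exists (<ISSUE_ID>)`, so the gap is visible when the profile is audited.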
@@ -205,14 +205,14 @@ selections: - auditd_log_format - file_permissions_var_log_audit - directory_permissions_var_log_audit - - audit_rules_immutable + # - audit_rules_immutable # - audit_immutable_login_uids - - audit_rules_usergroup_modification_shadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_group - - audit_rules_login_events_lastlog + # - audit_rules_usergroup_modification_shadow + # - audit_rules_usergroup_modification_opasswd + # - audit_rules_usergroup_modification_passwd + # - audit_rules_usergroup_modification_gshadow + # - audit_rules_usergroup_modification_group + # - audit_rules_login_events_lastlog - grub2_audit_argument - grub2_audit_backlog_limit_argument - configure_usbguard_auditbackend @@ -326,7 +326,7 @@ selections: - no_empty_passwords - sshd_disable_empty_passwords - file_ownership_var_log_audit - - audit_rules_sysadmin_actions + # - audit_rules_sysadmin_actions - package_audit_installed - service_auditd_enabled - sshd_allow_only_protocol2 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 2c574382a8..58fc365707 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -60,13 +60,6 @@ selections: - aide_verify_acls - aide_verify_ext_attributes - audit_rules_immutable -- audit_rules_login_events_lastlog -- audit_rules_sysadmin_actions -- audit_rules_usergroup_modification_group -- audit_rules_usergroup_modification_gshadow -- audit_rules_usergroup_modification_opasswd -- audit_rules_usergroup_modification_passwd -- audit_rules_usergroup_modification_shadow - auditd_data_disk_error_action - auditd_data_disk_full_action - auditd_data_retention_action_mail_acct From 99cf1438cf9ac71af398b34247aec389b3163d7c Mon Sep 17 00:00:00 2001 
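Review bot: `audit_rules_immutable` is commented out in `rhel8/profiles/stig.profile`, but the stability data hunk keeps `- audit_rules_immutable` as a context line and removes only the other seven audit rules, so the two files disagree. Presumably the profile stability test will fail, or the data is stale. Remove `- audit_rules_immutable` from `tests/data/profile_stability/rhel8/stig.profile`, or leave the rule selected. The commented-out block also gives no pointer to the work that will restore these rules; a line such as `# audit rules disabled pending rework, see <ISSUE_ID>` would keep the temporary removal from becoming permanent.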
From: Gabriel Becker Date: Fri, 12 Feb 2021 09:57:35 +0100 Subject: [PATCH 18/21] Add missing SRG mapping for RHEL8 STIG profile rules. --- .../postfix_client_configure_mail_alias/rule.yml | 1 + .../mount_option_nodev_remote_filesystems/rule.yml | 1 + .../directory_permissions_var_log_audit/rule.yml | 1 + .../auditd_data_disk_error_action/rule.yml | 1 + .../auditd_data_disk_full_action/rule.yml | 1 + .../auditd_data_retention_max_log_file_action/rule.yml | 1 + .../guide/system/logging/service_rsyslog_enabled/rule.yml | 1 + .../files/dir_perms_world_writable_root_owned/rule.yml | 1 + .../files/dir_perms_world_writable_sticky_bits/rule.yml | 4 +++- .../file_ownership_binary_dirs/rule.yml | 1 + .../file_ownership_library_dirs/rule.yml | 1 + .../file_permissions_binary_dirs/rule.yml | 1 + .../file_permissions_library_dirs/rule.yml | 1 + .../mount_option_nodev_removable_partitions/rule.yml | 1 + .../mount_option_noexec_removable_partitions/rule.yml | 1 + .../integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 + 16 files changed, 18 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml index 96601ebb87..ea30438a5f 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml @@ -32,6 +32,7 @@ references: nist@sle12: AU-5(a),AU-5.1(ii) anssi: BP28(R49) stigid@rhel8: RHEL-08-030030 + srg: SRG-OS-000046-GPOS-00022 ocil_clause: 'it is not' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml index 9374bdc065..66f4558923 100644 
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml @@ -25,6 +25,7 @@ references: iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2 cis-csc: 11,13,14,3,8,9 stigid@rhel8: RHEL-08-010640 + srg: SRG-OS-000480-GPOS-00227 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml index b9ff8233bb..64c7927021 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml @@ -27,6 +27,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 stigid@rhel8: RHEL-08-030120 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 ocil_clause: 'any are more permissive' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml index d3646de8ff..8e6836ae2f 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml 
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml @@ -35,6 +35,7 @@ references: iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 stigid@rhel8: RHEL-08-030040 + srg: SRG-OS-000047-GPOS-00023 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml index d92afe34e8..6b7dddb0ee 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml @@ -42,6 +42,7 @@ references: disa@sle12: CCI-000140 nist@sle12: AU-5(b),AU-5.1(iv) stigid@rhel8: RHEL-08-030060 + srg: SRG-OS-000047-GPOS-00023 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml index 6a32a85fe5..07c21ca5ab 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml 
@@ -45,6 +45,7 @@ references: cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 stigid@rhel8: RHEL-08-030050 + srg: SRG-OS-000047-GPOS-00023 ocil_clause: 'the system has not been properly configured to rotate audit logs' diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml index 3ef70473de..a87d19fc10 100644 --- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml @@ -30,6 +30,7 @@ references: cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 cis@ubuntu2004: 4.2.1.2 stigid@rhel8: RHEL-08-010561 + srg: SRG-OS-000480-GPOS-00227 ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}' diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml index 90011f5f92..02e9ce0100 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml @@ -25,6 +25,7 @@ identifiers: references: anssi: BP28(R40) stigid@rhel8: RHEL-08-010700 + srg: SRG-OS-000480-GPOS-00227 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml index 5bb3cf3713..3c9e31b97e 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml 
@@ -47,7 +47,9 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 cis@sle15: 1.1.22
- stigid@sle12: SLES-12-010460
+ stigid@sle12: SLES-12-010460
+ stigid@rhel8: RHEL-08-010190
+ srg: SRG-OS-000138-GPOS-00069
 ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index fa53de9041..36943519fa 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@rhel8: RHEL-08-010310
+ srg: SRG-OS-000259-GPOS-00100
 ocil_clause: 'any system executables are found to not be owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index e40b5f47d8..c39997169b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -38,6 +38,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@rhel8: RHEL-08-010340
+ srg: SRG-OS-000259-GPOS-00100
 ocil_clause: 'any of these files are not owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 3ec56361dc..efe4a723d7 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -37,6 +37,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@rhel8: RHEL-08-010300
+ srg: SRG-OS-000259-GPOS-00100
 ocil_clause: 'any system executables are found to be group or world writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 83add611b9..e3a067e0b8 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -38,6 +38,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 12,13,14,15,16,18,3,5
 stigid@rhel8: RHEL-08-010330
+ srg: SRG-OS-000259-GPOS-00100
 ocil_clause: 'any of these files are group-writable or world-writable'
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
index 602ce2da35..5912fb9d8c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml
@@ -37,6 +37,7 @@ references:
 cis-csc: 11,12,13,14,16,3,8,9
 cis@sle15: 1.1.19
 stigid@rhel8: RHEL-08-010600
+ srg: SRG-OS-000480-GPOS-00227
 platform: machine
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 4d2bd0eceb..6e17c9f514 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -35,6 +35,7 @@ references:
 cis-csc: 11,12,13,14,16,3,8,9
 cis@sle15: 1.1.20
 stigid@rhel8: RHEL-08-010610
+ srg: SRG-OS-000480-GPOS-00227
 ocil_clause: 'removable media partitions are present'
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 8753e4aeef..129df45d54 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -30,6 +30,7 @@ references:
 nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
 vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
 stigid@rhel8: RHEL-08-010020
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223
 ocil_clause: 'crypto.fips_enabled is not 1'
From 76f5b95600228ff64a8730155256e045124d0f58 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 12 Feb 2021 13:58:12 +0100 Subject: [PATCH 19/21] Update RHEL8 STIG profile stability test data. --- tests/data/profile_stability/rhel8/stig.profile | 1 - 1 file changed, 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 58fc365707..55b645b67b 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -59,7 +59,6 @@ selections:
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
-- audit_rules_immutable
 - auditd_data_disk_error_action
 - auditd_data_disk_full_action
 - auditd_data_retention_action_mail_acct
From e0765fb6c96510ac015388b94e82938370792e12 Mon Sep 17 00:00:00 2001
From: Gabriel Becker Date: Fri, 12 Feb 2021 14:22:48 +0100 Subject: [PATCH 20/21] Fix RHEL8 STIG ID references. --- apple_os/auditing/service_auditd_enabled/rule.yml | 1 - .../services/fapolicyd/package_fapolicyd_installed/rule.yml | 1 - .../services/ssh/package_openssh-server_installed/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml | 1 - .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 - .../guide/services/usbguard/package_usbguard_installed/rule.yml | 1 - .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml | 1 - .../accounts_passwords_pam_faillock_deny_root/rule.yml | 1 - .../accounts-physical/require_emergency_target_auth/rule.yml | 1 - .../console_screen_locking/package_tmux_installed/rule.yml | 1 - .../auditd_data_retention_space_left_action/rule.yml | 2 -- linux_os/guide/system/auditing/package_audit_installed/rule.yml | 1 - .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 1 - .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 1 - .../firewalld_activation/package_firewalld_installed/rule.yml | 1 - .../sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml | 1 - .../sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml | 1 - .../sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml | 1 - .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 1 - .../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 1 - .../sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml | 1 - .../sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml | 1 - .../sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml | 1 - .../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 1 - .../software/disk_partitioning/partition_for_var_log/rule.yml | 1 - .../disk_partitioning/partition_for_var_log_audit/rule.yml | 2 -- .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 1 - .../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 - .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 1 
- .../software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 - .../software-integrity/aide/package_aide_installed/rule.yml | 1 - .../system-tools/package_abrt-addon-ccpp_removed/rule.yml | 1 - .../system-tools/package_abrt-addon-kerneloops_removed/rule.yml | 1 - .../system-tools/package_abrt-addon-python_removed/rule.yml | 1 - .../software/system-tools/package_abrt-cli_removed/rule.yml | 1 - .../system-tools/package_abrt-plugin-logger_removed/rule.yml | 1 - .../package_abrt-plugin-rhtsupport_removed/rule.yml | 1 - .../system-tools/package_abrt-plugin-sosreport_removed/rule.yml | 1 - 38 files changed, 40 deletions(-)
diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml
index 0c34cae438..bbb5132b5f 100644
--- a/apple_os/auditing/service_auditd_enabled/rule.yml
+++ b/apple_os/auditing/service_auditd_enabled/rule.yml
@@ -35,7 +35,6 @@ references:
 nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146
 stigid: AOSX-14-001013
- stigid@rhel8: RHEL-08-010560
 ocil_clause: 'auditing is not enabled or running'
diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
index a35cb48f83..5869cac7ab 100644
--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
+++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -20,7 +20,6 @@ identifiers:
 references:
 nist: CM-6(a),SI-4(22)
 srg: SRG-OS-000370-GPOS-00155
- stigid@rhel8: RHEL-08-040135
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index 4fda79df25..84882d52b3 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -31,7 +31,6 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 13,14
 ospp: FIA_UAU.5,FTP_ITC_EXT.1
- stigid@rhel8: RHEL-08-040160
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index 50eb7a28cb..1f1380127c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -37,7 +37,6 @@ references:
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
 cis-csc: 11,3,9
 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-010521
 ocil_clause: 'it is commented out or is not disabled'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index 8987c9b9ed..c43fce001a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -47,7 +47,6 @@ references:
 cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
 iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
 cis-csc: 1,12,13,14,15,16,18,3,5,7,8
- stigid@rhel8: RHEL-08-010200
 requires:
 - sshd_set_idle_timeout
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index 6806e0861d..f23176d83e 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -22,7 +22,6 @@ identifiers:
 references:
 srg: SRG-OS-000378-GPOS-00163
 ism: "1418"
- stigid@rhel8: RHEL-08-040140
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
index c364bdb9e1..47c4edad90 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
@@ -49,7 +49,6 @@ references:
 cobit5: DSS05.04,DSS05.10,DSS06.10
 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
 cis-csc: 1,12,15,16
- stigid@rhel8: RHEL-08-010050
 ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index 4b7ee01946..fb7a2d37ae 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -44,7 +44,6 @@ references:
 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
 cis-csc: 1,12,15,16
 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-020010
 stigid@rhel8: RHEL-08-020022
 ocil_clause: 'that is not the case'
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 2e902739ae..f9959f0720 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -42,7 +42,6 @@ references:
 iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
 cis-csc: 1,11,12,14,15,16,18,3,5
 ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
- stigid@rhel8: RHEL-08-010151
 ocil_clause: 'the output is different'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index d57802a37e..c900612b1b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -40,7 +40,6 @@ references:
 cobit5: DSS05.04,DSS05.10,DSS06.10
 iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
 cis-csc: 1,12,15,16
- stigid@rhel8: RHEL-08-020040
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
index 1009699e77..bdc86cf35b 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
@@ -51,8 +51,6 @@ references:
 isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
 cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
- stigid@rhel8: RHEL-08-030730
- stigid@rhel8: RHEL-08-030730
 ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low'
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
index 577176ff00..2fc431c1ae 100644
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -26,7 +26,6 @@ references:
 srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
 disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
 nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
- stigid@rhel8: service_auditd_enabled
 template:
 name: package_installed
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 0690cfbcda..4b04936ee2 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -49,7 +49,6 @@ references:
 iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
 cis-csc: 1,11,12,14,15,16,18,3,5
 anssi: BP28(R17)
- stigid@rhel8: RHEL-08-010150
 ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 08e1da4369..ea5c80f163 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -56,7 +56,6 @@ references:
 iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 11,12,14,15,16,18,3,5
 anssi: BP28(R17)
- stigid@rhel8: RHEL-08-010140
 ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index e82f50f9a0..7aea04c670 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -20,7 +20,6 @@ references:
 nist: CM-6(a)
 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116
 cis@rhel8: 3.4.1.1
- stigid@rhel8: RHEL-08-040100
 ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
index 04fa55f524..5b5bfc9633 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
index 304c549b0b..d75989fca1 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
index d3b8347573..09d263cf00 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040261
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index ae67ab248d..9253f7235a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -28,7 +28,6 @@ references:
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
 cis-csc: 11,14,3,9
 srg: SRG-OS-000480-GPOS-00227
- stigid@rhel8: RHEL-08-040280
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index ac9218fe34..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -40,7 +40,6 @@ references:
 cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
- stigid@rhel8: RHEL-08-040240
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
index eca95f75b5..5cf98305c7 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
index f030cd9221..d7dad19f3a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
index 43c901e3a4..b6ee061057 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
@@ -16,7 +16,6 @@ identifiers:
 references:
 anssi: BP28(R22)
- stigid@rhel8: RHEL-08-040262
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index fdd8572cf5..970db38b33 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -28,7 +28,6 @@ references:
 iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
 cis-csc: 11,14,3,9
 srg: SRG-OS-000480-GPOS-00227
- stigid@rhel8: RHEL-08-040210
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
index b90f93deee..77ea8196c1 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml
@@ -33,7 +33,6 @@ references:
 cis-csc: 1,12,14,15,16,3,5,6,8
 srg: SRG-OS-000480-GPOS-00227
 cis@sle: 1.1.12
- stigid@rhel8: RHEL-08-010540
 stigid@rhel8: RHEL-08-010541
 {{{ complete_ocil_entry_separate_partition(part="/var/log") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
index 73b5cd50ed..3ff8be67b5 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml
@@ -40,8 +40,6 @@ references:
 cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01
 cis-csc: 1,12,13,14,15,16,2,3,5,6,8
 cis@sle15: 1.1.13
- stigid@rhel8: RHEL-08-010540
- stigid@rhel8: RHEL-08-010541
 stigid@rhel8: RHEL-08-010542
 {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
index fde3338f40..340af24c82 100644
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml
@@ -26,7 +26,6 @@ references:
 cis@ubuntu1804: 1.1.6
 anssi: BP28(R12)
 cis@sle15: 1.1.8
- stigid@rhel8: RHEL-08-010540
 {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index d9eb1b8a61..fba676f0b9 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
@@ -48,7 +48,6 @@ references:
 cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02
 iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3
 cis-csc: 18,20,4
- stigid@rhel8: RHEL-08-010000
 ocil_clause: 'the installed operating system is not supported'
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
index 5879bc2bdb..77c78d5705 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
@@ -47,7 +47,6 @@ references:
 cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03
 iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2
 cis-csc: 12,15,8
- stigid@rhel8: RHEL-08-010020
 ocil_clause: 'FIPS is not configured or enabled in grub'
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
index 129df45d54..b439a0305f 100644
--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -29,7 +29,6 @@ references:
disa: CCI-000068,CCI-000803,CCI-002450
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
- stigid@rhel8: RHEL-08-010020
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223
ocil_clause: 'crypto.fips_enabled is not 1'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 1667604386..abf13a274a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -33,7 +33,6 @@ references:
ism: 1034,1288,1341,1417
stigid@sle12: SLES-12-010500
disa@sle12: CCI-002699
- stigid@rhel8: RHEL-08-010360
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
index 5482cdf3af..ed2fc64d08 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
index 3b12bfb5b0..8bbf9ea53d 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
index 00b1a36714..9be8b08b0f 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-addon-python") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
index 0412e8b82b..9aa7f11ada 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-cli") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
index 9d10076523..d970def693 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
index addb652e92..7f7787a19a 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml
@@ -19,7 +19,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}}
diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
index 6647186cc7..6107659d94 100644
--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml
@@ -18,7 +18,6 @@ identifiers:
references:
srg: SRG-OS-000095-GPOS-00049
- stigid@rhel8: RHEL-08-040001
{{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}}
From 7724efd079c177adaa3ab70056b57f57b9424e9f Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Fri, 12 Feb 2021 16:26:49 +0100
Subject: [PATCH 21/21] Add severity according RHEL8 STIG for rules that had unknown severity.
---
linux_os/guide/services/ntp/chronyd_client_only/rule.yml | 2 +-
linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml | 2 +-
.../account_expiration/account_temp_expire_date/rule.yml | 2 +-
.../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +-
.../directory_permissions_var_log_audit/rule.yml | 2 +-
.../sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 2 +-
.../sysctl_net_ipv6_conf_default_accept_ra/rule.yml | 2 +-
.../permissions/files/sysctl_fs_protected_hardlinks/rule.yml | 2 +-
.../permissions/files/sysctl_fs_protected_symlinks/rule.yml | 2 +-
.../mount_option_nodev_nonroot_local_partitions/rule.yml | 2 +-
.../mount_option_noexec_removable_partitions/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
.../restrictions/coredumps/coredump_disable_backtraces/rule.yml | 2 +-
.../restrictions/coredumps/coredump_disable_storage/rule.yml | 2 +-
.../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +-
.../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 +-
22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
index 071934387c..83d1ba0df1 100644
--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml
@@ -13,7 +13,7 @@ rationale: |-
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
-severity: unknown
+severity: low
platform: machine # The check uses service_... extended definition, which doesnt support offline mode
diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
index cbc9cc670c..d6d776a9a3 100644
--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml
@@ -13,7 +13,7 @@ rationale: |-
Not exposing the management interface of the chrony daemon on the network diminishes the attack space.
-severity: unknown
+severity: low
platform: machine # The check uses service_... extended definition, which doesnt support offline mode
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index ced7a52a67..c3a2a13bed 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -25,7 +25,7 @@ rationale: |-
must be set upon account creation.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81000-2
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
index 1c8219de70..e06ae36196 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80202-5
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
index 64c7927021..65dc7861ce 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
@@ -12,7 +12,7 @@ description: |-
rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.'
-severity: unknown
+severity: medium
identifiers:
cce@rhcos4: CCE-82692-5
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 8e7eabc336..0b38e2f414 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80180-3
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index dcf480ef63..167fb59f48 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.default.acc
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80181-1
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index 0aefe8ae50..9874bb19dc 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81026-7
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index 86a9f8e2d9..655283997a 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81029-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index f40daec6c8..f7c3502b00 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -25,7 +25,7 @@ ocil: |
ocil_clause: "some mounts appear among output lines"
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80145-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
index 6e17c9f514..d329ad2962 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80147-2
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index ed27226855..35173f9e61 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "nodev") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80149-8
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 77ae8a664f..4f831bdacb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "noexec") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80150-6
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index b7e171fb02..5bcbebdfda 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/tmp", "nosuid") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80151-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 4e76e61bb2..136ba137a2 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "nodev") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-81052-3
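Review bot: The `severity: medium` set in mount_option_var_tmp_nodev/rule.yml comes from the RHEL 8 STIG (per the commit subject), but the file sits in the shared linux_os/guide tree and its context lines carry an identifier for another product (`cce@rhel7`), so the new rating presumably also changes what every other product and profile selecting this rule reports. The same applies to the other severity hunks in this commit, for example account_temp_expire_date (`cce@rhel7`), directory_permissions_var_log_audit (`cce@rhcos4`) and the two chronyd rules rated `low`. I would record the origin next to the value, e.g. `# severity per RHEL 8 STIG; confirm against other products' benchmarks before changing`, and check that the non-RHEL8 benchmarks do not rate these rules differently. The rule file continues outside the hunk, so a product-specific override, if one exists, is not visible here.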
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index f2b108d58d..8eb0eafc72 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "noexec") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-82150-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 11bfe2661d..90c578791c 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/var/tmp", "nosuid") }}}
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-82153-8
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
index 04b580e64e..79af205224 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -20,7 +20,7 @@ rationale: |-
debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82251-0
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
index 3225785a8f..9fdb4d8fd1 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
@@ -16,7 +16,7 @@ rationale: |-
debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82252-8
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index c50a366512..991c92dd0a 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -15,7 +15,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-80169-6
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
index fd12fbbb50..125e764b3a 100644
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-severity: unknown
+severity: medium
platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index b82e0fcce3..60e5048462 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
-severity: unknown
+severity: medium
identifiers:
cce@rhel8: CCE-82215-5