From 7899e18d486b6181f3213c3c1351f24cdce84bf8 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 10:34:47 -0500 Subject: [PATCH 01/20] Split RHEL-08-040100 into two rules One for the firewalld package and one for the firewalld service. --- .../firewalld_activation/service_firewalld_enabled/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml index cff9581e76..42849bdd5a 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml @@ -40,7 +40,7 @@ references: srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232 stigid@ol7: OL07-00-040520 stigid@rhel7: RHEL-07-040520 - stigid@rhel8: RHEL-08-040100 + stigid@rhel8: RHEL-08-040101 stigid@sle15: SLES-15-010220 ocil: |- diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 965068a691..9d0145a96f 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -968,9 +968,11 @@ selections: # RHEL-08-040090 # RHEL-08-040100 - - service_firewalld_enabled - package_firewalld_installed + # RHEL-08-040101 + - service_firewalld_enabled + # RHEL-08-040110 - wireless_disable_interfaces From 7396acddc284acc54d66640e7e0bc5251334bc0b Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 28 Jul 2021 11:44:59 -0500 Subject: [PATCH 02/20] Split the rule for RHEL-08-020040 Split and package_tmux_installed and configure_tmux_lock_command --- .../console_screen_locking/package_tmux_installed/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml index 550eaea8bb..120d1c49e0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml @@ -40,7 +40,7 @@ references: nist-csf: PR.AC-7 ospp: FMT_MOF_EXT.1 srg: SRG-OS-000030-GPOS-00011,SRG-OS-000028-GPOS-00009 - stigid@rhel8: RHEL-08-020040 + stigid@rhel8: RHEL-08-020039 vmmsrg: SRG-OS-000030-VMM-000110 ocil_clause: 'the package is not installed' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 9d0145a96f..9f57b28f4f 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -481,8 +481,10 @@ selections: # RHEL-08-020030 - dconf_gnome_screensaver_lock_enabled - # RHEL-08-020040 + # RHEL-08-020039 - package_tmux_installed + + # RHEL-08-020040 - configure_tmux_lock_command # RHEL-08-020041 From 6e3a93e173fbd12640e585d579f1e1d0afd3f419 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 11:49:59 -0500 Subject: [PATCH 03/20] Split RHEL-08-040100 One for the openssh-server package and one for the openssh-server service. --- .../services/ssh/package_openssh-server_installed/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml index 0b2a660c29..b551f08f38 100644 --- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml @@ -30,7 +30,7 @@ references: srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190 stigid@ol7: OL07-00-040300 stigid@rhel7: RHEL-07-040300 - stigid@rhel8: RHEL-08-040160 + stigid@rhel8: RHEL-08-040159 stigid@ubuntu2004: UBTU-20-010042 ocil_clause: 'the package is not installed' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 9f57b28f4f..66f70cdfd5 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1037,8 +1037,10 @@ selections: # RHEL-08-040150 - # RHEL-08-040160 + # RHEL-08-040159 - package_openssh-server_installed + + # RHEL-08-040160 - service_sshd_enabled # RHEL-08-040161 From 097682c4e225b7bdefd7b38c89cadf984540da04 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 11:56:17 -0500 Subject: [PATCH 04/20] Split RHEL-08-040140 Package usbguard and service usbguard are split out into their own STIG ID. now. --- .../services/usbguard/package_usbguard_installed/rule.yml | 2 +- .../services/usbguard/service_usbguard_enabled/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 8 ++++++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index 333718182e..19ef8aaca6 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml 
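Review bot: The subject of PATCH 03/20 names RHEL-08-040100, but the hunks here split RHEL-08-040160: the rule reference becomes `stigid@rhel8: RHEL-08-040159` and the profile comments become `# RHEL-08-040159` and `# RHEL-08-040160`. RHEL-08-040100 is the firewalld item already handled in PATCH 01/20, so the subject looks like a copy-paste slip. Rewording it to `Split RHEL-08-040160` keeps the history searchable by STIG ID when someone later traces why the openssh-server mapping changed.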
@@ -48,7 +48,7 @@ references: disa: CCI-001958 ism: "1418" srg: SRG-OS-000378-GPOS-00163 - stigid@rhel8: RHEL-08-040140 + stigid@rhel8: RHEL-08-040139 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml index 86adda9ecc..4f008129ea 100644 --- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml @@ -27,7 +27,7 @@ references: nist: CM-8(3)(a),IA-3 ospp: FMT_SMF_EXT.1 srg: SRG-OS-000378-GPOS-00163 - stigid@rhel8: RHEL-08-040140 + stigid@rhel8: RHEL-08-040141 ocil_clause: 'the service is not enabled' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 66f70cdfd5..fd090e4058 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1030,11 +1030,15 @@ selections: - package_fapolicyd_installed - service_fapolicyd_enabled - # RHEL-08-040140 + # RHEL-08-040139 - package_usbguard_installed - - service_usbguard_enabled + + # RHEL-08-040140 - usbguard_generate_policy + # RHEL-08-040141 + - service_usbguard_enabled + # RHEL-08-040150 # RHEL-08-040159 From 1b28e2bed919e7f16519b051d39f7df640498d4f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 08:01:13 -0500 Subject: [PATCH 05/20] Split RHEL-08-030180 One for the auditd package and one for the auditd service. --- linux_os/guide/system/auditing/service_auditd_enabled/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml index e10e8c7782..c7ce75e87c 100644 --- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml 
@@ -55,7 +55,7 @@ references: stigid@sle12: SLES-12-020010 stigid@sle15: SLES-15-030050 nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a) - stigid@rhel8: RHEL-08-010560 + stigid@rhel8: RHEL-08-030381 ocil: |- {{{ ocil_service_enabled(service="auditd") }}} diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index fd090e4058..682034af4d 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -683,6 +683,9 @@ selections: # RHEL-08-030180 - package_audit_installed + # RHEL-08-030181 + - service_auditd_enabled + # RHEL-08-030190 - audit_rules_privileged_commands_su From 0cf0bb3f6153be26abd4622221d73356be667d1f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:04:34 -0500 Subject: [PATCH 06/20] Split RHEL-08-010521 Disabling Kerb5 and gssapi auth for sshd move split into two STIG ids. --- .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml index 946ba7f1d6..2134da2839 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml @@ -36,7 +36,7 @@ references: srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040430 stigid@rhel7: RHEL-07-040430 - stigid@rhel8: RHEL-08-010521 + stigid@rhel8: RHEL-08-010522 vmmsrg: SRG-OS-000480-VMM-002000 ocil_clause: 'it is commented out or is not disabled' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 682034af4d..f913545106 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile 
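Review bot: The new reference `stigid@rhel8: RHEL-08-030381` in service_auditd_enabled/rule.yml disagrees with the stig.profile hunk of the same patch, which selects `service_auditd_enabled` under `# RHEL-08-030181`. Since the patch splits RHEL-08-030180, the rule.yml value is most likely a typo for `stigid@rhel8: RHEL-08-030181`. With the wrong ID, scan results for the auditd service rule would be reported against a different or non-existent STIG item, so a failing audit daemon could be misattributed in a compliance report. The removed value was RHEL-08-010560; if stig.profile still selects this rule under that ID elsewhere (not visible in these hunks), that entry should be reconciled too.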
@@ -318,6 +318,8 @@ selections: # RHEL-08-010521 - sshd_disable_kerb_auth + + # RHEL-08-010522 - sshd_disable_gssapi_auth # RHEL-08-010540 From 994b19da2cb0f88d6eb0533d1ba4cae362351e56 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:10:06 -0500 Subject: [PATCH 07/20] Split RHEL-08-010471 One for the rng-tools package and one for the rngd service. --- .../software/system-tools/package_rng-tools_installed/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml index 33d5625fee..663a270626 100644 --- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml @@ -21,7 +21,7 @@ identifiers: references: disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 - stigid@rhel8: RHEL-08-010471 + stigid@rhel8: RHEL-08-010472 ocil_clause: 'the package is not installed' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index f913545106..e6ef5ee42c 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -299,6 +299,8 @@ selections: # RHEL-08-010471 - service_rngd_enabled + + # RHEL-08-010472 - package_rng-tools_installed # RHEL-08-010480 From 2d1756e3fe017645922b1622dac139a249c48a12 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:14:53 -0500 Subject: [PATCH 08/20] Split RHEL-08-010200 idle timeout and keepalive are now split --- .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index 95c840fc5f..5a44255013 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -53,7 +53,7 @@ references: srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175 stigid@ol7: OL07-00-040320 stigid@rhel7: RHEL-07-040320 - stigid@rhel8: RHEL-08-010200 + stigid@rhel8: RHEL-08-010201 stigid@sle12: SLES-12-030190 stigid@sle15: SLES-15-010280 stigid@ubuntu2004: UBTU-20-010037 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index e6ef5ee42c..036fd00808 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -156,9 +156,11 @@ selections: - dir_perms_world_writable_sticky_bits # RHEL-08-010200 - - sshd_set_idle_timeout - sshd_set_keepalive_0 + # RHEL-08-010201 + - sshd_set_idle_timeout + # RHEL-08-010210 - file_permissions_var_log_messages From 0823a6f84d32338223502dfc93b09df5225debf6 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:23:31 -0500 Subject: [PATCH 09/20] Split RHEL-08-010141 GRUB2 UEFI username and password split --- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index a5f9349882..8a98cbdc95 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml 
@@ -56,7 +56,7 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010490 stigid@rhel7: RHEL-07-010490 - stigid@rhel8: RHEL-08-010140 + stigid@rhel8: RHEL-08-010141 ocil_clause: 'it does not' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 036fd00808..83500c35b3 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -121,6 +121,8 @@ selections: # RHEL-08-010140 - grub2_uefi_password + + # RHEL-08-010141 - grub2_uefi_admin_username # RHEL-08-010150 From a4dd46d84d9ab8a9fd4984cbc1b9432e2920d3f5 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:24:18 -0500 Subject: [PATCH 10/20] Split RHEL-08-010150 GRUB admin username and password split --- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index f5cf144e0b..bb2f1bae21 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -49,7 +49,7 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010480 stigid@rhel7: RHEL-07-010480 - stigid@rhel8: RHEL-08-010150 + stigid@rhel8: RHEL-08-010149 ocil_clause: 'it does not' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 83500c35b3..10d6fd6ebd 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -125,9 +125,11 @@ selections: # RHEL-08-010141 - grub2_uefi_admin_username + # RHEL-08-010149 + - grub2_admin_username + # RHEL-08-010150 - grub2_password - - grub2_admin_username # RHEL-08-010151 - require_singleuser_auth 
From e1950738e3d5a35027d322589e736e8bfdba98b3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Jul 2021 12:44:27 -0500 Subject: [PATCH 11/20] Split RHEL-08-040135 Package fapolicyd and service fapolicyd have been split. --- .../guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml index 6c2663de9f..4a1cd16608 100644 --- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml +++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml @@ -24,7 +24,7 @@ references: nist: CM-6(a),SI-4(22) ospp: FMT_SMF_EXT.1 srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154 - stigid@rhel8: RHEL-08-040135 + stigid@rhel8: RHEL-08-040136 ocil_clause: 'the service is not enabled' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 10d6fd6ebd..8272b25057 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1041,6 +1041,8 @@ selections: # RHEL-08-040135 - package_fapolicyd_installed + + # RHEL-08-040136 - service_fapolicyd_enabled # RHEL-08-040139 From e259cdaeb85f7f1f371fa11c08a615d1828fe30e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 08:42:38 -0500 Subject: [PATCH 12/20] Split RHEL-08-020330 Also added a placeholder for RHEL-08-020332 --- .../password_storage/no_empty_passwords/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index 19e5e95d60..75f988ffb2 100644 
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -53,7 +53,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-010290 stigid@rhel7: RHEL-07-010290 - stigid@rhel8: RHEL-08-020330 + stigid@rhel8: RHEL-08-020331 stigid@sle12: SLES-12-010231 stigid@sle15: SLES-15-020300 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 8272b25057..793fdd1e87 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -591,9 +591,13 @@ selections: # - accounts_authorized_local_users # RHEL-08-020330 - - no_empty_passwords - sshd_disable_empty_passwords + # RHEL-08-020331 + - no_empty_passwords + + # RHEL-08-020332 + # RHEL-08-020340 - display_login_attempts From 5c2b73b5a4462225e876b29ead9f92da3c5f4331 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 08:45:28 -0500 Subject: [PATCH 13/20] Split RHEL-08-010050 --- .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml index c84cff33f3..b6ba3edc47 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml 
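Review bot: The added `# RHEL-08-020332` in the stig.profile hunk has no selection and no explanation, so a reader cannot tell whether the item is unimplemented, not applicable, or forgotten. A scan with this profile will not evaluate that item at all. Elsewhere the file annotates such gaps (the `# To be released in V1R3` comment removed in PATCH 15/20 is one example), so a second comment line under the ID, such as `# No rule mapped yet`, would make the coverage gap explicit for auditors.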
@@ -54,7 +54,7 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088 stigid@ol7: OL07-00-010030 stigid@rhel7: RHEL-07-010030 - stigid@rhel8: RHEL-08-010050 + stigid@rhel8: RHEL-08-010049 stigid@sle12: SLES-12-010040 stigid@sle15: SLES-15-010080 stigid@ubuntu2004: UBTU-20-010002 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 793fdd1e87..976c3f1892 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -95,8 +95,10 @@ selections: # RHEL-08-010040 - sshd_enable_warning_banner - # RHEL-08-010050 + # RHEL-08-010049 - dconf_gnome_banner_enabled + + # RHEL-08-010050 - dconf_gnome_login_banner_text # RHEL-08-010060 From d7c7cefd39de31bb484faad49766bbca22469aea Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 08:47:50 -0500 Subject: [PATCH 14/20] Split RHEL-08-010130 --- .../accounts_password_pam_unix_rounds_system_auth/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml index d44119622a..0b694b0e0b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml @@ -32,7 +32,7 @@ references: anssi: BP28(R32) disa: CCI-000196 srg: SRG-OS-000073-GPOS-00041 - stigid@rhel8: RHEL-08-010130 + stigid@rhel8: RHEL-08-010131 ocil_clause: 'it does not set the appropriate number of hashing rounds' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 976c3f1892..5230dcd9c5 100644 
--- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -118,9 +118,11 @@ selections: - accounts_password_all_shadowed_sha512 # RHEL-08-010130 - - accounts_password_pam_unix_rounds_system_auth - accounts_password_pam_unix_rounds_password_auth + # RHEL-08-010131 + - accounts_password_pam_unix_rounds_system_auth + # RHEL-08-010140 - grub2_uefi_password From f78b565e1f15cff194aef78af2184088fc41782a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 08:50:42 -0500 Subject: [PATCH 15/20] Split RHEL-08-010151 --- .../accounts-physical/require_emergency_target_auth/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index 930d3a09fd..e2f61432ba 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -42,7 +42,7 @@ references: srg: SRG-OS-000080-GPOS-00048 stigid@ol7: OL07-00-010481 stigid@rhel7: RHEL-07-010481 - stigid@rhel8: RHEL-08-010151 + stigid@rhel8: RHEL-08-010152 ocil_clause: 'the output is different' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 5230dcd9c5..040228b832 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -137,11 +137,9 @@ selections: # RHEL-08-010151 - require_singleuser_auth - - require_emergency_target_auth # RHEL-08-010152 - # To be released in V1R3 - # - require_emergency_target_auth + - require_emergency_target_auth # RHEL-08-010160 - set_password_hashing_algorithm_systemauth From a7766cf4ccfd00eaad910fb98b02694868000410 Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 4 Aug 2021 08:57:18 -0500 Subject: [PATCH 16/20] Split RHEL-08-040210 --- .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml index e8555a4895..bee6c117f3 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml @@ -43,7 +43,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040640 stigid@rhel7: RHEL-07-040640 - stigid@rhel8: RHEL-08-040210 + stigid@rhel8: RHEL-08-040209 stigid@sle12: SLES-12-030400 stigid@sle15: SLES-15-040340 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 040228b832..394a460c51 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1092,8 +1092,10 @@ selections: # RHEL-08-040200 - accounts_no_uid_except_zero - # RHEL-08-040210 + # RHEL-08-040209 - sysctl_net_ipv4_conf_default_accept_redirects + + # RHEL-08-040210 - sysctl_net_ipv6_conf_default_accept_redirects # RHEL-08-040220 From ac28c4231415be5e58bcea6f9fdd8652c6d39c45 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 09:08:27 -0500 Subject: [PATCH 17/20] Split RHEL-08-040240 --- .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index b56f2891f5..f92772eb57 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -45,7 +45,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040610 stigid@rhel7: RHEL-07-040610 - stigid@rhel8: RHEL-08-040240 + stigid@rhel8: RHEL-08-040239 stigid@sle12: SLES-12-030360 stigid@sle15: SLES-15-040300 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 394a460c51..9cccd25963 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1104,8 +1104,10 @@ selections: # RHEL-08-040230 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - # RHEL-08-040240 + # RHEL-08-040239 - sysctl_net_ipv4_conf_all_accept_source_route + + # RHEL-08-040240 - sysctl_net_ipv6_conf_all_accept_source_route # RHEL-08-040250 From 717ed63c6ad9b69b75aee69bbf1198515011499f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 09:11:08 -0500 Subject: [PATCH 18/20] Split RHEL-08-040250 --- .../sysctl_net_ipv4_conf_default_accept_source_route/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml index 4df2465995..b1e7f247e2 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml @@ -46,7 +46,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040620 stigid@rhel7: RHEL-07-040620 - stigid@rhel8: RHEL-08-040250 + stigid@rhel8: RHEL-08-040249 stigid@sle12: SLES-12-030370 stigid@sle15: SLES-15-040320 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 9cccd25963..4d1869c629 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1110,8 +1110,10 @@ selections: # RHEL-08-040240 - sysctl_net_ipv6_conf_all_accept_source_route - # RHEL-08-040250 + # RHEL-08-040249 - sysctl_net_ipv4_conf_default_accept_source_route + + # RHEL-08-040250 - sysctl_net_ipv6_conf_default_accept_source_route # RHEL-08-040260 From 9b244bc0828e2eb6ffe389d7ef590e6b967a4c07 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Aug 2021 09:13:19 -0500 Subject: [PATCH 19/20] Split RHEL-08-040280 --- .../sysctl_net_ipv4_conf_all_accept_redirects/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index d5e7fe4599..726042198e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml 
@@ -44,7 +44,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040641 stigid@rhel7: RHEL-07-040641 - stigid@rhel8: RHEL-08-040280 + stigid@rhel8: RHEL-08-040279 stigid@sle12: SLES-12-030390 stigid@sle15: SLES-15-040330 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 4d1869c629..0a1fdd15ca 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1128,8 +1128,10 @@ selections: # RHEL-08-040270 - sysctl_net_ipv4_conf_default_send_redirects - # RHEL-08-040280 + # RHEL-08-040279 - sysctl_net_ipv4_conf_all_accept_redirects + + # RHEL-08-040280 - sysctl_net_ipv6_conf_all_accept_redirects # RHEL-08-040281 From 7723ff37c5abd8681b70ad686c5df45d7d0b44ed Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 5 Aug 2021 14:46:46 -0500 Subject: [PATCH 20/20] Update couple of references for RHEL8 STIG --- .../enable_nx/bios_enable_execution_restrictions/rule.yml | 2 +- .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml index 99f2c739c9..2176a0bb9b 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml @@ -32,6 +32,6 @@ references: nist: SC-39,CM-6(a) nist-csf: PR.IP-1 srg: SRG-OS-000433-GPOS-00192 - stig@rhel8: RHEL-08-010420 + stigid@rhel8: RHEL-08-010420 platform: machine diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml index 726975e808..d57c0f0ce9 100644 
--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml @@ -30,6 +30,7 @@ references: cis@ubuntu1804: 1.1.6 cis@ubuntu2004: 1.1.11 srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010544 {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}}