scap-security-guide/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch

121 lines
5.3 KiB
Diff
Raw Normal View History

From eed29b1db9dd62d014842340abb8601570fe6655 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Thu, 22 Jul 2021 14:26:49 -0400
Subject: [PATCH] New rule for RHEL-08-020270
---
.../account_emergency_expire_date/rule.yml | 52 +++++++++++++++++++
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
5 files changed, 55 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
new file mode 100644
index 0000000000..a47c7f39bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
@@ -0,0 +1,52 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Assign Expiration Date to Emergency Accounts'
+
+description: |-
+ Emergency accounts are privileged accounts established in response to
+ crisis situations where the need for rapid account activation is required.
+ In the event emergency accounts are required, configure the system to
+ terminate them after a documented time period. For every emergency account,
+ run the following command to set an expiration date on it, substituting
+ <tt><i>ACCOUNT_NAME</i></tt> and <tt><i>YYYY-MM-DD</i></tt>
+ appropriately:
+ <pre>$ sudo chage -E <i>YYYY-MM-DD ACCOUNT_NAME</i></pre>
+ <tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the
+ account. For U.S. Government systems, the operating system must be
+ configured to automatically terminate these types of accounts after a
+ period of 72 hours.
+
+rationale: |-
+ If emergency user accounts remain active when no longer needed or for
+ an excessive period, these accounts may be used to gain unauthorized access.
+ To mitigate this risk, automated termination of all emergency accounts
+ must be set upon account creation.
+ <br />
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85910-8
+
+references:
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+ cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03
+ disa: CCI-000016,CCI-001682
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
+ isa-62443-2013: 'SR 1.1,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
+ iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ nist: AC-2(2),AC-2(3),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
+ srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002
+ stigid@rhel8: RHEL-08-020270
+ vmmsrg: SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620
+
+ocil_clause: 'any emergency accounts have no expiration date set or do not expire within a documented time frame'
+
+ocil: |-
+ For every emergency account, run the following command
+ to obtain its account aging and expiration information:
+ <pre>$ sudo chage -l <i>ACCOUNT_NAME</i></pre>
+ Verify each of these accounts has an expiration date set as documented.
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7270a8f91f..c4b9d02af5 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -558,6 +558,7 @@ selections:
- account_disable_post_pw_expiration
# RHEL-08-020270
+ - account_emergency_expire_date
# RHEL-08-020280
- accounts_password_pam_ocredit
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 665f903ead..f500179292 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -43,7 +43,6 @@ CCE-85906-6
CCE-85907-4
CCE-85908-2
CCE-85909-0
-CCE-85910-8
CCE-85911-6
CCE-85912-4
CCE-85913-2
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7d59cfff62..72e205b695 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -24,6 +24,7 @@ documentation_complete: true
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
selections:
- account_disable_post_pw_expiration
+- account_emergency_expire_date
- account_temp_expire_date
- accounts_have_homedir_login_defs
- accounts_logon_fail_delay
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2c2daad6f6..cc21621617 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -35,6 +35,7 @@ documentation_complete: true
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
selections:
- account_disable_post_pw_expiration
+- account_emergency_expire_date
- account_temp_expire_date
- accounts_have_homedir_login_defs
- accounts_logon_fail_delay